Inside Cyber Warfare - Jeffrey Carr [49]
Unfortunately, technological limitations on attack detection, attack classification, and attack traces are likely to further complicate state decision-making during cyber attack analysis. Ideally, attacks would be easy to detect, classify, and trace. Unfortunately, this is not the case. This section analyzes the technological limits of these programs and explores their likely impact on state decision makers and system administrators.
Limitations on attack detection
Early detection and warning programs can help catch cyber attacks before they reach their culminating point, but even the best programs are unable to detect all cyber attacks. As a result, cyber attacks are bound to harm states. From a legal perspective, the failure to catch an attack until after its completion has both an upside and a downside. On the upside, states would gain the luxury of time to evaluate an attack, since the threat of danger will have already passed. On the downside, tracing an attack back to its source becomes more difficult the further removed the trace becomes from the time of attack.
Furthermore, even when it turns out that an armed cyber attack originates from a sanctuary state, state policymakers would need to think long and hard about using active defenses as a matter of policy. The longer it takes to detect an attack, the less compelling the need for states to use active defenses, especially when the attack seems truly complete. On the other hand, when an attack that has reached completion is seen as part of a series of ongoing attacks, the need to use active defenses to deter future attacks is more compelling.
Limitations on attack classification
Early detection and warning programs will detect many cyber attacks mid-attack. However, detecting an attack before its culmination makes it harder to classify. Naturally, a system administrator will immediately attempt to shut down a cyber attack with passive defenses as soon as it is detected, but that is not the full extent of his job. The system administrator must also assess the damage that has been done, as well as any likely future damage, so that an informed decision can be made about whether to use active defenses.[35]
When an ongoing cyber attack has already caused severe, immediate, invasive, direct, and measurable damage, it can safely be classified as an armed attack, even though it is still ongoing. On the other hand, when an attack has not caused such damage, a system administrator will need to look at (1) the immediacy of future harm and (2) the likelihood of fending off the attack with purely defensive measures to determine whether the attack should be classified as an imminent armed attack. Given the lightning speed with which computer code can execute, this will be very difficult to do, as delaying the use of active defenses increases the likelihood of harm to a state.
The limitations on attack classification should give system administrators pause before deciding to use active defenses in anticipatory self-defense. While it is lawful to make a decision based on their best analysis of the facts, such determinations will be highly speculative due to the shadowy nature of cyber attacks. Most likely, when a computer intrusion is detected, the purpose of the attack will be difficult to discern without dissecting a program’s code or reviewing the audit logs of an attacker’s activity. Furthermore, the speed with which cyber attacks execute will force system administrators to make their best guess, even though they will probably be missing critical information. Given the speculative nature of any such calculus, state policymakers may want to direct their system administrators to respond to cyber attacks in anticipatory self-defense only as an