International Standards to Regulate Aggressive Cyber-behavior from a Foreign State

International Standards to Regulate Aggressive Cyber-behavior from a Foreign State

International Standards to Regulate Aggressive Cyber-behaviour from a Foreign State

Mansoor Faridi

Fort Hays State University

May 10, 2015

Author Note

Mansoor Faridi, Department of Informatics, Fort Hays State University.

Mansoor Faridi is a graduate student at Fort Hays State University specializing in

Information Assurance Management. He lives in Toronto, Canada where he manages the

Compliance function for a major Canadian Financial Institution.

This position paper is a deliverable for Public Policy, Law, and Ethics in Informatics (INT610) course.

Correspondence concerning this paper should be addressed to Mansoor Faridi.

Contact: [[email protected]]

International Standards to Regulate Aggressive Cyber-behavior from a Foreign State ii

Table of Contents

Abstract .......................................................................................................................................1

Introduction ..................................................................................................................................2

Regulation of Foreign State’s Aggressive Cyber-behavior .........................................................3

Background …………………………………………………………………………… ..3

Significance ……………………………………………………………………………..4

Present Frameworks Regulating Aggressive Cyber-behavior ......................................................5

Problem Definition ……………………………………………………………………...5

Current Status ...................................................................................................................6

Developing and Implementing Global Standards Regulating Aggressive Cyber-behavior .......10

Challenges ......................................................................................................................10

Roadmap ........................................................................................................................12

Conclusion ................................................................................................................................14

References ..................................................................................................................................16

Appendices

Appendix A – Cyber-attack representations

Appendix B – Examples of recent incidents of nations' cyber warfare

Appendix C – Cyber-attacks on various Nations (by category)

Appendix D – Estimates cost of cybercrimes in U.S. and Globally

Appendix E – Model to develop global standards regulating aggressive cyber-behavior

International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 1

Abstract

Where technological advancements have improved our quality of life, it has also exposed us to

previously unknown threat vectors, such as, aggressive cyber-behaviour from a foreign State.

This significant issue has materialized in the form of huge financial losses (and otherwise), and

disruption of critical service provision. The main reason behind this problem is owing to absence

of international standards regulating foreign State’s aggressive cyber-behavior. The global

community has failed to develop a united front to develop and implement effective solutions to

tackle this issue proactively. Some global and regional organizations have developed frameworks

that also fail to address this issue fully, as their scope is domestic, focussing on individuals’

cyber-behaviour (as opposed to State), and solutions are theoretical in nature with no provisions

defining investigation and prosecution mechanism. Since the rules of engagement of modern

cyber-warfare are different than conventional military conflict, therefore, nations need to take

this distinction into consideration when approaching the issue. Another important aspect is

codification of international standards including the definition of scope, jurisdiction, forensic

procedures, resources, investigative and prosecution authorities. This difficult feat is possible

with mutual cooperation, active involvement, and maintaining compliance (by member nations)

with these international standards regulating foreign state’s aggressive cyber-behavior.

Keywords: best practices, coe, continuous improvement, cyber-hacktivism, cyber-law, cyber-

terrorism, cyber-warfare, impact, interpol, nato, jurisdiction, sovereign, united nations, wegener


International Standards to Regulate Aggressive Cyber-behavior from a Foreign State

Mansoor Faridi

Fort Hays State University

Introduction

This position paper supports the argument that ‘there exists an imminent need to develop

and implement international standards to regulate aggressive cyber-behavior from foreign State.’

First section provides background and significance of the issue, illustrates the magnitude

of this problem with examples of sovereign nations attacking each other in cyber-space,

concluding with estimates of financial losses incurred due to this aggressive cyber-behavior.

Second section describes the issue in detail along with a description of frameworks

developed by various global organizations to regulate cyber-behavior. However, all frameworks

lack in scope (focus on regulating individuals’ cyber-behavior as opposed to that of the State),

and intent (theoretical in nature without defining jurisdiction and prosecuting authorities).

Third section lists and discusses major challenges hindering the development and

implementation of the aforementioned global standards; it also provides some recommendations

along with a roadmap to design, develop, and implement global standards. The section concludes

by detailing an overall approach emphasizing collaborative engagement and launching of this

initiative through globally recognized platforms, with respected world bodies supporting

investigation and prosecution mechanisms.

This position is based on an overall approach in a global context where centralized

institutions are responsible for designing, developing, implementing, regulating, prosecuting, and

enforcing international standards. The approach has been inspired by industry best practices and

global standards and frameworks with a focus on continuous improvement to keep the standards

agile, relevant, and up-to-date!


Regulation of Foreign State’s Aggressive Cyber-behavior

In my opinion, there is an imminent need to design, develop and implement robust,

effective, and comprehensive international standards to regulate aggressive cyber-behavior

instigated by a foreign nation state against another entity, such as another state, organization,

person, etc. These standards should be supported by an international body (such as the United

Nations, Interpol, etc.) to ensure its legal enforcement and effective implementation on a global

scale. The sub-sections below describe the background and significance of this issue.

Background

In traditional warfare, strategic objectives are realized by executing offensive maneuvers.

This cripples a nation by inflicting damage to its airfield, ports, roads, ordnance depot, defense

and communication capabilities, etc. However, with technological advancements, the focus has

shifted to a more sophisticated mode of warfare, which is equally lethal but entirely virtual

[emphasis added] in nature (See Figure 1, Passeri, 2015). This is eloquently summed up by Noah

Feldman (2015), Harvard Law professor, “Cyber- attacks … as a strategic matter … do not differ

fundamentally from older tools of espionage and sabotage.” In fact, cyber-warfare is politically

motivated hacking to conduct sabotage and cyber espionage (Cyberwarfare, 2015;

See Appendix A, Chart A).

The change in venue where the ‘war’ is being fought has led to a paradigm shift. This

aggressive cyber-behavior is akin to cases of road-rage. Fortunately, we have traffic laws to deal

with such menace; however, we do not have a holistic set of international standards regulate

aggressive cyber-behavior from foreign State actors. This is defined as “attacks or series of

attacks on critical information carried out by terrorists and instills fear by effects that are

disruptive or destructive and has a political , religious and ideological motivation” (Schjolberg,


2007, p. 2). Table 1 below illustrates recent examples of cyber-attacks instigated by sovereign

nations on other nations and entities (See Appendix B for details; Cyberwarfare, 2015).

Table 1

Instances of nations’ cyber-warfare

Next sub-section highlights the gravity and impact of cyber-crimes supported by

statistics, and signifies how cyber-crimes expose the vulnerabilities of our data and information,

as it relates to its privacy, security, integrity, and availability.

Significance

Through cyber-warfare, nations (or proxy agents acting on their behalf) try to gain illegal

access to data and information, in order to sabotage, conduct espionage, harm critical

infrastructure, assets, and disrupt mission critical operations (Awan, 2010, p. 6); resulting in

significant financial losses, tarnished reputations, and even leading to total financial collapse.

According to the InfoSec Institute (2013), estimated total global losses owing to cyber-

crimes ranged from $300 billion to $1 trillion (See Table 2, McAfee, 2013, p. 4); which equates

to a noticeable percentage of 0.4% to 1.4% of the world’s GDP! (See Appendix D)

The magnitude of this problem, signified by the troubling statistics, is sufficiently

alarming to trigger immediate response by policy makers globally (Wegener, 2014, p.2). If an

issue of such paramount importance is not proactively tackled and addressed by developing

policies and standards, then it will put us at a disadvantage to effectively combat cyber-

warfare/cyber-terrorism instigated by rogue nations. According to Passeri (2015), the most


cyber-attacked countries are U.S., U.K., and Australia, respectively. However, in March 2015,

U.S. was the subject of most cyber-hacktivism attacks worldwide (See Appendix C).

In case of inaction, rogue states will continue to exhibit aggressive cyber-behavior,

inflicting damage on other states without any threat of a retaliatory response; and the biggest

loser in all this will be the general public, as they rely on their respective countries for provision

of various services that are supported by critical infrastructure that is vulnerable to these threats.

It is comforting to know that United States and United Nations have taken several steps in the

right direction to address this issue head-on, which forms the topic of discussion in the next

section. It is high time that a mechanism is established, as echoed by Leon Panetta (CIA

Director, 2009 - 2011), “it was vital for the organization to be one step ahead of the game when

it comes to challenges like cyber space security.” (Defence, 2010)

Present Frameworks Regulating Aggressive Cyber-behavior

Though the extent of losses is not fully quantified, however there is ample evidence

available (See Appendix D) to estimate the extent of losses, and to determine major sources of

threats emanating from certain rogue nations (See Appendix B) - what also remains unclear is

the absence of repercussions (Hathaway et al., 2011, p. 52) in current international legal

frameworks to deter nations from engaging in this aggressive cyber-behavior. The following sub-

sections describe the problem, analyzing the frameworks by examining their shortcomings.

Problem Definition

Presently, comprehensive international standards do not exist, and some frameworks that

do exist fail to address the issue of cyber-aggression perpetrated by a sovereign state, but rather

by individuals. To date, satisfactory steps have not been taken to design and implement

international standards effectively combatting foreign states’ aggressive cyber-behavior. Next


sub-section describes various frameworks developed to date, and why they failed to regulate

foreign state’s aggressive cyber-behavior.

Current Status

International standards are drafted by various entities based on the premise afforded by

international laws. Presently, the international law of countermeasures does not define when a

cyber-attack is unlawful, nor does it clearly differentiate between the instigator as an individual

or a sovereign state. It simply provides that when a State commits an international law violation,

an injured State may respond with a reciprocal act. In the cyber-attack context, injured State may

employ active defenses as reciprocal countermeasures, in which injured State ceases obeying the

same or a related obligation to the one the responsible State violated. The challenges to such a

response is firstly to identify attacker’s identity, as it may not be a State but a proxy working on

its behalf. Secondly, it is difficult to deploy countermeasures to only injure the actor that

perpetuated the attack. For these reasons, the customary law of countermeasures offers only a

partial answer to the problem of sovereign cyber-attacks (Kanuck, 2010, p. 1586; Hathaway et

al., 2011, pp. 45-47).

However, some mechanisms (listed below) have been developed to regulate aggressive

cyber-behavior (Hathaway et al., 2011, p. 48) of individuals, which can be extended to sovereign

states as well after revising their scope and modifying the overall intent.

The United Nations: Headquartered in Cyberjaya, Malaysia, the International Multilateral

Partnership Against Cyber Threats (IMPACT) was created in 2008 (IMPACT, 2015) with

United Nations support to serve as a politically neutral global platform that brings

together governments of the world, industry and academia to enhance the global

community’s capabilities in dealing with cyber threats. With a total of 152 member


states, IMPACT coordinates its partners’ resources to fight cyber-crimes that go beyond

political borders. IMPACT provides research and training services, policy planning, and

cyber-intelligence gathering & sharing with its partners, however, it lacks any

prosecution and/or enforcement authority. It can be concluded that at present, United

Nations role vis-a-vis cyber-security remains largely limited to facilitating discussions

and information sharing among member states, failing to address the issue at hand.

North Atlantic Treaty Organization (NATO): In 2008, a NATO summit prompted the

creation of two new NATO divisions focused on cyber-attacks: the Cyber Defense

Management Authority and the Cooperative Cyber Defense Centre of Excellence

(Hathaway et al., 2011, pp. 50-51).

The Cyber Defense Management Authority aims to centralize cyber-defense

capabilities across NATO members. Due to lack of publicly available information, it is

speculated that the Authority is believed to possess “real-time electronic monitoring

capabilities for pinpointing threats and sharing critical cyber intelligence in real-time”,

with the ultimate goal of becoming an operational war room for cyber-defense.

The Cooperative Cyber Defense Centre of Excellence aspires to “advance the

development of long-term NATO cyber defense doctrine and strategy.” In conflict with

NATO's Article 5, member states do not feel compelled, and are not bound, to "assist”

each other in case of a cyber-attack on any member state.

NATO’s creation of these two divisions represents the recognition of the problem

and a tangible step in the right direction; however, both divisions lack any prosecution

and/or enforcement authority to deter aggressive cyber-behavior by a sovereign state.


The Council of Europe: In 2001, the Council of Europe promulgated a common criminal

policy aimed at the protection of society against cybercrime, through legislation and

international cooperation (Council, 2015). The rules of this framework do not appear to

apply to government actions, whether taken for law enforcement or national security

purposes. Member states have implicitly ensured full cooperation during investigation

and/or prosecution, however, the most developed international legal framework voids

itself by ignoring ‘government actions’, and hence fails to serve as a deterrent.

The Organization of American States: The Organization of American States (OAS) aims

to build and strengthen cyber-security capacity in the member states through technical

assistance and training, policy roundtables, crisis management exercises, and the

exchange of best practices related to information and communication technologies. In

2004, OAS approved the creation of a cyber-security program to build cyber security

capacity in OAS member states, recognizing that the responsibility for securing

cyberspace lies with a wide range of national and regional entities from the public and

private sectors working on both policy and technical issues. The main objectives focus

around developing threat identification and mitigation capabilities, timely communication

to all member states, and strategic planning activities supported by all member states

(OAS, 2015).

Again, OAS’ cyber security program fails to formalize prosecution mechanism to

criminalize and prosecute illegal/aggressive cyber-behavior from a sovereign state.

The Shanghai Cooperation Organization: In its Yekaterinburg Declaration of June 16,

2009, member states have recognized the significance of cyber-security issues but have


not formalized any concrete actions. The absence of any framework and standards

renders this initiative invalid when combating sovereign state’s cyber aggression.

INTERPOL: INTERPOL is committed to becoming a global coordination body on the

detection and prevention of digital crimes through its INTERPOL Global Complex for

Innovation (IGCI), currently being constructed in Singapore. This new center provides

proactive research into new areas and latest training techniques, and coordinates

operations in the field (INTERPOL, 2015). INTERPOL supports operations by local law

enforcement agencies by providing subject matter expertise and forensic support.

INTERPOL does not clearly spell out any frameworks, standards and/or

mechanisms through which it can support successful prosecution of a rogue State in any

world body, such as, the International court of Justice (ICJ, 2015). Therefore, despite

their noble intentions, they have failed to address the issue at hand.

United States: The United States Cyber Command (USCYBERCOM) is a United States

armed forces sub-unified command subordinate to United States Strategic Command.

USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to:

direct the operations and defense of specified Department of Defense information

networks, conduct full spectrum military cyberspace operations in order to enable actions

in all domains, and ensure US/Allied freedom of action in cyberspace and deny the same

to their adversaries (Cyberwar in the U.S., 2015).

USCYBERCOM’s approach is clearly offensive in nature from a military

perspective. Its main aim is to attack and cripple the enemy state's capability from

launching any further cyber-attacks on the United States. This unilateral strategy is also

missing the elements of design and implementation of international standards to regulate


cyber-behavior, but rather to punish any cyber-aggression with an equally proportionate

response.

Other agencies, including the Federal Communications Commission (FCC), have

also regulated various cyberspace aspects with a domestic scope, failing to define and

address global jurisdiction and standards.

In summary, the efforts described above by the respective organizations have been

theoretical in nature - mostly focusing on research and development, policy planning, serving as

centers of excellence, being a facilitator, etc. Aforementioned organizations have failed to

establish a comprehensive legal framework and standards required for effective governance and

regulation of foreign state’s aggressive cyber-behavior. Next section discusses the challenges in

developing and implementing global standards that will deter foreign states’ aggressive cyber-

behavior, along with a roadmap to design, develop and implement effective international

standards that none of the above entities have developed thus far.

Developing and Implementing Global Standards Regulating Aggressive Cyber-behavior

This section describes and explains major challenges behind developing and

implementing global standards, along with a recommended roadmap to achieve this task.

Challenges

Following is a list of challenges hindering development and implementation of global

standards (Shinder, 2011) to regulate aggressive cyber-behavior from a foreign state:

Lack of standards: At present, there are no local and/or global standards developed and

implemented to regulate aggressive cyber-behavior of state actor.

Forensics: Due to sheer complexity and virtual nature of the crime, standards to collect,

sanitize, and analyze forensic evidence, has not been determined.


Establishing identity: Cyber-criminals operate under false identities which can be

undetected, but there are no standards developed to identify the culprit accurately.

Jurisdictional issues: Traditional subjective doctrine does not hold as there are no clearly

marked boundaries during the commission of cyber-crime, which crosses political

boundaries. Nations can determine the exact location of Internet activity to a certain

extent by assigning Internet Protocol (IP) addresses and Domain Name Server (DNS)

addresses to computers that coincide with their physical addresses, but cyber-terrorists

can easily evade this identification system by masking their origin. The Victim State may

base their prosecution (before international courts) on the principle of universal

jurisdiction, however, this has been contested by many jurists and one of its significant

limitations is that cyber-terrorists cannot be prosecuted preventively. The potential

Victim State must wait for the crime to occur, and then prosecute (Stockton & Goldman,

2014, pp. 231-250).

Compliance: There is no law or regulation forcing countries to comply with certain

standards or best practices. Countries can operate aggressively in the cyber landscape

without any threat of punitive actions. Some countries have even gained notoriety by

providing safe haven to hackers who operate on their behalf.

Thus far, nations have not displayed a collective will to tackle the aforementioned

challenges in order to develop global standards that will deter rogue states from committing

cyber-crimes against other nations. Next sub-section provides some practical approaches to

develop and implement a mutually-agreed upon set of global standards.


Roadmap

Following suggested roadmap (Figure 1) can help with designing global standards to

regulate aggressive cyber-behavior, along with recommendations to implement those standards.

This roadmap is approached by keeping industry best practices and various program developm-

ent methodologies in view, with a specific focus on continuous improvement (See Appendix E).

Figure 1. Proposed model to develop and implement international standards vis-à-vis cyber-behavior

Consensus building: In this preliminary stage, states should recognize the need for mutual

cooperation, recognize the issue that we are all confronted with, and with collective

determination, work jointly in defining, developing, and implementing global standards

to regulate foreign states’ aggressive cyber-behavior.

Global body creation: In this stage, all states must mutually agree to create a regulatory

body with the power to enforce and prosecute aggressive cyber-behavior of a rogue

nation. This should be formalized in policies, framework, and international standards.

Ownership: In this stage, states should develop internal policies and procedures to play an

active role in the ‘global body’ and submit themselves to the decisions of this body.

States should also allocating resources and maintain compliance at all times.


Design & development of tools: In this stage, Global body should leverage best practices

to design and develop tools. These tools will support proposed universal framework and

international standards to regulate aggressive cyber-behavior from a foreign state.

Development of procedures and processes: In this stage, procedures and processes should

be documented to operationalize international standards. The most important aspect of

these documents will be to define the scope, prosecution authority, logistics, and

functional & administrative ownership. Defining these aspects clearly should take away

the ambiguity that surrounds forensics, identity issues, and jurisdictional issues.

Jurisdiction and logistics: Even though this has been touched upon in the last step, but the

success of this exercise hinges on proper definition of jurisdiction and scope, therefore, it

warrants a policy document clearly detailing matters regarding scope, jurisdiction, and

enforcement mechanism. It should also define prosecution authorities (e.g. ICJ) and

policing accountabilities (e.g. INTERPOL) for those jurisdictions (on a rotating basis),

allocation of resources, and periodicity around periodic review of this critical document.

Monitor and control: In this stage, the overall monitoring and controlling aspects should

be defined. All violations should be identified, logged, addressed; and reviewed on a

periodic basis. These records will also enable investigators to perform analysis to

determine recurring trends, anomalies and outliers. The Global body should publish

reports highlighting topics of significant public interest and areas of concern.

Continuous improvement: In this crucial stage, the Global body will be in an excellent

position to advance its Research and Development (R&D) interests by leveraging other

member states and also serve as a Center of Excellence on matters relating to standards

for cyber security issues, research, advisory, best practice sharing, etc. All of these


activities will enable continuous improvement of this mode, and of the standards

themselves.

Conclusion

This position paper is in support of the position that there lies an imminent need to

develop and implement international standards to regulate aggressive cyber-behaviour of a

foreign State. At the hand of rogue nations' aggressive cyber-activities, various countries have

suffered enormous financial losses, with estimates ranging from $300 billion to $1 trillion.

The significance and scope of this problem has been realized by various world bodies,

resulting in varied responses. All proposed solutions have been theoretical, lacking concrete

actions vis-a-vis defining global standards, jurisdiction, and prosecution mechanisms. Also, all of

these solutions are geared toward regulating individual cyber-behavior within prescribed political

boundaries, as opposed to regulating sovereign state’s aggressive cyber-behavior.

Cyber-warfare’s rules of engagement are also different that of a conventional conflict,

and thus, cyber-warfare’s rules remain to be formalized. In addition, the common challenges

faced, when developing these international standards, is the lack of focus around jurisdictional

definition and authority, lack of scope definition, forensic complexities, culprit's identity

establishment issues, and general lack of will toward forming international standards.

The key to coming up with effective international standards lies in countries launching

this initiative from a globally recognized and respected platform (e.g. UN), developing a

consensus through policy planning, allocating resources for the initiative, decide mutually-agreed

upon deliverables, assign investigative bureau (e.g. INTERPOL), nominate prosecuting body

(e.g. ICJ), take joint ownership of this initiative on a continuing basis, and most importantly,

maintain full compliance themselves with the international standards at all times.


Moving forward, with the global paradigm shift (Ophardt, 2010, pp. 3-4) in the

commission of state-committed (or state-sponsored) cyber-crimes and aggressive cyber-

behaviour, global institutions (such as the United Nations, the International Court of Justice, and

INTERPOL) have a major role to play to hold aggressive parties accountable for their actions,

and to promote progress towards developing international standards, building consensus, and

developing mechanisms to serve justice to Victim States (Glennon, 2013, pp. 569-570). Due to

the dynamic nature of this issue, any solution will always be a work in progress as emerging

challenges are addressed, and corresponding solutions appended into the framework.


References

Ashford, W. (February 13, 2015). Data Breaches up by 49% in 2014. ComputerWeekly.com.

Retrieved from http://www.computerweekly.com/news/2240240346/Data-breaches

-up-49-in-2014-exposing-more-than-a-billion-records

Awan, I. (2014). Debating the term cyber-terrorism: Issues and problems. Internet Journal of

Criminology. Retrieved from http://www.internetjournalofcriminology.com/Awan_

Debating_The_Term_Cyber-Terrorism_IJC_Jan_2014.pdf

Council of Europe. (2015). Standards: the convention and its Protocol. Retrieved from

http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp

Cyberwarfare. (2015). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cyberwarfare

Cyberwarfare In the United States. (2015). In Wikipedia. Retrieved from http://en.wikipedia.org/

wiki/Cyberwarfare_in_the_United_States

Defence IQ. (2010, May 26). CIA, US Military Step Up Cyber Space Security Strategies.

Retrieved from http://www.defenceiq.com/defence-technology/articles/cia-us-military-

step-up-cyber-space-security-strat/

Feldman, N. (2015). Brainy Quote. Retrieved from http://www.brainyquote.com/

quotes/keywords/cyber.html

Glennon, M. (2013). The dark future of international cybersecurity regulation. Journal of

National Security Law & Policy, 4, 563-570. Retrieved from http://jnslp.com/wp-c

ontent/uploads/2013/04/The-Dark-Future-of-International-Cybersecurity-Regulation.pdf

Hathaway, O., Crootof, R., Levitz, P., Proctor, H., Nowlan, E., Perdue, W., Spiegel, J. (2011).

The Law of Cyber-Attack. Yale Law & Economics Research Paper No. 453, 100 (4), 1-

76. Retrieved from http://www.law.yale.edu/documents/pdf/cglc/LawOfCyberAttack.pdf

http://www.internetjournalofcriminology.com/Awan_%20Debating_The_Term_Cyber-Terrorism_IJC_Jan_2014.pdf

http://www.internetjournalofcriminology.com/Awan_%20Debating_The_Term_Cyber-Terrorism_IJC_Jan_2014.pdf

http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp

http://en.wikipedia.org/%20wiki/Cyberwarfare_in_the_United_States

http://en.wikipedia.org/%20wiki/Cyberwarfare_in_the_United_States

http://www.defenceiq.com/defence-technology/articles/cia-us-military-step-up-cyber-

http://www.defenceiq.com/defence-technology/articles/cia-us-military-step-up-cyber-

http://www.brainyquote.com/%20quotes/keywords/cyber.html

http://www.brainyquote.com/%20quotes/keywords/cyber.html

http://jnslp.com/wp-c

http://jnslp.com/wp-c


IMPACT. (2015). Mission & Vision. Retrieved from http://www.impact- alliance.org/

aboutus/mission-&-vision.html

InfoSec Institute. (2013). 2013 - The impact of cybercrime. Retrieved from

http://resources.infosecinstitute.com/2013-impact-cybercrime/

INTERPOL. (2015). Cybercrime. Retrieved from http://www.interpol.int/ Crime-areas/

Cybercrime/Cybercrime

ICJ. (2015). Jurisdiction. Retrieved from http://www.icj-cij.org/jurisdiction/index.php?p1=5

Kanuck, S. (2010). Sovereign discourse on cyber conflict under international law, Texas Law

Review, 88, 1570-1597. Retrieved from https://www.law.upenn.edu/institutes/cerl/

conferences/cyberwar/papers/reading/Kanuck.pdf

McAfee. (2013). The economic impact of cybercrime and cyber espionage. Retrieved from

http://www.mcafee.com/ca/resources/reports/rp-economic- impact-cybercrime-

summary.pdf

OAS. (2015). Cyber-security program. Retrieved fromhttps://www.sites.oas.org/

cyber/en/Pages/default.aspx

Ophardt, J. (2010). Cyber warfare and the crime of aggressions: The need for individual

accountability on tomorrow's battlefield. Duke Law & Technology Review, 9(2), 1-27.

Retrieved from http://scholarship.law.duke.edu/dltr/vol9/iss1/2

Passeri, P. (2015, April 13). March 2015 Cyber Attacks Statistics. Retrieved from

http://hackmageddon.com/category/security/cyber-attacks-statistics/

Schjolberg, S. (2007). Terrorism in Cyberspace - Myth or reality?. Retrieved from

http://www.cybercrimelaw.net/documents/Cyberterrorism.pdf

Shinder, D. (2011, January 26). What makes cybercrime laws so difficult to enforce. Tech

http://www.impact-/

http://www.interpol.int/%20Crime-

https://www.law.upenn.edu/institutes/cerl/%20conferences/cyberwar/papers/reading/

https://www.law.upenn.edu/institutes/cerl/%20conferences/cyberwar/papers/reading/

http://www.mcafee.com/ca/resources/reports/rp-economic-impact-cybercrime-

http://www.mcafee.com/ca/resources/reports/rp-economic-impact-cybercrime-


Republic. Retrieved from http://www.techrepublic.com/blog/it-security/what-makes-

cybercrime- laws-so-difficult-to-enforce/

Stockton, P., Goldman, M., (2014). Prosecuting cyberterrorists: Applying traditional

jurisdictional frameworks to a modern threat. Stanford Law & Policy Review, 25, 211-

268. Retrieved from https://journals.law.stanford.edu/sites/default/files/stanford- law-

policy-review/print/2014/06/stockton_goldman_25_stan._l._poly_rev._211.pdf

Wegener, H. (2014). Regulating Cyber Behaviour: Some Initial Reflections on Codes of Conduct

and Confidence-Building Measures. Retrieved from https://www.unibw.de/infosecur/

publications/individual_publications/wegener_regulating_cyber_behaviour_paper_2014

http://www.techrepublic.com/blog/it-security/what-makes-

http://www.techrepublic.com/blog/it-security/what-makes-

https://journals.law.stanford.edu/sites/default/files/stanford-law-policy-review/print/2014/06/stockton_goldman_25_stan._l._poly_rev._211.pdf

https://journals.law.stanford.edu/sites/default/files/stanford-law-policy-review/print/2014/06/stockton_goldman_25_stan._l._poly_rev._211.pdf

https://www.unibw.de/infosecur/%20publications/

https://www.unibw.de/infosecur/%20publications/


Appendix A

Cyber-attack Representations

Chart A – Distribution of Cyber-attack targets

Chart B – Distribution of Cyber-attack techniques

Chart C – Distribution of Cyber-attack (by industry)

Chart D – Distribution of Cyber-attack (by Org.)

Note: Above pie charts represent cyber-attack target distribution, cyber-attack techniques employed to infiltrate the target organizations, categorization of industries affected by these

cyber-attacks, and types of organizations attacked.

Source: http://hackmageddon.com/author/paulsparrow s/


Appendix B

Examples of recent incidents of nations' cyber warfare

2014 North Korea hacked SONY Pictures Entertainment

The cyber-attack on Sony Pictures Entertainment by a state-sponsored group called the Guardians of Peace

resulted in a canceled movie release (at least for a little while), leaked personal information, and apologies

from Hollywood executives caught in embarrassing e-mail conversations.

2012 Iran (via proxy) attacks US energy interest and ally

Forensic investigation revealed that virus (named Shamoon) was brought in on a USB drive and planted in

the network by an authorized Aramco user. This compromised and disrupted more than 75% of networked

computers (30,000) affecting world’s largest oil and gas producer’s production.

2010 US & Israel attack Iranian nuclear facility

New York Times reported that the US along with Israel was responsible for Stuxnet computer virus that was

used to destroy centrifuges in an Iranian nuclear facility in 2010.

2010 Indian-sponsored group hacks Pakistani websites

A group calling itself the Indian Cyber Army hacked the websites belonging to the Pakistan Army and other

government ministries to avenge Mumbai attacks.

2010 Britain cautioned against cyber threats from ‘hostile’ states

Britain’s internal agency warned against cyber threats from hostile states and criminals.

2009 North Korea attacks South Korea & USA

A series of coordinated denial of service attacks against major government, news media, and financial

websites in South Korea and the United States. While many thought the attack was directed by North Korea,

one researcher traced the attacks to the United Kingdom.

2007 Israel attacks Syria

Israel carried out an airstrike on Syria dubbed Operation Orchard. U.S. industry and military sources

speculated that the Israelis may have used cyber-warfare to allow their planes to pass undetected by radar

into Syria.

2007 Russia attacks Estonia

Estonia came under cyber-attack in the wake of relocation of the Bronze Soldier of Tallinn. The largest part

of the attacks were coming from Russia and from official servers of the authorities of Russia. In the attack,

ministries, banks, and media were targeted. This attack on Estonia, a seemingly small Baltic nation, was so

effective because of how most of the nation is run online.

2006 Israel (via proxies) attacks Hezbollah

Israel alleges that cyber-warfare was part of the conflict, where the Israel Defense Forces (IDF) intelligence

estimates several countries in the Middle East used Russian hackers and scientists to operate on their behalf.


Appendix C

Cyber-attacks on various Nations (by category)

Note. CC=Cybercrime, H= Hacktivism, CE= Cyber Espionage, CW=Cyber Warfare


Appendix D

Estimated cost of cybercrime in US and Globally (As of November 2013)


Appendix E

© 2015. Mansoor Faridi. All rights reserved.

The above model is inspired to develop and implement international standards vis-à-vis

aggressive cyber-behavior of a foreign state. The inspiration behind this approach is

based on research materials produced by global organization, industry best practices,

global frameworks, and international standards pertaining to quality assurance as

follows: ISO 27000x, Capability Maturity Model Integration (CMMI) for Development

Ver. 1.3, NIST, InfoSec Institute publications, ISACA publications, FCC publications,

etc.

The focus is on developing a mutually-agreed upon consensus and then on

continuous process improvement of the deliverables as the solution matures and

lessons are learned.

International Standards to Regulate Aggressive Cyber-behavior from a Foreign State

Documents

Transcript of International Standards to Regulate Aggressive Cyber-behavior from a Foreign State