
Transcript
When you walk around every day, interact with other people, and do things, there are certain norms of society that you just know to abide by. Like: people should be treated as equals. You have to pay your taxes. Bicyclists don't ride on the sidewalk, or in the middle of a lane of traffic. (Okay, maybe those are bad examples, since lots of people aren't so good at following them. But you get the idea, right?)
These rules were developed over time, as people realized that without them, society tends to fall apart.
Like during the years 1643 to 1649, when 109 diplomatic delegations gathered in the neighboring cities of Münster and Osnabrück, in modern-day Germany, then Westphalia. The delegations represented 16 European states, hundreds of imperial states within the Holy Roman Empire, and 38 interest groups. The immense scope of this yearslong diplomatic event was fitting — no, necessary — to match the immensity of the matter at hand: a religious war of three decades, which had killed somewhere between 4.5 and 8 million people. Europe's worst war to date, not to be eclipsed for another 275 years.
The deal they all hashed out in Westphalia — culminating in two peace treaties, signed in October 1648 — finally ended that war, bringing peace to the Holy Roman Empire, and Europe more broadly. But the effects of this deal were felt far longer still.
Some historians have since credited the Peace of Westphalia with defining the outlines of national sovereignty in Europe and, with it, ideas that we utterly take for granted today, like respecting borders, and not meddling in other countries' internal affairs. Or, very basically, who's allowed to fight in wars. For centuries before Westphalia, any pompous Lord or religious leader might have rounded up some mercenaries to go kill people over something, which, you can imagine, got rather messy. But as American University professor Gary Corn wrote in an article two years ago, quote:
"Since at least the Treaty of Westphalia and the consolidation of the legal monopoly of violence in the sovereign, the law has recognized that with very limited exception, only members of a State's armed forces, that is, 'those by whose agency the sovereign makes war,' are imbued with the 'privilege' to participate in hostilities. In return, only combatants benefit from the attendant immunity from criminal sanction for doing so. Civilians, on the other hand, lack this 'privilege' to participate directly in hostilities and their life should thus be respected and protected."
It's this commonly held understanding that keeps people as safe as possible during the most dangerous of times.
So what would happen if an individual broke this rule? Would they then lose their protection under the law? What then?
In fact, modern technology has allowed ordinary people to start taking part in wars again. The trend started just a decade-and-a-half ago.
A War In Georgia
Its impetus came at 8:00 A.M. on August 1, 2008, when two improvised explosive devices detonated on a road near Tskhinvali, in South Ossetia, injuring five police officers. Luckily for Jose Nazario, it took another week of skirmishing before war officially began. Otherwise, it would've interrupted his vacation.
"[Jose] I was in the airport, in particular in baggage claim, with my wife. We had just flown from somewhere, I forget where, and I got this call."
The call came from a colleague at his then-employer, Arbor Networks. (These days, Jose works at Mandiant.)
"[Jose] I got a call from our PR person, Kevin, who said, hey, we got an inbound request. There's a shooting war that's broken out in Russia. They want to talk."
There was a reason why, when a shooting war broke out in South Ossetia — a disputed northern region in the country of Georgia — somebody called Jose Nazario in Michigan.
"[Jose] The year prior, late April, literally May of 2007, were the Russia-Estonia attacks."
When Russian cybercriminals collaborated to perform denial-of-service attacks against Estonia's government, banks, and news outlets. We covered that story way, way back in Episode 4 of this podcast.
"[Jose] We would basically have our systems harvest every night: Here's all the commands, we recorded the botnets here that we've sort of been tracking, here's all the attack commands that we've seen come across, because that's how we did this. We would, you know, capture samples, we'd reverse engineer the protocols, and then pretend to be the bot to log in and get the command issued to the bots. And when they do that, they typically tell you — watch this kind of attack against this target for this long."
Jose and his colleagues began mapping out these botnets, their behaviors, and what they were collectively aiming at.
"[Jose] We were seeing attacks, you know, into, again, the former Soviet Union, into the Baltics, into various countries in the Caucasus Mountains including Chechnya, Ingushetia. Again, all denial of service attacks against, you know, news sites, public radio stations and the like, all of which, you know, the common thread was that they were generally sort of counter to Moscow, a pro-Moscow message."
In particular, the researchers were keeping an eye out for ".gov" domains which might indicate politically motivated attacks. And about a year into their project…
"[Jose] We get this report in July from our system saying, hey, this, here's an interesting attack. Dig into it."
It turned out to be targeting the website of the president of Georgia, Mikheil Saakashvili.
"[Jose] One botnet that we detected, launching a series of attacks against the website with a message actually in the request string saying 'win, love in Russia.'"
The site — or, more specifically, the server hosting it, along with several other mostly non-government websites — went down for more than 24 hours.
Immediately thereafter, discussions flared on Russian-language web forums. Were DDoS attacks and website defacements a good idea? Surely they'd be used to support anti-Russian narratives. But those skeptical voices did not win out.
"[Jose] When the tanks start rolling, we saw more than just that one botnet we had seen in July light up with a whole bunch of different attacks into Georgian websites. [. . .] We have a guy or two who sort of spend a bunch of time looking at a bunch of other ad hoc open source materials: pastebins, and blog posts and underground forums where we see a lot of these attacks coordinated. 'Hey, everybody, you know, we're going to hit the Georgian websites. Here's the target list for tonight.' And we would record that in traffic and we'd see many of these sites get hit."
Websites belonging to the central government, the Ministries of Defence and Foreign Affairs, various commercial organizations, and, again, the president's. This time, across a series of downed government sites, hackers plastered a collage of pictures of Saakashvili alongside Adolf Hitler.
"[Jose] The attacks weren't big, maybe a couple hundred megabytes, but relative to what was provisioned for those websites, it was pretty substantial. Many of them were disruptive, so availability was affected."
Estonia, All Over Again
It was Estonia all over again, with a twist: unlike in that case, here, soldiers and civilians were dying every day. (The first time in history, in fact, that a traditional war was simultaneously paired with cyberattacks.) The result was that websites belonging to the government and media were materially impeded in informing and advising citizens on how to stay safe.
Like, if you went to the news site civil.ge, the most recent article you would've seen published was titled "Russia Occupies Significant Part of Georgia". Then nothing. If you're in Georgia, what the heck are you supposed to do with that?
Besides the nature or scope of the damage, it was also the timing of these cyberattacks — beginning late on August 7th, 2008, and peaking on August 8th — that troubled analysts. The 7th was the day Georgian soldiers entered South Ossetia and, perhaps not so coincidentally, Russian troops as well. So this was either an incredibly swift response to the fighting, or, perhaps, a coordinated and prepared one.
By August 13th, Shadowserver, a nonprofit which tracks malicious activity online, had developed reliable intel that the overwhelming majority of the ICMP DDoS traffic was, as feared, coming from Russia, unlike with most botnets which tend to be geographically dispersed.
However, the activity derived from several internet service providers spread across the country, including both broadband and dial-up users. If it were Russia's military or intelligence behind all this, you wouldn't expect them to be so geographically dispersed, and you definitely wouldn't picture Russian troops connecting over dial-up.
It turned out that all of the malicious traffic into Georgia was performed using a single Windows batch script. (Batch scripts are plaintext files containing commands that the Windows command-line interpreter executes when the file is run.)
As far as malware goes, this one was rather simple. At the top, times at which it would be run — 6 PM, and 8 PM — and a message: "Thanks for support of South Ossetia! Please, transfer this file to friends!" Then, some commands and a list of 20 websites which would be targeted: Georgia's parliament, the president, the police, the supreme court, news media, and so on.
This script had been published and disseminated online in several Russian-language forums.
"Basically," Shadowserver explained, "people are taking matters into their own hands and asking others to join in by continually sending ICMP traffic via the 'ping' command to several Georgian websites, of which the vast majority are government."
For example, the hackers at stopgeorgia.ru/stopgeorgia.info wrote online that, quote:
"We — the representatives of Russian hako-underground, will not tolerate provocation by the Georgian in all its manifestations. [. . .] We do not need the guidance from the authorities or other persons, and operate in accordance with their beliefs based on patriotism, conscience and belief.
"[Jose] These are people who are sort of responding in some fashion to what they see on the news, sort of hopping online and watching these attacks, responding to what they see as diplomatic tensions as opposed to tasking, you know, from headquarters."
"You can call us criminals and cyber-terrorists, raz-vya-zy-vaya with war and killing people. But we will fight [. . .] We call for the assistance of all who care about the lies of Georgian political sites, everyone who is able to inhibit the spread of black information."
Thanks to a Windows batch script, as soldiers, planes, and tanks started killing hundreds in South Ossetia, it was regular people who were crippling the region's government and news media. Which raises the question: If a hacker is participating in a war, can you treat them like a soldier?
International Law
"[Oona] So civilians are insulated from attack and they retain their civilian status as long as they don't directly participate in hostilities."
You're listening to Oona Hathaway, founder and director of the Center for Global Legal Challenges at Yale Law School, formerly special counsel to the general counsel at the U.S. Department of Defense. For the last decade and a half, she's been one of the top ten most frequently cited international law scholars in the U.S.
"[Oona] Direct participation is enough for you to lose your civilian status, your protected civilian status, and thus become targetable. Now the question is what is enough to be a direct participant in hostilities."
If somebody picks up a gun and starts shooting, it's obvious that you can shoot back. But what if that person uses a keyboard to more subtly endanger a soldier, or a civilian?
"[Oona] The Geneva Conventions in particular regulate the conduct of war and regulate in particular the conduct of war by states. There is very limited regulation of war being conducted by private actors, by citizens. Really all that the Geneva Conventions have to say about that is in Common Article Three. There's some, like, basic rules that regulate the behavior of private actors that are engaging in conduct of war, but it makes it clear that they're not immunized from the ordinary criminal process that would apply to them."
So if a person commits violence in a battle, for example, they aren't protected just because they're not wearing a uniform. But for less obvious acts, the Geneva Conventions become much blurrier — a situation which has real-world consequences for people in imminent danger.
eEnemy
Consider another, more recent phenomenon happening just a quick hop over the Black Sea from Georgia. In the last two years, thousands upon thousands of Ukrainian citizens have tested Geneva's limits by chatting with "eVorog" (translated: "eEnemy"). eVorog is an AI chatbot developed by Ukraine's Defense Ministry, which lives on the encrypted messaging platform Telegram. As Time Magazine wrote, quote:
"It all looks like a game at first. Verified users of Ukraine's government mobile app are greeted with options illustrated by icons of military helmets and targets. An automated prompt helps you report Russian troop movements in your area, and rewards you with a flexed-arm emoji. 'Remember,' the message says. 'Each of your shots in this bot means one less enemy.' [. . .] One example of an interaction shared with TIME shows emojis and arrows guiding users through a series of automated prompts: first making sure they are safe, then telling them to focus their camera on enemy actions, shooting video for up to one minute, and attaching a timestamp and geolocation."
Users can report on the locations of munitions, including unexploded bombs, or troop movements, or any other relevant intel. A government ID system called Diia verifies their identities, to weed out fake news merchants. To report the sighting of enemy aircraft, drones, or even missiles, citizens use a different app, "ePPO." Other tools enable them to document damage to their homes, and various human rights abuses, or submit documents or apply facial recognition to identify individual Russian troops, and much more. In all, there are some half a dozen apps the government developed or adapted to help document war crimes and crowdsource the country's defense against Russia's invasion.
Thousands and thousands of ordinary people have taken up that call. In the first two months of war alone, more than 250,000 reports of Russian army developments flooded the government databases where these data are uploaded.
For a sense of the impact these reports have had, just look at the city of Kherson in southern Ukraine — north of Crimea, part of the territory Russia captured early in the war. In that first month, as Russian vehicles carrying missile launchers drove through the main streets of the city, locals uploaded photos and metadata to eVorog. Ukraine's minister of digital transformation recalled to reporters how, quote, "Almost every apartment sent us a report. So we could geolocate them to almost every apartment on those two streets."
Later, in September of 2022, Kherson residents earned another win when they used eVorog to report the location of a warehouse Russians were parking military vehicles in. On the following day, that facility was pulverized by an airstrike. Similar stories have repeated themselves throughout Ukraine in months since.
And while thousands of regular people use eVorog, dozens of hacktivist collectives have also taken up the fight on both sides.
In one case, pro-Russia hackers destroyed communications equipment supplying internet connectivity to millions of people in Ukraine, including those in warzones, and knocked out the air-raid system in regions around the capital, preventing civilians from being warned of incoming projectiles.
On behalf of Ukraine, Anonymous is reported to have come close to blowing up a gas control system in North Ossetia — which would've threatened lives; disaster was averted only by the quick thinking of an employee on-site.
Some Ukrainian hacktivists have also directly collaborated on missions with the military. (Russian cybercriminals have been doing this for years.) The people using eVorog are doing a version of the same thing.
So, can a Russian soldier target a civilian for using eVorog? Can a Georgian soldier target one for using a Windows batch script?
"[Oona] What is enough for an individual to cross the line to become a civilian directly participating in hostilities through engaging in cyber operations is really untested territory."
Even though we've been dealing with this issue for some years now.
"[Oona] In 2008, we were still kind of trying to figure out what the rules were. And so there weren't any cyber-specific rules, and there still really aren't any cyber-specific rules [. . .] And so what people were trying to do back then was to try to figure out how did the existing rules apply in cyberspace, you know, how do we take the rules that govern behavior of states generally? And how do we apply those in cyberspace?"
It isn't an easy question to answer because, while hacking has contributed to life-threatening situations, it's never directly caused a death. It's also difficult to attribute cyberattacks and, even when you can, sometimes you don't want to tip your hand by doing so. And most malicious hackers involved in serious conflicts live in countries that don't want to extradite them to face trial.
But these hurdles might have been overcome, and laws regulating this behavior might have been drafted, if certain powerful entities hadn't had a motive to do the exact opposite.
"[Oona] There were some, particularly the Chinese, who took the position that we needed special rules for cyber and that the ordinary rules of international law didn't apply to cyberspace, and so you needed a whole new set of rules, didn't know how to regulate that, that behavior. [. . .] Part of the reason may have been that China was and still is, to some degree, on the forefront of the capacity to engage in cyber operations, particularly cyber espionage, and may have preferred to keep this a space that was largely unregulated, and not accept the idea that existing legal principles applied in this space, because that would have been to accept that there were limits, legal limits on their behavior, and that in violating those legal limits they were subject to penalties for that — countermeasures that could be imposed for doing so."
It wasn't just China slowing down the development of cyber law.
"[Oona] And to be honest, you know, they're not alone in being reluctant to adopt robust rules. The United States has not been a forward-leaning actor in terms of thinking about how to apply international law to cyberspace. It came around to that view, and it has come around to that view, and it has been an advocate in recent years of applying sort of bare-bones international law principles, like the prohibition on use of military force in cyberspace or the idea that international humanitarian law can apply to cyber operations. But in these early years, the states that had the greatest capabilities were, in part for that reason, less enthusiastic about adopting a robust legal framework to govern what could and couldn't happen in cyberspace."
So there aren't any rules yet. But according to Professor Hathaway, who knows the issue better than probably anyone else on the planet…
"[Oona] Some cyber operations might be enough to be a direct participant in hostilities, and particularly if a private organization is directly coordinating with the military, if they're engaging in operations that are meant to disable the military capacity of one side or the other in the conflict, or if they're engaging themselves in attacks that are sufficient to make them part of the conflict, then it is enough for them to lose their civilian status and become potentially targetable."
Until cyber is integrated into the laws of armed conflict, militaries will enjoy the freedom to interpret these situations as they wish.
Russian soldiers could use eVorog as an excuse to justify their harsh treatment of civilians. It might look like what happened during the Bucha massacre, early in the Ukraine war, in which more than 400 civilians were killed. One survivor of the event recalled how Russian troops went from building to building, grabbing people and immediately checking their phones for evidence of anti-Russian activities.
Or it might look like what happened in 2019, when Hamas operatives attempted a large-scale cyber campaign against the state of Israel. In response, that May, the IDF air force bombed Hamas' cyber headquarters, plus an equipment storage site it was using as a de facto data center, and an apartment building where its cyber operatives were hiding out. Three of them were eliminated, in the first ever kinetic response to a cyber attack in history.
Does it seem harsh to kill people over hacking? Maybe, but there's no clear rule against it, even if the person responsible isn't in a terrorist group, or a military, but is just some guy in his apartment.
Today, amid some of the most devastating armed conflicts in recent history, there's simply nothing stopping Russia, Israel, Pakistan, Ukraine, or any other nation from trying it. There may only be a matter of time before some keyboard warrior wakes up to find that the shield of an anonymous username and masked IP address doesn't protect them from lead dropped from 10,000 feet in the sky.
Source: https://www.cybereason.com/blog/malicious-life-podcast-can-you-bomb-a-hacker