Elsevier

Computers & Security

Volume 74, May 2018, Pages 371-383

A new strategy for improving cyber-attacks evaluation in the context of Tallinn Manual

https://doi.org/10.1016/j.cose.2017.04.007

Abstract

In this paper a systematic modeling methodology for evaluating the effects of cyber-attacks on States' Critical Information Infrastructure (CII) is introduced. The analysis is focused on the United Nations Charter's normative scheme of the “use of force”, in order to define whether these attacks constitute a wrongful “use of force” under the principles of international law. By using the qualitative criteria for recognising the impact of cyber-attacks as proposed by the International Group of Experts in the Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual) and by applying Multiple Attribute Decision Making (MADM) methods, cyber operations evaluation results are presented. For the analysis a case study of kinetic and cyber-attacks on a Supervisory Control and Data Acquisition (SCADA) system is employed. Pros and cons of the Simple Additive Weighting (SAW) method and the Weighted Product Method (WPM) are evaluated. The weaknesses of applying the SAW method in cyber-attacks modelling, as well as the difficulty in defining an appropriate quantitative scale for the classification of such attacks when using WPM (due to the nonlinear relationship between attributes and overall score in WPM), lead us to present a new evaluation strategy. This new strategy combines the use of the above-mentioned decision making algorithms and introduces a new grouping of Schmitt's criteria based on their properties for achieving an improved cyber-attacks modelling assessment. Different quantitative scales are applied in the distinct Schmitt's criteria groups in order to quantify them based on their characteristics. The correlation of the qualitative and quantitative methods of analysis leads to more accurate cyber-attack evaluation and classification.

Introduction

In the 21st century, cyberspace is the new frontier, a new world full of possibilities to help advance prosperity. Cyberspace and the rapid development of Information and Communication Technologies (ICTs) have fundamentally transformed the global economy and the way of life by providing billions of people across the world with instant access to information, to communication and to new economic opportunities. At the same time, national security, education, government, health, public safety, as well as sectors such as energy, transportation and communication are closely related to, if not dependent on, cyberspace and updated ICTs. The more the systems, infrastructures, societies and economies become interdependent, the higher their vulnerability and the complexity of dealing with new risks and threats that menace the sovereignty of States and the well-being of societies and citizens (Albanese et al., 2013). The integration of new technologies that are enabled with Cloud Computing services is growing with an interlinkage of infrastructures which amounts to a new dimension of vulnerability (Albanese et al., 2014). The increasing number of cyber-attacks on States' Critical Information Infrastructure (CII) is also transforming cyberspace into a battlefield, “the mouse and keyboard being the new weapons”, and bringing out “cyber warfare” as the “5th dimension of war” (The Economist, 2010).

The wide range of cyber-attacks against Estonia's critical ICTs in 2007, following the country's spat with Russia over the removal of a war memorial, were the first large scale attacks that were meant to harm the functionality of the State and to cause a number of adverse effects on the operation of public administration and the economy. The specific assault quickly led to the cultivation of fear among citizens and to the destabilisation of the country's financial system, threatening Estonia's national security (Tikk et al., 2010).

A smaller range of cyber operations followed, such as the cyber-attacks against Georgia (June 2008), Lithuania (August 2008), Kazakhstan (January 2009) and Ukraine (March and May 2014). Meanwhile, Advanced Persistent Threats (APT) (Virvilis and Gritzalis, 2013a) clearly demonstrate the fact that cyber warfare is an increasingly alarming phenomenon. Examples of such include “Ghostnet” (Kassner, 2009), a large-scale cyber spying operation against the US; “Operation Aurora” (Zetter, 2010), a targeted malware attack against at least 30 major US companies – including Google and Adobe; “Stuxnet” (Farwell and Rohozinski, 2011), a zero-day malware leading to a sabotage against Iran's nuclear program; and “DarkSeoul” (Virvilis and Gritzalis, 2013b), a sophisticated malware that attacked South Korean financial institutions and the Korean broadcaster YTN (Sang-Hun, 2013).

In order to defend the USA from cyber-attacks, former US President Obama declared America's digital infrastructure a strategic national asset (The Economist, 2010). Such decisions reflect the need to address the challenges posed with regard to cyber-attacks that could be qualified as cyberwar actions. The continuous increase in both the number and the intensity of cyber-attacks on States' CII renders the research on defining and evaluating these categories of cyber-attacks a pressing need.

A first range of questions relate to the adequacy and suitability of the existing “old” – developed over generations to be applied on attacks using kinetic weapons and armed violence – and the terminology used (such as force and aggression) to control “the brave new world of cyber warfare” (Jolley, 2013). We have to bear in mind that terms themselves, such as CII, are steadily evolving due to the impacts of the advancing domination of online communications and cyberspace on the “real world” and ubiquitous computing. The difficulties in defining and identifying the effects and impacts of a cyber-attack in order for it to be equated to an “armed attack” are obvious: if in the “traditional” jus ad bellum framework emphasis is placed on human and/or material destruction, authors also argue for “unavailability” of CII as an equivalent criterion (Tsagourias, 2012). Despite the progress made at the regulation and research level to address the issues raised, there are still significant gaps in reaching a safe and definitive approach on when a cyber-attack constitutes “use of force” and when the right to self-defence should be recognized (Robinson et al., 2015).

The paper contributes to the development of a systematic modelling methodology for evaluating the effects of cyber-attacks on States' CII in order to answer the question of whether these attacks have risen to the level of a “use of force” under the jus ad bellum, that body of international law that governs a State's resort to force as an instrument of its national policy. The threshold inquiry is crucial to assessing the level of violence between States in order to justify a lawful response. Because the UN Charter prohibits the unauthorized “use of force”, a State must be able to quickly and safely assess whether a cyber operation constitutes a “use of force” triggering the international condemnation and economic sanctions, (active) “cyber self-defense” – or an “armed attack” (with the use of conventional military weapons) as forceful response.

This is primarily achieved by adopting the “effects-based” or “consequences-based” approach, which focuses on the overall effect of a cyber operation on the victim-State, as well as by using the qualitative criteria for recognising the impact of cyber-attacks as proposed by the International Group of Experts in the Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual). Furthermore, Multi-Attribute Decision Making (MADM) methods are also applied.

For the analysis, a case study of kinetic and cyber-attacks on a Supervisory Control and Data Acquisition (SCADA) system is employed. The pros and cons of each MADM method are evaluated and cyber-attack evaluation results are presented. The weaknesses of each MADM method lead us to present a new cyber-attack evaluation strategy that combines the use of decision making algorithms of MADM methods and introduces a new grouping of the International Group of Experts criteria based on their distinctive features. The correlations of both qualitative and quantitative methods lead us to achieve an improved cyber-attack evaluation assessment and as a result a more accurate and complete cyber-attack classification.

The paper is organised as follows: In section 2 the related work in cyber-attacks modelling assessment is presented. Furthermore, a comparative evaluation of the proposed methodology with previous cyber-attack evaluation methodologies is critically discussed. In section 3 the review of the existing international legal framework of cyber warfare is presented. Then, cyber operations are categorized, based on their intensity. Furthermore, the “effect-based” model assessment and the qualitative criteria, as proposed by the International Group of Experts on the “Tallinn Manual of International Law Applicable to Cyber Warfare”, are described. In section 4 the descriptions of both the Simple Additive Weighting (SAW) method and the Weighted Product Method (WPM) are presented. Both methods are introduced as multi-criteria decision analysis ones for the evaluation of cyber-attacks. The pros and cons of each method lead us to propose a new cyber-attack evaluation methodology which includes both qualitative and quantitative methods of analysis and results in a more accurate and complete cyber-attack evaluation and classification. Finally, in section 5 the indicative results of the research are critically analysed.

Section snippets

Related work in cyber-attack modelling assessment

Being able to precisely define, evaluate and categorize cyber-attacks is becoming increasingly difficult. The technical complexity of systems, the growing variety of exploitable attack vectors and the ubiquitous integration of Internet technology into all aspects of our daily lives compound the problem. The failure to adopt a comprehensive approach to the problem is frequently the norm, leading to an incomplete understanding of cyber-attacks and a failure to provide an appropriate solution. A

Cyber warfare under the prism of jus ad bellum

When the United Nations Charter was adopted (1945), States were menaced and threatened only by kinetic means and methods of warfare and in its context aggression was understood as the use of armed force against sovereignty, territorial integrity or political independence of another State (UN Resolution 3314). Aerial bombardment, ground assault, missile strikes and other territorial incursions were the traditional kinetic methods of warfare in the military battlefield. Military operations were

Multi criteria decision analysis methods

Multiple Attribute Decision Making (MADM) involves “making preference decisions (such as evaluation, prioritisation and selection) over the available alternatives that are characterised by multiple, usually conflicting attributes” (Hwang and Yoon, 1981). The problems of MADM are diverse, and can be found in virtually any topic. Franklin, more than 200 years ago, recognised the presence of multiple attributes in everyday decisions, and suggested a workable solution (MacCrimmon, 1973).

By using
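Added example (not from the paper): the two MADM scoring rules named in the abstract, SAW as a weighted sum and WPM as a weighted product, applied to constructed 1-10 scores to show SAW's compensation between attributes and WPM's nonlinear response to a single attribute. The criterion names are the Tallinn Manual's use-of-force factors, which this page does not list; the weights, scores and helper names are assumptions made for illustration.

```python
import math

# Use-of-force factors from the Tallinn Manual (Schmitt's criteria).
CRITERIA = ["severity", "immediacy", "directness", "invasiveness",
            "measurability", "military_character", "state_involvement",
            "presumptive_legality"]

# Constructed weights summing to 1 (assumption, not the paper's values).
WEIGHTS = {c: 0.10 for c in CRITERIA}
WEIGHTS["severity"] = 0.30


def saw(scores, weights=WEIGHTS):
    """Simple Additive Weighting: weighted sum of the attribute scores."""
    return sum(weights[c] * scores[c] for c in CRITERIA)


def wpm(scores, weights=WEIGHTS):
    """Weighted Product Method: product of scores raised to their weights."""
    return math.prod(scores[c] ** weights[c] for c in CRITERIA)


def step_effect(method, criterion, low, high, baseline=5):
    """Score change when one criterion moves low -> high, others at baseline."""
    base = {c: baseline for c in CRITERIA}
    return method({**base, criterion: high}) - method({**base, criterion: low})


# Constructed operations; every criterion is scored on the same 1-10 scale,
# so no per-criterion normalisation is applied before scoring.
OP_UNIFORM = {c: 5 for c in CRITERIA}
OP_LOW_SEVERITY = {**{c: 7 for c in CRITERIA}, "severity": 1}
OPERATIONS = {"uniform": OP_UNIFORM, "low_severity": OP_LOW_SEVERITY}


def rank(method):
    """Operation names ordered from highest to lowest score."""
    return sorted(OPERATIONS, key=lambda n: method(OPERATIONS[n]), reverse=True)


if __name__ == "__main__":
    for name, op in OPERATIONS.items():
        print(f"{name:13s} SAW={saw(op):.3f}  WPM={wpm(op):.3f}")
    # SAW lets high scores elsewhere offset negligible severity; WPM does not.
    print("SAW ranking:", rank(saw))
    print("WPM ranking:", rank(wpm))
    # One severity step is worth a fixed amount under SAW, but a
    # level-dependent amount under WPM, so linear class cut-offs do not carry over.
    for lo, hi in [(1, 2), (9, 10)]:
        print(f"severity {lo}->{hi}: SAW +{step_effect(saw, 'severity', lo, hi):.3f}"
              f"  WPM +{step_effect(wpm, 'severity', lo, hi):.3f}")
```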

A new strategy for cyber-attack evaluation

In this section, we continue our analysis by presenting a new modelling methodology that introduces a new calculation procedure and a new usage of the Schmitt's criteria for the better evaluation of cyber-attacks. This new strategy combines the use of the previous two decision making algorithms and introduces a new grouping of Schmitt's criteria based on their properties for achieving a better modelling of attacks. Fig. 3 is a schematic diagram of this new strategy for cyber operations

Conclusions

In this paper, the aim was to present a new systematic modelling methodology for evaluating the effects of cyber-attacks on States' CII in order to define whether these attacks constitute a wrongful “use of force” under the jus ad bellum, that body of international law that governs a State's resort to force as an instrument of its national policy. We have adopted the “effects-based” or “consequences-based” approach, which focuses on the overall effect of a cyber operation to the victim-State,



Kosmas Pipyros is a PhD candidate with the Dept. of Informatics of Athens University of Economics and Business (Greece). He holds an MSc in Information Systems from the same University and an LLB (Bachelor of Laws) from the Aristotle University of Thessaloniki. On a professional basis, he is employed in the Hellenic Armed Forces as a military legal advisor, specialising on issues of international law. His current research interests focus on the legal and technical aspects of cyber warfare.

Christos Thraskias received a B.Sc. in Electronics/Telecommunications Engineering from the Hellenic Air Force Academy and a Ph.D. in Optics and Photonics from the University of Peloponnese (Greece). He is currently serving as Postdoctoral Researcher with the University of Peloponnese and as an Electronics/Communications Engineer at Hellenic Air Force. His current research interests focus on high-power optical fibre design, inverse optical waveguide problems, and cybersecurity.

Lilian Mitrou is Associate Professor of Law at the University of the Aegean and Visiting Professor at the Athens University of Economics and Business. She has served as Member of the Greek Data Protection Authority and as Chair of EU Council's Working Group on Information Exchange and Data Protection. Her experience includes senior consulting and researcher positions in private and public institutions and projects.

Dimitris Gritzalis is Associate Rector of Athens University of Economics & Business (Greece) and a Professor of IT Security with the Dept. of Informatics. He also serves as Director of the MSc Programme on Information Systems and Director of INFOSEC Laboratory. He holds a BSc (Mathematics, University of Patras), MSc (Computer Science, City University of New York) and PhD (Information Systems Security, University of the Aegean). His current research interests focus on Critical Infrastructure Protection, Advanced Persistent Threats and Smartphone Security and Privacy. Prof. Gritzalis is the Academic Editor of the Computers & Security Journal and a Scientific Editor of the International Journal of Critical Infrastructure Protection.

Theodoros Apostolopoulos is a professor with the Department of Informatics of Athens University of Economics and Business (Greece). He is a graduate of the Department of Electrical and Mechanical Engineering of National Technical University of Athens and holds a PhD in Informatics from the same university. His research interests include computer and telecommunication networks, performance evaluation and queuing theory, mobile and ubiquitous systems and broadband infrastructure and e-services. He has served as AUEB's Vice-Rector of Academic Affairs.
