DATA DUPLICATION VILLAGE - A Beginner's Guide to Musical Scales of Cyberwar

Video thumbnail (Frame 0) Video thumbnail (Frame 2763) Video thumbnail (Frame 6629) Video thumbnail (Frame 8187) Video thumbnail (Frame 9036) Video thumbnail (Frame 14841) Video thumbnail (Frame 18933) Video thumbnail (Frame 21073) Video thumbnail (Frame 24214) Video thumbnail (Frame 26547) Video thumbnail (Frame 30165) Video thumbnail (Frame 31205) Video thumbnail (Frame 32723) Video thumbnail (Frame 34062) Video thumbnail (Frame 38150)
Video in TIB AV-Portal: DATA DUPLICATION VILLAGE - A Beginner's Guide to Musical Scales of Cyberwar

Formal Metadata

DATA DUPLICATION VILLAGE - A Beginner's Guide to Musical Scales of Cyberwar
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Whether you have a background in information security, law, or national security, this talk is a beginner’s guide to understanding the law of war in cyberspace. By juxtaposing the law of war with a keyboard, the process of how states evaluate the scale and effects of a cyber operation and determine a basis for resorting to a use of force under the Law of Armed Conflict, can be more readily conceptualized. For if music is indeed, the universal language of mankind, then by encouraging society to learn about this area we can collectively better strategize ways to mitigate cyber conflict
Cybersex Domain name Scheduling (computing) Presentation of a group Cross section (physics) Electronic program guide Physical law Cyberspace Formal language Number Revision control Data mining Moment of inertia Term (mathematics) Analogy Normed vector space Universe (mathematics) Musical ensemble Musical ensemble Table (information)
Point (geometry) State of matter Multiplication sign Direction (geometry) Cybersex Sheaf (mathematics) Insertion loss Cyberspace Rule of inference Field (computer science) Computer programming Machine vision Power (physics) Expected value Causality Military operation Object (grammar) Operator (mathematics) Analogy Information Process (computing) Form (programming) Cybersex Area Operations research Source code Time zone Information Software developer Physical law Expert system Physicalism Sound effect Core dump Computer network Computer Cyberspace Software System programming Aerodynamics Authorization Musical ensemble Object (grammar) Spectrum (functional analysis) Domain name
Decision theory Image resolution Code Octave Cybersex State of matter Set (mathematics) Right angle Communications protocol Thermal conductivity Metropolitan area network
Mass flow rate State of matter Latin square View (database) Multiplication sign Set (mathematics) Insertion loss Cyberspace Proper map Independence (probability theory) Computer configuration Analogy Finitary relation Set (mathematics) Descriptive statistics Thumbnail Data integrity Area Cybersex Source code Arm Decision theory Keyboard shortcut Shared memory Sound effect Price index Flow separation Type theory Octave output Right angle Information security Asynchronous Transfer Mode Point (geometry) Game controller Clique-width Divisor Variety (linguistics) Image resolution Cybersex Event horizon Thresholding (image processing) Theory Smith chart Power (physics) Crash (computing) Independent set (graph theory) Clef Well-formed formula Natural number Hacker (term) Octave Operator (mathematics) Energy level Right angle Communications protocol Form (programming) Newton's law of universal gravitation Dependent and independent variables Conservation of energy Image resolution Forcing (mathematics) Physical law Mathematical analysis Planning Basis <Mathematik> Incidence algebra Existence Basis <Mathematik> Personal digital assistant Musical ensemble Catastrophism Force
Dissipation Complex (psychology) Standard deviation Arm State of matter Variety (linguistics) Decision theory Forcing (mathematics) Range (statistics) Physical law Keyboard shortcut Constructor (object-oriented programming) Mathematical analysis Cyberspace Attribute grammar Revision control Proof theory Word Different (Kate Ryan album) Octave Set (mathematics) Electronic visual display Pattern language
Axiom of choice Group action Perfect group Petri net State of matter Multiplication sign Modal logic Image resolution Real-time operating system Cyberspace IP address Theory Attribute grammar Term (mathematics) Different (Kate Ryan album) Octave Operator (mathematics) Set (mathematics) Ideal (ethics) Flag Energy level Software framework Physical system Vulnerability (computing) Dependent and independent variables Arm Information Forcing (mathematics) Keyboard shortcut Physical law Cyberspace Type theory Message passing Arithmetic mean In-System-Programmierung Order (biology) Self-organization Perfect group
Game controller Group action State of matter Cybersex Range (statistics) Coroutine Revision control Malware Strategy game Military operation Operator (mathematics) Energy level Hill differential equation Proxy server Information security Form (programming) Physical system Cybersex Area Addition Dependent and independent variables Arm Software developer Physical law State of matter Mathematical analysis Sound effect Range (statistics) Denial-of-service attack Group action 1 (number) Integrated development environment Octave System programming Aerodynamics Musical ensemble
Cybersex System call State of matter Forcing (mathematics) Cybersex Nichtlineares Gleichungssystem Musical ensemble Office suite Cyberspace Equivalence relation Dimensional analysis Force
Ramification Email Presentation of a group INTEGRAL State of matter Cybersex Time zone Cyberspace Mereology Power (physics) Revision control Strategy game Term (mathematics) Analogy Operator (mathematics) Personal digital assistant Utility software Information Extension (kinesiology) Traffic reporting Punched card Physical system Data integrity Cybersex Source code Operations research Time zone Dependent and independent variables Email Information Physical law Computer network Leak Software Personal digital assistant Order (biology) Object (grammar)
State observer Group action Building Presentation of a group State of matter INTEGRAL Multiplication sign Cyberspace Insertion loss Perspective (visual) Formal language Analogy Kinematics Ultrasound Physical system Cybersex Area Software developer Keyboard shortcut Sound effect Physicalism Connected space Category of being Type theory Arithmetic mean Normal (geometry) Right angle Resultant Row (database) Point (geometry) Web page Slide rule Maxima and minima Thresholding (image processing) Theory Number Revision control Operator (mathematics) Data structure Form (programming) Time zone Dependent and independent variables Standard deviation Information Weight Physical law Expert system Independence (probability theory) Planning Word Universe (mathematics) Statement (computer science) Musical ensemble Table (information)
so without any further ado this is talk number two today we have two more talks tomorrow I've introduced honors he's going to take care of our musical scales of cyclo voice take it away welcome my name is Shauna and I'd like to thank the data duplication village for this opportunity to share my research with you on the log or in cyberspace but more importantly I'd like to thank you for taking time out of your schedule today from DEFCON to share that with me to learn about the musical scales of cyber warfare so whether your background is in law Technology Policy or academia this is a beginner's guide to understanding the basic legal principles that drive cyber international conflict now you might be wondering why did she use a music analogy well the American poet Longfellow wrote that music is the universal language of mankind so by using that analogy here I hope to engage a broader cross-section of the community to discuss these issues by bringing more participants more cyber stakeholders to the table we can better strategize how to mitigate conflict in this domain and strategize for peace now if you do have a basic understanding of how to play the piano you will be at a slight advantage but if you don't that's perfectly fine not only will you walk away from this presentation with an understanding of the basic principles of war how to play the piano so only at DEFCON would you get both of those in terms of my research work on this I compiled this while working as a postdoctoral fellow at the Harvard Kennedy School Belfer Center Cyber Security Project this presentation will also draw up draw upon my research work which I published with the Houston Law Review on mine so with the preliminaries out of the way let's dig in
for terminology now the main takeaway point from was developed by a group of government experts internationally offers under Rule 30th the following definition a cyberattack is a cyber operation whether offensive or defensive that is reasonably expected to cause injury or death to persons or damage or destruction to objects so what do we have here in this definition we have the loss of human life and then some form of physical damage but what about data with this talk after all is for the data duplication village it would seem remiss to not at least mention harm to this form other scholars have advocated for less of the preoccupation with direct physical effects and a broadening of that harm spectrum to include data specifically professor Matthew Waxman at Columbia Law University had the following to say he said that a cyber attack should include the effort to alter disrupt or destroy computer systems networks information or programs on them but to present to you the other side of the debate there are others saying timeout here the problem isn't that we don't have an international legal definition of what is a cyber attack the real problem is that we don't have a consensus on what misconduct and cyberspace needs to be stopped and I'd like to read to you some comments from Senator Mark Warner that he offered several months ago at the National Security Agency's law day which are available on law fairs blog Senator Warner removed the lack of clarity on what cyber activities are tantamount to an attack and he said that failing to articulate a clear policy and to set expectations about when and where we will respond to a cyber attack isn't just bad policy it's downright dangerous so I highlight to you these different definitions these different visions of what a cyberattack should be defined as to underscore the point that this field is very much still in development and I commend you for taking the time today to learn the basic principles it will be worth your time
next up cyber operations continuing with the music analogy consider a cyber operation as one instrument in a grand Symphony Orchestra of power the maestro take your pick of a state actor or a non-state actor cues the cyber section sometimes in conjunction with other sections to produce the right pitch that can be a political effect of social effect military effect economic it works together now the US Department of Defense categorizes cyber operations in three areas there's offensive cyber operations which are about projecting power to your adversary then there's defensive cyber operations which is about protecting data networks and the information on them last but not least you have Department of Defense Information Network operations now if you're wondering how gray zones fit into this hold on we will get to that area it is very exciting more to come on that the
US Supreme Court justice Oliver Wendell Holmes jr. remarked that the right to swing my fist ends where the other man's nose begins now apart from sounding like a code of conduct for an 18th century gentleman's Fight Club this is actually and with that we can finally turn to our first note on the
piano keyboard we have middle C so just as your your first point when you're learning how to play a song on the piano you place your thumb on middle C similarly here your first starting point the United Nations Charter and customary international law so I'll be building upon that analogy now I'm going to no set of indicators or formula on what is a cyberattack correction please on what is the use of force we do have some clarity we have some common examples and I'd like to read to you Herald COEs description of those three examples he was a former legal adviser to the US State Department mr. Coe said that the following constitutes a use of force in cyberspace one operations that trigger a nuclear plant meltdown two operations that open a dam above a populated area causing destruction and three operations that disable air traffic control resulting in plane crashes so what do these three examples share in common will they all reference some form of loss of human life or catastrophic damage next turn to the right of self-defense how do we define an armed attack in this situation well we need to turn to our first case law which was decided in 1986 by the International Court of Justice was a case called Nicaragua versus the United States while the International Court of Justice did not explicitly define an armed attack it did describe the general nature as the following acts which can be treated as constituting armed attacks specifically if such operations because of its scale and effects those are the keywords and will be echoing them throughout this presentation because of its scale and effects would have been classified as an armed attack rather than as a mere frontier incident had it been carried out by regular armed forces thus the scale and effects of an operation are requisite inputs for evaluating an armed attack which in turn provides the legal basis for the victim take victim state to respond under Article 51 one point I'd like to highlight before we go any farther on the musical scale but just like in music theory you have a treble clef and a bass clef playing piano notes that guide the player on what notes to play here we have two different legal regimes we have the use Belem and the use and bellow now for those of you that are frightened by the latin phrases you could think of it as use one that is the preliminary phase the right leading up to more then there's a triggering event and then we have the UCM bellow the law governing how war is carried out you can think of it as used to with that we are ready to move on to our first scale octave set
one which is how if states evaluate an armed response to an aggressive act in cyberspace step one the victim state needs to evaluate what type of harm was produced here we have the de minimis damage or injury threshold how I like to conceptualize it which might be helpful for you when I see de minimis damage or when I hear armed attack I think high level destruction it's an easy way just to cut to the width here did the state suffer a de minimis damage high level destruction in the form of a cyber attack now that analysis is going to take in a variety of factors we're going to look at the time place manner surrounding circumstances and not all that will be known at the time of the attack so it is a flexible analysis but assuming that we have an act that does rise to that level of being an armed attack next step we need to be able to identify the proper legal basis under international law to respond with force now if the US is performing this analysis we also need to ground it in domestic law such as the War Powers Resolution act now one point I'd like to highlight here is that the majority view an international community which is beautifully summarized by Michael Schmitt who's a professor at the UN at the sorry at the Naval War College said that all armed attacks are use of the force but not all uses of force are armed attacks the u.s. however does not subscribe to this view in the use ad bellum the preliminary phase we equate a use of force with an armed attack so we've had said if the state has determined that there is not but not from damage to rise that level of being armed attack and what are their options then well they have two modes of recourse they can appeal to the United Nations Security Council under Article 39 and they can employ non-forcible countermeasures and what I mean by that is economic sanctions diplomatic efforts and also legal sanctions and we've seen this in practice in January 2017 the US Department of Justice issued indictments against several Iranian hawkers for engaging in impermissible cyber activities with ties imputed to the state and also we saw the Department of Justice issue sanctions and indictments against China several Chinese hackers for engaging in commercial economic espionage we thought we can move on to our second scale of
anticipatory self defense so this scale in yellow you'll notice a pattern that will be going out on the keyboard here this scale displays the range of permissible activity when a state is evaluating how to respond anticipatorily now the US Army law of armed conflict desk book defines it as follows it's force that's justified anticipation of an imminent attack and imminent that is the key word here to emphasize the difference between a permissible act of a dissipate ory self defense and an impermissible act of preventative self defense lies in the state's ability to demonstrate a decision by the aggressor state to attack it for anticipatory self defense to be lawful there is a high standard of proof and rightly so this requirement goes beyond merely preferring evidence of the state's hostile intent but also evidence of some pending attack so there's a temporal requirement there that needs to be met do not end the complexities of carrying evidentiary standards with attribution in reality makes this a difficult analysis for the state to do in a timely manner when faced with an imminent attack so I will need to pivot here to disgust attribution well this could be a talk in and of itself there's a misconception what I'd like to clear up
attribution is not a plain vanila constructs in fact it comes in a variety
of flavors now these flavors these frameworks if you will were developed by they've proposed for different attribution frameworks and the reason why I'm taking the time to go over these is that the next time you hear the term bandied about when he critically think about what type of attribution framework that speaker is referring to let's start with perfect attribution now in this type of system the attribution challenge doesn't exist attributes of the sender and recipient are known to both in a timely fashion and at little cost to the investigating party so in this type of world we can imagine the surveillance state being happy with this type of outcome and whistleblowers and activists being at a disadvantage because everything has knowable in real time perfect non attribution turning to the second one it's the complete opposite of the first one here we can imagine that whistleblowers and activists will be happy because they have the perfect non attribution the protections of anonymity the surveillance state not being happy with that outcome third perfected perfect selective attribution here the actor wants attributes known to some entities but not to others so there's a freedom of choice here that is key to the third system and in this system you can disclose to your intended party your name organization your Internet Protocol address and also your ISP fourth you have false attribution this would be the ideal petri dish for waging false flag operations so here it's over populated with digital straumann or you can determine some attributes of the message or the actor but can you really trust it can you really go off on that information to be true so having highlighted those attribution frameworks we're going to turn back to our keyboard
and have an example of how this would work in theory so imagine if you will an oculus states eyes electrical grid was attacked by nefarious State End and accurately attributed to state n now in order for state I to be entitled to a use of force against state n under international law there are three requirements that must be met so let's take these in turn one the victim state's opponent must have decided to actually exploit that systems vulnerabilities to the strike is likely to generate consequences at the armed attack level and three the victim state must immediately act to defend itself unless all three of these requirements are met then state eyes response would not be restricted to only non forceful responses such as economic sanctions or legal action also any acts you defend yourself in cyberspace if you are a state has to be grounded in two principles of necessity and proportionality proportionality being you can't escalate the amount of force to counter that threat or that attack and then you have necessity which is doing your due diligence to ensure that you've exhausted all of their peaceful means of resolution in order to protect yourself in cyberspace to protect your state all right with that we're moving
to octave set three now this is the most difficult one to explain and I'll explain why because it involves the doctrine of state responsibility so with this let's charge the hill it does get easier from here now this orange octave label here this demonstrates the range of state action that may be somewhat permissible and the reason why I'm emphasizing it and saying it like that is that the surrounding circumstances will including the scale and effects of the operation and the legal status of the aggressor will influence how the victims day can respond and here the range of qualifying hostile cyber activity can rain from writing and executing malicious code launched a distributed denial-of-service attack providing malware or other cyber tools to party of the conflict and the state's analysis is further complicated when there are cyber proxy actors involved in addition to that that group might be constantly receiving the financial support or other forms of support from a state entity now turning to the doctrine of state responsibility the 2018 u.s. Department of Defense's national defense strategy summary makes clear that states are the principal actors on the international stage however non-state actors also threaten the security environments with increasingly sophisticated capabilities so here armed attacks from non-state actors how how would a state evaluated that well ultimately the legal analysis hinges on the doctrine of state responsibility and the International Court of Justices analysis and recommendation has been to evaluate whether an armed attack the high level destruction waged by a non-state actor can ultimately be imputed back to the state thus if the state has effective control over the cyber operation waged by a non-state actor then responsibility can be imputed back this is a flexible area that's still undergoing development it's one of the most difficult to explain on the scale but with some knowledge of how the doctrine of state responsibility operates hopefully that provides us with a good groundwork to evaluate this going forward last but not
least we have our final scale here these are musical notes that you kill cannot play on the scale that you will not play preventative self defense employed to counter non imminent threats is illegal under international law you also have access don't amount to high-level disruption and what Professor Gary Solis at Georgetown University Law Center has classified as cyber intrusions it's a cyber operation short of an attack in in other states cyber systems you can think of routine intelligence-gathering cyber theft activities that don't amount to the level of an armed attack so
putting this all together [Music]
but you might ask that's all fine a little but what if the state cyber punch doesn't amount to a use of force well I'm no rod serling I would say we've entered into a fifth dimension in an office realm between peace and war in short Nick's up ahead
but lately though again I'm no rod fairly it's amazing what you learn in law school though okay so I like to use this analogy of the twilight zone to help highlight the ambiguity between the amorphous rail between peace and war where you have an act in cyberspace that doesn't amount to a cyber punch in the face it's not high-level destruction but it's still disruptive it's not intrusion so it's that amorphous middle ground between the two you might have heard the term grey zone or gray zone tactics now
in 2015 US Army Special Operations commander Joseph Attell testified before the House Armed Services Committee talking about gray zone tactics describing them as tactics that actors leverage as part of a strategy campaign that seeks to secure their objectives while minimizing the scope and scale of actual fighting it's pretty brilliant when you come to think about it where it doesn't toll that going past de minimis damage however it's still disruptive and it can still deal a blow to your opponent now some place examples of this and 2014 we're all very familiar with North Korea's intrusion into the networks of Sony Pictures Entertainment here are the perpetrators deleted deleted critical information to the extent that it irreparably damaged some of Sony's infrastructure indeed the 2015 US Department of Defense's cyber strategy report references this Sony hack as an example of the political utility of cyber operations this case demonstrates how cyber operations can present an opportunity for revisionist state actors to challenge the geopolitical status quo you can affect your opponent's IP you can deliver that blow with a relatively low risk of retribution and financial cost another more recent example involves the July 2016 email leaks from the US Democratic National Committee and Russia's involvement in undermining the integrity of the 2016 US presidential election and disinformation campaigns so what is the future of Twilight's own conflicts ultimately states that employ great tactics in cyber operations you don't need to be successful and actually infiltrating the system in order to further your revisionist ambitions rather the sheer ramifications from the cyber act in and of itself has the power to disturb the nation's psyche and to grab that that international spotlight and attention to challenge the geopolitical status quo that you are a power to be listened to and reckoned with going forward a significant challenge for the United States and for other countries is how to develop tactics that can counter gray gray zone tactics it's one that we won't reach the answer to in this presentation but we've seen the United States at least respond by pursuing economic sanctions legal indictments and other diplomatic efforts to damper gray zone tactics but again it's it's one that is ongoing now this is the visual summary
[Music] [Music] No there are thinking there are consequences to those actions and going back to longfellows words that music is the universal language of mankind here it is the hope in this presentation by drawing on this analogy that a piece of it resonates with you and that by endeavoring to understand the basic principles of law through music we can collectively strategize for peace and also may the euphonium sound of peace always appeal to our ears so I thank you for your attention today I have a handout on this musical piano legal guy that I will be distributing I understand also that I am the last speaker of the day and I stand between you and a lovely dinner in Vegas which is quite dangerous so by all means if you need to leave I understand if you have questions you're more than welcome to stay as well and I'll be passing out these handouts thank you for your attention so any questions there we go that's true so the question asked by the gentleman in blue was the minimus damage threshold standard that we have that there must be some high-level form of destruction does that harm us from capturing your question right does that harm us when we have an attack that is equally disruptive but you don't have a loss of human life or a physical structure wasn't damaged but you have the degradation of data and it goes back to the the second slide that I had up there that the that the definition that currently carries weight is that it has to be tied to a loss of human life or physical kinetic effects and I agree with you that that type of notion of trying to shoehorn kinetic damage into this this new medium of warfare is harmful we we can see how that scenario that you gave more attack on with Wall Street would produce very harmful effects and while it doesn't result in the loss of human life it does have this cascading effect that can spill over into other sectors I wouldn't be surprised if those areas of the us's structures would be classified as protected critical infrastructure so that if attack were made upon that that signals this was protected you attacked it now we will respond in a time place and manner of our choosing it wouldn't necessarily be confined to cyber but the u.s. would respond to protect its critical infrastructure and in 2017 then DHS secretary jeh Johnson classified election systems as critical infrastructure to signal to the international community thank you for your question [Music] thank you so that is an excellent point and the piece on sovereignty the gentleman had asked what about accent cyberspace that undermine political sovereignty or the the integrity or political independence of that state and I I think that's an excellent point that you've raised an article to four could be a strong point to underscore that and granted this is all very flexible and still in development but that perspective needs to be heard thank you yes yeah very dynamic when I was conducting this research the idea of gray zone tactics I hadn't considered when I first developed the cyber scale so that's why I now 2018 I tacked it on as a separate slide to you describe how this keyboard is still flexible to envelope that but also highlight that there's no international legal definition on what is a cyberattack and here we've conceived out the difficulties referencing what about cyber acts and undermine political sovereignty true there's no loss of human life there isn't high-level destruction but it's still disruptive so how how can the law be developed to embrace that unfortunately if it was very oh I guess it's a mixed blessing actually the law is very slow and involving to adapt to the pace of Technology and that's your questions today that is why I developed this presentation so we can have that type of dialogue because it's not being had here so this is this is perfect that were or each seen at different pieces of the elephant here and a legal definition or some other cyber doctrine that can account for these nuances but still be breathable to absorb new developments that's the goal so thank you yes former CIA plan rather than retaliated to three states [Music] so that's a valid critique that you've raised here nice words on the page but in reality there seems to be a disconnect and how these come together not commenting politically on the statement that you raised I'd like to highlight a general principle that speaks to that disconnection and this is from Madeline overall in her book the mighty in the all the mighty and the Almighty she reasons that well countries often do take action outside the UN guidelines which you just raised despite such violations the standards in the Charter remain relevant and she reasons that justice loss against murder remained relevant even though murders are still committed that that is the best response that I can offer to your comment recognizing thank you if I understand your question correctly you're asking about with psychological operations fallen yes so psychological operations would fall into gray zone so grey zone tactic subversion sabotage economic coercion information warfare psychological operations yes that does fall into that category yes hi Joe thank you for that observation the observation that a gentleman made was that there's a group of international governmental experts that created the Tallinn manual who's actually choose Tallinn manual one and then point to the first one talking about cyber conflict in a war setting he had raised that Wow it's international you don't have participation from all international even participation from all members of the international community all members of the United Nations Charter how to bring them to the table I don't know it's too bad that we can't have participation from everyone you can from a liberal s standpoint international theory we want buy-in from all countries to develop these norms that will guide us towards peace but in reality if some players don't want to participate in this type of a form of thinking that well if I do that I have more to lose potentially speaking hypothetically I don't know how you rebut this row but that other than with facts and with a large number of states coming together hopefully there's a bandwagoning effect that more states would want to join in to support this type of a dialogue and definition creation okay that's the first that I've heard of it so it sounds like one fact that what Chinese faction decided to break off and develop their own discussion on cyber norm building interesting we'll see where it comes without and one would hope that in the spirit of international cooperation that when you have these states come together that they would stay committed to trying to develop some consensus I suppose it's inevitable at some groups will form off and create factions but thank you for for raising that if there are no further questions again thank you all for your time I appreciate it