Last week I attended a series of seminars as part of the Securing our Future in Cyberspace Conference hosted by the Australian National University. This gave me inspiration for new material to teach ICT Ethics at ANU. Here is a draft. Comments are welcome:
Unclassified. All Scenario Data is Notional and For Exercise Only
Cyberwar: Hypothetical Scenario for Teaching ICT EthicsBriefing by Cyberspace Operations Wing at Headquarters Joint Operations Command (COW/HQJOC), 12:30 Zulu 1 April 2017:
"At 02:20 Zulu, 1 April 2017, one of our maritime surveillance aircraft was reported missing. The aircraft was conducting a freedom of navigation flyover on one of the reefs, subject to claim by several nations. The last recorded radio transcripts are:
Maritime Surveillance Aircraft
- OPFOR: "Unidentified military aircraft, you are entering a restricted zone. Turn now to avoid unfortunate consequences.
- OURFOR: We are over international waters, in accordance with accepted law.
- OPFOR: Unidentified military aircraft, turn back now. This is your last warning.
- OURFOR: Mayday, Mayday, Mayday, this is Surveillance One Zero Five Charlie Delta, one zero zero kilometers South East of ... " [Transmission ends]
Intercepts from our new signals intelligence (SIGINT) aircraft, which was on a test flight in the area, reported signals from a fire control radar, shortly before communication was lost.
The radar was in test mode, however, the older radar warning receiver in our maritime surveillance aircraft is not sophisticated enough to distinguish a test signal from a real attack.
SAM Fire Control Radar
Our aircraft's flares and electronic countermeasures were activated. This may have been mistaken for the launch of a cruse missile, which our aircraft can carry (but was not).
A surface-to-air missile (SAM) was launched and our aircraft appears to have crashed while maneuvering to avoid the missile. The crew have been rescued by a civilian vessel, but have not yet been debriefed.
SAM Transporter Erector Launcher
The media are reporting that one of our unarmed aircraft has been shot down and the Government has asked for military options to respond. The best kinetic solution is a precision air attack on the missile batteries, guided by special forces landed from a submarine, which is already on station. However, the government has also asked for a cyber option which would disrupt the opposing force's systems, show our national resolve, but avoid casualties.
It is proposed to target the opposing force's electronic control systems. This is expected to disable electrical systems and cause some local electrical fires. Our intelligence assets in the area will arrange for video of the damage to be posted to social media, for maximum news value. We will be working with civilian government personnel with special expertise, to prepare a human factor attack on their Internet of Things (IoT).
Unclassified. All Scenario Data is Notional and For Exercise Only
What Will You Do?Suppose you are a Senior Incident Responder (SRI) in the Digital Protection Group (DPG) at the Digital Transformation Office (DTO) of the Government. Your job is protecting the whole of government website. Recently you detected a sophisticated attack and boasted "we could turn that attack back on them!". So you are now asked to do just that, despite being a civilian employee.
You are reasonably sure you can mount a cyber-attack which will have the desired political effect: it will disrupt systems of the opposing force enough to cause public embarrassment to their government, with minimum risk of casualties. But can you be sure its effects will be confined to government systems, or to that country? What if the attack shuts down hospital in their country, or across the world?
Is it ethical to be involved in planning such an attack? Would your answer be different, if you are a civilian contractor rather than a government employee, or if you were a military officer? Note that the hypothetical scenario does not say what country is planning the attack, or who they are attacking: does it make a difference to your answer who is attacking who?
Note that you are not asked to become an expert on the Geneva Conventions or the laws of war. However, as an professional you need to be aware of the ethical implications of what you choose to do, or not do, in your work.
The Australian Computer Society's Code of Professional Conduct and Professional Practice, incorporating a code of ethics which requires all members to act with professional responsibility and integrity. How does that code apply to cyberwar? In decreasing order of priority, the ACS Code of Ethics lists:
- The Public Interest
- Objectivity and Independence
- Keeping Up-To-Date
- Responsibility to your Client
- Promoting Information Technology
- The Image of the Profession and the Society
DiscussionThe hypothetical scenario presented is based on real events. In 2015 an Australian military aircraft was challenged by radio while on patrol (Wroe & Wen, 2015). In 2010 the "Stuxnet" computer worm was released, apparently designed to destroy a nuclear processing facility, but spread world wide (Langner, 2011). In 2014 five military officers were charged with hacking to obtain trade secrets (Wechsler, 2016).
Henschke (p. 17, 2014) points out that "the purpose of a cyberweapon is to attack an information system in order to perpetrate harm". Ford (p. 7, 2014) provide a diagram to help decide how to respond to a critical infrastructure/high impact attack. This chart could equally used to plan an attack for maximum impact.
|Fictional day care centre |
(Page & Jean, 2013)
ReferencesFord, S. (2014). Warfare, cyberweapons and morality. In M. Keelty, A. Henschke, N. Evans, S. Ford & A Gastineau & L. West, Cybersecurity: mapping the ethical terrain. National Security College (ANU). Retrieved from http://nsc.anu.edu.au/documents/ocassional-paper-6-cyber-ethics.pdf
Henschke, A. (2014). A decision-making procedure for responding to cyber-attacks. In M. Keelty, A. Henschke, N. Evans, S. Ford & A Gastineau & L. West, Cybersecurity: mapping the ethical terrain. National Security College (ANU). Retrieved from http://nsc.anu.edu.au/documents/ocassional-paper-6-cyber-ethics.pdf
Langner, R. (2011). Stuxnet: Dissecting a cyberwarfare weapon. Security & Privacy, IEEE, 9(3), 49-51. Retrieved from http://ieeexplore.ieee.org/xpls/icp.jsp?arnumber=5772960
Page, F., & Jean, P. (2013, April 16). Free childcare scam aimed at intelligence staff. Sydney Morning Herald. Retrieved from: http://www.smh.com.au/it-pro/security-it/free-childcare-scam-aimed-at-intelligence-staff-20130415-2hwhq.html
Wechsler, P. (2016). Issue: Cybersecurity Short Article: China's Unit 61398 Pulled From the Shadows. Retrieved from http://businessresearcher.sagepub.com/sbr-1775-98146-2715481/20160201/chinas-unit-61398-pulled-from-the-shadows?download=pdf
Wroe, D., & Wen, P. (2015, December 15). South China Sea: Australia steps up air patrols in defiance of Beijing. Sydney Morning Herald. Retrieved from: http://www.smh.com.au/federal-politics/political-news/south-china-sea-australia-steps-up-air-patrols-in-defiance-of-beijing-20151215-gloc2e.html