Tuesday, February 23, 2016

Cyberwar: Hypothetical for Teaching ICT Ethics


Last week I attended a series of seminars as part of the Securing our Future in Cyberspace Conference hosted by the Australian National University. This gave me inspiration for new material to teach ICT Ethics at ANU. Here is a draft. Comments are welcome:
Unclassified. All Scenario Data is Notional and For Exercise Only

Cyberwar: Hypothetical Scenario for Teaching ICT Ethics

Briefing by Cyberspace Operations Wing at Headquarters Joint Operations Command (COW/HQJOC), 12:30 Zulu 1 April 2017:

RAAF P-3 Orion Aircraft, photo by 'Timothy' CC BY 2.0, via Wikimedia Commons
Maritime Surveillance Aircraft
"At 02:20 Zulu, 1 April 2017, one of our maritime surveillance aircraft was reported missing. The aircraft was conducting a freedom of navigation flyover on one of the reefs, subject to claim by several nations. The last recorded radio transcripts are:
  • OPFOR: "Unidentified military aircraft, you are entering a restricted zone. Turn now to avoid unfortunate consequences.
  • OURFOR: We are over international waters, in accordance with accepted law.
  • OPFOR: Unidentified military aircraft, turn back now. This is your last warning.
  • OURFOR: Mayday, Mayday, Mayday, this is Surveillance One Zero Five Charlie Delta, one zero zero kilometers South East of ... " [Transmission ends]
RSAF G550-AEW Aircraft, photo by 'Alert5', CC BY-SA 4.0, via Wikimedia Commons
SIGINT Aircraft
Intercepts from our new signals intelligence (SIGINT) aircraft, which was on a test flight in the area, reported signals from a fire control radar, shortly before communication was lost.

Chinese HT-233 SAM, photo by Max Smith, Public domain, via Wikimedia Commons
SAM Fire Control Radar
The radar was in test mode, however, the older radar warning receiver in our maritime surveillance aircraft is not sophisticated enough to distinguish a test signal from a real attack.

Our aircraft's flares and electronic countermeasures were activated. This may have been mistaken for the launch of a cruse missile, which our aircraft can carry (but was not).
Chinese HQ-9 SAM TEL, Photo by Jian Kang, CC BY 3.0, via Wikimedia Commons
SAM Transporter Erector Launcher
A surface-to-air missile (SAM)  was launched and our aircraft appears to have crashed while maneuvering to avoid the missile. The crew have been rescued by a civilian vessel, but have not yet been debriefed.

The media are reporting that one of our unarmed aircraft has been shot down and the Government has asked for military options to respond. The best kinetic solution is a precision air attack on the missile batteries, guided by special forces landed from a submarine, which is already on station. However, the government has also asked for a cyber option which would disrupt the opposing force's systems, show our national resolve, but avoid casualties.

It is proposed to target the opposing force's electronic control systems. This is expected to disable electrical systems and cause some local electrical fires. Our intelligence assets in the area will arrange for video of the damage to be posted to social media, for maximum news value. We will be working with civilian government personnel with special expertise, to prepare a human factor attack on their Internet of Things (IoT).

Unclassified. All Scenario Data is Notional and For Exercise Only

What Will You Do?

Suppose you are a Senior Incident Responder (SRI) in the Digital Protection Group (DPG) at the Digital Transformation Office (DTO) of the Government. Your job is protecting the whole of government website. Recently you detected a sophisticated attack and boasted "we could turn that attack back on them!". So you are now asked to do just that, despite being a civilian employee.

You are reasonably sure you can mount a cyber-attack which will have the desired political effect: it will disrupt systems of the opposing force enough to cause public embarrassment to their government, with minimum risk of casualties. But can you be sure its effects will be confined to government systems, or to that country? What if the attack shuts down hospital in their country, or across the world?

Is it ethical to be involved in planning such an attack? Would your answer be different, if you are a civilian contractor rather than a government employee, or if you were a military officer? Note that the hypothetical scenario does not say what country is planning the attack, or who they are attacking: does it make a difference to your answer who is attacking who?

Note that you are not asked to become an expert on the Geneva Conventions or the laws of war. However, as an professional you need to be aware of the ethical implications of what you choose to do, or not do, in your work.

The Australian Computer Society's Code of Professional Conduct and Professional Practice, incorporating a code of ethics which requires all members to act with professional responsibility and integrity. How does that code apply to cyberwar? In decreasing order of priority, the ACS Code of Ethics lists:
  1. The Public Interest
  2. Integrity
  3. Confidentiality
  4. Objectivity and Independence
  5. Competence
  6. Keeping Up-To-Date
  7. Subordinates
  8. Responsibility to your Client
  9. Promoting Information Technology
  10. The Image of the Profession and the Society
There will be a question on this topic in the examination.

Discussion

The hypothetical scenario presented is based on real events. In 2015 an Australian military aircraft was challenged by radio while on patrol (Wroe & Wen, 2015). In 2010 the "Stuxnet" computer worm was released, apparently designed to destroy a nuclear processing facility, but spread world wide (Langner, 2011). In 2014 five military officers were charged with hacking to obtain trade secrets (Wechsler, 2016).

Henschke (p. 17, 2014) points out that "the purpose of a cyberweapon is to attack an information system in order to perpetrate harm". Ford (p. 7, 2014) provide a diagram to help decide how to respond to a critical infrastructure/high impact attack. This chart could equally used to plan an attack for maximum impact.

Screen image of the web page for the fictional Concinna Day Care Centre
Fictional day care centre
(
Page & Jean, 2013)
Cyber-warfare attacks do not necessarily need sophisticated computer code. Human factor attack, where someone within the organization being attacked is tricked into providing information or access. In 2013 invitations to apply to a supposed government endorsed child care center were sent to employees of an intelligence agency. An attached form was designed to collect personal information which could be used for later attacks (Page & Jean, 2013).

References

Ford, S. (2014). Warfare, cyberweapons and morality. In M. Keelty, A. Henschke, N. Evans, S. Ford & A Gastineau & L. West, Cybersecurity: mapping the ethical terrain. National Security College (ANU). Retrieved from http://nsc.anu.edu.au/documents/ocassional-paper-6-cyber-ethics.pdf
Henschke, A. (2014). A decision-making procedure for responding to cyber-attacks. In M. Keelty, A. Henschke, N. Evans, S. Ford & A Gastineau & L. West, Cybersecurity: mapping the ethical terrain. National Security College (ANU). Retrieved from http://nsc.anu.edu.au/documents/ocassional-paper-6-cyber-ethics.pdf
Langner, R. (2011). Stuxnet: Dissecting a cyberwarfare weapon. Security & Privacy, IEEE, 9(3), 49-51. Retrieved from http://ieeexplore.ieee.org/xpls/icp.jsp?arnumber=5772960
Page, F., & Jean, P. (2013, April 16). Free childcare scam aimed at intelligence staff. Sydney Morning Herald. Retrieved from: http://www.smh.com.au/it-pro/security-it/free-childcare-scam-aimed-at-intelligence-staff-20130415-2hwhq.html
Wechsler, P. (2016). Issue: Cybersecurity Short Article: China's Unit 61398 Pulled From the Shadows. Retrieved from http://businessresearcher.sagepub.com/sbr-1775-98146-2715481/20160201/chinas-unit-61398-pulled-from-the-shadows?download=pdf
Wroe, D., & Wen, P. (2015, December 15). South China Sea: Australia steps up air patrols in defiance of Beijing. Sydney Morning Herald. Retrieved from: http://www.smh.com.au/federal-politics/political-news/south-china-sea-australia-steps-up-air-patrols-in-defiance-of-beijing-20151215-gloc2e.html

Videos

Department of Defence. (2014, March 18) Royal Australian Air Force AP-3C Orion maritime patrol aircraft. Department of Defence. Retrieved from https://video.defence.gov.au/play/3267#

This presentation contains images that were used under a Creative Commons License. Click here to see the full list of images and attributions: https://link.attribute.to/cc/1584914

2 comments:

  1. which code of ethics is involved? (ethics is not an absolute given). The first reference already presumes "warfare" as the context in which this is framed. As I understand it, various legal frameworks distinguish a state of declared war from non-war.

    ReplyDelete
  2. Chris, the hypothetical is for the ICT profession, so their codes of ethics apply. This is covered in the course notes: http://www.tomw.net.au/technology/it/professional_ethics/

    ReplyDelete