❖ This perspective paper explores the past, present, and future of cyberconflict for Cambodia and on the global scale. The components of cyberconflict will be discussed in terms of resources and actors, tools, and frameworks. Key interactions within the cyberspace include logical, physical, and psychological methods, and the exploitation, attack, and defense of computer networks.
❖ Challenges that arise in the field of cyberconflict concern governance and ethics. Cyberconflict laws must be forward-looking and preventative, rather than reactive, as technology moves at a much higher speed than policymaking. Ethics in governing the international cyberspace can be extrapolated from traditional pillars such as the “Laws of Armed Conflict” (LOAC) and “Just War Theory”, but adjusted within the context of emerging technologies.
❖ The following policy options for Cambodia could potentially help in preparing for cyberconflict in the future:
The nature of international conflict between nations is rapidly evolving; the players, the field of battle, the tools, and the resources we are fighting for. This paper will explore key interactions and actors involved in the cyberspace, including examples of past incidents of cyberconflict around the world. Although policies that govern these types of interactions in the cyberspace are still new and unrefined, we could use methods from traditional conflict to analyse them to a certain extent. We can prepare for the future of cyberconflict by combining our knowledge of previous fundamental theories of conflict, past incidents of cyberconflict, and contemporary domain knowledge of the cyberspace. The following are definitions that will distinguish key terms:
The term “cyberwarfare” could be considered a misnomer, as cyberattacks on the global scale have not yet been treated as official acts of war. Throughout this paper, “cyberconflict” will reflect a more neutral stand of an act of cyberwarfare, which has a more offensive connotation.
Cyberconflict involves the use of technology to harm another nation or its digital infrastructure. This new age of conflict can be broken down into: (1) Resources and Actors, (2) Tools, and (3) Frameworks.
(1) Resources and Actors
Today’s most valuable resource is data. Previous conflicts were over tangible resources such as currency, land, and oil, but cyberconflict marks the beginning of conflict over intangible resources. This battle takes place in the cyberspace, where traditional boundaries of combat and operations have completely changed. It no longer matters where we are on land, sea, or air, as long as we have access to digital infrastructure – making strategic moves borderless and instantaneous. Actors involved in cyberconflict are of a new profile, not specifically trained, but with general computing and security backgrounds.i We are witnessing the emergence of various types of non-state actors.
The tools used now are not only of physical and psychological nature, but logical as well. Logical tools are related to understanding Computer Network Operations (CNO) and how they can be used to access or manipulate systems, with malicious intent. Physical tools refer to those that would damage Supervisory Control and Data Acquisition (SCADA) systems that are crucial to all industrial processes. Psychological tools concern social engineering, where individuals or organizations are targeted, in attempt to extract confidential information and access their computer networks.
If we look at the bigger picture, Computer Network Exploitation (CNE) acts as a strategic framework that plans the utilization of the aforementioned logical, physical, and psychological tools from start to finish. This form of reconnaissance or espionage first identifies relevant targets that potentially hold key information, in order to plan a future Computer Network Attack (CNA) or Computer Network Defense (CND). A CNA consists of different phases: reconnaissance, scanning, system access, privilege abuse, data extraction, system assault, and trace removal. CND concerns security awareness and training, with regards to protecting data and information. The key principles of the cybersecurity framework are represented by confidentiality, integrity, and availability (CIA), and authentication, authorization, and auditing (AAA).iii These components are used to evaluate the security of data and information security within a system.
Given this new hybrid of actors, resources, and interactions, how do we interpret cyberattacks compared to physical attacks? Can states respond to “soft” force in the form of cyberattacks, with the use of kinetic military force? How do we distinguish or measure the magnitude of cyberconflict?
Legal systems vary from nation to nation, in dealing with matters of cyberconflict. The main challenges that arise from addressing issues of cyberconflict are related to: (1) Governance and (2) Ethics.
The fundamental challenges in cyberconflict are similar to those in traditional security, just in the context of the cyberspace. How can lawmakers strengthen existing legal frameworks to address issues related to this new age of interactions? Cyberconflict laws that are being newly formed should promote “confidentiality, integrity, and availability of public and private information, systems, and networks.” Furthermore, these regulations should incentivise the protection of individual rights and privacy, economic interests, and overall national security.iv These forward-looking laws should prevent future incidents, which is more sustainable than deciding punishments for past incidents. Technology is advancing at a much faster rate, than laws are being made to govern cyberconflict. Therefore, policymakers should focus on preventive measures, rather than reactive.
Aside from adopting a forward-looking approach in governing cyberconflict, ethical issues are of paramount importance. Just as with traditional forms of conflict, ethics govern the justifications of actions carried out during conflict. However, controversy arises as different nations sometimes have contrasting ethical standards. For example, China and Russia believe in national cyber sovereignty, as opposed to the free flow of information promoted mainly by the Western world, led by the US. These opposing paradigms underlie the situational ethical differences that contribute to the tension between these nations. Before discussing the ethics of cyberconflict, it would be helpful to explore the ethics of traditional conflict, as a conceptual framework to assess these situations. This comparison could potentially address the ethical gaps between the physical world and the cyberspace. The two main concepts concerning the ethics of traditional conflict are: A) “Laws of Armed Conflict” and B) “Just War Theory”.
A) “Laws of Armed Conflict” (LOAC)
Military decisions can be ethically assessed in accordance to the LOAC, consisting of four core principles: (1) distinction, (2) military necessity, (3) humanity, and (4) proportionality.
(1) Distinction traditionally requires soldiers to distinguish between enemy fighters and civilians, and military objects and civilian objects. This pre-determined distinction guides soldiers to target enemy fighters and military objects, and avoid civilians and civilian objects.
(2) Military necessity limits soldiers to use force only when necessary to complete a specific mission, that will benefit their side by weakening their enemy’s defense in some measure. However, attacks must align with all four principles of the LOAC. For example, military necessity should not violate the principle of humanity, concerning unnecessary suffering.
(3) Humanity protects combatants against harm that is not necessary to complete a military mission. All people regardless of sides, should be treated humanely and not have to endure any form of torture or preventable death.
(4) Proportionality concerns the balance between military necessity, against distinction and humanity. The main concern is to reduce collateral damage caused by tools on civilians or their property. An attack would be justified in this context, if the collateral damage is not excessive in comparison to the military advantage gained.
Although highly subjective, it is useful to have an assessment criterion in place, so that all aspects of a military decision are first weighed out before executing the plan.
B) Just War Theory
Furthermore, the contemporary “Just War Theory” discusses the views of revisionists and traditionalists. While traditionalists focus more on moral principles such as the LOAC, revisionists prioritise pragmatism. These contrasting views determine whether starting a war is justified, in addition to the conduct in war. Following the war, the moralist of settlement and reconstruction should also be considered. A certain extent of pragmatism could justify a war, if the practical benefits would outweigh the consequences, despite opposing theoretical views.
Given this structured approach to examining traditional military issues, how can we contextualise this framework to appropriately govern cyberconflict? Now that we are dealing with intangible components, the subjective matter of evaluating conflict becomes ever more complex.
Past Incidents of Cyberconflict
To get a better understanding of the nature and potential consequences of cyberconflicts, it would be useful to explore the implications of a cyberattack, by one nation on another. Although the validity of these accusations may sometimes be controversial depending on the origin of the news source, the threat of cyberattacks are real and should not be neglected. A few examples of significant accusations of cyberconflict are provided below to illustrate these threats, involving: (1) China-Philippines (2) Russia-US, and (3) US-Iran.
Starting in 2012, at the heat of South China Sea conflict, a chain of cyber retaliations between Chinese and Filipino hackers was triggered through induced corruption of academic websites, use of remote access Trojan malware.vii These series of attacks demonstrate how traditional conflict in terms of geopolitical tension, during the South China Sea dispute, can lead to a series of cyberconflicts.
During the 2016 US presidential elections, a group of Russians allegedly interfered with the process by means of ‘information warfare’, through social media. They used Virtual Private Networks to link their operations back to computers in the US. These cyberattacks occurred in a context of intense rivalries among candidates to the Presidency. These alleged cyber activities are now under investigation, given recent attempts to impeach President Trump.viii This past incident highlights the powerful nature of social media on the general public, and how key decisions can be influenced at the national level.
In June 2019, the US allegedly carried out a cyberattack on the database of Iran’s Islamic Revolutionary Guards Corps. This attack on Iran’s intelligence systems caused them to lose data and their capabilities were taken offline. The purpose of this mission was to temporarily hinder Iran’s ability to target commercial vessels and oil tankers travelling through the Persian Gulf.ix In a way, this cyberconflict could be seen as a case of the “security dilemma”, translating into the cyberspace. The physical military assets from Iran created fear and tension, instigating the US to carry out a cyberattack on the Iranian database, as a preventive measure against any physical attack.
Cambodia is experiencing peak development and growth in the digital era and should prepare against potential cyberconflict, by learning from past incidents from around the world. Currently, there is no legal framework or clear specialised leadership to govern and protect Cambodia’s cyberspace. Due to the lack of a comprehensive platform connecting the appropriate actors and policies, Cambodia is vulnerable to cyberconflict from all angles. Based on the aforementioned incidents of cyberconflict and the current status of Cambodia’s strategy, policy options can be formed to address the future of cyberconflict in Cambodia and in ASEAN. Cambodia should:
(1) Raise awareness to policymakers on the consequences of cyberconflict and the need of a national cybergovernance strategy,
(2) Integrate computing and security expertise through education and training, and
(3) Partake in regional dialogue to contribute to an ASEAN Cyberconflict Treaty.
1) Raise Awareness
Given the insecurity and paranoia that surround cyberconflict, the first step in addressing this issue of national security is raising awareness to policymakers, about its potential consequences. In November, Cambodia hosted a conference, Cyber Security Asia (CSA) 2019 in Phnom Penh. According to Haji Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia, a guest speaker at CSA, “ASEAN is the world’s fastest-growing internet region, with the user base forecasted to reach 480 million by 2020.” The Cambodian society is becoming exponentially more connected, improving their productivity through faster communication of data and information. However, this rapid technological adoption comes at a price, translating into higher vulnerability to cyberattacks on individual devices. Local events such as CSA 2019 will raise awareness of cybersecurity and its implications on national security.
Furthermore, A.T. Kearney, a global management consulting firm in the US, stated that “In 2017, ASEAN countries collectively spent only 0.06 percent of their GDP, or $1.9 billion on cybersecurity which was in contrast to the global average 0.13 percent.” More specifically, CyberSecurity Malaysia is aiming to produce 10,000 security professionals.xi These regional initiatives highlight the importance of preparing professionally trained security experts.
If Cambodia is unprepared for cyberconflict in the short term, the nation should not be afraid, but instead stay focused and learn from its regional partners. Cambodia has a young and tech- savvy population, which is ideal for keeping up-to-date with technological trends, along with their consequences. Thus, tailored education and training will be essential to provide conceptual knowledge and practical experience to the upcoming generation of Cambodians.
2) Education and Training
Cambodia needs to assemble a team of specialists with both computing and security expertise. As this hybrid role is now in high demand, selected professionals with computing backgrounds must be trained in the context of national security. These individuals would have computing backgrounds, but are able to lead and strategise on a national scale of security. For those few Cambodians with specific expertise in cybersecurity or cryptography, they must be assembled together as key members of the team to advise on the technical aspects of cyberconflict.
From an educational perspective, in order to strengthen the nation against cyberconflict in the long term, the government should incentivise Cambodian students to pursue an academic path in mathematics, computer science, computer engineering, and security studies. These subject matters are foundational components for technical cybersecurity professionals. Currently, the more popular academic specializations in Cambodia are accounting and civil engineering, due to cultural reasons and the past industrial needs of a developing country. Now that Cambodia is striving for digital transformation in the era of Industry 4.0, education and training must be tailored to match the needs of the future. More importantly, these technical experts should be trained how to communicate effectively with policymakers that might be non-technical individuals. Not only is technical expertise important, but so is understanding security issues in the context of the big picture. When addressing a matter of national security, one must understand the motive behind each individual technical process, which plays a crucial role in the grand scheme of an international cyberconflict.
(3) Regional Dialogue
Finally, Cambodia must engage with international partners to voice its national interests concerning cyberconflict. In order for a regional cyberconflict treaty to be established, the national interests of regional members must be exchanged and taken into consideration. Cambodia must send a diverse group of delegates from the government, private sector, academia, and non-governmental organisations to represent the nation, in order to provide different perspectives. Furthermore, these delegates should attend regional dialogues of varying themes, so as to comprehend the entire situation from all narratives.
As with traditional security issues, communication between nations is key. Rather than focusing on potential cyberattacks stemming from paranoia, Cambodia can proactively interact with regional partners to constructively contribute to regional stability. Cambodia’s best way to prepare for future cyberconflict is to develop technical expertise on a national scale within a clear national cyberconflict strategy.
For example, on October 14th 2019, the Ministry of External Affairs of the Government of India and the Observer Research Foundation (ORF) hosted the ASEAN-India Track 1.5 Cyber Dialogue in New Delhi. Cambodian delegates were invited to constructively discuss the digital future of ASEAN. Aside from the high potential growth of the digital economy, even more consideration must be paid to the governance of cyberspace in the global context. Nations at the dialogue had the opportunity to share how they utilise emerging technologies to strengthen their own governance methods and how they wish to deal with issues of norms in the cyberspace and international cyberconflict.
However, the main challenge of these regional dialogues is to reach a consensus amongst all nations present. As a most recent example, the US-ASEAN Cyber Dialogue was held in Singapore on October 3rd 2019. The US and Laos co-chaired the event, discussing the themes of 5G, digital economy, and cyber capacity building. Although views were exchanged on their respective national interests and how to promote regional capacity building and cooperation in the cyberspace, more specific technical details were not expressed.xii All nations wish to know what their regional partners’ strategies are, but they will never disclose their own security methods and strategies, in technical details. As a conclusion, there was no consensus due to the relatively general statements provided by each side. However, as all nations take their first cautious steps into the cyberspace, it is crucial to initiate collaborative efforts internationally, in order to address this highly sensitive issue.
The global fear of cyberconflict stems from its intangibleness and uncertainty, as a new form of interaction in an unfamiliar cyberspace. The more our economies and societies become digitally interconnected, the more vulnerable our privacy and data are. These dynamics create a controversial trade-off for all nations: security of privacy and data, for technological convenience and efficiency.
On an international scale, as states increasingly convert their data into digital format, there are more sites prone to potential cyberattack by another state. Thus, it is of paramount importance for Cambodia to strategise and assemble a national team of experts to prepare for cyberconflict in the future, in line with the rapid growth of its digital economy. On a regional level, although Cambodia is relatively behind in terms of technological advancements and qualified human resources, initiatives can be taken to address this gap. The first step is to acknowledge the lack of national preparedness against the grave consequences of potential cyberconflict. Cambodia as a small state, cannot possibly control what lies ahead in the cyberspace, but can make every effort in preparing to respond to future cyberconflict by educating and training experts and the general public, establishing a national strategy for cybergovernance, building cybersecurity infrastructures, and learning from regional partners.
The opinions expressed are the author’s own and do not reflect the views of the Asian Vision Institute.