In the wake of recent cyber attacks launched against the Republic of the Philippines, and in response to the formalisation of cyber-crime legislation, the Armed Forces of the Philippines (AFP) have recently announced plans to establish an operations centre to address the rising incidence of cyber attacks.
While timely, this move presents an enormous challenge to the AFP, as cyber space remains an ever-changing environment that is, as of yet, not fully understood by most policy makers and military leaders. Two points that require immediate clarification are the scope and potential for retaliation that the proposed cyber command would have. A failure to consider these boundaries could render any command at best inefficient, or at worst a possible source of destabilisation.
The year 2012 has seen numerous cyber attacks against Philippine government websites. Most notable was the series of attacks and counter-attacks that defaced government websites of both the Republic of the Philippines and the People’s Republic of China (PRC) at the height of the recent territorial disputes in the South China Sea. While the nature of cyber attacks makes it impossible to attribute an attack to an individual, group or nation-state with any certainty, postmortem analysis suggests that the PRC is the source of these attacks.
At this point, deciding whether to classify cyber attacks as criminal acts or acts of war becomes relevant. While academics, policy makers and legislators across the globe attempt to establish parameters to distinguish between the two, incidents attributed to the PRC have complicated the situation. The PRC is suspected of utilising elements of its populace involved in cyber crime to launch attacks beyond its borders, often to conduct forms of cyber espionage. The use of civilians to launch cyber attacks while continuously refusing to acknowledge state sponsorship of such actions makes any effective response — be it a legal approach if cyber attacks are viewed as crimes or a military response if viewed as acts of war — difficult.
In the Philippines, the Cybercrime Prevention Act 2012 provides guidelines as to what constitutes cyber crime. It includes illegal access and interception, and data and system interference. It fails, however, to distinguish between criminal activities and acts of war in cyber space. Such ambiguity is detrimental to democracy, as the armed forces in most democratic states are prevented from conducting police action. As such, simply stating that a proposed unit’s objective is to protect critical information and data is unhelpful given the lack of distinction between crimes and acts of war.
Assuming that the nature of cyber attacks is resolved, the second point to be addressed is that of escalation. To what extent should such a unit be able to react in defence of national security? The AFP has stated that the rationale behind this new unit is ‘to streamline and secure our communications systems in order to efficiently and effectively perform our mandate in protecting our people’. Broad statements such as this suggest the possibility of retaliatory action. While unofficial, such a scenario has already taken place, with nationalistic Filipino hackers defacing Chinese websites in response to similar attacks presumably launched by the PRC. This later prompted President Benigno ‘Noynoy’ Aquino to issue statements disavowing such actions and calling for a cessation of cyber hostilities.
Cyber attacks may appear to be an ideal weapon for nation-states that have weak conventional forces, due to the low cost of entry and inherent anonymity provided by cyber space. These advantages, however, tend to belie the risk of rapid escalation that has the potential to transition into the physical domain. In the case of the attacks launched by Filipino hackers, no obvious escalation was noted. This may be due in part to the fact that the level of aggression exhibited may not have merited a response in the physical or cyber realms. In the event of escalation from asymmetric to symmetric engagement, advantages perceived and gained by the weaker party during the initial stages of the conflict are bound to be lost.
While the development of capabilities to address emerging threats is crucial for any nation-state, careful consideration is required in cases where the nature of the threat is not clearly understood. The distinction between criminal acts and acts of war, as well as the appropriate scope for retaliation, must be well defined. For the Republic of the Philippines, its experience with cyber attacks in recent years has shown the need to develop capabilities to deter and possibly counter such threats. At the same time, careful consideration is needed regarding the dynamics of such conflicts. Concepts such as deterrence and escalation, while well understood in the conventional sense, remain troublesome when used to analyse cyber attacks. Nation-states that hope to establish cyber commands without first considering these factors may find themselves embroiled in unnecessary conflict.
Miguel Alberto Gomez is an instructor and researcher with the College of Computer Studies at the De La Salle University, Manila, Philippines.