28 April 2019

Cyber Declarations of War

By Bryan Terrazas

Late last month the lights went out in Venezuela and fingers were immediately pointing and blame cast for who may be responsible. Was it internally initiated through a failed coup, or government ordered to prevent escalation of dissent in the streets? Was shoddy infrastructure to blame, or is there a kernel of truth to some of the finger-wagging towards the U.S.? As tensions between the embattled socialist country and the West continue to escalate and sabers rattle, a pertinent question may be just how the U.S. will decide to get involved, if it has not done so already, and just what the Venezuelan response will be.

Certainly, this last question is difficult to answer, however on the digital front it is irrefutably complicated by the lack of current international norms regarding what collectively can be described as an information and cyber-attack red-line. Would, for example, turning off the lights by one state constitute an act of war on another? How about flooding a country with propaganda, urging citizens to overthrow the government? To both: perhaps, and perhaps not. In today’s increasingly digitally-interconnected world, the answers to these questions are as important as they are unclear, and a miscalculation may just result in a response neither side truly wants – war.

The time has come for policy-makers, think-tanks, practitioners, and academics alike to begin treating information and cyber operations as both a topic and threat deserving of the consideration previously reserved only for armed conflict. Without deep contemplation, open-discussion, and articulated dissection of the topic, the future is sure to be fraught with misunderstood posturing and misread signaling that will inevitably lead to unintended armed conflict.

In the U.S., Russian disinformation and cyber aggression are surely the most salient on-going example of this issue. It’s certainly easy to understand why Americans pose such a tempting target: according to a recent 2018 Nielsen report, Americans are spending nearly half of their day consuming media, much of it online. In addition, news agencies report almost daily on cyber-attacks affecting critical U.S. infrastructure and businesses. Without more open discussion of the consequences of these actions, the line between ‘acceptable’ peacetime digital excursions and those demanding a strong response remain opaque.

Though these peacetime attacks are often left without a meaningful response, numerous instances should give one pause. In 2008, Georgia experienced numerous issues on its websites and media platforms just before Russian encroachment. Ukraine too has much experience with this situation. Given this precedent, the signaling associated with these actions is relatively explicit.

Conversely, when North Korea was accused of tampering with Sony, it too experienced mysterious power outages, though this time no invasion followed. Now, with two different standards of conduct, it is not hard to imagine a similar future event resulting in a dramatically different outcome; especially between two nuclear states prone to butting heads.

The U.S. for its part has the intent to expand its capabilities in this field. In the recently published 2020 White House budget request, investment in the cyber domain has increased noticeably to the tune of roughly $10 billion.

Previous administrations have shown blanketed cyber red-lines are ineffective – but well-considered, proportional, and nuanced responses need complex analysis now. It is highly unlikely that a silver-bullet policy for all instances will ever exist, but all contingencies must be fully explored in advance to prevent a knee-jerk and disproportionate response later. In the near future, the advent of faster 5G connections, pervasive Internet of Things devices, and even meaningful artificial intelligence will only further complicate this arena, making development of this strategic void even more urgent now.

Information and cyber operations are certainly not one in the same; nevertheless, on a strategic and policy level, there is little to differentiate between the two as both increasingly overlap with one another while sharing similar outcomes. Additionally, few would make an argument that a nuclear attack is analogous to a cyber-attack, but the long-term consequences and scale of cyber-attacks remain to be seen. And although the capability to conduct these actions resides outside just the state-level, it is uniquely at the state-on-state setting that this conversation must be had; there is little chance of the U.S. declaring war on the likes of Anonymous or lone-wolf individuals. States, on the other hand, must mutually understand some actions will result in significant consequences, and calculate their actions accordingly.

Now is the time for the U.S. and its allies to normalize standards. While Washington continues to investigate the ways and means of conducting these operations, the international security community, led by the U.S. and its allies, must work to develop policy from which states can signal and understand one another while having limits enforced, before the next lights are turned off alongside the explosions of bombs.

No comments: