7 August 2020

When should cyber attacks be considered acts of war?

Shannon Corbeil

In the past 15 years, state-sponsored cyber attacks have increased significantly, from hacking government and military computers to obtain information to shutting down or defacing websites to interfering with power stations.

And that's just what we know from the news. In my experience (cyber threat analysis at the NSA), if something is public knowledge, then the classified story behind it is way more vast and comprehensive.

Make no mistake: countries like Russia, China, North Korea, and Iran are attacking the United States and other global players every day -- just ask Mattis...or Sony. I mean, we traced North Korean hacking during our last summit with North Korea.

The United States, for example, knows that we're being targeted by cyber attacks. And we're really good at tracking down who is behind the intrusions. So, when a country like Russia targets the United States for a cyber attack, why isn't it considered an act of war?

Well, it can be. But it depends on the attack and how the law of war applies to it, even though those rules predate the invention of the internet. The United States government has identified cyberspace as an operational domain in which the armed forces must be able to defend and operate, just like land, sea, air, and space.


But just like the Chinese navy can aggressively fly past a ship without it being an attack, state-sponsored hackers can intrude on a network without it necessarily being an attack.


Per the Department of Defense Law of War Manual, codified cyber operations include all sorts of activity, from disrupting our websites to stealing our nudes to bringing down infrastructure. Other cyber operations include reconnaissance, securing access to key network systems, implanting malicious code or access tools, acquiring foreign intelligence, or gaining information about an adversary's military capabilities and intent.

But the DOD also makes it clear that not all "attacks" are created equal. So most "cyber attacks" fall short of the legal and common-sense definitions of "attacks" during the conduct of hostilities. It's not an act of war to steal a copy of The Interview, even if you leak the ending online before the movie even comes out.

But cyber operations can cause a variety of effects, and some of these could be defined as an act of war. If the effects of cyber operations cause the same damage as dropping a bomb, then that cyber attack becomes subject to the same laws as physical attacks.

And this is possible. In fact, it's already happened.

The New York Times reported a cyber assault that hit a petrochemical company in Saudi Arabia. The attack was designed to sabotage the firm's operations and trigger an explosion. That's a pretty clear-cut case, but it still might not be in a country's best interest to launch physical military attacks over the issue. After all, Syria didn't attack Israel even though Israeli jets are sometimes hitting targets in the Syrian Civil War, because Syria can't afford a new state-level enemy right now.

Which makes sense. Would we really want to start a war with North Korea, China, or Russia, even if they managed to damage some infrastructure in the U.S.? (The answer is, hopefully, no.)

So in general, we use the same guidelines for assessing cyber attacks as we do any other kind of attack or intrusion. If it's peacetime intelligence and counterintelligence activities, we take it on a case-by-case basis. International law exists to determine the legality of intel operations — and we apply the same or similar rules for how we operate within cyberspace.

But we still recognize our right to self-defense, in cyberspace and any other battlefield. Publicly the U.S. has made a commitment to respond to a cyber attack just as we would any other attack — and by any means: diplomatic, economic, or military. But we try to exhaust all options, even our own cyber arsenal, before the use of military force.

And we have to be certain that we're retaliating against the source of the original attack, which can be tough when countries like Russia hide behind shadowy hacker groups and any sophisticated hackers can take steps to mask their digital footprints.

Therefore, I can almost guarantee that a cyber "war" is raging...but it doesn't make the news. The United States and Russia do not want to actually launch missiles at each other. No one wants that kind of damage. We also have an economic relationship with them that benefits both parties. The same is true with China. But ideologically, we are not very compatible.

I've been out of the game for a while, but I suspect that when we catch Russia sneaking into our systems, we just sneak right back. It's an information war, and I'm actually not sure about who's winning. While the US has made mistakes, for the most part, we play by the rules, and our adversaries...don't.

Right now, it's kind of like the Cold War, with mutually assured destruction keeping everyone on their best behavior. But the truth is, a cyber attack has the potential to cause devastating effects. Imagine if an adversary manipulated the stock exchange or an air traffic control center at an international hub.

Such attacks would be violations of the law of war, but terrorists don't play by the rules. So far we're lucky that they don't have the same sophisticated technology as major global players, but the threat is real, which is why we must continue to develop our own capabilities and remain superior in the cyber battlespace.
