28 January 2021

Guest Post: Dean Cheng on “Cyber Actions and Acts of War”

BY CHARLIE DUNLAP, J.D.

In today’s post, popular LENS Conference speaker Mr. Dean Cheng wrestles with one of the toughest national security issues these days: at what point do–or should–cyber actions become a casus belli?

In addressing that question Dean unpacks the political term “act of war.” For the purposes of his essay, it means the kind of action that can trigger legal authority for acts in self-defense pursuant to Article 51 of the UN Charter (and its analog in Article 5 of the NATO charter).

When the attack is conducted with bombs or bullets, the legal determination is relatively easy to discern, but when it’s via electrons in cyberspace, not so much.

In short, to what extent have the nature and capabilities of cyber technology challenged traditional legal and political norms as to what warrants armed conflict? How great a breach of sovereignty must occur? Here are Dean’s views on those complicated questions:

Cyber Actions and Acts of War

Over the past decade, a variety of cyber actions have been in the news. The federal government’s Office of Personnel Management was hacked, exposing the information and backgrounds of millions of Federal employees. More recently, Russian hackers have been accused of penetrating perhaps 18000 or more sites by slipping malware into network management tools.

Meanwhile, economic espionage has been estimated to entail losses as high as a trillion dollars.

Cyber means were used to infiltrate Iran’s nuclear facilities at Natanz, in the “Stuxnet” attack, slowing Iranian nuclear efforts.

This variety of actions raises the question: when does a cyber action cross the line and become an act of war?

The fact that none of these actions resulted in an open conflict suggests that, at present, most cyber actions are not necessarily seen as an “act of war.” Instead, there seems to be a broad consensus that cyber-espionage, computer network exploitation, and theft of data do not constitute an act of war.

On the other hand, NATO has now stated that some types of cyber actions could trigger Article 5, which calls upon all NATO members to assist in the collective defense of its members.[1] This would suggest that at least some types of cyber actions are considered the equivalent of an act of war. However, as the NATO Secretary General has also acknowledged, not every cyber action will necessarily trigger an Article 5 response.

Defining an Act of War

According to United States law, an “act of war” is defined as “any act occurring in the course of declared war; armed conflict whether or not war has been declared, between two or more nations; or armed conflict between military forces of any origin.”[2]

What this underscores is the use of violent means, by either a nation-state or an organized political group, against another, as part of an effort to achieve previously determined political ends.

Not only does this potentially overlap with what some might consider terrorism, but it also places heavy significance on violence. Consequently, based on this definition, it is possible that many cyber actions might not, in fact, constitute an “act of war,” if they do not involve violence.

It may also be useful to consider what most analysts would say does not constitute an “act of war.”

Economic actions such as embargoes and sanctions are typically not considered acts of war, in part because they do not necessarily involve the use of military force. By contrast, a blockade, which entails the use of military force, is generally considered an act of war.[3]

Similarly, espionage is not considered an “act of war,” but part of normal statecraft. Indeed, history is replete with examples of espionage which did not precipitate war.

Political subversion, such as by the COMINTERN or pro-Nazi elements, posed a definitional problem, but was eventually not seen as an act of war. Countering propaganda and subversion was usually therefore a law enforcement issue, or a form of counter-intelligence. 

On the other hand, efforts at regime change are seen as “intervention,” and therefore prohibited under the UN Charter.

Changes Due to the Information Age

The difficulty lies, not with changes in definitions, but changes in technology. In the past, in order to do violence, or even in order to influence another state, it was usually necessary to have physical access to the other state.

Shutting down power grids, disrupting energy and communications networks, all typically required physically attacking physical infrastructure such as power plants, pipelines and refineries, and telephone exchanges. While airpower bypassed at least some defenses, it still involved applying physical force.

The growth of information and communications technology (ICT) has fundamentally altered this situation. The linkage of various information and communications networks into a global network has created unprecedented ability to access the populations and leadership of most nations. Information now flows, with minimal control, across international boundaries.

As important, the incorporation of ICT into critical infrastructure (e.g., power grids, air traffic control systems), and the subsequent ability to access that same infrastructure from the Internet allows national and non-national actors to affect key systems.

Physical destructiveness and disruption that once required physical access, and usually massed capabilities (e.g., 1000 bomber raids), is now potentially possible remotely.

Further complicating the situation is that ICT means that the form of destruction no longer need be physical.

In the past, shutting down a power grid meant attacking power plants, transformers, transmission lines. But many attacks involving cyber actions may result in no physical damage.

Distributed denial of service (DDoS) attacks can prevent systems from operating normally by preventing the target from accessing the Internet.

Malware attacks, whether by targeting SCADA (supervisory control and data acquisition) networks or by deleting operating systems and databases, can halt the operation of infrastructure without physically affecting its components.

Ransomware doesn’t even necessarily destroy data or software, but simply prevents the user from accessing the data.

It is therefore now possible for state and non-state actors to create massive disruptions without necessarily using force or physically damaging the targeted systems. As important, they not only may be able to do so without physically violating the sovereignty of a target state (that is, without crossing the land borders or violating national airspace or maritime space), but also they may be able to do so with some degree of anonymity.

When Japan attacked Pearl Harbor, there was no real question of whose aircraft were launching torpedoes or dropping bombs. German forces staged an incident at Gleiwitz, in order to claim that the invasion of Poland was in response to Polish aggression, but few believed this claim. As important, subsequent attacks on Polish forces and urban centers were unmistakably German.

In the context of modern information attacks, however, attribution can be far harder.

While there are various suspicions about who may have conducted the Stuxnet attack on Iranian nuclear facilities, no official charge has been aired by Tehran, while no actors have openly claimed responsibility. The WannaCry and NotPetya attacks, which had global impact, have not been clearly attributed to any particular actor, whether state or non-state.

Both the original Tallinn Manual and the revised Tallinn Manual 2.0 have sought to reconcile these traditional aspects of the laws of armed conflict and war with modern technology, as regards cyber activities.

The manual, the product of inputs from a variety of Western legal, military, and other experts, constitutes an attempt to codify what does and does not constitute an “act of armed conflict” in the realm of cyber and information warfare.[4]

Thus, the Manual notes that the “use of force” is not restricted to military actions, but can include the actions of contractors and actions by certain non-state actors. However, as the Manual also observes, acts of “intrusion,” including cyber intrusion, are not necessarily the same as “intervention,” which constitutes a violation of sovereignty and can be seen as tantamount to an “act of war” or “act of armed conflict.”

“Intervention” is held to incorporate coercive aspects, which is why espionage is not seen as constituting an act of war, whereas any threat of destruction or destructive effect may be seen as such. Similarly, use of cyber means to effect economic coercion and certain types of political coercion (e.g., subversion) are seen as distinct from the use of force, just as their historical non-cyber counterparts have been in the past.

At base, the Tallinn Manual 2.0 seems to suggest that, if the effects of a cyber attack are analogous to those of a kinetic attack, then it is potentially an “intervention” or “use of force”; at a minimum, it justifies self-defensive actions.

By the definitions of the Tallinn Manual 2.0, the Stuxnet incident would therefore seem to constitute at least an “intervention.” The inability to provide definitive attribution, however, means that there is no clear party for Iran to retaliate against, underscoring the newly arising dilemmas of the cyber age.

This will become even more complicated, as nations and companies mull more active measures to counter computer network intrusions. How would orchestrated responses to a cyber attack be interpreted, if those responses were undertaken by corporate entities?

Implications for the Future

Secretary of Defense Leon Panetta captured the attention of many when he warned of a “cyber Pearl Harbor.” It may be useful to consider when cyber actions become acts of war in this light.

Pearl Harbor was the opening act of a larger campaign. Even as fires billowed from Battleship Row, Japanese forces attacked the Philippines, Hong Kong, and the Dutch East Indies.

It may be similarly useful to consider whether a cyber action is part of a larger effort.

The most destructive cyber actions of the last several years, including Stuxnet, the Sony intrusion, and the Shamoon attack on Aramco, were arguably one-off attacks, and were not, at least as far as is publicly known, coordinated with other actions, whether cyber or physical. They may therefore approach acts of terrorism, rather than acts of war—still threatening, still destructive, but not necessarily an act of war.

Perhaps as important, these attacks did not lead to the direct loss of life, and certainly not on a large scale. Nor did these attacks lead to massive disruption.

While Sony and Aramco suffered financial losses, these were limited to individual companies. Similarly, Iran’s nuclear facilities at Natanz were affected, but the broader Iranian infrastructure was not. A cyber action that generated casualties on the scale of Pearl Harbor or the 9-11 attacks, involving thousands, might well be considered an act of war. 

It may be, then, that cyber actions are recognized as rising to the level of an act of war only in retrospect, i.e., if it is later determined that they are part of a larger campaign, or lead to significant loss of life or large-scale disruptions. 

Conversely, even protracted, sustained disruptive attacks may not be considered an act of war, if there is no obvious goal or beneficiary. If it is difficult, at times, to distinguish terrorism from acts of war when the actions are physical, the lines are even more blurred in the informational and cyber realm.

Ironically, some of the efforts in recent years, especially by nations such as China and Russia, to extend sovereignty to cyber space may well make it easier to define cyber acts of war. As nations strive to have all data pertaining to their nation and citizens housed within their own borders, it potentially means that attacks against that data will be seen as specifically violating national sovereignty.

Just as it was not possible to attack engine plants supplying the Luftwaffe without violating German sovereignty, attacks on, say, Chinese citizens’ data in the future may require attacking servers on Chinese soil. Establishing sovereignty on the Internet may therefore clarify the nature of intrusions (i.e., whether they are an act of armed conflict), and provide better guidelines for responses, even as it also restricts the free flow of information.
