
Opinion: No one knows how to define cyberwar – and that's a problem

Despite digital weapons becoming critical tools in every modern military, there's still no consensus when it comes to defining what amounts to an act of cyberwar. 


Even with hundreds of meetings, speeches, and conferences on the subject, there's still no clear definition of cyberwar. Increasingly, that ambiguity is leading to confusion about how to respond to digital assaults on governments, companies, and individuals.

That's why a bill from Sen. Mike Rounds (R) of South Dakota that seeks to clearly define what constitutes cyberwar is so important. While this debate may seem like an esoteric discussion among policy wonks, it has very concrete real-world implications. Without it, the US will continue to fly by the seat of its pants in responding to a growing number of high-profile breaches and other cybersecurity incidents.

As Senator Rounds insinuates, the current vagueness around acts of cyberwar is not sustainable.

Aside from the military implications, these definitions are important for deterrence, collaboration between the government and the private sector, and understanding trends in cyberspace. As is often the case, technology has outpaced our ability to formulate policies, theories, and strategies.

After President Obama issued his cyberdeterrence strategy late last year, Sen. John McCain (R) of Arizona said the US lacks any coherent policy to meaningfully deter cyberattacks. A clear and concise definition of an act of cyberwar is a first step toward greater clarity of operations – and their impact – in the digital domain.

The first and most obvious implication of legally defining acts of cyberwar is to explicitly state what behaviors cross the line. Knowing which activities will and will not incur the use of force is directly tied to deterrence. 

For instance, after North Korea attacked Sony Pictures, President Obama said that the US response would be proportional. But he stopped well short of calling it an act of war and failed to clearly define actions that would reach the threshold of digital warfare. That ambiguity was a missed opportunity to deter future actions such as the Sony attack, and may have communicated to adversaries that data destruction and theft don’t cross the red lines.

While the Justice Department has gone after foreign hackers based in China and Iran after several high-profile attacks, Justice Department indictments in those cases won't deter cybercriminals from attacking US systems.

As malicious behavior advances toward acts of war, it is likely that retaliation will become more aggressive and severe. But there is no requirement that a cyberattack should be countered with a cyber-response; an act of cyberwar can unleash the whole arsenal of hard and soft power. Unless adversaries know when the US will use military force, and when costs of an attack outweigh the benefits, there is little hope of achieving any real level of deterrence.

These challenges also have strong domestic implications. The private sector generally defends itself from cyberattacks, with the government stepping in afterwards to investigate criminal activity. At what point, however, would the government intervene and respond with the use of force?

Clarifying the government's role is equally useful for the private and public sectors. It could lead to additional information sharing and partnerships that have been overshadowed by the differences between the groups as opposed to the many, mutually beneficial forms of collaboration.

Fortunately, the President has a foundation on which to draw when defining acts of cyberwar. NATO's Tallinn Manual, a guide for how international law applies to cyberconflict, notes that civilian objects cannot be targeted unless there are military objectives and defines an attack as a "cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects."

The Department of Defense's 2015 Law of Warfare Manual says any cyberoperation would be regarded as a use of force if it produces effects similar to those of physical operations that are deemed a use of force. In this case, opening a dam or disabling air traffic control would be considered use of force, while theft of data is not.

In each of these cases, the emphasis is on the effect of the cyberoperation. But most measurements of cyberattacks, to date, largely focus on the tactics or tools, not the outcome. And many measurements even conflate the two.

For instance, the Verizon Data Breach Investigations Report, a popular source in both the private and public sector for assessing the major attack trends in cyberspace, lumps together attackers’ objectives and intrusion techniques, confounding the ability to assess critical trends in cybersecurity.

But at what point does this onslaught of malicious activity constitute war? It's a conversation that's long overdue. Cyberspace will remain the Wild West without coherent definitions.

Andrea Little Limbago is principal social scientist at the cybersecurity firm Endgame.

 
