“One of the big problems we face with cyber is that it hasn’t really been discussed internationally about what is the acceptable use of cyber-powers, where the red lines are and what happens when those red lines are crossed.”
Sir John Sawers — Former chief of the British Secret Intelligence Service [MI6]
“This has the whiff of August 1945. [referring to the US cyber-attacks against Iran Nuclear facilities] Someone, probably a nation-state, just used a cyber weapon in a time of peace… to destroy what another nation could only describe as their critical infrastructure. That’s a big deal. That’s never happened before.”
General Michael Hayden — Former CIA/NSA Director
November 15 2016 — Senator John McCain (R-Ariz.) — the chairman of the US Armed Services Committee — has said he believes Russia’s alleged interference in the 2016 presidential election amounted to an act of war. Most legal scholars disagree. What really defines an act of war in cyberspace? The US Military is currently working out its own definition. Follow us on Twitter: @Intel_Today
RELATED POST: Obama’s Cryptic Comment on the DNC Leaks
UPDATE (November 15 2018) — So, how much progress has been made in the last 12 months towards agreeing on a definition of what constitutes an act of war in cyberspace? Short answer: none at all.
Tarah Wheeler — an information security researcher and political scientist — has written a good piece on the subject recently published in the Fall 2018 issue of Foreign Policy magazine.
“The great challenge for military and cybersecurity professionals is that incoming attacks are not predictable, and current strategies for prevention tend to share the flawed assumption that the rules of conventional war extend to cyberspace as well. Cyberwarfare does have rules, but they’re not the ones we’re used to—and a sense of fair play isn’t one of them. Moreover, these rules are not intuitive to generals versed in fighting conventional wars.
That’s a problem because cyberwar won’t be waged with the informed participation of much of the U.S. technology sector, as the recent revolts at Google over AI contracts with the U.S. Defense Department and at Microsoft over office software contracts with U.S. Immigration and Customs Enforcement demonstrate. That leaves only governments and properly incentivized multinational corporations to set the rules. Neither has yet provided a workable and operational definition of what constitutes a globally recognized act of war—a vital first step in seeking to prevent such transgressions.
The international community needs new habits for a new era. Leaders must follow NATO’s tentative footsteps in Tallinn and convene digital Geneva Conventions that produce a few deep, well-enforced rules surrounding the conduct of war in cyberspace. Cyberwar is the continuation of kinetic war by plausibly deniable means. Without a global consensus on what constitutes cyberwar, the world will be left in an anarchic state governed by contradictory laws and norms and vulnerable to the possibility of a devastating war launched by a few anonymous keystrokes.”
END of UPDATE
Although, there is a broad consensus on what constitutes an “Act of War” and how to define “Cyberspace”, there is no agreement on the definition of an act of war in cyberspace.
[NOTE: “A May 12 2008 ‘for official use only’ memo signed by Deputy Defense Secretary Gordon England defines ‘Cyberspace’ as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” Wired ]
Can the existing legal framework be applied to cyber conflict? Assuming that it is the case, is the existing framework adequate? Or does it require additional concepts and specific definitions?
Asked during a congressional hearing last year if offensive cyber operations could constitute an act of war, Admiral Atkin — Office of the US Secretary of Defense — answered that an act of war [in the cyber domain] has not yet been defined.
“We are still working towards that definition across the interagency,” said Thomas Atkin.
“When determining whether a cyber incident constitutes an armed attack, the U.S. Government considers a number of factors including the nature and extent of injury or death to persons and the destruction of, or damage to, property.
Besides effects, other factors may also be relevant to a determination, including the context of the event, the identity of the actor perpetrating the action, the target and its location, and the intent of the actor, among other factors.”
Admiral Atkin also warned that civilians — who support military cyber operations — are not lawful combatants and therefore not legally protected as soldiers.
“During armed conflict, some civilians who support the U.S. armed forces may sit at the keyboard and participate, under the direction of a military commander, in cyberspace operations. The law of war does not prohibit civilians from directly participating in hostilities, such as offensive or defensive cyberspace operations, even when that activity would be a use of force or would involve direct participation in hostilities.”
“However, in such cases, a civilian is not a ‘lawful combatant’ and does not enjoy the right of combatant immunity, is subject to direct attack for such time as he or she directly participates in hostilities, and if captured by enemy government forces may be prosecuted for acts prohibited under the captor’s domestic law.”
Toni Gidwani, a former Department of Defense analyst who now heads up operations research at cyber-security firm “ThreatConnect”, agrees:
“The rules here are not as clean in terms of what’s allowable and what the consequences are.”
According to the US Department of State, cyber activities would constitute a use of force if they were to cause direct physical injury and property damage such as (1) operations that trigger a nuclear plant meltdown; (2) operations that open a dam above a populated area causing destruction; or (3) operations that disable air traffic control resulting in airplane crashes.
“The [US] government has defined an armed attack in cyberspace as one that results in death, injury or significant destruction, as Harold Koh, the State Department’s chief legal adviser, recently put it. Here’s the rule of thumb, as Koh stated it.”
“If the physical consequences of a cyberattack work the kind of physical damage that dropping a bomb or firing a missile would, that cyberattack should equally be considered a use of force.”
“If an attack reaches those levels, then a nation has a right to act in self-defence.” [Washington Post 2012]
The Tallinn Manual
The Tallinn Manual 2.0 is an updated reference for lawyers around the world on how International Law applies to cyberspace.The new manual was published by Cambridge University Press in March 2017.
Michael Schmitt is the chairman of the U.S. Naval War College’s International Law Department and director of a project that analyzes how International Law applies to cyber operations.
Schmitt — also a law professor at the University of Exeter in Britain — led the legal team that compiled the manual.
“I’m no friend of the Russians. But Moscow’s hacking and dumping of Democratic emails to WikiLeaks is not an initiation of armed conflict.
It’s not a violation of the U.N. Charter’s prohibition on the use of force. It’s not a situation that would allow the U.S. to respond in self-defense militarily,” Schmitt recently said.
Hacking the DNC’s emails is an act of political espionage, which is not a breach of international law, Schmitt added.
Microsoft weighs in
On February 14 2017, Microsoft President Brad Smith pressed the world’s governments to form an international body to protect civilians from state-sponsored hacking.
“Countries need to develop and abide by global rules for cyber attacks similar to those established for armed conflict at the 1949 Geneva Convention that followed World War Two.
Technology companies need to preserve trust and stability online by pledging neutrality in cyber conflict.
We need a Digital Geneva Convention that will commit governments to implement the norms needed to protect civilians on the internet in times of peace.”
UPDATE (November 15 2017) — What is an Act of War in Cyberspace? Steven Aftergood (SECRECY NEWS) has written a post on the new US military doctrine.
It’s a question that officials have wrestled with for some time without being able to provide a clear-cut answer.
But in newly-published responses to questions from the Senate Armed Services Committee, the Pentagon ventured last year that “The determination of what constitutes an ‘act of war’ in or out of cyberspace, would be made on a case-by-case and fact-specific basis by the President.”
“Specifically,” wrote then-Undersecretary of Defense (Intelligence) Marcel Lettre, “cyber attacks that proximately result in a significant loss of life, injury, destruction of critical infrastructure, or serious economic impact should be closely assessed as to whether or not they would be considered an unlawful attack or an ‘act of war.’”
Notably absent from this description is election-tampering or information operations designed to disrupt the electoral process or manipulate public discourse.
Accordingly, Mr. Lettre declared last year that “As of this point, we have not assessed that any particular cyber activity [against] us has constituted an act of war.”
“Russia engaged in acts of war against America, not with bullets and bombs, but through a modern form of warfare, a cyberattack on our democracy,” opined Allan Lichtman, a history professor at American University, in a letter published in the latest issue of the New York Review of Books.
Not so fast, replied Noah Feldman and Jacob Weisberg: “The US is not now in a legal state of war with Russia despite that country’s attempts to affect the 2016 election.”
History, Geopolitics and International Law are ‘different things’.
I am glad to see that some people still agree that — as I wrote previously — cyber activities would constitute a use of force if they were to cause direct physical injury and property damage such as operations that trigger a nuclear plant meltdown, operations that open a dam above a populated area causing destruction, or operations that disable air traffic control resulting in airplane crashes.
This is the doctrine of the United States Department of State and I want to believe that most legal experts would agree on this — or a similar — definition.
Cyber warfare: Legal experts and programmers search for solutions
“In war, anything connected to a computer network can be targeted from anywhere in the world, according to experts attending a recent conference on cyber warfare in Moscow.
That includes civilian objects, so many countries are looking at how to protect civilians from cyber attacks. And one of the solutions is to comply with IHL in cyberspace.”
Is Cyberwarfare a Serious Problem? Richard Clarke (2010)
“Author of the #1 New York Times bestseller Against All Enemies, former presidential advisor and counter-terrorism expert Richard A. Clarke sounds a timely and chilling warning about America’s vulnerability in a terrifying new international conflict—Cyber War!
Every concerned American should read this startling and explosive book that offers an insider’s view of White House ‘Situation Room’ operations and carries the reader to the frontlines of our cyber defense. Cyber War exposes a virulent threat to our nation’s security.
This is no X-Files fantasy or conspiracy theory madness—this is real.”
The Tallinn Manual — WIKIPEDIA
International Law in Cyberspace — US Department of State
Is “Cyberwar” War? — Secrecy News
Acts of War in Cyberspace
Acts of War in Cyberspace — 2017
Acts of War in Cyberspace — 2018