How Should The US Respond To Cyber Attacks?

The principles of jus ad bellum, the “right to war,” and the laws of armed conflict have evolved through centuries of development and survived military innovations like aircraft and tanks. But given cyber warfare’s inherently asymmetric nature and the difficulties in correctly and quickly attributing attacks, do the traditional laws of armed conflict still hold true? Or are we already living in an era where we hold one set of standards for countries that adhere to international law and a different set of standards for those countries that either encourage or ignore their citizens to participate in cyber attacks? Should we hold ISIS to the same set of standards for Monday’s hacking of U.S. CENTCOM’s social media pages as a state-sponsored group that hacks Sony?

The use of cyber militias is nothing new. Russia and China have tacitly encouraged the technique for the last decade deliberately in order to throw off attribution and save money (patriotic hackers who will work for free in their spare time are much cheaper than a military). The continuing questions over who really was behind the Sony hack will only further this behavior in that they encourage nation-states to utilize non-state actors to do their dirty work, knowing they can then be shielded by layers of doubt over identity. It’s hard to retaliate if there’s no return address on the malware or virus dumped onto your computer systems.

Countries like Russia and China utilizing civilian hackers to do their dirty work trigger a dilemma in distinguishing between combatants and non-combatants in a cyber world. Distinction between a lawful and unlawful combatant can be difficult enough in a face-to-face environment; imagine trying to figure it out in a virtual world just based on programming code or behavior. Are you dealing with a civilian hacker utilizing a coffee shop internet protocol address or a military hacker trying to utilize a civilian network? In a world where our networks are so intertwined, how does one distinguish between military networks and civilian networks in a retaliatory attack? Ideally, of course, a targeted attack would just take military resources offline while leaving hospitals and education facilities stable, but since any computer in the proper hands can be used to retaliate, any computer network can therefore be seen as a weapon by an attacking enemy. In the realm of cyber warfare, the distinction between lawful combatant and unlawful combatant and the distinction between a military network and a civilian network may become a luxury.

Cyber warfare can also cloud the principles behind proportionality in a military response. Here, again, Sony can be used as an example. An entity, rumored to be backed by North Korea, hacked a company doing business in America, potentially costing it billions of dollars (and a loss of prestige). If the United States government has a right to retaliate on Sony’s behalf, what could it potentially do to North Korea to have any proportional impact? Sony likely has a greater gross domestic product than North Korea and North Korean civilians are unlikely to have any access to the Internet. But what if China was behind the attack, rather than North Korea, and to retaliate, the United States utilized the same distributed denial of service attacks on China that were rumored to have been used on North Korea? Suddenly the costs are astronomical to China’s economy, dwarfing Sony’s losses, and Chinese hackers launch their own retaliatory attacks. Imagine widespread distributed denial of service attacks in America, where we rely on the Internet for everything from banking to medical records, or what would happen if our power grids were hacked.

One thing that is indisputable is that virtual actions can have tangible, physical results. From the hack on Target last Christmas to the hack on Sony more recently, American companies and citizens are vulnerable. The United States government has been vague on admitting when a cyber attack constitutes an act of war — if it is true that the distributed denial of service attacks were retaliation for the Sony hack, why are we not pressing our Russian and Ukrainian allies more strenuously regarding the Rescator-backed hack on Target last Christmas?

The “International Strategy for Cyberspace” report, commissioned by the White House and released in 2011, will only go so far as to say that, “Consistent with the United Nations Charter, states have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace,” but then does not define what those “certain aggressive acts” might be. It’s interesting, in theory, to ponder what self-defense measures could be triggered by a cyber attack, but it might not be theory within the next 10 years; not when technologies are growing exponentially year by year. A retaliatory distributed denial of service attack this year might become a complete shutdown of a power grid within five years.

Conflicts conducted in an entirely virtual realm — albeit with physical results — are a new arena in policy, giving the United States the potential to lead in establishing new doctrines and treaties, but in the meantime, leaving us in a world of nebulous unknowns, a sort of virtual Wild West that is open to exploitation and bad actors. Some of those bad actors will want to exploit our adherence to the rules and principles governing conflict in a physical realm, especially as we try to navigate what is essentially a new world and extrapolate laws and treaties to apply. The principles of jus ad bellum and the laws of armed conflict, then, must necessarily be as fluid and dynamic as the military conflicts and technologies they govern. We shouldn’t get rid of them, but we should be prepared to adapt them for the cyber realm and the conflicts we will face there.