How Should The US Respond To Cyber Attacks?

Photo by Staff Sgt. Tracy Smith

The principles of jus ad bellum, the "right to war," and the laws of armed conflict have evolved through centuries of development and survived military innovations like aircraft and tanks. But given cyber warfare’s inherently asymmetric nature and the difficulties in correctly and quickly attributing attacks, do the traditional laws of armed conflict still hold true? Or are we already living in an era where we hold one set of standards for countries that adhere to international law and a different set of standards for those countries that either encourage their citizens to participate in cyber attacks or ignore them when they do? Should we hold ISIS to the same set of standards for Monday’s hacking of U.S. CENTCOM’s social media pages as a state-sponsored group that hacks Sony?

The use of cyber militias is nothing new. Russia and China have deliberately and tacitly encouraged the technique for the last decade in order to throw off attribution and save money (patriotic hackers who will work for free in their spare time are much cheaper than a military). The continuing questions over who really was behind the Sony hack will only further this behavior in that they encourage nation-states to utilize non-state actors to do their dirty work, knowing they can then be shielded by layers of doubt over identity. It’s hard to retaliate if there’s no return address on the malware or virus dumped onto your computer systems.

Countries like Russia and China utilizing civilian hackers to do their dirty work trigger a dilemma in distinguishing between combatants and non-combatants in a cyber world. Distinction between a lawful and unlawful combatant can be difficult enough in a face-to-face environment; imagine trying to figure it out in a virtual world just based on programming code or behavior. Are you dealing with a civilian hacker utilizing a coffee shop internet protocol address or a military hacker trying to utilize a civilian network? In a world where our networks are so intertwined, how does one distinguish between military networks and civilian networks in a retaliatory attack? Ideally, of course, a targeted attack would just take military resources offline while leaving hospitals and education facilities stable, but since any computer in the proper hands can be used to retaliate, any computer network can therefore be seen as a weapon by an attacking enemy. In the realm of cyber warfare, the distinction between lawful combatant and unlawful combatant and the distinction between a military network and a civilian network may become a luxury.

Cyber warfare can also cloud the principles behind proportionality in a military response. Here, again, Sony can be used as an example. An entity, rumored to be backed by North Korea, hacked a company doing business in America, potentially costing it billions of dollars (and a loss of prestige). If the United States government has a right to retaliate on Sony’s behalf, what could it potentially do to North Korea to have any proportional impact? Sony likely has a greater gross domestic product than North Korea and North Korean civilians are unlikely to have any access to the Internet. But what if China was behind the attack, rather than North Korea, and to retaliate, the United States utilized the same distributed denial of service attacks on China that were rumored to have been used on North Korea? Suddenly the costs are astronomical to China’s economy, dwarfing Sony’s losses, and Chinese hackers launch their own retaliatory attacks. Imagine widespread distributed denial of service attacks in America, where we rely on the Internet for everything from banking to medical records, or what would happen if our power grids were hacked.

One thing that is indisputable is that virtual actions can have tangible, physical results. From the hack on Target last Christmas to the hack on Sony more recently, American companies and citizens are vulnerable. The United States government has been vague on admitting when a cyber attack constitutes an act of war — if it is true that the distributed denial of service attacks were retaliation for the Sony hack, why are we not pressing our Russian and Ukrainian allies more strenuously regarding the Rescator-backed hack on Target last Christmas?

The “International Strategy for Cyberspace” report, commissioned by the White House and released in 2011, will only go so far as to say that, “Consistent with the United Nations Charter, states have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace,” but then does not define what those “certain aggressive acts” might be. It’s interesting, in theory, to ponder what self-defense measures could be triggered by a cyber attack, but it might not be theory within the next 10 years; not when technologies are growing exponentially year by year. A retaliatory distributed denial of service attack this year might become a complete shutdown of a power grid within five years.

Conflicts conducted in an entirely virtual realm — albeit with physical results — are a new arena in policy, giving the United States the potential to lead in establishing new doctrines and treaties, but in the meantime, leaving us in a world of nebulous unknowns, a sort of virtual Wild West that is open to exploitation and bad actors. Some of those bad actors will want to exploit our adherence to the rules and principles governing conflict in a physical realm, especially as we try to navigate what is essentially a new world and extrapolate laws and treaties to apply. The principles of jus ad bellum and the laws of armed conflict, then, must necessarily be as fluid and dynamic as the military conflicts and technologies they govern. We shouldn’t get rid of them, but we should be prepared to adapt them for the cyber realm and the conflicts we will face there.
