Keep Cyberwar Narrow
Some argue that illicit system access could, at the flip of a switch, cause destruction, which is what makes cyber warfare “different.” This oft-cited claim is groundless. Remote access tools (RAT), such as Gauss, could serve the same function as a laser guiding a weapon to the final target. But a targeting laser is only part of a weapons system. A missile’s warhead is the actual object in the weapon system creating destructive effects. Similarly, in the case of a cyberweapon, a separate package has to be developed to exploit vulnerabilities and cause physical effects resulting in death or destruction. Given the unique characteristics of an ICS, a cyberweapon could not create an effect without being tailor-made for a specific target’s digital and physical environment. In short, this requires ICS schematics, network maps, application developers, cryptographers and a virtual environment replicating the target to the sensor or weapons tests before deployment. Arguing otherwise is akin to making a claim that a SEAL commander would turn a reconnaissance mission on its first foray into Abbottabad into an all-out assault against the bin Laden compound, and expect a high likelihood of success. Both instances require diligent preparation prior to execution.
Threats to Peace and Acts of Aggression
Below the threshold of cyber attack are incidents and events that are aggressive but do not rise to the level of armed attack. The U.S. financial-service DDOS disruptions are an example of aggression. The theft of U.S. intellectual property by Chinese hackers is an example of cyber espionage. While such cases may have negative impacts on economic security, it is the right political circumstances that could cause national leadership to consider such an event casus belli, not the event itself. The acts of disrupting business services or stealing data are not an armed attack. Despite private-sector arguments to the contrary, industrial espionage is not cyberwarfare and would not require an armed response by the government. Instead, a crime has occurred that may have been prevented with better information security. Federal reform of laws such as the Computer Fraud and Abuse Act could allow private sector firms to protect themselves by actively responding to thefts of data—to include destroying what was stolen.
Discussions of cyber crime and cyber espionage must be clearly separated from discussions of cyber warfare. While we are certainly in a cyber Cold War, we are not in an international armed conflict in cyberspace. By continuing to employ terms interchangeably, the current discussion is drifting from issues of information security to issues of national security that warrant a military response. The paradigm required to address cyber crime and cyber espionage is not the same as that required to succeed in cyber warfare. Developing a clear distinction between various types of malicious cyber activity is critical as technologists and policy makers attempt to develop the means necessary to protect valuable information and critical infrastructure alike. The time for gross generalizations and sweeping assertions is at an end.
Cyber espionage, crime and war are very different and necessitate responses under different parts of the law. Consistency of definitions is essential. There cannot be a system of definitions for legal scholars and a conflicting system of definitions for the policy maker, technologist and layperson. It is on clear, common definitions and language that domestic policy and global norms of behavior will be built. Clarifying definitions will permit the establishment of policy tools, such as escalatory ladders.
Embargo and trade sanctions might be the correct approach in milder cases of gross intellectual-property theft, and serve as a warning of severe penalties to come should something escalate from cyberespionage to attack. In the early hours of malicious cyber events, the United States should diplomatically address criminal disputes. Claiming all malicious actions as cyberwarfare could result in threats of retaliation that, in a real cyberwar, could be discounted as a bluff. Vigorously grasping the situation we are in, rather than fearfully reacting and making desperate pronouncements, will prevent misperception by our adversaries and the public alike.
We should not be concerned with cyberwarfare, but with war. If there is ever a war between great and emerging great powers, we must assume that cyberweapons will be used—and apply the Law of Armed Conflict to their use until a more formal treaty or convention can be negotiated, signed and ratified.
Panayotis A. Yannakogeorgos is Research Professor of Cyber Policy and Global Affairs at the Air Force Research Institute. The views expressed here are solely those of the author and do not in any way represent the views of the Air Force Research Institute, the Air University or the United States Air Force.