Tuesday, July 12, 2016

When is a Cyber Attack an Act of War?

Politics aside, one lesson we can draw from the ongoing debate over Hillary Clinton’s private email server is this - in the years ahead, questions of US national security will increasingly be tied to digital assets.

Just as the concept of a bank has evolved from “a physical place where you keep your money” to a software services provider that conducts financial transactions, so too are countries becoming increasingly defined by code, rather than physical, tangible assets. The United States and other countries are reaching a point where they have a far greater presence in cyberspace than they do on land, sea and air. The sovereignty, integrity, and viability of countries will increasingly depend on cybersecurity issues.

For many, this raises a key question, which members of Congress are now starting to press US military leaders to answer: at what point does a cyber attack constitute an act of war? And how should we respond?

The problem with this question is that it’s impossible to answer. The bottom line is that we can’t define a digital act of war with neat red lines, the way we can define a missile strike as an act of war. There are too many variables to account for in cyber activity, which would ultimately affect how the US government and military would interpret a cyber attack.

To illustrate the problem, consider this: when does an attack on an electric utility cross the line? Is it when a state-sponsored group turns off the power in Denver for a week? What if they only turned it off for one minute? How many lights do you have to turn off in order for it to be considered an act of war?

This seems academic, or far-fetched, or perhaps simply hair-splitting, but this has come up before in real world situations. When the Iranians were DDoSing our financial infrastructure, we had to address whether to respond. How big of a DDoS constitutes an “attack”? Did the DDoS really have the kind of effect on our financial community that would require a response, or was it simply uncomfortably expensive for private companies to ameliorate? For the executives at those financial companies and the national security team addressing the issue, these questions were anything but academic.

Strategic Uncertainty

If Iran had assassinated Adelson by turning off his pacemaker, instead of hacking his casino, would we have responded as a nation? One valuable answer is “Perhaps”. Strategic uncertainty can provide cover for inaction and action both. But right now it is the result of a muddled national cyber strategy, with no clear answers forthcoming.

What does it mean if we can’t clearly define what an act of cyber war is in any technical way? This problem reverberates through the strategic thought space in other ways too.

What is “Critical Infrastructure”?

The generally accepted view on cyber war is that when hackers cause physical damage to a critical infrastructure facility, this crosses the threshold and could trigger a military response.

This is part of the Pentagon’s own understanding of cyber war - what it refers to as the “equivalency principle.” If a cyber attack is equivalent to a traditional military action, then it crosses the line. Or as one military official put it: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

But what exactly is “critical infrastructure?” We seem to view it as primarily hard assets tied to things like energy production and military readiness. But in reality critical infrastructure is far more than that - it’s everything that makes the economy run and the country function. Therefore, the banking system is also critical infrastructure; so too is the news media, US election system, Justice system, and of course the computer systems used to manage and run those systems.

We also need to think of the US Constitution and Bill of Rights as part of our country’s critical infrastructure. That might sound strange to some, but we’re now in an age when a foreign government can easily target US citizens and companies for saying things it doesn’t like. A case in point is North Korea’s 2014 hack of Sony Pictures and its threats to US theater chains over the film “The Interview,” which it opposed. Similarly, earlier that same year, Iranian hackers caused widespread damage to Las Vegas Sands Corp. because of its CEO’s criticism of the Iranian nuclear program.

Critical infrastructure is a far bigger category than it first appears. For this reason, we need to stop focusing on what was attacked and instead consider the effect of that attack.

Red Lines Won’t Work

Another problem in defining cyber war is the notion of “red lines.” This is a concept rooted in a past where air superiority was the dominant consideration and military planners literally drew red lines around objects on a map.

It is extremely difficult to draw a red line in cyberspace. Every government entity, military, company or organization has a broad and confusing presence in the digital world. For example, a hospital has its physical network hardware on site, as well as cloud-based storage in server vaults in other states or countries. The medical equipment it uses, which is increasingly connected to the web, also has back-end web servers and applications managed by outside companies in various other regions throughout the world. For US corporations, mapping cyber assets is even more complex, as you have vast networks and resources stretching over a wide range of countries and states. No US company is just a US company - even the smallest companies have supply chains, customers, and employees all over the world.

You can draw a red line around a hospital’s on-site network, but what if an attacker hits a third-party cloud solutions provider, which stores critical patient data within its systems, but of course, also processes military support information and financial trading information? All internet infrastructure is multi-use.

This feature of the cyber domain reiterates that we are making a mistake if we focus our attention on what access was gained to what systems, rather than on the effects of the attacks, which can vary widely even from the same networks.

What a Country Should Be Allowed to Hack

There’s real concern that a foreign intelligence service may have been able to breach the “homebrew” private email server that Hillary Clinton used when she was Secretary of State. Whether or not that did in fact happen, it is well within the bounds of “acceptable” nation-state activity.

Countries have the “right” to hack each other to fulfill traditional espionage goals. However, the key question in evaluating these attacks is how the data is handled. If data is stolen or communications monitored, all for the purposes of internal consumption by the other country, that is a permissible act. However, if the hackers try to manipulate or destroy data, or they dump it publicly to manipulate certain outcomes (like a Presidential election), that is when cyber espionage exceeds those established boundaries that we (as the US) would like to live by.

The Problem with Deterrence

The real mistake in cyber war planning is to focus on “deterrence”, a notional trap introduced by our fascination with nuclear parallels.

While much thought has gone into developing “deterrence” strategies for cyber, the real key to long-term national viability in the space is developing resilience strategies on top of the infrastructure we need to guide our daily lives. We have, for example, asked our power grid to do something impossible: be able to withstand any attack, and in the event of failure, be repairable within hours. Instead, solar power, generators and short-term household batteries need to be a key component of any cyber-defense strategy, much as hard drive backups are a key component at a tactical level against a Saudi Aramco-like attack.

We also have to invest in a country-wide cloud-computing infrastructure that can host key elements of our democracy too important to lose or have manipulated by a crafty adversary. Imagine a way for local governments to leverage the Federal Government’s information security expertise - or even just for every Federal Agency to have the same level of security as the most secured ones.

And no strategy works when we don’t know what we would even consider worth a response. The current cloudiness as to whether a US company being blackmailed by a nation-state is even worth a US response, or whether manipulation of our electoral system counts as an offensive action, indicates we are not yet ready to enumerate the norms our country wants to live under in the cyber domain - something that should worry all of us.

  1. Check out the Tallinn Manual, Dave. It'll answer a lot of the questions that you posed. And Tallinn 2.0 will be out by the end of this year.

    And I'm sure that you know that in international law, there is no such thing as an "act of war".

    1. I've read it! I may be the only person in the offensive community who has! It's not great. :)