The Dark Art of Cyberwar
Are cyberattacks warfare? It’s a lot more complicated than you think.
Earlier this summer, the two U.S. presidential candidates -- by then accustomed to jousting their opponents -- took another kind of hit. The FBI and the Secret Service told the Obama and McCain campaigns that hackers had tapped into their networks, looking for clues about likely future policies. The attacks probably originated in China. Hackers from that country have also infiltrated the White House and the Pentagon in recent months, according to news reports. And during the Russia-Georgia conflict, Georgian government Web sites also fell victim to attackers thought to be operating privately from Russia.
Earlier this summer, the two U.S. presidential candidates — by then accustomed to jousting their opponents — took another kind of hit. The FBI and the Secret Service told the Obama and McCain campaigns that hackers had tapped into their networks, looking for clues about likely future policies. The attacks probably originated in China. Hackers from that country have also infiltrated the White House and the Pentagon in recent months, according to news reports. And during the Russia-Georgia conflict, Georgian government Web sites also fell victim to attackers thought to be operating privately from Russia.
But when does a cyberattack become a declaration of war, rather than just a nuisance? The question is not merely academic: In the case of the White House and the Pentagon, key U.S. national security secrets risked being lost. And had Georgia been a NATO member, then other members, bound by mutual defense obligations, might have had to respond to Russia — not just for its ground assault, but its cyberattacks as well.
Yet in a world increasingly circumscribed by international law, there is scant legal infrastructure to address this new breed of combat. Few countries have detailed legislation, and there is only one major international treaty, the Council of Europe’s 2001 Convention on Cybercrime, which has been ratified by just 23 countries.
This legal vacuum could lead to trouble, worries Duncan Hollis, an associate professor at Temple University’s Beasley School of Law. “If [a country] considers [cyber attacks] acts of war, they have a right under international law to respond with self-defense, and it doesnt just have to be via computer,” Hollis says. “[We] need to get together and at least try and figure out what the rules of the game are.”
Knowing its members could end up in hackers’ cross hairs, NATO has started to look more closely at the laws of cyberwarfare. The organization recently opened the Cooperative Cyber Defense Center in Tallinn, the capital of Estonia, and a key focus will be how to close the gaps in legal systems that cybercrime has revealed (though researchers will also study a range of other policy and strategic issues, such as how to handle ongoing attacks and Internet users right to privacy).
“The researchers hope some of their suggestions could help guide other entities that are working on cybercrime and cyberwarfare,” says Kenneth Geers, a U.S. representative at the Tallinn center. “Law enforcement in general in the U.S. are not sure exactly what they can or cannot do, [as] laws are changing on the fly,” he says.
NATO’s researchers say one have their toughest challenges will come in defining who the opponent even is. Conventional warfare poses two adversaries head-to-head, but cyberattackers are virtually anonymous — or at best, difficult to track. Internet traffic traverses continents in fractions of a second. What’s more, malicious code sent by a criminal could pass through many countries, and those countries could refuse to pass on any information they have to investigators. Hackers can thus use the looseness of the international system in their favor.
“If I were an American hacker, I would route my traffic through countries with which the U.S. has poor cooperation laws,” Geers says. “All of a sudden, you’re completely anonymous.”
Another tricky question facing NATO is when a virtual attack causes enough real-world damage to constitute an act of war. In the brave new world of cyberwarfare, instead of soldiers firing rockets from a battlefield, “well-fed technicians in air-conditioned rooms, operating in the safety of their home state, could commit an attack on a facility in another state that is of a scale and effect as to constitute an armed attack,” warns Davis Brown, a former deputy staff judge advocate at the U.S. Defense Information Systems Agency. Last year, a video leaked from the Idaho National Laboratory showed how that might happen. Scientists simulated a computer attack on a power station that caused it to smoke and eventually break down.
National criminal law, moreover, often proves outdated when it comes to cyberattacks. Take, for example, the April 2007 incident when Estonian authorities removed a Soviet-era war memorial from the center of Tallinn. Violent protests broke out among the sizable ethnic Russian minority, and a backlash in the virtual sphere followed. Cyberattacks brought down the Web sites of Estonian banks, ministries, and newspapers.
Yet cyberattackers could receive a maximum sentence of only a handful of years in prison, says Eneken Tikk, an Estonian legal expert at the cybercenter. “Although intruding into a network was prohibited, the punishment for that crime was so low that it was impossible to procedurally initiate covert operations to investigate it,” Tikk explains. On top of that, Russian authorities refused to cooperate with the investigation. Prosecutions since then have been limited: In January, an ethnic Russian in Estonia was fined for taking part in the attacks.
Experts suggest that a global treaty is unlikely to resolve all these issues — it would probably not be ratified by every country, nor would it include the requisite details on how agencies and lawyers should carry out investigations and prosecutions.
There are also calls for lawyers to discuss, in addition to cyberdefense, the types of cyberwarfare that militaries are permitted to engage in. If attacks are confined to the virtual realm, so the thinking goes, 21st-century wars could be a lot less bloody than those of the 20th century. Says Hollis, “We might have less collateral damage if we can decide when cyberwarfare is allowed.”
More from Foreign Policy
Chinese Hospitals Are Housing Another Deadly Outbreak
Authorities are covering up the spread of antibiotic-resistant pneumonia.
Henry Kissinger, Colossus on the World Stage
The late statesman was a master of realpolitik—whom some regarded as a war criminal.
The West’s False Choice in Ukraine
The crossroads is not between war and compromise, but between victory and defeat.
Washington wants to get tough on China, and the leaders of the House China Committee are in the driver’s seat.