Can Courts Clear the Fog of War?
As online attacks blur the lines, the future may be perpetual conflict.
What constitutes an act of war? A military invasion, sure. Hostile acts by smaller armed formations, sure. The blowing up of a bridge by commandos or the poisoning of water, very likely. But a cyberattack? Zurich, one of the world’s leading insurers, claims that’s the case. The confectionary giant Mondelez, one of its customers, argues the opposite. This isn’t an abstract discussion: Two years ago, Mondelez was laid low by NotPetya, a computer virus unleashed by Russia against Ukrainian targets. Now the two companies are battling out the definition of war in court—and regardless of how the ruling turns out, a new fog of war is still settling over society.
NotPetya struck with devastating force in June 2017. First, the virus—subsequently traced to hackers working for Russian military intelligence—brought down virtually all of Ukraine’s government along with Ukrainian hospitals, power companies, airports, and banks. That was probably its real target. Then, however, the virus traveled on in a less predictable fashion. It crippled Maersk, the Danish shipping giant, and the global law firm DLA Piper. FedEx subsidiary TNT Express was hit, too, as were the U.S. pharmaceutical giant Merck and French construction company Saint-Gobain. Several of them lost hundreds of millions of dollars as a result of the attack.
After several months, the Five Eyes—a close-knit intelligence union comprising the United States, the United Kingdom, Canada, Australia, and New Zealand—concluded that the Russian government was ultimately behind the assault, and in March 2018 Britain’s attorney general, Jeremy Wright, said that “the U.K. considers it is clear that cyberoperations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defense, as recognized in Article 51 of the U.N. Charter.”
When Mondelez tried to claim its $100 million losses on its insurance policy with Zurich, the insurer—perhaps unsurprisingly, in light of statements such as those by Wright—refused, categorizing the attack as a “hostile or warlike action in time of peace or war” and as such excluded from insurance payouts. The two giants are now battling over the definition of warlike actions at a court in Illinois. DLA Piper and its insurer, Hiscox, are conducting a similar battle over whether a cyberattack such as NotPetya qualifies for insurance payouts.
Insurers do have weight behind their arguments. With countries increasingly staging cyberattacks against their adversaries—and key companies and organizations located in those countries—cyberattacks effectively form part of modern warfare. U.S. Cyber Command is thought to be battling some 30 hostile states in cyberspace. The Council on Foreign Relations’ Cyber Operations Tracker lists 22 countries (including the United States and the U.K.) as sponsoring cyberoperations. That, of course, doesn’t mean all cyberoperations are acts of war.
Indeed, Thomas Rid argues in his book Cyber War Will Not Take Place that because changing code doesn’t involve violence, cyberattacks can’t count as acts of war. Many cyberassaults, however, can be just as potent as physical sabotage, or even more so. Proxy groups linked to the Russian and Chinese governments—or their sponsors themselves—have infiltrated the U.S. power grid, the German government, and countless companies. In targeting civilians, the attacks break international law. They just don’t involve enough physical violence to qualify as traditional acts of war. Making matters even more complicated, unlike soldiers and military hardware, weapons of cyberattacks and malign influence are virtually impossible to quantify.
Activities between war and peace have long existed alongside warfare. Indeed, the separation of war and peace is a relatively recent concept, one that medieval and Renaissance Europeans would have been unfamiliar with. Contemporary officers have been taught to view many such acts of aggression as criminal damage related to a potential act of war. But in reality, anything less than a full-blown military attack is usually treated as a police matter. If, say, the landing points of the undersea cables that carry the world’s internet were to be sabotaged, the perpetrators—if found—would face the justice system, not the armed forces. But in recent years, the fog of war has been thickening, both on- and offline. “[T]here are no clear guidelines any longer on what constitutes war. Moreover, since ‘war’ is forbidden by the charter of the United Nations except in self-defense or if authorized by the Security Council, states hardly ever declare military actions to be ‘war’ any more — they are always self defense, police actions, interventions or the like,” Nikolas Gvosdev and Andrew Stigler pointed out in a New York Times op-ed in 2011.
That’s the dilemma. The outlawing of war in the U.N. Charter was a milestone, as Oona A. Hathaway and Scott J. Shapiro document in their book, The Internationalists: How a Radical Plan to Outlaw War Remade the World, but it has simply led to warfare being labeled something else or nothing at all. (Land conquests have, however, dramatically declined since World War II.)
The cyber-engineers who launched NotPetya did not declare war on the Ukrainian government, Ukrainian companies, Mondelez, DLA Piper, or anyone else—but neither did Russia in eastern Ukraine. Most armed conflicts since World War II have not included declarations of war. What’s more, today belligerents are often not even nation-states but proxies operating on their behalf. In 2013, a U.N. body decided that, referring to information and communication technologies (ICT), “State sovereignty and the international norms and principles that flow from it apply to States’ conduct of ICT-related activities and to their jurisdiction over ICT infrastructure within their territory; States must meet their international obligations regarding internationally wrongful acts attributable to them.” Even so, governments unashamedly keep sponsoring cyberattacks.
“There’s a feeling among many states that other states are carefully calibrating their cyber-aggressions so they fall below the threshold of war,” said Gary Brown, a former U.S. Air Force judge advocate who now teaches cyberlaw at the National Defense University in Washington. “That makes it challenging for the targeted country to respond. It’s neither war nor peace—it’s constant competition.”
Politicians and analysts refer to cyberattacks, malign influence campaigns, and other nonkinetic aggression as part of hybrid or “gray zone” warfare. But in legal terms, hybrid warfare means nothing. The court in the Mondelez v. Zurich case may provide some clarity, but that’s only the first step. Brown suggests an additional way forward, one that is reportedly being discussed by at least two countries: a treaty among a small number of nations defining the rules of cyberconflict. Other countries could then join the treaty, essentially a club of countries committed to a rules-based order in cyberspace.
The gray zone is taking over. It’s no longer just the bastard companion of organized warfare: It can, once again on its own, be the warfare. The German philosopher Immanuel Kant has influenced generations with his treatise Perpetual Peace. Instead, we’re living with perpetual quasi-war. The recognition matters to ordinary citizens, who deserve to be informed whether they are living under war, peace, or a warlike condition.
Because war cancels most insurance coverage, the recognition of a warlike condition also matters greatly to insurance companies and their customers, who need clarity about what will—or won’t—be covered. And it matters urgently to governments, which have to consider if, and how, to respond to cyberattacks and malign influence campaigns against them, their populations, and companies located in their countries. Should the Danish armed forces have responded when NotPetya struck Maersk, Denmark’s largest company, rendering it virtually unable to operate? Or would that have been inappropriate, as NotPetya claimed no Danish lives?
The additional complication is this: Even though some countries turn to aggression such as cyberattacks precisely because it’s so unlikely to be treated as an overt act of war, the perpetual quasi-war doesn’t mean the specter of physical war has gone away. On the contrary, without rules for nonkinetic aggression—that is, aggression that involves no collective violence by armed forces—countries can easily slide into traditional war. What would have happened if the Danish armed forces had struck their Russian counterparts in response to NotPetya? Behind the shadow of quasi-war hides the possibility of real war.