Opinion: No one knows how to define cyberwar – and that's a problem
Even with hundreds of meetings, speeches, and conferences on the subject, there's still no clear definition of cyberwar.Increasingly, that ambiguity is leading to confusion about how to respond to digital assaults on governments, companies, and individuals.
That's why a bill from Sen. Mike Rounds (R) of South Dakota that seeks is so important.While this debate may seem like an esoteric discussion among policy wonks, it has very concrete real-world implications. Without it, the US will continue to fly by the seat of its pants in responding to a growing number of high profile breaches and other cybersecurity incidents.
As SenatorRounds insinuates, the current vagueness around acts ofcyberwar is not sustainable.
Aside from the military implications, these definitions are important for deterrence, collaboration between the government and theprivate sector, and understanding trends in cyberspace. As is often the case, technology has outpaced our ability to formulate policies, theories, and strategies.
After President Obama issued late last year, Sen. John McCain (R) of Arizona to meaningfully deter cyberattacks. A clear and concise definition of anact of cyberwar is a first step at moving toward greater clarity of operations – and their impact – in the digital domain.
The first and most obvious implication of legally defining acts of cyberwar is to explicitly state what behaviors cross the line. Knowing which activities will and will not incur the use of force is directly tied to deterrence.
For instance, after North Korea attacked Sony Pictures, President Obama said that the US response . But he stopped well short of calling it an act of warand failed to clearly define actions that would reach the thresholdof digital warfare. That ambiguity was a missed opportunity to deter future actions such as the Sony attack, and may have communicated to adversaries that data destruction and theft don’t cross the red lines.
While the Justice Department has gone after foreign hackers based in ChinaԻIranafter several high profile attacks, Justice Department indictments in those cases won't deter cybercriminals fromattacking US systems.
As malicious behavior advances toward acts of war, it is likely thatretaliation will become more aggressive and severe. But there is no requirement that a cyberattack should be countered with a cyber-response; an act of cyberwar can unleash the whole arsenal of hard and soft power. Unless adversaries know when theUS will use military force, and when costs of an attack outweigh the benefits, there is little hope in achieving any real level of deterrence.
These challenges also have strong domestic implications. The private sector generally defends itself from cyberattacks, with the government stepping in afterwards to investigate criminal activity. At what point, however, would the government intervene and respond with the use of force?
Clarifying theis equally useful for the private and public sectors. It could lead to additional information sharing and partnerships thathave been overshadowed by the differences between the groups as opposed to the many, mutually beneficial forms of collaboration.
Fortunately, the President has a foundation on which to pull when definingacts of cyberwar. NATO's , a guide for how international law applies to cyberconflict, notes that civilian objects cannot be targeted unless there are military objectives and defines an attack as a "cyber operation,whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects."
The Department of Defense's 2015any cyberoperation would be regarded as a use of force if it produces effects similar to those of physicaloperations that are deemed a use of force. In this case, opening a dam or disabling air traffic control would be considered use of force, while theft of data is not.
In each of these cases, the emphasis is on the effect of the cyberoperation. But most measurements of cyberattacks, to date, largely focus on the tactics or tools, not the outcome. And many measurements even conflate the two.
For instance,, a popular source in both the private and public sector for assessing the major attack trends incyberspace, lumps together attackers’ objectives and intrusion techniques, confounding the ability to assess critical trends in cybersecurity.
But at what point does this onslaught of malicious activity constitute war? It's a conversation that's long overdue.Cyberspace will remain the Wild West without coherent definitions.
Andrea Little Limbagois principal social scientist at the cybersecurity firm.
