Opinion: No one knows how to define cyberwar – and that's a problem

Despite digital weapons becoming critical tools in every modern military, there's still no consensus when it comes to defining what amounts to an act of cyberwar. 

Secretary of Defense Ash Carter at an April congressional hearing on the Islamic State.

Jonathan Ernst/Reuters

May 20, 2016

Even with hundreds of meetings, speeches, and conferences on the subject, there's still no clear definition of cyberwar. Increasingly, that ambiguity is leading to confusion about how to respond to digital assaults on governments, companies, and individuals.

That's why a bill from Sen. Mike Rounds (R) of South Dakota that seeks is so important. While this debate may seem like an esoteric discussion among policy wonks, it has very concrete real-world implications. Without it, the US will continue to fly by the seat of its pants in responding to a growing number of high profile breaches and other cybersecurity incidents.

As Senator Rounds insinuates, the current vagueness around acts of cyberwar is not sustainable.

Aside from the military implications, these definitions are important for deterrence, collaboration between the government and the private sector, and understanding trends in cyberspace. As is often the case, technology has outpaced our ability to formulate policies, theories, and strategies.

After President Obama issued late last year, Sen. John McCain (R) of Arizona to meaningfully deter cyberattacks. A clear and concise definition of an act of cyberwar is a first step at moving toward greater clarity of operations – and their impact – in the digital domain.

The first and most obvious implication of legally defining acts of cyberwar is to explicitly state what behaviors cross the line. Knowing which activities will and will not incur the use of force is directly tied to deterrence.

For instance, after North Korea attacked Sony Pictures, President Obama said that the US response . But he stopped well short of calling it an act of war and failed to clearly define actions that would reach the threshold of digital warfare. That ambiguity was a missed opportunity to deter future actions such as the Sony attack, and may have communicated to adversaries that data destruction and theft don’t cross the red lines.

While the Justice Department has gone after foreign hackers based in China and Iran after several high profile attacks, Justice Department indictments in those cases won't deter cybercriminals from attacking US systems.

As malicious behavior advances toward acts of war, it is likely that retaliation will become more aggressive and severe. But there is no requirement that a cyberattack should be countered with a cyber-response; an act of cyberwar can unleash the whole arsenal of hard and soft power. Unless adversaries know when the US will use military force, and when costs of an attack outweigh the benefits, there is little hope in achieving any real level of deterrence.

These challenges also have strong domestic implications. The private sector generally defends itself from cyberattacks, with the government stepping in afterwards to investigate criminal activity. At what point, however, would the government intervene and respond with the use of force?

Clarifying the is equally useful for the private and public sectors. It could lead to additional information sharing and partnerships that have been overshadowed by the differences between the groups as opposed to the many, mutually beneficial forms of collaboration.

Fortunately, the President has a foundation on which to pull when defining acts of cyberwar. NATO's , a guide for how international law applies to cyberconflict, notes that civilian objects cannot be targeted unless there are military objectives and defines an attack as a "cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects."

The Department of Defense's 2015 any cyberoperation would be regarded as a use of force if it produces effects similar to those of physical operations that are deemed a use of force. In this case, opening a dam or disabling air traffic control would be considered use of force, while theft of data is not.

In each of these cases, the emphasis is on the effect of the cyberoperation. But most measurements of cyberattacks, to date, largely focus on the tactics or tools, not the outcome. And many measurements even conflate the two.

For instance, , a popular source in both the private and public sector for assessing the major attack trends in cyberspace, lumps together attackers’ objectives and intrusion techniques, confounding the ability to assess critical trends in cybersecurity.

But at what point does this onslaught of malicious activity constitute war? It's a conversation that's long overdue. Cyberspace will remain the Wild West without coherent definitions.

Andrea Little Limbago is principal social scientist at the cybersecurity firm .
