When is cyberwar an act of war? Is NATO getting close to answers?May 3, 2016
Just over a month ago, an entry appeared raising some issues that to be quite blunt, remain somewhat perplexing. The entry was inspired by a chat with an Oxford University boffin at the Odessa Security Forum. Answers, it has to be said despite over a month of pondering, are still difficult to reach.
“Whether it be something approaching a temporary national convulsion as experienced by Estonia in 2007, with banks, the parliament, and broadcasters being downed, or the disruption of technical operations in conventional warfare experienced by Georgia in 2008, or the physical infrastructure damage such as that caused by the Stuxnet worm in 2011, or system wide computer malfunctions experienced by Sony in 2014, or the 2016 hack of the Ukrainian power grid, there would appear to be an empirical trend of escalation – or “pushing the envelope” to use the Tom Wolfe idiom. (It is perhaps a blessing that so old and ignored is Ukrainian infrastructure since independence that manual systems still exist to rectify matters swiftly.)
Directly or indirectly lives may have been lost through such acts, perhaps deliberately so on the battlefield, and perhaps as a consequence of downing power grid (or other) infrastructure.
The above incidents are employed to simply display a perception of escalation – there are numerous public domain incidents that could have been cited, and undoubtedly even more incidents remaining without the public domain that could have been used that may have already led to the loss of life.
All of which leads to the especially difficult question regarding what, exactly, will be the threshold for a cyber act that is deemed an act of war? Particularly so when such acts can be far more easily and deniably outsourced to non-State entities by the State?
Clearly those attacking any system have the advantage over those trying to defend it. There is no such thing as 100% security – on line or off line. Where there is a will there is a way with sufficient skill, determination, time, or money – or a combination thereof.
How do those on the receiving end recognise the difference between espionage (which all States engage in) and what is an attack (which perhaps not all States currently have the capability for) that will leave behind something nasty and that in the months ahead bring down critical defences and/or infrastructure?
Yet further, how easy would it be to misinterpret intent or miscalculate effects? How to judge the proportionate response – at least in a timely manner?
……..there is an empirical convergence of cyberspace and terrorism. There is an empirical convergence of cyberspace and organised crime – indeed with some States it is not always easy (if at all possible) to separate the State from organised crime, or organsised crime from the State. There is an empirical convergence of cyberspace and geopolitics. All of which leads to the empirical convergence of the space between war and peace – and ultimately what will be deemed and act of war – or not?
There will never be an international law that bans espionage – because every State engages in it. Domestic statute will predominantly deal with those caught engaging in espionage against the domestic interest, but will not ban the practice against others.”
These are all particularly difficult and thorny issues.
When does cyberwar become an act of war?
NATO Secretary-General Jens Stoltenberg recently told a key alliance planning summit that “cyber is now a central part of virtually all crisis and conflicts, NATO has made clear that cyber attacks can potentially trigger an Article 5 response.” Quite rightly too.
When sparing with Chairman of Russia’s Federation Council Committee on International Affairs Konstantin Kosachev over whether NATO would bomb a nation suspected of cyber attacks, the NATO Secretary General stated “We will do what’s necessary to do to protect all allies, but I’m not going to tell you exactly how I’m going to do that … that’s the main message.” The return of ambiguity in an very ambiguous theatre perhaps – or perhaps such a strategy and protocols remain work in progress, thus ambiguity masks developing strategy. Perhaps a little of both.
Having previously stated – “How do those on the receiving end recognise the difference between espionage (which all States engage in) and what is an attack (which perhaps not all States currently have the capability for) that will leave behind something nasty and that in the months ahead bring down critical defences and/or infrastructure?
Yet further, how easy would it be to misinterpret intent or miscalculate effects? How to judge the proportionate response – at least in a timely manner?”, the NATO Secretary General half-answered this issue raised with a statement that would infer, perhaps deliberately misleadingly (perhaps not) that policy is seemingly still under development when he said NATO should “sharpen our early warning and situational awareness … so we know when an attack is an attack.”
That statement does perhaps also infer that what constitutes an attack (that crosses certain thresholds) has at least been defined – as has what doesn’t constitute an attack (which doesn’t meet the parameters, whatever they are defined as).
Perhaps NATO is getting closer, or has indeed answered for itself, the issues raised by the blog last month. If so, bravo, for certainly the convergences mentioned above continue placing time constraints upon clever thinking.
Perhaps it will only be when policy triggers are pulled when as yet unknown red lines are crossed – and those red lines may not all be particularly obvious to those “pushing the envelope”. What then to do if those lines are crossed by deniable outsourced entities with no clear links to a State?
It’s a policy realm that’s enough to make your head hurt – but it is one faced by all the protagonists (for better or for worse)! It is also a theatre of war in which Ukraine can theoretically hold its own.