War on “cyber terror”: The next battlefield

The Pentagon is drafting a formal strategy that will categorize certain cyber attacks as acts of war, allowing the U.S. to use military force in retaliation for such attacks, according to a Wall Street Journal article. Security experts, however, argue that clear origins of a cyber attack are next to impossible to find.

The WSJ article quoted an unnamed military official saying, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

Cyber attacks vary in nature, ranging from phishing and hacking attempts to the use of malicious software. But most of these attacks fall under the category of cyber crime or cyber espionage. So what sort of cyber attack would constitute an act of war?

“An act of cyber war could be considered one where an actor perpetrates a cyber attack against critical infrastructure systems or national assets in such a way that the effect of the attack causes physical harm, damage, or violence,” said Joseph Giordano, director of the cyber security program at Utica College, in an email. “Severe effects against the economy can also be considered an act of cyber war.”

Severe harm caused by an attack on the nation’s critical infrastructures like the electric power grid, the chemical sector, oil and gas, water supply and transportation, could trigger a military response, according to Giordano.

Under this strategy, the U.S. could use military force to retaliate against a foreign nation it believes has perpetrated a cyber war against it. This might seem like a disproportionate use of force, but Catherine Lotrionte, adjunct professor of law at the Institute of International Law and Politics, Georgetown University, says it is justified under international law.

“The right of self defense and use of force are not limited by what kind of weapon is used and it is not limited necessarily to kinetic vs. cyber,” said Lotrionte in a phone interview. “What it is often constrained by is the effects of the actual initiation of the use of force.”

This is known as equivalence in international law. If a cyber attack causes a similar amount of damage and loss of life as a physical attack would, then the right of self defense could be invoked and a military response undertaken, according to Lotrionte.

But one of the biggest challenges in justifying a military action against cyber attacks is the problem of “attribution.”

In such cases it is almost impossible to accurately determine where the attack originated from and who was behind it.

“In the realm of the Internet (cyber realm), you will fail miserably if you think that you can pinpoint an opponent via an IP address or even collection of addresses, a signature, a comment in an application and so forth,” wrote J. Oquendo, a security expert, in his blog.

Oquendo argues that an attacker can easily hide in cyber space.

“With millions of vulnerable machines worldwide, an attacker can launch an attack from anywhere with almost no attribution. This makes any analysis pretty much useless for the most part, wasted resources,” he wrote.

Giordano agrees: “Smart and sophisticated hackers know how to easily obscure the origin of their attack, even making it appear as if the attack is coming from a totally different point of origin.”

However, Catherine argues that, because of the difficulty with attribution, states should be able “to work under less than perfect certainty” on where the attack originated from and who is responsible.

“You might not know the original point, but you might know one of the intermediary points. So there is a state and you could track it back to this server which compromised our systems in a foreign nation, then you at least go to that point and hold that state responsible,” said Lotrionte.

Furthermore, she argues that even if the attacker is a non-state actor, the state is responsible for controlling its sovereign territories and could be held accountable.

“The norm of state responsibility will become very important in cyber,” she added.

But if sophisticated attackers can easily disguise traffic and make an attack look like it’s coming from multiple countries, how many unknowing countries will be held accountable for an act that could be perpetrated by non-state actors? And would this strategy lead to unjust wars and wasted resources? Possibly.
