Norms of cyberwar in peacetime

Editor’s Note: Cyberattacks and the appropriate response are new territories in national security. While most attacks do little damage and their perpetrators are often unclear, the potential risk is growing. Fergus Hanson unpacks the cyber threat and offers his thoughts on how to best respond. This post originally appeared on Lawfare.

Cyberattacks regularly make the headlines. There have been military cyberattacks, like those used by Russia during its invasion of Georgia, and political cyberespionage such as the NSA programs revealed by Edward Snowden. And there has been state-backed economic cyberespionage, which topped the agenda during Chinese President Xi Jinping’s visit to the United States in September.

Another form of attack frequently occurs, but sits outside these three categories: aggressive cyberattacks during peacetime. Consider some recent state practice: In 2012, it was revealed that the United States and likely Israel had been targeting Iran’s nuclear program with cyberattacks: the first time a cyberattack had turned hot, doing physical real-world damage. In retaliation, Iran launched a major cyberattack in August 2012 on Saudi Aramco, releasing a virus, dubbed “Shamoon,” which replicated itself across 30,000 Saudi Aramco computers and took almost two weeks to recover from.

North Korea has also been active in the cyber realm. In November 2014, it struck at Sony after the company proceeded with its movie, The Interview, a farce that portrayed the fictional assassination of the North Korean leader. The attackers used the threat of terrorism to persuade theater chains in the United States to pull out of screening the film. And in March 2015, South Korea formally accused the North of cyberattacks on its nuclear reactor operator that had occurred back in December 2014.

Other examples include China’s attacks on code-sharing site GitHub, targeting pages that monitor Chinese online censorship and a Chinese-language version of the New York Times, and the 2014 Iranian cyberattack on Las Vegas Sands casino in retribution for comments CEO and majority owner Sheldon Adelson made about Iran.

Complicating the picture, it is not always nation-states that perpetrate the cyberattacks. As U.S. Director of National Intelligence (DNI) James Clapper has observed, profit-motivated criminals and ideologically motivated hackers or extremists also conduct attacks, such as the attacks carried out by the hacking collective Anonymous or the Russian jihadist group accused of hacking U.K. phone company TalkTalk.

The targets all of these actors can choose are similarly varied. As several examples above illustrate, a state need not always target another state directly. States also direct attacks towards state-related facilities and corporations, private companies, and individuals.

Rhetoric suggests a growing acceptance that cyberattacks launched in peacetime will continue. In 2012, the United Kingdom’s then-Minister of State for the Armed Forces, Nick Harvey, made the case to the Shangri-La Dialogue that cyberattacks were “quite a civilised option.”

DNI Clapper has also acknowledged a permissive environment for these short-of-war attacks. In his statement to the Senate Armed Services Committee, he observed:

Numerous actors remain undeterred from conducting economic cyber espionage or perpetrating cyber attacks. The absence of universally accepted and enforceable norms of behavior in cyberspace has contributed to this situation. The motivation to conduct cyber attacks and cyber espionage will probably remain strong because of the relative ease of these operations and the gains they bring to the perpetrators. The result is a cyber environment in which multiple actors continue to test their adversaries’ technical capabilities, political resolve, and thresholds. The muted response by most victims to cyber attacks has created a permissive environment in which low-level attacks can be used as a coercive tool short of war, with relatively low risk of retaliation. Additionally, even when a cyber attack can be attributed to a specific actor, the forensic attribution often requires a significant amount of time to complete. Long delays between the cyber attack and determination of attribution likewise reinforce a permissive environment.

The frequent use of cyberattacks in peacetime suggests an alluring assumption: they offer states a means of expressing displeasure that is more forceful than a diplomatic statement but is short of lobbing a cruise missile into a foreign capital. 

Although tempting, this view is short-sighted. More than 100 countries now have military and intelligence cyberwarfare units, and most of this capability has only developed in the last few years. It is hard to imagine miscalculations won’t occur. For example, it is difficult to predict the outcome of an attack on a power plant that might cause indirect deaths or on industrial facilities, such as the attack on a German steel mill late last year. When an attack causes deaths, the public will demand a swift response and the situation could escalate. This could occur through a response perceived as disproportionate, prompting a counter-response. Or, if the attacking state is incorrectly identified and targeted, the aggrieved innocent state could retaliate.

Various factors increase this risk. These include rapidly improving capabilities and proliferation of capability. There is also uncertainty over whether the perpetrator was a state, a state-backed entity, criminal, or extremist group, increasing the chances that the wrong perpetrator could be targeted. The appropriate response is similarly unclear. A threshold question is whether these peacetime attacks constitute an armed attack under international law. Once the attacks hit a certain level, for example causing mass casualties, the answer seems almost certainly yes (as the Pentagon has argued), but for lower-scale attacks the answer is less clear-cut.

As some states look to push back on this emerging norm, there is also potential for escalation owing to the lack of clarity over what constitutes an appropriate response. U.S. Defense Secretary Ashton Carter told Congress in February that “we need to improve our abilities to respond. And those responses can be in cyberspace or in other ways, but certainly they should include the option to respond in cyberspace.”

Efforts to work through these challenges have not kept pace with state practice. Below are a few thoughts on how states might respond:

  • Leadership and venue: States need to work much more vigorously to tackle these issues. This requires greater leadership (especially from countries besides the United States) than we’ve seen to date. It also requires like-minded states to act in concert through a small and flexible forum. For some of these issues, a grouping like the G20 might be preferable to an all-states venue like the UN.
  • Distinguishing between attacks: It would be useful to start distinguishing different types of cyberattacks: military attacks during war, state-backed economic espionage, political espionage, and military-style attacks during peacetime. States are likely to decide that some categories of attack are more legitimate than others (for example, military attacks during war and political espionage would likely be tolerated over state-backed economic espionage and military-style attacks during peacetime).
  • Developing a position: For the latter two types of attack, with many states now able to develop these capabilities, a norm permitting their use is a recipe for chaos, increasing costs to companies and the possibility of escalation. Reversing the current trend will require an aggressive push in the opposite direction in favor of a prohibition on the use of such attacks. Like-minded states would need to act in concert when attacks occur and clearly articulate consequences for states that support them.

Early cyberattacks during peacetime were small-scale, protest-like events such as Distributed Denial of Service (DDoS) attacks on websites. Proliferation of capability has brought us into a new era where serious damage can be done, requiring thoughtful international norms to prevent miscalculation.