Opinion debate: When is a cyberattack an act of war?

Started by CountDeMoney, October 28, 2012, 07:14:36 PM

Previous topic - Next topic

CountDeMoney

Discuss.

QuoteWhen is a cyberattack an act of war?
By Ellen Nakashima, Published: October 26

On the night of Oct. 11, Defense Secretary Leon Panetta stood inside the Intrepid Sea, Air and Space Museum, housed in a former aircraft carrier moored at a New York City pier, and let an audience of business executives in on one of the most important conversations inside the U.S. government.

He warned of a "cyber Pearl Harbor," evoking one of the most tragic moments in American history, when Japanese bombers unleashed a devastating surprise attack on a U.S. naval base in Hawaii on Dec. 7, 1941, killing 2,402 Americans and wounding 1,282 more. President Franklin D. Roosevelt called it "a date which will live in infamy" as he asked Congress for a declaration of war.

Sixty years later, another surprise attack killed almost 3,000 people when al-Qaeda terrorists flew two jetliners into New York's twin towers. Panetta cited the Sept. 11, 2001, strikes, too, warning that the United States is in a "pre-9/11 moment," with critical computer systems vulnerable to assault.

We all know what an act of war looks like on land or sea, and by evoking two of the most searing attacks in our modern history, Panetta was trying to raise a sense of urgency about the threat in a new domain made of bits and bytes zinging between servers around the world.

But what does an act of war look like in cyberspace?

And perhaps more important, what does the U.S. government do when cyberattacks fall short of that — assuming it can identify the perpetrators in the first place?

What about something like Shamoon, the nickname for a virus that wiped data from 30,000 computers at Saudi Arabia's state-owned oil company in August, affecting business operations for two weeks? Panetta called that assault, along with a similar strike on Qatar's RasGas, "probably the most destructive attack" on the private sector to date. Another U.S. official declared it a "watershed" moment, beyond the troubling but all-too-familiar thefts of data and disruption of Web sites.

Unlike the Japanese planes at Pearl Harbor, the virus had no telltale markings that gave away its origins. The U.S. intelligence community has privately concluded that the invader was sent by Iran, though some security experts outside the government say they have reason to believe that Iran was not the perpetrator.

If Tehran is responsible, what was its motive? In the view of intelligence officials, it was striking back for sanctions; for the Saudi kingdom's implicit support for an oil embargo; and for the damage done to Iran's nuclear program by Stuxnet, the nickname for a cyber-sabotage campaign by the United States and Israel to slow the country's pursuit of a nuclear weapon by damaging almost 1,000 uranium-enrichment centrifuges.

The Shamoon attack on Saudi Aramco did not cause enough physical damage to rise to what international law experts call an armed attack. But what if something like it happened to several energy companies in the United States and it could be traced conclusively to a foreign government or a terrorist group? How much damage, pain and fear would need to result before national security officials would say, "We can't let this go unanswered"?


If government officials have reached a consensus on those questions, they're keeping it to themselves.

Welcome to the new world of "drip, drip cyber attacks," in the words of Tufts University law professor Michael J. Glennon. The nature of cyberspace, he says, creates the potential for "a mysterious airliner accident here, a strange power blackout there, incidents extending over months or years," generally "with no traceable sponsorship."

Japan's attack on Pearl Harbor was a direct assault on a U.S. military installation. But much of the nation's critical computer networks belong to the private sector. The companies that provide transportation, water, telecommunications and energy could become targets for adversaries bent on destruction. That simple fact has led to a complicated set of questions for policymakers responsible for the nation's security.

Should the U.S. government step in to prevent a destructive cyberattack, if it can see one coming, aimed at the private sector? If not, and such an assault is successful, when should Washington retaliate and how, assuming the attack can be conclusively traced to another nation or to a terrorist group? When should the government make preemptive use of cyberweapons to alter a state's agenda or behavior?

If a major cyberattack happened — a computer virus knocking out air traffic control, for instance, and sending planes crashing to the ground — the president and the National Security Council would focus first on what type of response would be proportionate, justified, necessary and in the U.S. interest. It might be a military response. It might be a cyber-response. It might be naming and shaming the attacker before the United Nations. It might be imposing sanctions. It might be no response at all.

Deciding what amounts to an act of war is more a political judgment than a military or legal one. International law avoids the phrase in favor of "armed attack" and "use of force." Retired Gen. James Cartwright, former vice chairman of the Joint Chiefs of Staff, has often said that an act of war "is in the eye of the beholder."

As Cartwright has pointed out, the United States didn't go to war with North Korea after it sank a South Korean warship in 2010, nor with Iran after the U.S. Embassy in Tehran was seized in 1979. Would we want to start a war over a virus that causes a power blackout? And if not, what other actions might the government contemplate?

The government has defined an armed attack in cyberspace as one that results in death, injury or significant destruction, as Harold Koh, the State Department's chief legal adviser, recently put it. Here's the rule of thumb, as Koh stated it: "If the physical consequences of a cyberattack work the kind of physical damage that dropping a bomb or firing a missile would, that cyberattack should equally be considered a use of force." If an attack reaches those levels, then a nation has a right to act in self-defense.

The more difficult cases will look something like what happened to Saudi Aramco. Matthew Waxman, a Columbia University law professor who studies the strategic dimensions of cyberattacks, said economic damage alone traditionally does not give rise to a right of self-defense. While "the erasure of data . . . is expensive to replace," he said, "I would not call that an armed attack."

A more complicated scenario: a cyber-assault on Wall Street computers that sends the markets into a tailspin and causes ripple effects throughout the economy. Industry experts say such an attack would be difficult to pull off — it's one of those low-probability, high-consequence events government officials fear.

"I can see that rising to the level" of an armed attack in some people's minds, Waxman said, but others would say it falls short of physical damage or loss of life.

Senior policymakers have been wrestling with these very issues. And the Saudi Aramco attack has heightened the sense of urgency, making the threat all the more concrete. "This was a deliberately disruptive event, done on purpose, not by some rogue hacker. Not some out-of-control operative," said one U.S. intelligence official.

Panetta, in his speech, said, "If a crippling cyberattack were launched against our nation, the American people must be protected." But what is "crippling"? What exactly would the military do to ensure such protection? That discussion remains very much behind closed doors, where the government has been working on rules of engagement that would guide its response.

A senior defense official, in an interview, said officials have done a lot of work on how the government would respond to certain attacks. "We feel we're very prepared to answer that question if it should come up in the case of the United States," he said.

But he would not get into specifics, for instance, as to whether destruction of data that caused a drop in the stock market or a huge increase in gas prices would trigger a military or any other response.

"Those are always classified things," he said. "It's not helpful to the United States to give a road map to the enemy to know when something is an attack on the nation and when it is not."

His point: Why tell other nations what the United States is willing to tolerate before it will respond forcefully?

The severity and duration of effects — the amount of pain caused — is only one element that drives decisions about how to respond. Perhaps the more difficult factor is figuring out who is behind an attack — and why.

U.S. officials believe that factions of Iran's Revolutionary Guard Corps were behind the attacks on Saudi Aramco and RasGas and that the Iranians were sending a message to the West and its supporters: You unleashed the Stuxnet virus on our nuclear program, and we're firing back.

"They don't see it as an escalation," the U.S. intelligence source said. "They see it as a response to what was done to them: 'Hey, you did it to us, and we're going to come back at you.' "

U.S. officials have not blamed Iran — or any other nation or group — publicly for the Aramco and RasGas attacks. An earlier version of Panetta's speech blamed the attacks on a "state actor,'' according to one source, but that language was cut.

There is another school of thought, coming from outside the government, that the attack was carried out by a group of employees, some of whom may no longer work there, and non-employees with a grudge against the company and the Saudi government. None has any apparent link to Iran, these sources assert.

No one, however, is making their case publicly or offering evidence to prove their conclusions. That, too, is the nature of drip, drip warfare.

The United States and the world may be moving toward a greater strategic use of cyberweapons to persuade adversaries to change their behavior. This can be good, if it averts war. On the other hand, it could cause other nations to feel vulnerable. Some experts foresee a kind of cyber arms race as nations try to catch up.

Cyber-sabotage, by nature, doesn't seem as cataclysmic as the Pearl Harbor or Sept. 11 attacks. But that may change. As Panetta warned in his New York speech, "These attacks mark a significant escalation of the cyberthreat, and they have renewed concerns about still-more-destructive scenarios that could unfold."

Scipio

Pfft.  Call me when they start cutting undersea cables.
What I speak out of my mouth is the truth.  It burns like fire.
-Jose Canseco

There you go, giving a fuck when it ain't your turn to give a fuck.
-Every cop, The Wire

"It is always good to be known for one's Krapp."
-John Hurt

Eddie Teach

Stuxnet would qualify IMO. Totally justified though.
To sleep, perchance to dream. But in that sleep of death, what dreams may come?

CountDeMoney

I can envision Shamoon, if indeed launched by the Iranians, as having a two-fold purpose:  not only a punitive response to oil politics by those vile Sunnis, but also as a pilot launch to see how it would fare against US systems.  If they could get it to them.

Neil

Always.  And when the forces of evil cyberattack, the US should retaliate with atomics.
I do not hate you, nor do I love you, but you are made out of atoms which I can use for something else.

Maximus


Ed Anger

Stay Alive...Let the Man Drive

Neil

Quote from: Maximus on October 28, 2012, 08:26:34 PM
How about when the US cyberattacks?
Act of war, and the US should follow up the cyberattack with a nuclear attack.
I do not hate you, nor do I love you, but you are made out of atoms which I can use for something else.

CountDeMoney


Neil

US cyberattacks are the equivalent of flying planes into towers, but both are legitimate forms of warfare.
I do not hate you, nor do I love you, but you are made out of atoms which I can use for something else.

Sheilbh

I think there's two parts, does the victim want it to be an act of war and can they reasonably convince others (whether your public, allies, sponsors, the international community or whoever else) whose support is necessary. If both of those are true it's an act of war.
Let's bomb Russia!

mongers

Never ?


Oh and Wall Street will eventually 'cyber attack' itself.   :cool:
"We have it in our power to begin the world over again"

Razgovory

Personally I think hackers and script kiddies should be tried by military tribunals.
I've given it serious thought. I must scorn the ways of my family, and seek a Japanese woman to yield me my progeny. He shall live in the lands of the east, and be well tutored in his sacred trust to weave the best traditions of Japan and the Sacred South together, until such time as he (or, indeed his house, which will periodically require infusion of both Southern and Japanese bloodlines of note) can deliver to the South it's independence, either in this world or in space.  -Lettow April of 2011

Raz is right. -MadImmortalMan March of 2017

jimmy olsen

When they cause something like a serious blackout or people actually die. That's when everyone will get up in arms.
It is far better for the truth to tear my flesh to pieces, then for my soul to wander through darkness in eternal damnation.

Jet: So what kind of woman is she? What's Julia like?
Faye: Ordinary. The kind of beautiful, dangerous ordinary that you just can't leave alone.
Jet: I see.
Faye: Like an angel from the underworld. Or a devil from Paradise.
--------------------------------------------
1 Karma Chameleon point

chipwich

Quote from: CountDeMoney on October 28, 2012, 07:14:36 PM

He warned of a "cyber Pearl Harbor," evoking one of the most tragic moments in American history, when Japanese bombers unleashed a devastating surprise attack on a U.S. naval base in Hawaii on Dec. 7, 1941, killing 2,402 Americans and wounding 1,282 more. President Franklin D. Roosevelt called it "a date which will live in infamy" as he asked Congress for a declaration of war.


I want to punch the author for writing this.