Cyberwarfare: On Whose Authority?

So far, most covert cyber operations come from the White House in coordination with the Pentagon; most notably the Olympic Games program started under G.W. Bush and culminating with the infamous Stuxnet attack. Constitutionally, only Congress has the power to declare war. So, what constitutes an “act of war”?

According to Farwell and Rohozinski, we should look to the UN Charter. Article 2(4) prohibits the “threat or use of force against the territorial integrity or independence of any state,” and Article 51 states that nothing “in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations” (111). Based on this logic, an act of war would occur with the use of force.

Does software code qualify as “use of force”? Farwell and Rohozinski (111-116) suggest a few elements to consider: pre-emptive/coercive action; uniformed combatants as coders; a pattern of employing cyberweapons; intent of the cyberweapon (regardless of actual impact); an evolving technological arms race; unsettling the confidence of the adversary; and disrupting momentum for an adversary’s offense. McGraw contends that a cyberattack is anything with a “kinetic” effect—that is, anything with a physical, real-world impact (112). Rid would disagree, since cyberwarfare has never caused the loss of human life (11). Could cyberattacks constitute a “use of force”? Which authority should regulate outgoing cyber engagement: Congress, the White House, the Pentagon, or the CIA?

On the receiving end, who should run offense in the attack of a private company? Private industry owns and operates 90% of US civilian critical infrastructure (Farwell and Rohozinski 110), such as financial services, public transportation, and power grids. Should a cyberattack be dealt with in domestic criminal courts, or should a higher power determine the cutoff for civilian impact? — Molly