Cyberwarfare: On Whose Authority?

So far, most covert cyber operations come from the White House in coordination with the Pentagon; most notably the Olympic Games program started under G.W. Bush and culminating with the infamous Stuxnet attack. Constitutionally, only Congress has the power to declare war. So, what constitutes an “act of war”?

According to Farwell and Rohozinski, we should look to the UN Charter. Article 2(4) prohibits the “threat or use of force against the territorial integrity or independence of any state,” and Article 51 states that nothing “in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations” (111). Based on this logic, an act of war would occur with the use of force.

Does software code qualify as “use of force”? Farwell and Rohozinski (111-116) suggest a few elements to consider: pre-emptive/coercive action; uniformed combatants as coders; a pattern of employing cyberweapons; intent of the cyberweapon (regardless of actual impact); an evolving technological arms race; unsettling the confidence of the adversary; and disrupting momentum for an adversary’s offense. McGraw contends that a cyberattack is anything with a “kinetic” effect—that is, anything with a physical, real-world impact (112). Rid would disagree, since cyberwarfare has never caused the loss of human life (11). Could cyberattacks constitute a “use of force”? Which authority should regulate outgoing cyber engagement: Congress, the White House, the Pentagon, or the CIA?

On the receiving end, who should run offense in the attack of a private company? Private industry owns and operates 90% of US civilian critical infrastructure (Farwell and Rohozinski 110), such as financial services, public transportation, and power grids. Should a cyberattack be dealt with in domestic criminal courts, or should a higher power determine the cutoff for civilian impact? — Molly

26 thoughts on “Cyberwarfare: On Whose Authority?

  1. Molly poses an interesting question as to what entity should have the authority to engage in cyberwarfare, which is a pretty new and unprecedented question for the US government. What really complicates this matter, however, is that any single individual could perpetrate significant cyberattacks, especially with utilizing botnets to harness the computation of thousands or millions of separate computers. Hence, I think cyberwarfare should be regulated like media is regulated, more or less minimally. Just like each individual section of government could easily promote and protect against slander or verbal attacks, cyberattacks can be so personal that each branch and the private sector should have their own specialists dealing with the potential of cyberwarfare. It really is a concept that will never be regulated, but also does not require massive collaboration like actual use of force or warfare. These stipulations force it into a realm that is super personal to each operating body, and while, in truth, there should really be an entirely new body to deal with these issues, for the time being it can be dealt on an individual basis, so there is no need to delegate or delineate the issue.

  2. Under what conditions should a cyber-attack represent the use of force? The delineation is indeed an important one, given that UN Charter Article 2(4) forbids the ‘threat or use of force against the territorial integrity or independence of any state’ (Farwell and Rohozinski 111). The authors outline a few factors that might be taken into account: (1) inflicted damage, relative to a “kinetic attack”; strategic objective, including intent, which in the context of Olympic Games was “to irreparably damage critical infrastructure”; deployment of combatants; likelihood of kinetic reprisal, as well as the larger implications of the attack; pattern of use (Farwell and Rohozinski 111-113). The authors pose an interesting conundrum: “how deep is the distinction between [the case of unexploded ordinance] and a cyberworm that fails” (Farwell and Rohozinski 113)? This is a very weighty comparison; whereas a bomb presents a direct threat to human life, a cyberworm presents a prima facie indirect hazard to life. This question of lethality is in my mind the distinguishing factor of force; intent is simply not a reliable indicator of anything unless a crime is actually committed—in the case of the ordinance, the crime was the construction of a bomb (with intent to detonate), not the explosion of one.

  3. I think that cyber attacks alone may not always directly constitute a “use of force,” but may be a modern tool in the intensification of aggression. Gartzke is correct to point out that cyber war alone cannot achieve “conquest” or “coercion” (33). Instead, cyber attacks have the potential to escalate political tensions and military involvement (Farwell and Rohozinski 35). This automatically differentiates its political status from traditional war as it mainly disables and disturbs rather than launching direct offensives in physically harmful ways. I really like Gartzke’s explanation that, “It is best to discuss cyberwar in these contexts, not as an independent, or even alternative form of conflict, but as an extension of the logic already expressed in combined arms battle” (34).

    Responsibility for our offenses and prevention are naturally difficult powers to allocate. For practical purposes, I don’t think that cyber attacks should be classified as an act of war in a strict sense such that Congress has a monopoly of power over its use. Congress meetings are generally open to the public, if not televised, unless under special circumstances. In the event of “needing” to use cyber methods, this would eliminate the element of surprise that allows malware to go undetected even in a closed meeting, which may raise suspicion. For this reason, I recommend that it becomes a function of the Pentagon as an extension of its already existing defense work. This then poses the problem of creating a checks and balances system for action, for which I do not have a conclusive answer. I think that it is hard to make a black or white argument for free market or government protection against cyber attacks. On a small scale, companies have competitive incentives to use their own prevention methods. It would be extremely costly for the government to take responsibility for every industry, but large-scale attacks may necessitate intervention. I recommend that the same body responsible for our offenses (in this case the Pentagon) be responsible for our defenses and responses from an efficiency standpoint.

  4. I believe that McGraw’s requirement that a hostile cyber action needs a physical impact to be considered a cyber-attack to be too narrow a definition for a consideration of cyberwarfare, and appropriate government responses. Specifically, I consider attacks that focus on disruption of digital systems and capture or manipulation of information, which McGraw may classify as cyber-espionage or crime, to also be applications of force. Such attacks lack the physical aspect of the Israeli disruption of Syrian air defense in 2007, or the industrial damage of Stuxnet, but they still have the potential to dissuade or coerce enemies, in line with conventional views of war and force. Attacks may focus on eroding general support for a government, with a high-profile infiltration of government systems reducing the citizenry’s confidence in government, potentially averting future aggressive action. A conventional war correlate would be flyovers to demonstrate the inability of a government to secure its own airspace. Attacks such as these are strikingly evocative of violations of territorial integrity prohibited in the UN Charter. It seems that territory and sovereignty should be applied to certain aspects of the digital realm in a similar way to how concepts of privacy and property have been. Cyber attacks are not merely a new arm of conventional combined warfare, but offer alternatives of conflict.

    Based on the wide array that digital means could be used to exert force, I would argue that a body more adaptable than Congress should be responsible for response. Congress may play a part in developing broad guidelines for engagement and response, but the specifics and actual execution most logically fall to the executive branch and the military, with deep benches of experts and analysts. Further, digital attacks have the potential of being exceptionally rapid, while the legislative process is notoriously slow.

  5. I’d like to specifically address one question here: Could cyberattacks constitute a “use of force”? I think, definitely, it does. First of all, war does not necessarily mean that we must kill enemy soldiers. Oftentimes, we target infrastructure (as in , and sometimes, just scaring or destroying morale can also count as war (I think this is often the objective of terrorism–think Sherman’s March to the Sea). But even if we were to operate under the assumption that forces must cause loss of life, cyberwarfare easily has the capacity to do just that. We think a lot of times about potential economic losses, but what if a cyberattack targeted hospitals or pharmacies? Or what if someone discreetly attacked the computer systems of the TSA or CBP or ICE and we happened to let in a known terrorist because he could not be identified by technology? Such attacks are not out of realm of possibilities.

    But, you brought up uniformed combatants as coders, so it got me thinking. I think a more interesting question would be: Is cyberwarfare a just form of war? Or is it more like terrorism in that it’s an unfair battle? In order to answer this, I think we can take a look at Ex parte Quirin and its definition for an unlawful combatant. Part of the reason they (the German soldiers/saboteurs) could be tried by military tribunals was that they did not clearly identify themselves as enemy soldiers. So, just putting a uniform on a coder would not suffice to make coders true soldiers. In order for cyberwar and attackers to conform to a just form of war, they need to clearly identify themselves during the attack, i.e. in their code.

  6. I really liked Richard’s comment on whether cyberwarfare is a just form of war. Like he mentioned, I do agree that in order for it to be just, it must be made known who is conducting the attack. If this known, then there ought to be no hesitation in leaving it to our domestic justice system. However, given that cyberwarfare is often asymmetrical and identities are often masked (i.e. Anonymous), the United States has to tread carefully since we often use the same guises in our attacking of others (i.e. Stuxnet). Given that they occur on private “property”, or in the hands of private industry our government can simply extend the same privileges accorded to people today, should a crime occur, one can call the police and an investigation can be processed. In doing so, we can normalize cyberwarfare and adapt it into our standard lexicon and frameworks.

  7. I think Ben brought up a good point in his comment about how cyberwarfare is different from more conventional war between two countries in that it can be perpetrated by individuals fairly easily, which would make it both harder to regulate and harder to defend against. Unlike in conventional warfare, there is a much more fluid line between cyberwarfare and cyberterrorism, as Richard alluded to in his comment about using cyberwarfare to let terrorists into the country. In conventional war, it is easier to tell who you are fighting and so it is easier to make a distinction between war and terrorism. With cyberwarfare, especially as attackers often don’t identify themselves (as Richard and Paarth discussed), this is harder, making the issue more complicated and harder to defend against, as it can come from more sources. Even if a cyber attack is perpetrated by one country, it could still be coded and sent by one person, making it seem as if it could be a terrorist attack.

    The mysterious aspect of cyberwarfare makes me wary of attempts to defend against it by the government. Since the internet is such a big presence in our lives, governmental efforts to protect against cyberwarfare could easily go to far, violating privacy rights. With the internet, small amounts of regulation are often ineffective but too much regulation can be even worse. I think it would be hard for Congress or the Pentagon to be able to find the right balance in the case of cyberwarfare.

  8. I think that the key distinction for me is the difference between a cyber act of aggression and a cyber act of war. Because of our limited experience with cyber during a declared, classic war, we aren’t sure where to draw the line. I think this line is physical damage or loss of life as a direct result of a cyber attack. To this end, I respectfully disagree with Trevor and side with McGraw’s distinction between cyber crime/espionage and an act of war. The violation of territorial integrity is required for any attack to be considered an act of war and something that takes place in cyberspace alone seems to fall short of that threshold.

    I also wanted to address Richard’s incredibly compelling point about cyber attacks as acts of terrorism. The veil of the anonymity provided by the internet means that coders, whether uniformed in person or not, are in fact unmarked operatives. The solution of a code signature is valid, however that seems to run counterintuitive to most uses of cyber warfare. The US government may also have a problem with such a distinction, given their current free use of cyber intervention.

    All of the semantics aside, I think it is frightening how much grey space exists for the White House and the Pentagon to work within. Molly’s question of limits is both fair and incredibly necessary. Some sort of international, or even just national, supervisory committee should be established to evaluate and review the severity and type of an attack. The committee would keep Congress in the loop about the level of danger and any specific threats while also regulating the accepted cyber attacks carried out by the US.

  9. I think that Molly’s list of questions highlights an important theme found in Farwell and Rohozinski’s paper and directly relates to the complex future of cyber war. They are able to point out the immense ambiguity found in the use of cyber weapons and it’s subsequent implications on the future of strategy within the military and private spheres. First off, the lack of clear guidelines for defining an act of war is even more clouded by the use of cyber weapons. Even though Rid says that they have not caused a loss of life (11), the Olympic Games program shows that they can be used to disrupt a nation-states military capabilities. Disruption of a nation’s military, economy, or society can indeed be seen as an act of war, even if ‘kinetic’ force is not used, because it implies a clear strategic motive to alter a states global positioning. I do admit that this is vague, because many countries do not view sanctions as such, but regardless, the use of cyber weapons is much more targeted and has the ability to cause substantial harm to a variety of systems. This is further clouded by what McGraw calls the, “Three headed Cyber Cerberus” as cyber war, espionage, and crime are closely intertwined and hard to detect (110). McGraw points out that the use of cyber force is not necessarily difficult and can be deployed by many non-state factors. This gives nation-states the ability to distance themselves from attacks and lessens ‘responsibility’. How can a state justify retribution if the attack is categorized as “criminal” instead of state sanctioned force? Because it’s inevitable that a state will view the use of cyber weapons as a ‘use of force’, it is important for the international community to clarify guidelines and states to set up the proper command structures required so that acts perpetrated by non-state factors do not cause state on state warfare.
    Also, because of these ambiguities, which Farwell and Rohozinski point out nicely, McGraw stresses the strategic necessity to build up defensive systems rather than offensive ones since, “It is evident that whoever strikes first can expect retaliation, since it is exceptionally difficult to incapacitate another country’s offensive cyber capabilities permanently” (117). With the rise of technology, it is important for states to shift their strategy to a defensive one so that these attacks do not cause massive disruption to a states ability to protect itself.

  10. The above comments, especially yours, Richard, seem to suggest that new methods of attacking an adversary may require the definition of “use of force” to change. By definition, “use of force” is the “use of physical restraint – usually by a member of a law enforcement agency – to gain control of an unruly person or situation,” (Wikipedia). By definition a use of force never has to result in a person’s death or injury; it results in his or her restraint, which can be as violent as it needs to be. However, Richard, you are confident that cyberattacks can constitute uses of force because of the way they might affect human morale. But I think the word “physical” in the definition of a use of force is what separates it from other forms of attack, such as sabotage, which is what is described when discussing the kinetic effects of a cyberattack on infrastructure and the resources within them. I think major cyberattacks (such as those that can indirectly affect human health) already fall under the umbrella of acts of war because the UN Charter Article 2(4) does not just say the “use of force,” but before that it says the “threat” against a state’s independence. The definition of a use of force does not have to broaden if a cyberattack can be defined as a threat against a nation. What needs to seriously be considered by Congress if it were to ever think about declaring war following a cyberattack is the extent to which the cyberattack crippled the U.S. in comparison to uses of force or acts of violence in the past that have caused the U.S. to get involved. Unless a hacker is able to sink another Lusitania by disabling its controls or threaten and succeed in destroying life-saving medical equipment on a large-scale, the U.S. is better off finding ways to intervene that do not end in the declaration of war of some form.

  11. This is a really fascinating question, Molly. Clearly, sophisticated hackers who attempt to cripple crucial infrastructure such as water filtration, electricity grids, and the computers that run our cars and medical devices are engaging in acts of war, as any such successful attack would lead to widespread loss of life. A natural next question would be the appropriate response to hackers who target institutions which provide indirect (but massive) utility to the state, such as the financial markets, centers of manufacturing, or scientific research facilities. I argue that these two categories are on par with each other; both should be considered cyberterrorism. The goal of terrorism is to disrupt the flow of normal life and substantively weaken the power of the state, so clearly both categories fit the mold. What is less clear, however, is what to be done about “non-kinetic” attacks, as McGraw might describe them. Here, the correct classification is messy. Hacking the credit cards and medical records of every American would be serious enough to be considered cyberterrorism, for example; a Facebook outage would not. Fundamentally, it is important to consider the extent of the damage done when determining a response; disproportionate responses are costly, come with baggage, and should be saved as deterrents against truly catastrophic attacks.

  12. In light of the question you asked about who should regulate cyber engagement, I think it’s important to take note of some of the structural changes going on at the CIA:

    While this mentions solely cyber espionage, I wonder if this restructuring would mean that the CIA would become tasked with overseeing “covert” acts of cyberwarfare in the future. This makes me a bit worried that there will be some sort of repeat of what happened in the 1960s in Latin America and around the world, where the CIA ran amok plotting assassinations and coups, actions that certainly did not always adhere to international law. To avoid such a repetition of history, I agree with Farwell and Rohozinski here that transparency is key. States must engage with one another to set clear guidelines how cyber weapons may be used. In short, I don’t think the CIA should regulate cyber engagement. I believe another agency whose work is a bit more transparent such as DoD should be tasked with this.

  13. To take this conversation in another direction… Molly asked “On the receiving end, who should run offense in the attack of a private company?… Should a cyber attack be dealt with in domestic criminal courts, or should a higher power determine the cutoff for civilian impact?” It seems that as more and more people get access to the Internet we should see a proportional rise in the number of people that are potential hackers. If we follow this logic one could say that a rise in the number of hackers could potentially lead to a more cyber attacks on private companies. It would be interesting to see whether or not in the event that there are more attacks on private companies that we would see private companies hiring their own hackers as a form of cyber defense in an effort to curb the potential new threat. I don’t believe that there would be overt retaliatory attacks by private companies as a form of getting justice, but I could easily see these companies using hackers to build better defenses against other hackers. I also believe that it would be hard for domestic criminal courts to prosecute a cyber attack, seeing as it could originate anywhere in the world, and therefor companies may find it more effective to build better defenses rather than waiting for the government to curb hackers.

  14. It is without doubt that Molly has posed a great question for discussion according to the Farwell and Rohozinski reading. And to my surprise, there is a lot more to include in the debate of whether or not cyberattacks constitute a “use of force.”

    I am having a hard time taking one stance on whether or not cyberattacks are a “use of force.” On one hand, I feel as though I fall on the side of Rid, who argues it is not a use of force, as it has never taken a human life (11). The main reason I believe that it is not a “use of force” is because it is not on the same level as many other attacks or uses of force – such as military attacks (whether bombs, nuclear weaponry, bioterrorism, etc.). Even though its intentions may be similar to small attacks of war, because it is so below the level of devastation, I cannot completely name it a “use of force.”

    On the contrary, cyberattacks still fall under more than a few elements of consideration according to Farwell and Rohozinski, such as unsettling the confidence of the adversary and pre-emptive / coercive action (111-116). Therefore, I easily recognize why it is such a difficult debate. Furthermore, by returning to my previous reasoning that cyberattacks are so below the devastation of other forms of attacks, I now recognize that this may not be completely true.

    We discussed earlier in the year that it is not necessarily the initial impact of nuclear bombs that does the most damage: what follows by both wind and fire is usually the most disastrous. Furthermore, the damage this does to the area usually leaves it inhabitable for more than a short period of time. While cyberattacks may not leave physical damage to an area, it is easy to believe cyberattack terrorists are able to find ways to ruin a target economically and socially, and that is not to mention how a targeted country feels after reviewing what remains of their land.

    After this more thorough thought process, I can now understand why it is important to think of all possible threats by cyberattacks as well as in who’s hands lies the authority.

  15. The above responses, and the fascinating question Molly originally posed, deal with the definition of “use of force”. Indeed, Molly reminds us of the relevant elements that could constitute cyberweapons. “Use of force” seems to suppose that cyberweapons are obvious entities, but I am not sure that this is true. At the end of his NPR interview, Richard Clarke gets asked what average citizens can do to protect themselves, and prevent their computers or accounts from being “weaponized” by nefarious coders. He defeatedly responds, “Not much.” That is once one of the most interesting and most terrifying aspects of potential cyberwarfare: we don’t know what the weapons will look like until they are deployed. We see a machine gun, and we know it can harm people. Regardless of where people fall on the political spectrum of gun possession, we can generally agree that shooting a gun has possibly lethal effects. Not so for code, hardware discrepancies built into a computer, or large routers. Most people interact with these implements virtually and/or physically on a daily basis, but would not be able to recognize the subtleties that distinguish good from evil cyber technology. Indeed, “use of force” supposes that all we need is a definition of that term, that we know who is “using” the “force”. Understanding cyberwarfare, however, goes well beyond that contained definition of “offense”, whether propagated by a nation or a third party. Ordinary people can unknowingly be militarized on a massive scale, which adds another layer to the definitional complexities of cyber attacks.

  16. What I find extremely interesting about cyberwarfare, is that theoretically for the most part, cyber attacks will not result in as many deaths as conventional war. Thus, at face value, cyber attacks do not pull on as many emotional factors as conventional warfare—they do not operate within the same realm of incentives in many ways. While conventional warfare directly impacts nations and states through immediate loss of lives, cyber warfare operates in a much slower manner in some ways. It threatens lives in the long run, but not in the short run. Even the most aggressive form of cyberwarfare, such as Stuxnet, doesn’t directly translate into the loss of lives, thus decreasing the incentive of policymakers to react with a declaration of war. With cyberwarfare that hacks into information databases, there isn’t really an proportionate method for a government to respond in a effective way to deter future attacks. For cyber warfare, there is no deterrence method comparable to what “mutually assured destruction” was for nuclear warfare. However, there is the potential that this will change with more research and training, as suggested by the Conti piece. Perhaps there is the chance that with more development, cyberwarfare could result in a more humane sort of warfare, what people previously deemed biowarfare.

  17. In response to Richard’s comment about whether or not cyberwarfare is a just form of war, Paarth brings up how cyberwarfare can be asymmetrical with masked identities, such as in the case of Anonymous. I think this brings up an interesting question of how we identify enemy combatants in cyberwarfare at all. For example, hardly anyone would classify Anonymous’s cyberattacks as an attack sanctioned by the U.S. government. But what about a terrorist group operating out of a Middle Eastern country? If cyberattacks were traced back to that location, would the U.S. government be likely to believe an isolated terrorist group–not the country’s government–was responsible for the attack? Especially considering the history of espionage and unofficially sanctioned attacks on other states in international relations, the ambiguity of the origins of cyberwarfare adds another layer of murkiness in trying to classify cyberwarfare as a just form of war or as a form of terrorism.

  18. Thanks for kickstarting such a great discussion, Molly! In a discussion about whether cyber attacks should be considered “acts of war,” I think we need to take another closer look at Article 2(4) of the UN Charter before we start asking questions about “use of force” or “just warfare.” Article 2(4) in its entirety states, “All MEMBERS shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations” [emphasis added]. Thus, for a cyber attack to be considered an act of war under the UN definition, it must be perpetrated by another member state, not a random individual or a group of criminals. Even if we expand our definition of war beyond the UN Charter’s, the Stanford Encyclopedia of Philosophy still limits war to conflicts between political communities, i.e. states or entitles trying to become states.

    So, whether cyber war is happening depends on who commits the attack and for what reasons. It is certainly important to engage in discussions about whether a cyber attack involves the “use of force,” but we also need to make sure the attack actually occurred in the context of a war. This is a difficult fact to determine, and it hearkens back to Jeffrey’s post about McGraw’s “Three Headed Cyber Cerberus.” How do we know if an attack is cyber war, cyber espionage, or just a cyber crime? How do we know if a cyber attack on our infrastructure is a pre-mediated act of war or just the product of bored coders who dislike our country? How can we be sure that a state (or an actor acting on behalf of a state) hacked into the Office of Personnel Management and stole personal files of hundreds of thousands of government employees? In my mind, figuring out how to confidently answer these questions is what makes cyber attacks so tricky to handle from a policy standpoint. If we can figure out who or what committed a cyber attack against us, then we can determine which actors should take charge of the situation and how we should respond.

  19. Cyber warfare is, unfortunately, probably the future of warfare, in some ways. We don’t have concrete response mechanisms in place to address such attacks, some which may be detrimental to our national security and sovereignty. I agree that we need to understand at what level the attack is occurring — whether it seems like a more benign act of aggression or whether it indeed an act of warfare. Not all attacks are created equal, and often, it is hard to delineate. In many ways, cyber warfare’s inherently complicated and opaque nature, makes it difficult to identify the aggressor and the methodology behind the attack. While cyber attacks have not ever resulted in the direct loss of life, it is important to realize that their impact can lead to compromised national security, which in turn, could affect defense mechanisms, leading to a critical loss of life. We ought not discount the amount of harm that can be done when categorizing and understanding cyber attacks.

    Ultimately, the most effective strategy to responding to cyber attacks and cyber warfare is through a joint coalition via the White House, Departments of State and Defense, as well as the CIA. Cyber attacks can multiply quickly, so response time is most critical.

  20. You say that constitutionally, only Congress has the ability to wage war—but that, I think you’ll find, is true only insomuch as symbolic declaration of war is concerned. What we might think of as belonging to the world of war–boots on the ground, our forces invading other countries and participating in others’ armed conflicts—has for some time now been easily instigated without need for the Congress’ outright call for war. Congress hasn’t actually approved a resolution to declare war on any country since WWII, but one most assuredly would argue that America’s involvement in Korea, Vietnam, and the Middle East since then should fall under the broad heading of “war.” Some say that Congress in effect “declared war” when it passed the AUMF shortly after 9/11(, but it didn’t; it simply gave the president the authority to use military force against whichever terrorists perpetrated the attack. That, according to the law of the land, isn’t actually war.

    The response would likely be similar in the event of a cyberattack, inasmuch as Congress would be wary of declaring war, but the implication of the attack would be heard loud and clear within the upper echelons of our government. Nothing in the present UN Charter makes any reference to the ability of a state to retaliate against cyber-attacks, and indeed solely focuses on armed conflict, as you mention—but again, consider the stakes. If America were to be attacked by China in a cyberwar, then America too would lash out at China in the cyber world; there need not be combatting soldiers for these two to be warring. But it would be a strictly virtual battlefield, unless one of the two countries chose to break out into physical battle. It makes sense for China—or for any other country that wishes to undermine US power—to eat away at America slowly, damaging our economy through small manipulations, rather than to come at us with a debilitating cyber-attack. A state actor choosing to attack in such an outward manner has to be prepared for the backlash of America’s own furious counterattack, and must be prepared for the escalation to draw in the power of the military in a worst case scenario. Few, I think, are willing to wake that beast—and so the cyber-attacks we experience will likely remain on a fairly small scale.

  21. In the context of examining whether cyberattacks constitute a “use of force,” it is apparent that the inherent ambiguity involved in this ongoing, multifaceted threat will persist in being arduous to define; yet each branch of authority needs to clearly strategize against this ambiguity as cyberwar continues to trend as a means of attack throughout the global arena. In response to the just war comment, it is interesting to consider that although cyber attacks might not result in the same number of deaths as a conventional war (borrowing the assumptions of previous comments), in most of the recent examples, it has directly impacted civilians. In terms of defining war and categorizing threat levels based on targets, what distinctions can we make when the targets are regular citizens that, especially in this context, can not and do not know how to protect themselves and their information? For example, how can a government quantify the severity of an attack in an example like the cyberattack on the Ukraine less than a month ago during its election process (although it did not result in a conventional war’s death toll)? Molly’s last set of questions problematize how much risk is involved given the target. Since there is little that the average citizen can do to mitigate an attack, there should be serious concern and discussion over how the U.S. government should involve itself in ensuring and protecting private sector security. Also interesting to consider in this private sector discussion is the “intent of the cyberweapon”; the lack of definition questions whether all preparations should actually be classified as acts of war.

  22. Although the Article 2(4) of the UN Charter bans acts of violence that threaten the territorial integrity or political infrastructure of any state for its members, I do not think that we can limit our definition of war to these actors. If acts of war could only be carried out by member states, then many of the conflicts labeled as war would in fact just be a series of attacks rather than anything larger scale. Can a group that does not identify as a UN member state really not wage war?

    After the November 13 attacks on Paris, a group of hackers by the name of Anonymous, declared war on Daesh (ISIS). All of the group’s activities occur online, and most of their effect has been on deleting Twitter accounts and websites related to the group. None of this activity involves destroying “territorial integrity or political infrastructure.”

    This declaration of war calls into question two aspects of Article 2(4): (1) can a non-member state, or even an ambiguous group, actually declare war on another non-member state? and (2) can an act of war be such that it only affects the online world? It also raises a third question. If the US or any other member state were to involve itself with Anonymous and support its fight, would the nature of the activity change?

    The last thing to consider is McGraw’s belief that we are facing an “inevitable slide towards cyber war” (109). Though Anonymous’ attacks have not yet caused damage to physical infrastructure, it is not certain that they won’t begin to do so in the future. McGraw warns that “unless and until we eradicate systemic security vulnerabilities in the systems we depend on, they will continue to be attacked. The relative ease with which an attack can be made levels the cyber playing field, allowing even cyber activists to do real and permanent damage” (115). If a group like Anonymous, which is technically helping fight the battle against ISIS, begins doing this damage, will it be called acts of war? Alternatively, if a group like ISIS used cyber to cause physical damage, would this be considered an act of war?

    How limited is our definition of war in reality?

  23. Beginning from the idea of what constitutes an “act of war” rather than what constitutes a “use of force” is a more ideal place to begin a discussion of the use of cyber technologies. The options of whether an act of war is anything that has a physical, real world effect or an action that results in the loss of human life are parameters that leave too much room if the purpose is the policing of cyber warfare. There are too many possible actions that can be taken in the technological realm that will not meet these criteria, but are clearly seen as acts of war. The problem is that the current political infrastructure does not allow for the very non-linear problems that these technologies present. This leads into Molly’s other question of which authorities should be responsible for regulation.

    The process of regulation in its current condition is set up to account and react for very linear types of issues. The issues that arise from the use of cyber-technologies, however, are very different from any in the past. A single hacker can inflict widespread disruption. Circumstances that have never been confronted before call for improved measures of regulation. While Congress, the White House, the Pentagon, and the CIA may have the been able to handle linear problems of the past, these issues that require non-linear solutions will need to be evaluated in a manner that matches their fluidity.

  24. This has been quite an interesting discussion. I agree with Kennedy in that any sort of distinctions between acts of aggression and acts of war are fine at best. With such overall ambiguity, I might propose that for now, we assume that the hackers in question are part of a small, non-state cell so that they can be tried before an American court as would a terrorist who had willfully committed an act of destruction on American soil without a computer. (Perhaps such an arrangement would even be beneficial for international relations if there does happen to be a state-sponsored cyberaggression, things can be blamed on a select group of bad apples instead of having things devolve into open conflict!) With this, acts of cyberaggression would be directly pursued as a police action, likely administrated through a special division of the FBI. Ultimate authority would thus rest with Congress.

    This categorization is in some part inspired by Rid’s overall claim that, like with nuclear weapons, the ultimate nature of War will not change as the result of new technologies. In previous wars, infrastructure would be destroyed by coordinated bombing runs or artillery strikes whereas now this infrastructure may be compromised by computer. Yet in times of peace, a lone wolf bombing a factory would be considered an act of terrorism and the same end result would not be prosecuted as in war. So let it be with cyberwarfare. As the most frequent “cyberwarriors” will likely be small groups of individuals associated with no greater organization or private entities in it for their own gain, prosecution as a domestic police action might not even be that far from what would have happened “naturally.”

  25. I would like to comment on Molly’s raising of the question of whether or not cyber warfare has ever caused the loss of human life (11).Though it was noted that some scholars would argue that it never has directly contributed to the loss of human life (though that, too, is up for debate, since many questions of cyber security are left obscured globally in the interest of a given nation’s protection of information), I think this question is worth scrutinizing. Zoe brought up the point, for example, that Russian cyber attacks have been particularly intense against Ukrainian government infrastructure in recent months – and this is true also beyond that time frame, as attacks coded in Cyrillic have plagued Ukrainian systems in the years before the beginning of the hybrid war between the two. (There have also been attacks originating on the Ukrainian side of course.) The question I think this scenario raises is where do we draw the lines of causality — If we are certain that cyber attacks can and do destroy or hinder a country’s military capabilities in times of increased tension, does this not directly disadvantage that country in protecting its soldiers and citizens? I think these questions are really incredibly important for our generation of IR students and future security and military experts because the Information Age has introduced a new era of warfare, with cyberspace a centrally important field of battle. The rise of “hybrid war” requires us to redefine war itself.

  26. “On the receiving end, who should run offense in the attack of a private company?”

    Ed Skoudis pointed out in his talk that large US companies (Google, JP Morgan Chase) are not only hiring “defensive” hackers, but also hiring abnormally large numbers of “offensive” hackers. Skoudis suspects that these companies may plan to retaliate against people (or countries) that hack them. In the future, attackers may find that hacking a large company will have similar, “retaliatory” consequences to hacking a nation’s security.

    “Should a cyberattack be dealt with in domestic criminal courts, or should a higher power determine the cutoff for civilian impact?”

    In theory, there should be legal accountability for cyber attacks. In practice, establishing an international law that can effectively hold nations and groups accountable for cyber attacks is rather complicated. Currently, nations respond to cyberattacks by “counter-hacking” the attacker. However, this tit-for-tat style justice is far from ideal. I think that if there are noticeable kinetic effects from a cyberattack (instead of just data loss), nations will be more motivated to develop international cyber laws. A cyber attack that results in deaths may be a turning point for the development of cyber law.

Leave a Reply