When is a cyberattack an act of war?

U.S. "officials have done a lot of work on how the government would respond to certain [cyber] attacks"

From Ellen Nakashima, Washington Post:  On the night of Oct. 11, Defense Secretary Leon Panetta stood inside the Intrepid Sea, Air and Space Museum, housed in a former aircraft carrier moored at a New York City pier, and let an audience of business executives in on one of the most important conversations inside the U.S. government.

He warned of a “cyber Pearl Harbor,” evoking one of the most tragic moments in American history, when Japanese bombers unleashed a devastating surprise attack on a U.S. naval base in Hawaii on Dec. 7, 1941, killing 2,402 Americans and wounding 1,282 more. President Franklin D. Roosevelt called it “a date which will live in infamy” as he asked Congress for a declaration of war. . . .

We all know what an act of war looks like on land or sea, and by evoking two of the most searing attacks in our modern history, Panetta was trying to raise a sense of urgency about the threat in a new domain made of bits and bytes zinging between servers around the world.

But what does an act of war look like in cyberspace?

And perhaps more important, what does the U.S. government do when cyberattacks fall short of that — assuming it can identify the perpetrators in the first place?

What about something like Shamoon, the nickname for a virus that wiped data from 30,000 computers at Saudi Arabia’s state-owned oil company in August, affecting business operations for two weeks? Panetta called that assault, along with a similar strike on Qatar’s RasGas, “probably the most destructive attack” on the private sector to date. Another U.S. official declared it a “watershed” moment, beyond the troubling but all-too-familiar thefts of data and disruption of Web sites. . . .

Deciding what amounts to an act of war is more a political judgment than a military or legal one. International law avoids the phrase in favor of “armed attack” and “use of force.” Retired Gen. James Cartwright, former vice chairman of the Joint Chiefs of Staff, has often said that an act of war “is in the eye of the beholder.”

As Cartwright has pointed out, the United States didn’t go to war with North Korea after it sank a South Korean warship in 2010, nor with Iran after the U.S. Embassy in Tehran was seized in 1979. Would we want to start a war over a virus that causes a power blackout? And if not, what other actions might the government contemplate?

The government has defined an armed attack in cyberspace as one that results in death, injury or significant destruction, as Harold Koh, the State Department’s chief legal adviser, recently put it. Here’s the rule of thumb, as Koh stated it: “If the physical consequences of a cyberattack work the kind of physical damage that dropping a bomb or firing a missile would, that cyberattack should equally be considered a use of force.” If an attack reaches those levels, then a nation has a right to act in self-defense.

The more difficult cases will look something like what happened to Saudi Aramco. Matthew Waxman, a Columbia University law professor who studies the strategic dimensions of cyberattacks, said economic damage alone traditionally does not give rise to a right of self-defense. While “the erasure of data . . . is expensive to replace,” he said, “I would not call that an armed attack. . . .”

Senior policymakers have been wrestling with these very issues. And the Saudi Aramco attack has heightened the sense of urgency, making the threat all the more concrete. “This was a deliberately disruptive event, done on purpose, not by some rogue hacker. Not some out-of-control operative,” said one U.S. intelligence official.

Panetta, in his speech, said, “If a crippling cyberattack were launched against our nation, the American people must be protected.” But what is “crippling”? What exactly would the military do to ensure such protection? That discussion remains very much behind closed doors, where the government has been working on rules of engagement that would guide its response.

A senior defense official, in an interview, said officials have done a lot of work on how the government would respond to certain attacks. “We feel we’re very prepared to answer that question if it should come up in the case of the United States,” he said.

But he would not get into specifics, for instance, as to whether destruction of data that caused a drop in the stock market or a huge increase in gas prices would trigger a military or any other response.

“Those are always classified things,” he said. “It’s not helpful to the United States to give a road map to the enemy to know when something is an attack on the nation and when it is not.”

His point: Why tell other nations what the United States is willing to tolerate before it will respond forcefully? . . .

The United States and the world may be moving toward a greater strategic use of cyberweapons to persuade adversaries to change their behavior. This can be good, if it averts war. On the other hand, it could cause other nations to feel vulnerable. Some experts foresee a kind of cyber arms race as nations try to catch up.

Cyber-sabotage, by nature, doesn’t seem as cataclysmic as the Pearl Harbor or Sept. 11 attacks. But that may change. As Panetta warned in his New York speech, “These attacks mark a significant escalation of the cyberthreat, and they have renewed concerns about still-more-destructive scenarios that could unfold.”  (graphic: Huffington Post)

Image: huffingtong%2011%206%2012%20CYBER-WAR-large570.jpg