According to an article in The Wall Street Journal, “The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.” Since the military has been using computers since World War II, it is pretty remarkable that they are just now getting around to figuring this out.
As defined by the Constitution, it is the government’s job to “provide for the common defense.” Why would the rules in cyberspace be any different?
Of course, not everybody thinks America should defend itself in the event of an act of cyberwar. There are two arguments against self-defense from cyber Pearl Harbors—and they are both pretty stupid.
One holds that we are already attacked all the time in cyberspace. That’s true. The Department of Defense gets assaulted every day—sometimes in a “Wow! I can’t believe that!” kind of way. In 2008, an unnamed foreign intelligence agency conducted a cyber attack on a U.S. military command with malicious software dubbed “agent.btz.”
The issue of when a malicious act rises to “act of war” is a question of proportionality—like the real Pearl Harbor—we’ll know when we see it. A computer virus modeled on “stuxnet,” for example, which strikes SCADA (computer command and control systems) could direct something really bad—like making infrastructure melt down, shut down, explode or crash—perhaps killing or injuring thousands.
It is probably worth letting the world know that if a state or an organized non-state group tried something like that, the U.S. would come after them like it was the next 9/11. Murdering American innocents, whether it is with a bomb or a botnet (a form of malicious software) should never be thought of as a free lunch. A physical attack in response to a cyberattack that reaps catastrophic destruction is clearly proportional.
A second wrongheaded reason why some say a cyber attack can’t lead to war is the “attribution problem.” Since cyber attacks can be rooted around the Internet all over the world before they hit their targets, some claim we’ll never know whom to attack. I disagree.
Sorting out evil actors online is difficult, but it can be done. Computer forensics (the science and technology of tracking down online malicious actors) has advanced every bit as much as the enemy’s ability to write new malware. Even non-governments can do this. For example, the U.S. Cyber Consequences Unit (US-CCU), an independent research institute, conducted an analysis of the Russian attacks on Georgia. The US-CCU concluded cyber strikes were done by non-government entities with the assistance of organized crime and foreknowledge of the war and encouragement from the Russian government. Furthermore, cyber forensics is not the only tool available to track down cyber enemies. A range of information-gathering tools from open source intelligence to old-fashioned spies can be used to hunt down malicious actors—just like any other threat.
More often than not, the failure to deal decisively with cyber threats comes more out of fear or indifference than lack of knowledge.
As a new paper from Heritage cyber-expert Paul Rosenzweig makes clear, it makes no sense to think of cyber conflict as just our electrons fighting their electrons. If someone comes after America in a way that threatens the common defense, then that entity should expect to reap U.S. wrath with all the tools we can muster. That’s not to say that every cyber attack merits a declaration of war, but we should always be willing to use all the instruments of national power appropriately and proportionally to secure our rightful place in cyberspace.