Cyberspace matters. We know this because governments and militaries around the world are scrambling to control the digital space even as they slash defense spending in other areas, rapidly building up cyber forces with which to defend their own virtual territories and attack those of their rivals.
But we do not yet know how much cyberspace matters, at least in security terms. Is it merely warfare’s new periphery, the theatre for a 21st century Cold War that will be waged unseen, and with practically no real-world consequences? Or is it emerging as the most important battle-space of the information age, the critical domain in which future wars will be won and lost?
For the time being, some states appear quite content to err on the side of boldness when it comes to cyber. This brazen approach to cyber operations – repeated attacks followed by often flimsy denials – almost suggests a view of cyberspace as a parallel universe in which actions do not carry real-world consequences. This would be a risky assumption. The victims of cyber attacks are becoming increasingly sensitive about what they perceive as acts of aggression, and are growing more inclined to retaliate, either legally, virtually, or perhaps even kinetically.
The United States, in particular, appears to have run out of patience with the stream of cyber attacks targeting it from China – Google and The New York Times being just two of the most high-profile victims – and which President Obama has now insisted are at least partly state-sponsored.
Although setting up a cybersecurity working group with China, Washington has also signaled it intends to escalate. U.S. Cyber Command and NSA chief General Keith Alexander signaled this shift of policy gears earlier this month when he told Congress that of 40 new CYBERCOM teams currently being assembled, 13 would be focused on offensive operations. Gen Alexander also gave new insight into CYBERCOM’s operational structure. The command will consist of three groups, he said: one to protect critical infrastructure; a second to support the military’s regional commands; and a third to conduct national offensive operations.
As cyber competition intensifies between the U.S. and China in particular, the international community approaches a crossroads. States might begin to rein in their cyber operations before things get further out of hand, adopt a rules-based system governing cyberspace, and start respecting one another’s virtual sovereignty much as they do one another’s physical sovereignty. Or, if attacks and counter-attacks are left unchecked, cyberspace may become the venue for a new Cold War for the Internet generation. Much as the old Cold War was characterized by indirect conflict involving proxy forces in third-party states, its 21st century reboot might become a story of virtual conflict prosecuted by shadowy actors in the digital realm. And as this undeclared conflict poisons bilateral relations over time, the risk of it spilling over into kinetic hostilities will only grow.
Warfare’s Wild West?
Cyberspace is anarchic, and incidents there span a hazy spectrum from acts of protest and criminality all the way to invasions of state sovereignty and deliberate acts of destruction. Cyber attacks that might be considered acts of war have so far been rare. It is certainly hard to characterise the rivalry between China and the U.S. as it stands as cyber warfare, argues Adam Segal, a senior fellow at the Council on Foreign Relations. “I tend to stay away from the term ‘cyber war’ since we have seen no physical destruction and no deaths,” he explains. Segal accepts that there is a conflict of sorts between China and the U.S. in cyberspace, though he says it is “likely to remain below a threshold that would provoke military conflict.”.=
While there is no internationally accepted categorization of different kinds of cyber activity (individual states have varying definitions), it is self-evident that some episodes are more serious than others. NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) – a unit based, not by accident, in Estonia, which experienced a massive cyber-attack from Russia in 2007 – distinguishes between “cyber crime,”“cyber espionage,” and “cyber warfare.”
China’s cyber operations, for all their notoriety, have essentially been acts of theft – either criminals attempting to extract privileged data, or incidents of state-sponsored espionage (some of which, admittedly, had national security implications, such as the extraction of blueprints for the F-35 Joint Strike Fighter). But these operations did not seek to cause any physical destruction, and so would be hard to interpret as acts of war. This may explain why the U.S. government has been quite tolerant of Chinese hacking until now, seeing it as an irritant rather than as anything more provocative.
However, other states – notably the U.S. with its use of the Stuxnet virus against Iran – have arguably engaged in acts of cyber aggression. “Stuxnet might be considered an act of war, or at least a use of force,” suggests Segal, though he adds that assigning labels to such incidents is never straightforward, even in the physical realm.
States certainly appear to be testing the boundaries in cyberspace, safe in the knowledge that those boundaries are undefined. There is almost a sense of lawlessness given the lack of consensus on how to treat cyber warfare from a legal standpoint. The U.S., for example, takes the view that existing international law can be applied to cyberspace. Others, notably China and Russia, have advocated a new code of conduct to address the unique problems that cyber operations create.
Recently , the CCDCOE made an important attempt to inform this debate when it published the Tallinn Manual, a detailed examination of the way in which existing international law might be applied to cyber warfare. “What makes the situation fairly unique is that there is not much cyber-specific international law regulating actions between states, and therefore states have to assess and analyze how the already existing, but not cyber-specific norms, apply to cyber activities,” explains Liis Vihul, a scientist with the CCDCOE’s Legal and Policy Branch. “It is at least the view of most western states that the international law dealing with the right of self-defense and also the conduct of armed conflict apply to cyber operations; the devil lies in the details – in other words, in some matters the states really have to think hard to figure out how exactly these norms play out in the context of cyber.”
The Tallinn Manual is meant to guide governments through some of this hard thinking. Under international law, states are legally entitled to respond to an “armed attack” or a “use of force” in a proportionate way. Vihul says that “cyber activities carried out by states that injure or kill people or damage or destroy objects are most likely to be considered as uses of force.” If a state suffers such an attack, it could be legally entitled to retaliate with cyber or conventional forces, even if the attack was purely cyber in nature, and even if the attack was perpetrated by civilian, rather than military, agencies.
However, cyber complicates the application of the existing law in two ways. The victim of a cyber attack might hide the fact that the attack ever took place so as not to reveal its vulnerability to other potential aggressors. Even more importantly, it is hard to attribute a cyber attack to another state in a way that would satisfy international law, given the attacking state’s likely use of proxies.
The first challenge that states face is therefore proving the origin of an attack.
Secondly, states have to decide how to respond legally and effectively to cyber crime and cyber espionage. So far the governments have seemed inclined either to accept such attacks as a fact of interconnected life, or to try to retaliate with cyber operations of their own. The former approach only encourages further aggression, while the latter probably breaches international law if the original hack was not an example of the use of force. In future, the victims of virtual theft might instead focus on gathering evidence and then seek reparations at the World Trade Organisation or the International Court of Justice, much as they would do in cases of IP theft or breaches of sovereignty.
Thirdly, the international community must continue the debate where the Tallinn Manual has left it, and work to develop universally accepted rules and norms for operating in cyberspace. “I think the risks of miscalculation or inadvertent escalation are very high if two sides do not share a common vision of what are legitimate targets or thresholds for acts of war,” says Segal.
China and the U.S. have both said that they would like to see a rules-based cyberspace, but they do not see eye to eye on how those rules should be established. A costly and potentially dangerous Cyber Cold War awaits if they cannot do better, and agree on some rules of engagement for their rapidly expanding online forces.