Warfare’s Wild West?
Cyberspace is anarchic, and incidents there span a hazy spectrum from acts of protest and criminality all the way to invasions of state sovereignty and deliberate acts of destruction. Cyber attacks that might be considered acts of war have so far been rare. It is certainly hard to characterise the rivalry between China and the U.S. as it stands as cyber warfare, argues Adam Segal, a senior fellow at the Council on Foreign Relations. “I tend to stay away from the term ‘cyber war’ since we have seen no physical destruction and no deaths,” he explains. Segal accepts that there is a conflict of sorts between China and the U.S. in cyberspace, though he says it is “likely to remain below a threshold that would provoke military conflict.”.=
While there is no internationally accepted categorization of different kinds of cyber activity (individual states have varying definitions), it is self-evident that some episodes are more serious than others. NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) – a unit based, not by accident, in Estonia, which experienced a massive cyber-attack from Russia in 2007 – distinguishes between “cyber crime,”“cyber espionage,” and “cyber warfare.”Enjoying this article? Click here to subscribe for full access. Just $5 a month.
China’s cyber operations, for all their notoriety, have essentially been acts of theft – either criminals attempting to extract privileged data, or incidents of state-sponsored espionage (some of which, admittedly, had national security implications, such as the extraction of blueprints for the F-35 Joint Strike Fighter). But these operations did not seek to cause any physical destruction, and so would be hard to interpret as acts of war. This may explain why the U.S. government has been quite tolerant of Chinese hacking until now, seeing it as an irritant rather than as anything more provocative.
However, other states – notably the U.S. with its use of the Stuxnet virus against Iran – have arguably engaged in acts of cyber aggression. “Stuxnet might be considered an act of war, or at least a use of force,” suggests Segal, though he adds that assigning labels to such incidents is never straightforward, even in the physical realm.
States certainly appear to be testing the boundaries in cyberspace, safe in the knowledge that those boundaries are undefined. There is almost a sense of lawlessness given the lack of consensus on how to treat cyber warfare from a legal standpoint. The U.S., for example, takes the view that existing international law can be applied to cyberspace. Others, notably China and Russia, have advocated a new code of conduct to address the unique problems that cyber operations create.
Recently , the CCDCOE made an important attempt to inform this debate when it published the Tallinn Manual, a detailed examination of the way in which existing international law might be applied to cyber warfare. “What makes the situation fairly unique is that there is not much cyber-specific international law regulating actions between states, and therefore states have to assess and analyze how the already existing, but not cyber-specific norms, apply to cyber activities,” explains Liis Vihul, a scientist with the CCDCOE’s Legal and Policy Branch. “It is at least the view of most western states that the international law dealing with the right of self-defense and also the conduct of armed conflict apply to cyber operations; the devil lies in the details – in other words, in some matters the states really have to think hard to figure out how exactly these norms play out in the context of cyber.”