Opinion: No one knows how to define cyberwar – and that's a problem

Despite digital weapons becoming critical tools in every modern military, there's still no consensus when it comes to defining what amounts to an act of cyberwar. 

Secretary of Defense Ash Carter at an April congressional hearing on the Islamic State.

Jonathan Ernst/Reuters

May 20, 2016

Even with hundreds of meetings, speeches, and conferences on the subject, there's still no clear definition of cyberwar. Increasingly, that ambiguity is leading to confusion about how to respond to digital assaults on governments, companies, and individuals.

That's why a bill from Sen. Mike Rounds (R) of South Dakota that seeks to clearly define what constitutes cyberwar is so important. While this debate may seem like an esoteric discussion among policy wonks, it has very concrete real-world implications. Without it, the US will continue to fly by the seat of its pants in responding to a growing number of high profile breaches and other cybersecurity incidents.

As Senator Rounds insinuates, the current vagueness around acts of cyberwar is not sustainable.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

Aside from the military implications, these definitions are important for deterrence, collaboration between the government and the private sector, and understanding trends in cyberspace. As is often the case, technology has outpaced our ability to formulate policies, theories, and strategies.

After President Obama issued his cyberdeterrence strategy late last year, Sen. John McCain (R) of Arizona said the US lacks any coherent policy to meaningfully deter cyberattacks. A clear and concise definition of an act of cyberwar is a first step at moving toward greater clarity of operations – and their impact – in the digital domain.

The first and most obvious implication of legally defining acts of cyberwar is to explicitly state what behaviors cross the line. Knowing which activities will and will not incur the use of force is directly tied to deterrence. 

For instance, after North Korea attacked Sony Pictures, President Obama said that the US response would be proportional. But he stopped well short of calling it an act of war and failed to clearly define actions that would reach the threshold of digital warfare. That ambiguity was a missed opportunity to deter future actions such as the Sony attack, and may have communicated to adversaries that data destruction and theft don’t cross the red lines.

While the Justice Department has gone after foreign hackers based in China and Iran after several high profile attacks, Justice Department indictments in those cases won't deter cybercriminals from attacking US systems.

As malicious behavior advances toward acts of war, it is likely that retaliation will become more aggressive and severe. But there is no requirement that a cyberattack should be countered with a cyber-response; an act of cyberwar can unleash the whole arsenal of hard and soft power. Unless adversaries know when the US will use military force, and when costs of an attack outweigh the benefits, there is little hope in achieving any real level of deterrence.

These challenges also have strong domestic implications. The private sector generally defends itself from cyberattacks, with the government stepping in afterwards to investigate criminal activity. At what point, however, would the government intervene and respond with the use of force?

Clarifying the government's role is equally useful for the private and public sectors. It could lead to additional information sharing and partnerships that have been overshadowed by the differences between the groups as opposed to the many, mutually beneficial forms of collaboration.

Fortunately, the President has a foundation on which to pull when defining acts of cyberwar. NATO's Tallinn Manual, a guide for how international law applies to cyberconflict, notes that civilian objects cannot be targeted unless there are military objectives and defines an attack as a "cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects."

The Department of Defense's 2015 Law of Warfare Manual says any cyberoperation would be regarded as a use of force if it produces effects similar to those of physical operations that are deemed a use of force. In this case, opening a dam or disabling air traffic control would be considered use of force, while theft of data is not.

In each of these cases, the emphasis is on the effect of the cyberoperation. But most measurements of cyberattacks, to date, largely focus on the tactics or tools, not the outcome. And many measurements even conflate the two.

For instance, Verizon Data Breach Investigation Report, a popular source in both the private and public sector for assessing the major attack trends in cyberspace, lumps together attackers’ objectives and intrusion techniques, confounding the ability to assess critical trends in cybersecurity.

But at what point does this onslaught of malicious activity constitute war? It's a conversation that's long overdue. Cyberspace will remain the Wild West without coherent definitions.

Andrea Little Limbago is principal social scientist at the cybersecurity firm Endgame.