20 June 2016

No one knows how to define an 'act of cyber war' and that's becoming a big problem


The US Army's 'Cyber Center of Excellence', Fort Gordon in Augusta, Georgia, hosting a multi-service 'NetWar' to show, and build, cyber Warrior capabilities on June 10, 2014. 

What actually constitutes an act of cyber warfare? There's a Republican senator who wants to figure that out. 

Everyone knows hackers are breaking into networks quite regularly, whether they be hacktivists, criminals, or foreign intelligence services. But there's never been a clear definition of "cyber war," even if that term is thrown around often by cybersecurity experts and politicians alike. 

"More or less, we all engage in some manner of [cyber] warfare these days, we just don't go to 'war' over it," Bradley Moss, a national security lawyer, told Tech Insider last month. 

Now enter the Cyber Act of War Act of 2016, a bill introduced in May by Sen. Mike Rounds (R-S.D.), which would require the White House to come up with a specific policy that defines acts of cyber war. It would be the digital addendum to what the US defines as an act of war in its legal code.

"This legislation would require the executive branch to define which of these actions constitute a cyber act of war, which would allow our military to be better able to respond to cyber-attacks and deter bad actors from attempting to attack us in the first place," Rounds said in a press statement. 

Unfortunately, the senator's office did not respond to repeated requests for an interview. 

Still, it's a sticky subject with no clear answers, as interviews TI has conducted with numerous experts reveal. 

Some have argued that any intrusion by a foreign state into a US network could be an "act of war" - for instance, the alleged Chinese hacking of the Office of Personnel Management; or there's the recent breach of the Democratic National Committee. 

While both of these breaches were allegedly carried out by foreign intelligence services that resulted in widespread data theft, there was little to no physical harm to come of it. 

And then there's also the flip side to that coin: Does the US want to define cyber warfare when it was most likely the one who used it for the first time against critical infrastructure. That is, the sophisticated Stuxnet malware that destroyed roughly one-fifth of Iran's nuclear centrifuges in 2009.

There is some semblance of the Obama administration's mindset when it comes to cyber attacks that venture into the "warfare" realm. 

A document leaked by Edward Snowden and made public in 2013 listed cyber attacks resulting in "loss of life, significant responsive actions against the United States, significant damage to property, serious adverse US foreign policy consequences, or serious economic impact" as requiring presidential approval. 

Right now, a digital version of what would be equivalent to a sneak attack against Washington, D.C. simply does not exist. But if the bill ever makes it out of committee, perhaps it will. 

"If we get much fuller definition of the range of things that occur in cyber space," Lt. Gen. Vincent Stewart, the director of the Defense Intelligence Agency, testified to the Senate in February. "And then start thinking about the threshold where an attack is catastrophic enough or destructive enough that we define it as an act of war, I think that would be extremely useful."

No comments: