Illustration via Max Fleishman (Licensed)
Two members of the Senate Armed Services Committee want the White House to clearly define what constitutes an act of war in cyberspace.
The Cyber Act of War Act, introduced on Tuesday by Sens. Angus King (I-Maine) and Mike Rounds (R-S.D.), would give President Barack Obama 180 days to send the House and Senate defense committees “a policy for determining when an action carried out in cyberspace constitutes an act of war against the United States.”
The policy would need to consider “the ways in which the effects of a cyber attack may be equivalent to the effects of an attack using conventional weapons, including with respect to physical destruction or casualties,” as well as “intangible effects of significant scope, intensity, or duration.”
“By requiring the Administration to define what constitutes an act of war in the cyber domain, this legislation would help our government be better able to respond to cyber-attacks and deter malicious actors from launching them in the first place,” King said in a statement.
“Declaring a cyber attack an act of war could have similar, far-reaching consequences.”
International law strictly governs conduct during war, but cyberwar presents new challenges—including the difficulty of attributing digital attacks that can be routed through intermediary countries—that combine to make cyberspace a largely untested legal zone.
Michael Schmitt, an expert in cyber conflict and the lead author of the Tallinn Manual, a guide to the international law of cyberspace, noted that the international law of war's three core terms—“use of force,” “armed attack,” and “armed conflict”—are all “highly technical and unsettled when applied to cyber ops.”
“Introducing a new term will only complicate matters,” Schmitt, who chairs the Stockton Center at the U.S. Naval War College, said in an email. He called the bill's mandate to define cyberwar “interesting, but not horribly feasible.”
Timothy Edgar, a senior fellow at Brown University's Watson Institute for International Studies and Public Affairs, agreed, calling the bill “a good first step” in an email but adding that “any definition would have to be rather general, given the technical and legal uncertainties.”
Still, said Edgar, who worked on cyber issues as President Obama's first director of privacy at the National Security Council, “A dialogue between the executive branch and Congress about what cyber attacks should be considered ‘war’ is a useful one to have before a major cyber attack.”
Lawmakers have taken an increasingly active role in cyberspace policy oversight as countries like Russia, China, Iran, and North Korea have refined their offensive cyber operations and begun striking overseas targets.
After a Dec. 23 cyberattack on a Ukrainian power company plunged a significant portion of the country's western region into darkness, U.S. and Ukrainian investigators identified malware linked to an ethnic Russian hacking group in the company's networks.
The Ukrainian incident, the first confirmed use of a cyberattack to disrupt physical civilian infrastructure, prompted new worries about the vulnerabilities of U.S. critical infrastructure and led the Obama administration to warn American power companies to harden their systems.
The White House has tried to tamp down cyber tensions with its main rivals. President Obama reached a deal last September with Chinese President Xi Jinping that bars either country from pursuing cyber espionage for commercial purposes. But that deal does not cover political intrusions like the 2015 Office of Personnel Management data breach, which is widely believed to be the work of China's cyber army.
Jason Healey, a senior research scholar in cyber conflict studies at Columbia University, said in an email that the two senators' push for a clear definition amounted to “not a very useful bill or debate.”
“After all, there is no definition of what an ‘act of war’ is for any kind of kinetic conflict either,” Healey said. “An ‘act of war’ depends entirely on the circumstances as well as the decision of the head of government—it is not just a national security decision, but ultimately a political decision.”
Edgar expressed hope that the bill's requirement to define cyberwar, as simplistic as it is, might at least prompt a careful examination of the policy shifts that occur in wartime.
“We are still living with the consequences of what it means to be in a ‘war’ on terrorism, both international and domestic,” he said. “Declaring a cyber attack an act of war could have similar, far-reaching consequences.”