The cyberwar era arguably began two hours before midnight on April 26, 2007, when hordes of Internet traffic started quietly overwhelming servers in the small European nation of Estonia.
The barrage, prompted by the Estonian government’s decision to relocate a controversial monument to the country’s Russian liberators in World War II, went largely unnoticed for the first 24 hours. After a week, major government websites were offline. In the second week, the hackers, operating from an unknown location and controlling infected machines all over the world, brought down the websites of Estonia’s major newspapers. The papers’ IT experts eventually had to block all international traffic to stay online—saving themselves, but cutting off their best way of telling the world that they were under attack.
The hackers were using a technique called a distributed denial-of-service (DDoS) attack. They assembled botnets—networks of computers surreptitiously infected with their malware—to flood Estonian servers with data requests. This jumble of garbage traffic prevented packets of genuine data from getting through. DDoS attacks are a crude but highly effective tool, and they continue to be a major weapon in cyberattackers’ arsenals.
The attacks peaked at midnight, Russian time, on May 9, the anniversary of V-E Day. The symbolism was obvious and deliberate: Most of the attacks were the work of pro-Russian activists, who used software distributed on Russian-language forums and were furious about the relocation of a statue honoring their war heroes. When the nationwide political cyberattack reached a fever pitch, Estonian servers received a combined total of 4 million packets per second from almost 1 million computers worldwide.
“Never before had an entire country been targeted on almost every digital front all at once,” wrote Wired’s Joshua Davis in August 2007, “and never before had a government itself fought back.”
Estonia did indeed fight back, identifying the individual IP addresses flooding its servers with traffic and sending them to the Internet Architecture Board, a small group of trusted experts who can take individual network addresses offline entirely. The North Atlantic Treaty Organization (NATO), of which Estonia is a member, sent a few cyber-defense experts to aid in the response.
The attacks on Estonia eventually stopped, but their implications continue to resonate today in the emerging international dialogue over the law of cyberspace. The coordinated digital strikes on that country of barely 1.3 million people raised profound questions about how to adapt international law to a new arena of combat, propaganda, espionage, and sabotage.
“Screwing up Sony’s computer system or stealing data, personnel records, or credit-card numbers, that’s not an act of war.”
Russia denied that it had orchestrated the attacks, but it refused to help the Estonians investigate several hackers connected to Russian IP addresses. What was Russia’s responsibility to cooperate with an investigation that implicated its citizens? For that matter, what was Russia’s responsibility to prevent its citizens from launching cyberattacks?
Article V of the North Atlantic Treaty clearly states that an attack on one NATO member is an attack on all. Yet none of Estonia’s NATO allies responded. Should they have invoked Article V and mobilized a cyber-counteroffensive? If they had, against whom would they direct such an operation?
These questions continue to confound the world’s international law scholars, cybersecurity experts, and government officials. In an age of increasingly powerful cyberweapons, when cyberattacks against governments and businesses happen almost constantly, we’re still struggling with the same fundamental issue Estonia faced: What constitutes war in the 21st century?
A new battlefield
The study of cyberspace as a battlefield began before most people relied on the Internet, at the U.S. Naval War College in Newport, Rhode Island. There, in the mid-1990s, U.S. defense officials and law professors started trying to figure out the implications of this emerging domain. But that work only lasted about a decade. The Sept. 11, 2001, terrorist attacks forced a complete reorientation toward Islamic extremism, and the Naval War College’s cyber work was put on hold. It wasn’t until Estonia in 2007 that legal experts would return to the topic.
“It was the defining moment,” said Michael Schmitt, an expert on cyberwarfare who directs the Naval War College’s Stockton Center for the Study of International Law. Schmitt was a uniformed officer at the war college during those early discussions in the ’90s. Estonia, he said, reminded the world of the power of cyberspace: “It was the moment where the international law community said, ‘We need to start looking into this.’”
The first time the word “cyberdefense” came up at a NATO meeting was during the Prague Summit in 2002, according to a NATO cybersecurity expert who declined to be named due to the organization’s policy on interviews. But it was just a passing mention; there was no serious discussion of what it meant.
More than a decade later, one of the biggest questions facing legal experts is how to define a cyberattack in the context of the law of war. In the past year, the United States has been hit by two massive cyberattacks, one against a major Hollywood studio and the other against the federal government’s human-resources office. But the attacks on Sony Pictures Entertainment and the U.S. Office of Personnel Management (OPM) were not part of a sustained international conflict, nor did they rise to the level of cyberwar, experts say.
“Screwing up Sony’s computer system or stealing data, personnel records, or credit-card numbers, that’s not an act of war,” noted Steven Ratner, a professor of international law at the University of Michigan Law School. “That’s not even close to being an act of war. And yet, those are things that need to be regulated.”
“Not many companies went into business thinking they were defending themselves against foreign intelligence services, but to one extent or another, that is happening.”
To address those attacks differently from incidents like Estonia in 2007 and the Russo–Georgian War of 2008—the first time in history that cyber operations were used to enhance a traditional ground war—the international community needs to determine what kinds of cyber incidents meet the definition of an “armed attack” under the international laws of war.
“I would not be sure that if, for example, a somewhat ambiguous cyberattack on an electrical power station that took down electricity to a portion of the United States for some period of time but resulted in no lethality at all, whether we would say that that was an armed attack,” added Michele Markoff, the deputy coordinator for cyber issues at the State Department. “If nobody dies, if life isn’t truly disrupted, there are unknowns about how we would apply things.”
Below the threshold
What happens below that armed-attack threshold might be much more important to the emerging legal regime than questions about all-out cyberwar. Legal and technical experts agree that virtually all of the known cyberattacks in history have fallen below that level. “They’re more the death-by-a-thousand cuts thing in terms of crime and espionage,” said Scott Shackelford, an assistant professor of business law at Indiana University’s Kelley School of Business.
There are legal reasons for cyberattackers to focus on private companies—it’s easier to avoid a state response if you avoid attacking state infrastructure—but there are practical reasons as well. As bad as government agencies are at securing their networks, private companies are often worse. Sony is one of the largest companies in the world, but its studio division’s computer system was riven with vulnerabilities that hackers deftly exploited.
“You’ve got the private sector on the front lines of some of these exploits,” said Frank Cilluffo, the director of the Center for Cyber and Homeland Security at George Washington University. “Not many companies went into business thinking they were defending themselves against foreign intelligence services, but to one extent or another, that is happening.”
Anyone who follows news about cyberattacks will recognize the two major aggressors: Russia and China. But the Russian Federation and the People’s Republic of China use cyber means to achieve markedly different ends. Whereas hackers in China allegedly steal economic secrets to prop up its economy, Russia’s cyberarmies reportedly focus more on stealing military and diplomatic data—and then mining it to locate U.S. spies.
“Russia is even better at that than China,” said Scott Borg, the director of the US. Cyber Consequences Unit, an independent research group that monitors cyber incidents. “They are probably successfully stealing virtually all our military secrets.”
While China might be the more popular of the two national boogeyman right now, Russia operates at a more sophisticated level. The Russian government, experts say, has the best of both worlds: a loyal force of hackers on its payroll and cyberattackers-for-hire in the criminal underworld. “These groups earn the right to operate in these countries by performing services for the countries, or at least services that these countries perceive as beneficial to them,” Borg said. “So Russian cybercrime, for instance, is bringing huge amounts of money into the Russian economy. They also are doing favors for the Russian government and voluntarily doing things to advance Russian policies.” For evidence of this, look no further than the messages that popped up on Russian websites urging attacks on Georgian cyber infrastructure as Vladimir Putin’s military was gearing up for battle.
There are other threats besides China and Russia. Iran and North Korea maintain sizable electronic armies; the U.S. government believes that the latter nation played a major role in the devastating Sony hack last year. And not all cybercriminals operate at the behest of strongman governments like Putin’s; many just want to hack into banks and reroute hefty sums of money into their own coffers. Perhaps the only major global threat that has not yet mustered a significant cyber presence is the constellation of Islamic terrorist groups in the Middle East and North Africa. They are growing remarkably adept at spreading their message on social media, especially on Twitter and Facebook, but they have not yet demonstrated the capacity to launch attacks like the ones that struck Sony and OPM.
Current approaches
The United States and China, seeking to mend strained diplomatic relations over online attacks linked to Beijing, established a working group to monitor their joint cybercrime prevention efforts earlier this month. As part of the new cyber pact, both nations promised not to “conduct or knowingly support cyber-enabled theft of intellectual property” for economic gain. The two countries will also establish a “hotline” for senior officials to raise concerns about noncompliance with cybercrime investigations.
China has almost always refused to help U.S. intelligence officials with these investigations. James Lewis, a cybersecurity expert and senior fellow at the Center for Strategic and International Studies, told the Daily Dot that the cyber agreement represented “a major step forward.”
“They really got more than I thought they were going to get,” Lewis said of the U.S. negotiators.
It remains to be seen, of course, whether the agreement truly signals a new attitude in Beijing toward cyberattacks. “Actions speak louder than words,” Rep. Will Hurd (R-Texas), chairman of the House Oversight Committee’s information-technology subcommittee, said in a statement. “We need to remain vigilant against possible attacks by the Chinese government and Congress needs to continue to do more to enable the fortification of our nation’s digital infrastructure.”
“Cyber armageddon is possible but very, very unlikely.”
The international community has responded to Russia, China, and other cyber threats with a patchwork of efforts. One of the only extant treaties dealing with cyberspace is the Budapest Convention on Cybercrime, which defines illegal cyber activity, like hacking and data purges, and commits signatories to cooperating on law-enforcement and surveillance activities. The International Telecommunications Union has set up the International Multilateral Partnership Against Cyber Threats (IMPACT), which helps developing countries build cyber defenses, network monitoring, and cybercrime prohibitions. And finally there’s the NATO Cooperative Cyber Defence Centre of Excellence, based in Tallinn, Estonia, the first and only center of its kind.
The United Nations is also a major player in international cyber conversations. It has convened the major cyber powers to hash out a starting framework for what the international law of cyberspace should look like. The 2013 report of the U.N. Group of Governmental Experts (U.N. GGE) was a landmark moment: For the first time, the major world powers agreed that international law, including the U.N. Charter, applied to cyberspace. The report also noted that states have an obligation to prevent criminals within their borders from launching cyberattacks against other countries, and, in a clear shot at Russia and China, stressed that nations should not “use proxies to commit internationally wrongful acts.”
The 2013 U.N. report may have knocked Russia and China by implication, but those countries sent negotiators to the GGE meetings, and they signed onto the final document.
The most prominent cyber-law document, however, is not a treaty or a U.N. report, but rather a reference guide. The Tallinn Manual, a project supported by NATO’s cyber center in the Estonian capital, has quickly become a go-to resource for states dealing with cyber intrusions and attacks. Michael Schmitt, the Naval War College professor, is the lead author of the manual. The first version, released last year, covered the use of cyber techniques during clearly defined armed conflicts and tried to connect the U.N. Charter’s right of self-defense to cyberspace. The second version is being written right now and is expected to be published in the spring or early summer of 2016.
“Tallinn 2.0 is OPM, Tallinn 2.0 is the Sony hack, Tallinn 2.0 is hacking into the Pentagon,” Schmitt said. “Perhaps the most important thing we’re looking at on a day-to-day basis for states is sovereignty and the responsibility of states for the actions of non-state actors.
“Whereas Tallinn 1.0 was about the dramatic earth-shaking event,” Schmitt continued, “Tallinn 2.0 is about the stuff that happens every single day in many countries of the world.”
Sean Watts, a law professor at Creighton University who is working on the updated manual, said that he had “seen the thing sitting out here in cyber operations rooms, or in the rooms where we do legal reviews of cyber operations.”
“It’s been, I think, very successful in what was the stated goal,” he said.
Authority versus agility
The problems of international law in the 21st century are apparent in the contrast between the work of the U.N. GGE and the Tallinn Manual. Whereas the U.N. group is proceeding agonizingly slowly, putting forward only the most modest of suggestions about how states should conduct themselves in cyberspace, the Tallinn Manual has tackled many of the same questions with considerably less hesitation.
“We’re much more agile [than the U.N. GGE] because we don’t have this constraint of needing to go back to our ministries and ask for negotiating guidance,” said Schmitt. “So we’re way, way ahead of them, and we will remain way ahead of them.”
But this agility comes at a cost. The Tallinn Manual, unlike the outgrowth of U.N. efforts, is not part of a process that can create international law. “It’s a very, very useful start,” Ratner said, “but … we have a long way to go to translate that informal document of some governmental and nongovernmental experts into anything that really would be a binding legal regime.”
Schmitt, for his part, agreed that the U.N. group was the one to watch for progress on what international scholars call “hard law.” He said he found that group’s timidity and slowness “unfortunate, because I really am a big believer that states make international law, not scholars in their private capacity.”
Although laws, norms, and procedures around cyberspace are coalescing in widely varying forums with different levels of authority, many experts say that the plethora of venues is a testament to the international community’s seriousness.
“I think you’re starting to see an emerging consensus that traditional legal principles, or international legal principles, along the lines of necessity, proportionality, some of the traditional domains, do apply in the cyber domain,” said Cilluffo. “You are starting to see cyber not only treated as a separate discipline, but how does cyber fit into existing disciplines, whether diplomacy, law, warfighting, and the like.”
Agreeing to disagree
For all the uncertainty that exists in the global debate over cyber capabilities and responsibilities, the threat environment is remarkably stable. “Cyber armageddon is possible but very, very unlikely,” said Herbert Lin, a senior cyber policy scholar at Stanford University’s Center for International Security and Cooperation. “What’s more reasonable to contemplate is a cumulative series of low- to moderate-level attacks that have a cumulative cost on the U.S. in a variety of ways.”
Technical experts and legal scholars repeatedly stress that the idea of a “cyber Pearl Harbor”—a devastating sneak attack on U.S. infrastructure by a powerful state actor that launched a sustained international conflict—is wildly overblown. Right now, Watts said, “states bite at one another’s ankles in a way to impede progress or to harass them,” but “as for the likelihood of a major cyber war, I would rate it pretty low.”
Cyber armageddon may be extremely unlikely, but the many attacks below the level of formal armed conflict have still extracted a staggering price, in both economic and political terms. Businesses are losing money. Diplomatic relations are being strained. Accusations are being leveled, often without meeting the traditional standard of proof. What should the international community do about all of this?
“There are probably more conferences about cyberspace than about anything else in the world right now. And a lot of that is to get policymakers over the hump of actually understanding what the implications of the technology are.”
The first step is to acknowledge and understand the problems. For starters, Russia and China may have endorsed the applicability of international law to cyberspace, but their idea of a solution is dramatically different from what the U.S. and its Western allies envision. China and Russia have repeatedly pushed in recent years for a comprehensive cyber treaty, but the U.S. has opposed the approach, for what experts say were good reasons.
“I believe that the push for this is primarily a political push by states that are unlikely to adhere to those treaties religiously anyway,” Schmitt said. “Our country, as you know, is moving cautiously, and I think that that’s the way we should move at this point.”
Another concern is that China and Russia’s treaty would empower states to censor content in the name of “protecting” cyberspace. “The Russian and Chinese governments use definitions of information security that could be interpreted to include content,” said Tim Maurer, the director of New America’s Global Cybersecurity Norms and Resilience Project. “A cybersecurity treaty could actually be used to legitimize censorship and the domestic control over content.”
Aside from specific problems with the comprehensive-treaty approach, there is also the broader observation that China and Russia benefit greatly from the proxy cyber conflicts that they encourage and direct. They “don’t really want to take measures against people who are engaging in cyber mischief,” Ratner said, “because often those people are somewhat loosely affiliated with the government, or sometimes even directly affiliated with the government.”
Regional technical insecurities also contribute to hubs of cybercrime that can be difficult to disrupt, given the absence of strong governance that enabled them to settle in the first place. “When you see countries such as some in West Africa that have pretty rapidly expanding broadband access and in some cases pretty weak governance, that can result in them becoming havens for cybercrime, whether the administration wants that to happen or not,” said Shackelford. Weak security measures in Chinese and Russian consumer technology also let hackers route attacks through those countries, taking advantage of both technical vulnerabilities and those countries’ already-negative reputations.
China “has some of the most porous networks in the world,” Shackelford sais. “So even though they might be the source of a significant number of attacks, I think it’s probably also the case that other groups are routing their attacks through China because it’s such an easy scapegoat.”
It’s tempting to think of established processes for collective self-defense, like Article V of the North Atlantic Treaty, as reliable ways for nations to collaboratively counter cyberattacks. But here, too, there is a glaring problem. Just because an attack on one NATO country is an attack on all, that doesn’t mean the North Atlantic Council is guaranteed to vote to invoke Article V as a group and rush to a cyber victim’s defense. Just ask Estonia.
The activation of collective self-defense under Article V is “a political decision to be taken at a given situation,” the NATO cyber official told the Daily Dot. “What kind of response would be given to a cyberattack will depend on that assessment by the NATO council at that time.” For this reason, the official said, “the problem of Article V cannot be solved.”
Asked if the Estonian government believed that its NATO allies had failed it by not responding in 2007, Karoliina Ainge, the head of cybersecurity policy in Estonia’s communications ministry, told the Daily Dot, “We’re not in the position to give any judgments on what happened back then.
“It will be tested in the future whether the mechanisms that are in place actually work,” Ainge added. “I’m sure with every incident there is, these mechanisms and procedures get looked over again and seen whether they actually work in the real world.”
The elephant in the room
Another difficulty with creating international cyber norms is that technological change outpaces diplomatic progress. This plays out in two ways. First, because cyberspace is a new and complicated field, it is “not well-understood by many diplomats and policymakers,” according to Markoff, who has helped spearhead campaigns to educate politicians and negotiators on cyber issues. “There are probably more conferences about cyberspace than about anything else in the world right now,” she said. “And a lot of that is to get policymakers over the hump of actually understanding what the implications of the technology are.”
The second technical challenge relates to the fact that diplomatic agreements are written broadly to avoid becoming obsolete as specific circumstances evolve. Major agreements on oceans, radio spectrum, and public health can accommodate changes in the specifics—the speed of warships, the power of radio transmitters, the efficacy of vaccines. But communications law does not apply to its subject matter as flexibly as its counterparts in other domains, as fights over U.S. laws like the Computer Fraud and Abuse Act (CFAA) demonstrate. “They’re like rules that we might have today for telegraphs,” Ratner said of cyber laws whose relevance decays. “There are telegraph rules out there, but nobody uses the telegraph anymore.”
The concern about applying outdated laws is also valid beyond specific technical regulations. In general, applying existing international law, while appropriate in some cases, can be fraught with pitfalls.
“When you’re applying that old law, you’re usually relying on analogies,” Shackelford said. “The problem is when your analogies break down. When you’re applying law by analogy, the integrity of your analysis is only as good as your analogy. When cyber operations don’t look like [a] conventional bombing run, that’s where we begin to run into problems.”
Mariarosaria Taddeo, a researcher at the Oxford Internet Institute and computer-science professor, said that the current approach of applying existing tools “seems a way of stretching the blanket more than a way of developing an adequate and long-term strategy.”
“Sometimes what we have done is to force a triangle in the shape of a quadrangle,” Taddeo said. “That might work if … you are in an emergency, but it doesn’t really work as a long-term strategy.”
There is also no agreed-upon definition of a cyberweapon. “A program that in one context will be completely innocuous and in other contexts can be a devastating tool for destroying value,” Borg said. “Nobody’s ever figured out a good way to sort this out.”
“No nation is willing to eschew offensive operations in cyberspace. Not the U.S., not the Russians, not the Chinese. Nobody’s willing to do that.”
Placing limits on cyber-espionage also poses complications, experts say. “There’s no prohibition [on] espionage in international law. Every nation does it,” said Lin. “[Until that changes] what are you going to do? Say ‘Attacks are not OK, but espionage is OK?’ How will anybody tell the difference?”
There are also concerns about going too far. Agreeing to certain prohibitions on cyber operations might raise questions about whether to place similar kinetic operations off-limits. If every nation agreed not to attack other nations’ power grids with cyber technology, for example, would they be setting a precedent that could limit their use of air power against military energy stations? A broad statement like “the power grid is off-limits” might be symbolically important, Lin said, “but it would have a lot of other implications as well, and I think that nobody has thought all of those other implications through.”
Attribution is one of the most significant challenges. Because of the way that cyberattackers launch their operations, it is often impossible to identify them. Cyberattacks that use the popular DDoS approach, like the 2007 digital strikes on Estonia, rely on botnets—hijacked networks of computers that are located around the world. Even if you could identify the IP addresses and physical locations of every computer that DDoSed your country’s servers, that wouldn’t tell you who had hijacked them. In other cases, governments contract out cyberattacks to criminal groups, giving them plausible deniability for when security researchers trace the attacks back to those criminals. Pointing to the guilty party is very difficult; proving their guilt, even more so.
“We don’t have, at the international level, a defined burden of proof yet on how much evidence should be necessary to attribute, for example, the actions of non-state actors, like organized crime, back to a government that’s pulling the strings,” Shackelford said.
All of these problems pale in comparison to the elephant in the room: No one wants to be the first to put down their gun. “No nation is willing to eschew offensive operations in cyberspace,” Lin said. “Not the U.S., not the Russians, not the Chinese. Nobody’s willing to do that.”
An uncertain leader
Unsurprisingly, there is a significant overlap between major cyber powers and permanent members of the U.N. Security Council. “A lot of these countries are benefitting from being able to spy on one another and otherwise,” said Shackelford. “There might not be the political support [for big changes] there, at the international level.”
The United States has been one of the most persistent critics of aggressive cyber operations, but it has also been at the forefront of deploying those capabilities, albeit with less fanfare. The federal government’s approach seems split between State Department diplomats, like Markoff, who want more norms, and the intelligence agencies, especially the National Security Agency (NSA) and the Central Intelligence Agency (CIA), that prefer more international ambiguity.
“I think it would be surprising to expect the U.S. to be doing anything to tie its intelligence hands. That’s just not what a great power does.”
“At this point, the U.S. still has the capacity to do all sorts of things through the cyber context that [intelligence] agencies believe is tremendously useful,” Ratner said. “I don’t think the U.S. is going to want to sign on to any kind of international agreement that would tie its hands in either intelligence-gathering or operational matters.”
This tension is epitomized in the story of the Stuxnet computer virus, which destroyed as many as 1,000 of the nuclear centrifuges at Iran’s Natanz facility in late 2009 and early 2010. Stuxnet, which experts have described as the most complex and expensive malware in history, snuck into the heavily guarded Iranian facility and sabotaged the systems that told the centrifuges how to spin. By tricking them into spinning at an improper speed, Stuxnet essentially broke them. In June 2012, the Washington Post and the New York Times revealed that the United States and Israel created Stuxnet to delay Iran’s development of a nuclear bomb.
Watts, who in addition to being a law professor is also a lieutenant colonel in the Army Reserve, avoided commenting on who was responsible for Stuxnet, but he called it “a portent of the future” and said that other countries with complex infrastructure “would be silly to think that that was a one-off event that couldn’t be replicated.”
“No matter who carried it out,” Watts said, “it did demonstrate that cyber means are capable of resulting in the kind of destruction or the kind of effects that manage to trigger some of the prohibitions of international law.”
Cilluffo called Stuxnet “an eye-opener” because of what it signaled about the scope of cyberattacks. “It did indicate that cyber incidents can have physical implications and impacts,” he said. “A lot of people thought it would only affect that cyber domain, but clearly, that was not the case.”
The United States has almost completely avoided discussing cyberattacks in a legal context. Republican lawmakers frequently criticize President Barack Obama’s administration for not publicly accusing China of the OPM hack, but they have made little noise about the administration’s lack of legal complaints. Few government officials, Republican or Democrat, want to go on the record calling the OPM hack a breach of international law. It was, at the end of the day, an act of espionage, however unusually sophisticated, and the U.S. does not want to give up its right to conduct similar digital forays in Chinese personnel databases.
Director of National Intelligence James Clapper echoed this view at a Sept. 10 House Intelligence Committee hearing on global cyber threats. “Many times, I’ll hear people throw out ‘attack,’ ‘act of war,’” Clapper told the committee. “And I go, ‘That’s not necessarily in every case how I would characterize the activity that I see.’”
According to Clapper, the “working definition” of a cyberattack required the attacker to destroy or modify data. That didn’t happen in the case of the OPM hack, he said, though he did warn that such attacks were the future of offensive cyber operations. Regardless, his desire to avoid describing the OPM breach as an “attack” suggested that he and his colleagues were keen to avoid stigmatizing such operations.
“I think it would be surprising to expect the U.S. to be doing anything to tie its intelligence hands,” Ratner said. “That’s just not what a great power does.”
President Obama has tried to present the United States as a leader in this realm. His administration has published several blueprints on cyberspace, including the International Strategy for Cyberspace and the Cyberspace Policy Review. But these are bland documents that speak in generalities about the cyber threat, with vague passages about the need to be vigilant, the need for international cooperation, and America’s willingness to protect itself. They do not address, in any substantive way, the key issues complicating international cyber discussions.
The impact of the cyber coordinator’s office, which Shackelford described as “heavy on responsibility” but “pretty light on authority,” is hard to measure. Markoff said that the United States wanted to create “a condition where no state has an incentive to attack another state and all states are interested in preserving cyberspace for positive developmental aim,” but she offers few specifics when asked about the Obama administration’s international legal goals for cyberspace.
Members of Congress are only just starting to raise these questions. At the Sept. 10 House hearing, several lawmakers pointed out the government’s ambiguous cyber-law policies and called for more clarity.
“We don’t know what constitutes an act of war, what the appropriate response is, what the line is between crime and warfare,” Rep. Jim Himes (D-Conn.) said to the senior intelligence officials present at the hearing. Himes argued that the United States should “lead the establishment of some rules of the road internationally on how warfare and crime is conducted in the cyber realm.”
President Obama, too, has acknowledged the need for clearer rules. “Unlike some of the other areas of international cooperation, the rules in this area are not well developed,” Obama said at his joint press conference with Chinese President Xi Jinping announcing the cybercrime agreement. “I think it’s going to very important for the United States and China, working with other nations and the United Nations and … the private sector, to start developing an architecture to govern behavior in cyberspace that is enforceable and clear.”
The American military is engaged in cyber operations through U.S. Cyber Command, the cyber component of U.S. Strategic Command. Although Strategic Command is most famous for managing the U.S. nuclear arsenal, it has been steadily boosting its cyber planning in anticipation of more sophisticated attacks on U.S. networks. If the United States ever declares cyberwar, whatever that might look like, Cyber Command will be the operational force on the front lines.
The Daily Dot submitted more than a dozen questions to the Department of Defense about the military’s cyber operations. Several Pentagon spokespeople said that they would attempt to provide answers, but they did not do so by press time.
The biggest problem with the U.S. strategy in cyberspace seems to be its lackluster deterrence policy. The Department of Defense (DoD) has published several documents that outline its cyber operations, including the Department of Defense Cyber Strategy, the DoD Law of War Manual, DoD Joint Publication 3-12: Cyberspace Operations, and the DoD Strategy for Operating in Cyberspace. But these publications only offer general commentary (“Patriotic entities often act as cyber surrogates for states”) and simple, obvious rules (“Military attacks will be directed only at military targets”).
During the Cold War, the United States and the Soviet Union publicized their capabilities, their red lines, and their potential response scenarios. The two governments also openly discussed their weaknesses and their concerns. This created a deterrent effect, where each side knew what to expect if it launched a nuclear strike. In cyberspace, the United States has shunned such deterrence techniques in favor of secrecy and vagueness.
“The United States,” said Borg, “has no cyber policy worthy of the name.”
“People knew during the Cold War what nuclear weapons were out there, what they were aimed at, what their capabilities were, what the likely policies for deploying or using them would be,” Borg added. “Now, in the cyber era, we don’t have any national policy for cyber that has any of those characteristics.”
In other words, Borg said, the U.S. has failed to lay out what capabilities countries like China and Russia have, what vulnerabilities affect the U.S., or what the consequences of a major attack on this country would be—the key elements in pushing the world beyond the current void.
“We mostly pretend that we don’t have vulnerabilities or try to keep them secret,” Borg said. “We haven’t laid out what they are and what we need to do about them.”
Shackelford agreed that the United States needed to “clarify the steps that we, as arguably the leading cyber power still, are going to take for different types of attacks to help guide the conversation here.”
At the Sept. 10 House hearing, Rep. Adam Schiff (D-Calif.), the ranking Democrat on the Intelligence Committee, argued that the United States should distinguish itself from its cyber foes by publicly committing itself to restrictions instead of “blurring the distinctions” like China did to “justify anything they do.”
“It seems to me it’s in our best interest to draw a line between economic espionage and intelligence gathering,” Schiff said. “Shouldn’t we make clear what the rules of the road are?”
The Daily Dot asked to speak with Michael Daniel, President Obama’s cybersecurity coordinator, to discuss deterrence and other cyber policy issues, but a White House spokesman did not arrange an interview in time for this story.
American policymakers clearly face a deterrence conundrum: If public statements are too vague, potential adversaries will not know enough to be worried. If statements are too specific, however, they could give adversaries exactly what they need to preemptively counter U.S. cyber operations. Whatever the tradeoffs of both extremes, however, experts tell the Daily Dot that the United States has not even visibly attempted to reconcile them in a serious way.
After the Sony hack, for example, President Obama blamed the North Korean government and said that the United States would “respond proportionally” “in a place and time and manner that we choose.” Three days later, North Korea suffered what the BBC called “an almost unprecedented Internet outage.” The United States might have been behind the disruption, but it did not take credit for it. Schmitt, who served as a nuclear targeting officer in the Air Force during the Cold War, said that, if the U.S. was responsible for taking North Korea offline, remaining silent was a huge tactical mistake.
“If the United States doesn’t come out and say, ‘We did that and we have the capability of doing that,’ it’s pretty hard for deterrence to work in a classic, linear fashion,” he said. “Deterrence becomes much more complex, because they [then] have to reason that that was us, and that if we could do it to the North Koreans we could do it to someone else.”
Amid concerns from lawmakers, security experts, and senior intelligence officials, there are signs that the United States is planning to move more aggressively to confront cyber malfeasance. President Obama signed an executive order in April that lets the Treasury Department level economic sanctions against malicious cyber actors, and the government is now reportedly drawing up a list of targets for those sanctions.
“It’s a very fluid environment, cybersecurity,” State Department spokesman Mark Toner told reporters at an Aug. 31 briefing. “We’re constantly assessing the danger, assessing the risks, how to better prevent incursions on our cybersecurity. … When we act, we want to make sure that we have compelling evidence to act on.”
It’s easy to see why this is. The United States faces competing concerns from its spies and its diplomats, and it has not decided which concern should form the basis of a unified cyber policy. The government “is really pulled in two different directions,” Ratner said. “It’s pulled in the direction that the U.S. is extremely vulnerable because it’s so interconnected” while also “using its own intelligence and military to be involved in those same sorts of activities.”
“If we’re going to play soccer … let’s figure out what the rules are. Then we can train up our teams and we’ll have a fair game.”
Suppose the U.S. were to propose a blanket ban on stealing bank records, but intelligence agents find accounts held by Al Qaeda or ISIS. “The U.S. is not going to want to sign onto an agreement that would prevent it from stealing their bank data,” Ratner said. And if the international community made an exception for terrorist assets, that could potentially make matters worse.
“If you have a carve-out saying, ‘Nothing in this agreement will prevent a state from using measures necessary in self-defense,’” Ratner said, “then you may have eaten up the whole agreement with your caveats.”
Absent a clear national consensus on how to use cyberspace, the United States might never be able to move past the vagueness of its current policy. The first step will be for Congress and the president to reconcile the intelligence community’s apparent addiction to cyber capabilities with the government’s fear of critical infrastructure vulnerabilities and data breaches. At some point, if the United States wants international limits on the cyberattacks that are piercing its servers, it may need to find alternatives to its own use of those techniques.
Building the way forward
Given all these roadblocks and disagreements, what are the best mechanisms for preventing malicious cyber operations? For starters, cyber-arms control is effectively hopeless. There’s no point, experts say, in trying to contain the spread of offensive cyber technology. Instead, the best hope for international law is to focus on reducing the incentives for malicious behavior.
“We have to look at not the weapons but the actions,” Borg said, “and talk about how to change the incentives globally, change the legal environment and diplomatic environment globally, so that there’s less value to gained by pursuing cyberattacks … and more value to be lost by doing so.”
Take China, for example. “China needs to wean themselves from the theft of competitively important business information, or at least reduce their dependency on this,” Borg said. “If we can address the problem here at the level of the total economy, not as a special-interest area … there should be serious opportunities to improve the situation, to influence their behavior.”
Other states will also have to consider what tools they are willing to collectively set aside. The U.S. intelligence community has for years hacked into computer systems by preying on undisclosed software vulnerabilities in attacks known as “zero-day exploits.” By sneaking into those gaps instead of warning tech companies to patch them, the intelligence community has earned the ire of practically every independent security expert.
Maurer said that zero-days offered a good example of the need to consider tradeoffs. “To what degree,” he asked, “is a zero-day vulnerability that might be useful for a cyberattack undermining U.S. economic interests or U.S. national-security interests at a scale that the costs and the risks involved outweigh the actual benefits?”
Additional potential areas of progress include collaborative cyber-defense planning. Given the boundary-spanning nature of cyber technology, it behooves every country to understand how it can and should interact with other countries if it suffers a cyberattack. NATO holds a yearly Cyber Coalition exercise in which its member-states simulate the process of sharing threat information among themselves to tamp down on the problem. NATO also has a broader defense planning process that unites member-states in planning for joint defense activities, and cyber is increasingly playing a role in those conversations, according to a NATO cyber defense official.
Whether it is changing incentives to use cyberweapons or harmonizing routines to defuse them, the key lesson from successful international efforts is to start with the fundamentals.
“There are probably areas of consensus, or at least more likely consensus, where we would want an international regime to protect basic humanitarian things, like states should never be able to use cyber to shut down hospitals, or they should never be able to use it to disrupt air traffic, or they should never be able to use it in a way where it’s clearly going to cause immediate harm to civilian life,” Ratner said. “If you can focus on cyberattacks that are most damaging to innocent human life, maybe you can work out from there.”
A frozen glimmer of hope
As tempting as it is to focus on laws and treaties, the first steps toward real international cyber law will be something smaller: norms.
Here, we already have a remarkably successful, if surprising, example. The eight-member Arctic Council has set boundaries and resolved disputes about the world’s northernmost region since 1996. Among its members: the United States and Russia. The Arctic is an important scientific and strategic asset to both countries, but the Arctic Council has helped tamp down tensions and produce international accord. In 2011, in the face of tremendous ongoing geopolitical tensions, the Council produced the Arctic Search and Rescue Agreement. It entered into force in January 2013.
The key lesson of the Arctic Council for those developing cyber norms is to produce agreements that benefit everyone and extract as much of the politics of cyberspace as possible. That’s why focusing on civilian facilities like airports and hospitals offers the most likely chance of success: It latches onto the most universally accepted principles of international humanitarian law.
“If you can make it as technical as possible, and create a win-win situation for everybody, then you’re most likely to get an agreement,” Ratner said.
Further, norms don’t bind anyone’s hands, even informally, until there is enough support for them that they become customary law—and by that point, they are basically agreeable to all or almost all states.
“Norms are good, so long as [they are] rationally arrived at by mature people [who] are not driven by emotive policy positions and politics,” Schmitt said. “A good, objective look at how we believe international law applies [in cyberspace] will enable the development of mature policies and create stability.”
The range of actors and motivations involved make these principles difficult to develop. But it is not as if drafting the law of the sea was easy. Everything covered by modern international law was once the subject of great panic. In that regard, at least, cyber is no different from space or sea.
“When cyber first came about, everyone talked about it as the wild West,” Schmitt said. “This was nonsense. International law applied then, it applies now, but we need to understand how it applies. If we’re going to play soccer … let’s figure out what the rules are. Then we can train up our teams and we’ll have a fair game.”
Illustration by Max Fleishman