When is a cyberattack an act of war?
By Ellen Nakashima,
On the night of Oct. 11, Defense Secretary Leon Panetta stood inside the Intrepid Sea, Air and Space Museum, housed in a former aircraft carrier moored at a New York City pier, and let an audience of business executives in on one of the most important conversations inside the U.S. government.
He warned of a “cyber Pearl Harbor,” evoking one of the most tragic moments in American history, when Japanese bombers unleashed a devastating surprise attack on a U.S. naval base in Hawaii on Dec. 7, 1941, killing 2,402 Americans and wounding 1,282 more. President Franklin D. Roosevelt called it “a date which will live in infamy” as he asked Congress for a declaration of war.
Sixty years later, another surprise attack killed almost 3,000 people when al-Qaeda terrorists flew two jetliners into New York’s twin towers. Panetta cited the Sept. 11, 2001, strikes, too, warning that the United States is in a “pre-9/11 moment,” with critical computer systems vulnerable to assault.
We all know what an act of war looks like on land or sea, and by evoking two of the most searing attacks in our modern history, Panetta was trying to raise a sense of urgency about the threat in a new domain made of bits and bytes zinging between servers around the world.
But what does an act of war look like in cyberspace?
And perhaps more important, what does the U.S. government do when cyberattacks fall short of that — assuming it can identify the perpetrators in the first place?
What about something like Shamoon, the nickname for a virus that wiped data from 30,000 computers at Saudi Arabia’s state-owned oil company in August, affecting business operations for two weeks? Panetta called that assault, along with a similar strike on Qatar’s RasGas, “probably the most destructive attack” on the private sector to date. Another U.S. official declared it a “watershed” moment, beyond the troubling but all-too-familiar thefts of data and disruption of Web sites.
Unlike the Japanese planes at Pearl Harbor, the virus had no telltale markings that gave away its origins. The U.S. intelligence community has privately concluded that the invader was sent by Iran, though some security experts outside the government say they have reason to believe that Iran was not the perpetrator.
If Tehran is responsible, what was its motive? In the view of intelligence officials, it was striking back for sanctions; for the Saudi kingdom’s implicit support for an oil embargo; and for the damage done to Iran’s nuclear program by Stuxnet, the nickname for a cyber-sabotage campaign by the United States and Israel to slow the country’s pursuit of a nuclear weapon by damaging almost 1,000 uranium-enrichment centrifuges.
The Shamoon attack on Saudi Aramco did not cause enough physical damage to rise to what international law experts call an armed attack. But what if something like it happened to several energy companies in the United States and it could be traced conclusively to a foreign government or a terrorist group? How much damage, pain and fear would need to result before national security officials would say, “We can’t let this go unanswered”?
If government officials have reached a consensus on those questions, they’re keeping it to themselves.
Welcome to the new world of “drip, drip cyber attacks,” in the words of Tufts University law professor Michael J. Glennon. The nature of cyberspace, he says, creates the potential for “a mysterious airliner accident here, a strange power blackout there, incidents extending over months or years,” generally “with no traceable sponsorship.”
Japan’s attack on Pearl Harbor was a direct assault on a U.S. military installation. But much of the nation’s critical computer networks belong to the private sector. The companies that provide transportation, water, telecommunications and energy could become targets for adversaries bent on destruction. That simple fact has led to a complicated set of questions for policymakers responsible for the nation’s security.
Should the U.S. government step in to prevent a destructive cyberattack, if it can see one coming, aimed at the private sector? If not, and such an assault is successful, when should Washington retaliate and how, assuming the attack can be conclusively traced to another nation or to a terrorist group? When should the government make preemptive use of cyberweapons to alter a state’s agenda or behavior?
If a major cyberattack happened — a computer virus knocking out air traffic control, for instance, and sending planes crashing to the ground — the president and the National Security Council would focus first on what type of response would be proportionate, justified, necessary and in the U.S. interest. It might be a military response. It might be a cyber-response. It might be naming and shaming the attacker before the United Nations. It might be imposing sanctions. It might be no response at all.
Deciding what amounts to an act of war is more a political judgment than a military or legal one. International law avoids the phrase in favor of “armed attack” and “use of force.” Retired Gen. James Cartwright, former vice chairman of the Joint Chiefs of Staff, has often said that an act of war “is in the eye of the beholder.”
As Cartwright has pointed out, the United States didn’t go to war with North Korea after it sank a South Korean warship in 2010, nor with Iran after the U.S. Embassy in Tehran was seized in 1979. Would we want to start a war over a virus that causes a power blackout? And if not, what other actions might the government contemplate?
The government has defined an armed attack in cyberspace as one that results in death, injury or significant destruction, as Harold Koh, the State Department’s chief legal adviser, recently put it. Here’s the rule of thumb, as Koh stated it: “If the physical consequences of a cyberattack work the kind of physical damage that dropping a bomb or firing a missile would, that cyberattack should equally be considered a use of force.” If an attack reaches those levels, then a nation has a right to act in self-defense.
The more difficult cases will look something like what happened to Saudi Aramco. Matthew Waxman, a Columbia University law professor who studies the strategic dimensions of cyberattacks, said economic damage alone traditionally does not give rise to a right of self-defense. While “the erasure of data . . . is expensive to replace,” he said, “I would not call that an armed attack.”
A more complicated scenario: a cyber-assault on Wall Street computers that sends the markets into a tailspin and causes ripple effects throughout the economy. Industry experts say such an attack would be difficult to pull off — it’s one of those low-probability, high-consequence events government officials fear.
“I can see that rising to the level” of an armed attack in some people’s minds, Waxman said, but others would say it falls short of physical damage or loss of life.
Senior policymakers have been wrestling with these very issues. And the Saudi Aramco attack has heightened the sense of urgency, making the threat all the more concrete. “This was a deliberately disruptive event, done on purpose, not by some rogue hacker. Not some out-of-control operative,” said one U.S. intelligence official.
Panetta, in his speech, said, “If a crippling cyberattack were launched against our nation, the American people must be protected.” But what is “crippling”? What exactly would the military do to ensure such protection? That discussion remains very much behind closed doors, where the government has been working on rules of engagement that would guide its response.
A senior defense official, in an interview, said officials have done a lot of work on how the government would respond to certain attacks. “We feel we’re very prepared to answer that question if it should come up in the case of the United States,” he said.
But he would not get into specifics, for instance, as to whether destruction of data that caused a drop in the stock market or a huge increase in gas prices would trigger a military or any other response.
“Those are always classified things,” he said. “It’s not helpful to the United States to give a road map to the enemy to know when something is an attack on the nation and when it is not.”
His point: Why tell other nations what the United States is willing to tolerate before it will respond forcefully?
The severity and duration of effects — the amount of pain caused — is only one element that drives decisions about how to respond. Perhaps the more difficult factor is figuring out who is behind an attack — and why.
U.S. officials believe that factions of Iran’s Revolutionary Guard Corps were behind the attacks on Saudi Aramco and RasGas and that the Iranians were sending a message to the West and its supporters: You unleashed the Stuxnet virus on our nuclear program, and we’re firing back.
“They don’t see it as an escalation,” the U.S. intelligence source said. “They see it as a response to what was done to them: ‘Hey, you did it to us, and we’re going to come back at you.’ ”
U.S. officials have not blamed Iran — or any other nation or group — publicly for the Aramco and RasGas attacks. An earlier version of Panetta’s speech blamed the attacks on a “state actor,’’ according to one source, but that language was cut.
There is another school of thought, coming from outside the government, that the attack was carried out by a group of employees, some of whom may no longer work there, and non-employees with a grudge against the company and the Saudi government. None has any apparent link to Iran, these sources assert.
No one, however, is making their case publicly or offering evidence to prove their conclusions. That, too, is the nature of drip, drip warfare.
The United States and the world may be moving toward a greater strategic use of cyberweapons to persuade adversaries to change their behavior. This can be good, if it averts war. On the other hand, it could cause other nations to feel vulnerable. Some experts foresee a kind of cyber arms race as nations try to catch up.
Cyber-sabotage, by nature, doesn’t seem as cataclysmic as the Pearl Harbor or Sept. 11 attacks. But that may change. As Panetta warned in his New York speech, “These attacks mark a significant escalation of the cyberthreat, and they have renewed concerns about still-more-destructive scenarios that could unfold.”