The Washington PostDemocracy Dies in Darkness

Obama called the Sony hack an act of ‘cyber vandalism.’ He’s right.

President  Obama called the Sony hack a form of cyber vandalism. (AP Photo/Carolyn Kaster)
Placeholder while article actions load

It's official: "Why didn't you call it cyber warfare?" is the new "Why didn't you call it terrorism?"

Over the weekend, Republicans slammed President Obama for that they called a weak-kneed response to the North Korean hackers who are suspected of targeting Sony in a major data breach. In interviews with CNN and CBS, Sens. John McCain (Ariz.) and Lindsey Graham (S.C.) called the hacking "a new form of warfare" and "terrorism," respectively, and criticized the White House's characterization of the incident as "cyber vandalism."

All this Washington hand-wringing over verbiage is more or less politically motivated. But the theatrics risk obscuring a key point: Like terrorism, cyber warfare has a specific military definition. Calling the intrusion into Sony's network a definite act of cyber war not only makes it harder for the United States to distinguish between actual national security threats and inflated ones, but it also makes it harder for America to shape crucial international norms about how and when to use cyberweapons — norms that could help ward off the next North Korean hack.

You may know that the Pentagon has an entire glossary of terms when it comes to waging war in cyberspace. This should make total sense. Just like in physical war, linguistic ambiguity and confusion lead to mistakes, and mistakes get people killed. Especially in a field as new as cyber, you don't want to be messing around trying to define your terms when the bombs start to fall.

So how does the Defense Department define cyber warfare?

cyber warfare (CW): Creation of effects in and through cyberspace in support of a combatant commander's military objectives, to ensure friendly forces freedom of action in cyberspace while denying adversaries these same freedoms. Composed of cyber attack (CA), cyber defense (CD), and cyber exploitation (CE).

Note the emphasis on "a combatant commander's military objectives." It might seem obvious that the Pentagon's business is to talk in terms of the military. But this is actually an important signal to the rest of the world that cyber warfare ought to be thought of as a military activity, conducted by military officials, for military purposes.

This is far from a consensus opinion. China, Russia and, yes, North Korea all have sophisticated military hacker units. To the extent Washington can prove it, these hackers' actions show they believe businesses, banks and other civilian institutions to be legitimate targets for cyberspace operations — or, as the Pentagon puts it,

The employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace.

What's really going on here is a battle to determine whether, in fact, the infiltration of corporate networks, exposure of business information and censorship of U.S. film studios is a legitimate military activity. Some foreign governments would probably like nothing better than for the definition of war to expand this way. But for those who believe civilians should be kept out of war as much as possible, blurring the line between cyber warfare and cyber crime (or espionage) is potentially a very bad thing. It expands the number of scenarios potentially requiring a military response, spreading resources thin. It puts pressure on countries like the United States to engage in reciprocal behavior — or suffer a growing disadvantage.

Obama has repeatedly come under criticism as being too cool in a crisis. Others have come to his defense, arguing that cooler heads make for less interesting headlines but better resolutions. The same pattern appears to be playing out today. And while we'll probably never know for certain, Obama's decision not to use the language of cyber warfare might be the best decision he can make right now.