Cyberwar is War, a Duel on an Extensive Scale

Alexandre EF
Aug 24, 2021

Research Question: From the perspective of the United States, should most important cyber-attacks be defined as a type of warfare and what are the benefits and dangers of doing so?

Introduction

“A serious cyberattack could trigger Article 5, where an attack against one ally is treated as an attack against all” (Stoltenberg 2019).

Cyberattacks on American infrastructure, military, and private enterprises are a new type of war. Significant cyberattacks can leave a nation without electricity, without clean water, and unable to communicate with its population. Industries that control nuclear plants, dams, and essential supply chains, if interfered with, can affect the well-being of millions of global citizens (What limits does the law of war impose on cyber attacks?). The USA must establish that significant attacks against critical infrastructure and public entities are considered warfare. When an attack occurs, the USA will need to determine whether it should be classified as an act of espionage or of war. The attack must also be attributed to a state or non-state actor. Policymakers should approach cyberattacks post-investigation as guilty until proven innocent, placing the burden of proof on the suspected state. The USA should evaluate on a case-by-case basis to assign liability and retaliation. Responses must be bold.

The Red Line

The primary target of hackers has been critical infrastructure (Cunningham). This infrastructure is in the hands of the private sector and includes energy, transportation, public services, telecommunications, and critical manufacturing (Cyber attacks on critical infrastructure). Due to the “internet of things,” critical infrastructure is becoming increasingly connected. While power grids were isolated decades ago, they now rely on connected devices and interconnection (Cyber attacks on critical infrastructure). Compromised industrial control systems (ICS) contributed to the blackouts in Ukraine, disruption of uranium enrichment facilities in Iran (Greenberg 2020), and breaches within the New York Dam (Hemsley and E. Fisher 2018). These systems are reportedly attacked daily, and a cyberattack should be considered an act of war if it results in lethal consequences (Cunningham 2021). The United States should publish a red line listing critical infrastructure. Any cyberattacks that cause fatalities would be considered an act of war.

Cyber War or Cyber Espionage Scale

Cyberattacks can range from probing of systems to indirect fatality. They have killed private citizens waiting for hospital treatment and have breached American public institutions (Eddy and Perlroth) (Significant cyber incidents). If Stuxnet attacked US nuclear plants, the result could be the leaking of ionizing materials (Gaffey). The leak would be felt globally and would be comparable to the 2011 Fukushima disaster (Gaffey). Cyberespionage is non-kinetic. It is the equivalent of an adversarial government “listening in” on devices (Wheeler). Cyberespionage in itself does not constitute an act of war. Policymakers should treat cyberattacks like kinetic attacks: declarable as acts of war and bound by humanitarian laws.

Revising cyberattacks to meet the same criteria as kinetic attacks implies that a cyberattack can also be a “cyber war crime.” North Korea is alleged to have used the ransomware cryptoworm “WannaCry” on the U.K.’s national healthcare system (NHS). The malware affected NHS servers’ ability to pull up patient information. The result was an inability to make appointments, cancelled scheduled surgeries, and millions of dollars in repair costs borne by the taxpayer. A similar ransomware attack occurred in hospitals in Germany, resulting in the first cyberattack death (Eddy and Perlroth). Russians have used cyberattacks against American hospitals, and the malware “NotPetya,” unleashed in rural Virginia and Pennsylvania, resulted in multiple hospitals turning away patients (Eddy and Perlroth). Policymakers should recognize that if an adversary used physical force to create the same outcome, it would meet existing criteria for acts of war.

Peace Through Cyber Strength

“If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach…” President Biden (Bose).

Since the age of the nuclear weapon, America has responded to adversaries in a reduced capacity for fear of nuclear retaliation (Limited War). The result is termed “limited war.” Limited war is used to gain negotiating leverage in a settlement, and this strategy has not achieved the same political results as total war. Limited war thus yields limited results. American policymakers need to change the status quo by treating cyberattacks that constitute cyberwarfare with disproportionate retaliation. America, being a greater technological power, should not seek to level itself with the adversary by responding to state or non-state cyberattacks tit for tat.

In 1982, the Argentinians launched an annexation of a British colony called the “Falkland Islands” (Calvo). The Argentinians incorrectly assumed that their strategy of lowering British civilian casualties would avoid strong retaliation (Calvo). They believed that the United Kingdom would not have the determination to respond assertively (Calvo). The U.K. responded disproportionately with 38 warships, 77 auxiliary vessels and 11,000 soldiers, sailors and marines (Kennedy). The US must do what the U.K. did during the Falklands War: send a message to the international community that America will respond with awesome power if a cyberattack is considered warfare.

Strengths

· A bold response would decrease the adversary’s estimation that cyberattacks would be met non-lethally

· It would strengthen US credibility and allies’ confidence

· It would set a precedent for respecting any state’s cyberspace sovereignty

Risks

· America may not be prepared to respond assertively to military challenges

· Adversarial states may respond likewise to US cyber attacks

· The possibility that the cyberattack was incorrectly assigned to a state

Attribution

Cyberattacks driven by a state’s political goals are never broadcast by the country of origin. Plausible deniability exists in cyberattacks because a state has little to gain from disclosing its capacity. When investigators determine the attacker’s origin, they base their analysis on the attack’s funding structure, complexity, and sophistication (Gusovsky). They use TTPs (tactics, techniques and procedures) and other technical criteria to attribute the attack (Gusovsky). Even with these tools, attributing an attack to a specific state “beyond a shadow of a doubt” is challenging (Gusovsky).

The 1948 Universal Declaration of Human Rights declares that each individual is presumed innocent until proven guilty (Universal declaration of human rights). States are not people. The status quo of translating this ethos into cyberwar is nonsensical. States will always deny culpability. Adversaries can work around public outcry by patiently and systematically targeting institutions. Guilty until proven innocent puts the responsibility on the accused state to prove its innocence. It expedites resolution and assigns blame within a responsible process. Cyber investigators should provide their findings to the United States, and the United States should use those findings to pressure adversaries into reconciliation through a guilty-until-proven-innocent approach.

Conclusion

By setting up a red line within cyberspace, the United States will write the future of cybersecurity. Peace through strength will be extended into cyberspace. The United States can use this bold approach to pressure adversaries into concessions. There needs to be a revision of how cyberattacks are attributed and responded to. The United States will establish a robust global precedent for cyberspace sovereignty by identifying which cyberattacks are acts of war and/or war crimes. The US should seek to dominate cyberspace as it has done in space, air, land, and sea to respond appropriately to future cyber threats.

Works Cited

1. Bose, Nandita. “Biden: If U.S. Has ‘Real Shooting War’ It Could Be Result of Cyber Attacks.” Reuters, Thomson Reuters, 27 July 2021, www.reuters.com/world/biden-warns-cyber-attacks-could-lead-a-real-shooting-war-2021-07-27/.

2. Calvo, Alex. “Cyberwar Is War: A Critique of ‘Hacking Can Reduce Real-World Violence.’” Cyberwar Is War.

3. Clausewitz, Carl von. “Book I: On the Nature of War.” Carl Von Clausewitz: On War. Book 1, Chapter 1, www.clausewitz.com/readings/OnWar1873/BK1ch01.html.

4. Cook, Lorne. “NATO Says Attack in Space Could Trigger Mutual Defense Clause.” Defense News, 2021 Sightline Media Group, 14 June 2021, www.defensenews.com/smr/nato-priorities/2021/06/14/nato-says-attack-in-space-could-trigger-mutual-defense-clause/.

5. “Cyber Attacks on Critical Infrastructure.” AGCS Global, Allianz, 2021, www.agcs.allianz.com/news-and-insights/expert-risk-articles/cyber-attacks-on-critical-infrastructure.html.

6. “Cyberwar and Peace: Hacking Can Reduce Real-World Violence.” Cyberwar and Peace: Hacking Can Reduce Real-World Violence, by Thomas Rid, 6th ed., vol. 92, Council on Foreign Relations, 2013, pp. 77–87.

7. Eddy, Melissa, and Nicole Perlroth. “Cyber Attack Suspected in German Woman’s Death.” The New York Times, The New York Times, 18 Sept. 2020, www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html.

8. Gaffey, Conor. “Cyber-Attack on Nuclear Facilities Could Cause Radiation Leaks.” Newsweek, Newsweek, 23 Apr. 2016, www.newsweek.com/cyberattack-nuclear-facilities-could-cause-radiation-leak-report-379859.

9. Gusovsky, Dina. “How Investigators Decide That a Country Is behind a Cyberattack.” CNBC, CNBC, 19 Sept. 2016, www.cnbc.com/2016/09/19/how-investigators-decide-that-a-country-is-behind-a-cyberattack.html.

10. Kennedy, Lesley. “How the Falklands War Cemented Margaret Thatcher’s Reputation as the ‘Iron Lady’.” History.com, A&E Television Networks, 3 May 2019, history.com/news/margaret-thatcher-falklands-war.

11. “Limited War.” Encyclopedia.com, Encyclopedia.com, 7 Aug. 2021, www.encyclopedia.com/social-sciences/applied-and-social-sciences-magazines/limited-war.

12. “Significant Cyber Incidents.” Significant Cyber Incidents | Center for Strategic and International Studies, www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents.

13. Stoltenberg, Jens. “NATO Will Defend Itself (Article by NATO Secretary General Jens Stoltenberg Published in Prospect).” NATO, 27 Aug. 2019, www.nato.int/cps/en/natohq/news_168435.htm?selectedLocale=en.

14. “Universal Declaration of Human Rights.” United Nations, United Nations, www.un.org/en/about-us/universal-declaration-of-human-rights.

15. “What Limits Does the Law of War Impose on Cyber Attacks?” ICRC, International Committee of the Red Cross, 28 June 2013, www.icrc.org/en/doc/resources/documents/faq/130628-cyber-warfare-q-and-a-eng.htm.

16. Wheeler, Tarah. “The Danger in Calling the SolarWinds Breach an ‘Act of War’.” Brookings, Brookings, 4 Mar. 2021, www.brookings.edu/techstream/the-danger-in-calling-the-solarwinds-breach-an-act-of-war/.

17. Wolfe, Jan, and Brendan Pierson. “Explainer-U.S. Government Hack: Espionage or Act of War?” Reuters, Thomson Reuters, 19 Dec. 2020, www.reuters.com/article/global-cyber-legal-idUSKBN28T0HH.

Alexandre EF

MA. Arizona State University Centre for Future Warfare. All writing is scholarly and creative and may not reflect actual opinion.