Cyberspace Invaders

Is a cyber-attack an act of war?

How does the United States answer an Internet invasion?

Chinese hackers have breached the White House computer network on numerous occasions, the Financial Times reported Thursday. Officials believe the attacks may be sponsored by the Chinese government. Is a cyber-attack by a foreign government an act of war?

It depends on the context. An “act of war” is defined in the U.S. Code as any act that occurs during declared war or during armed conflict between two countries (although President Bush did call the Sept. 11 attacks an “act of war”). So, technically, if a cyber-attack occurs during a war, it’s an act of war; if not, it’s not. Whether or not a cyber-attack is grounds for war depends on the nature of hackers’ intentions: to spy, by stealing secrets, or to disrupt national infrastructure. Most governments consider espionage—the collecting of information about another country—a crime but not a casus belli. But sabotage—say, pulling down a power grid that serves hundreds of cities—could be construed as one.

So far, no cyber-attack has ever started a war. That’s because the vast majority of attacks qualify as espionage. In 2007, hackers infiltrated the Pentagon’s unclassified e-mail system. The World Bank, with its troves of financial information about foreign governments, has been invaded several times. When a U.S. trade official traveled to China in 2007, foreign spyware programs were reportedly discovered on some of his electronic devices. Hackers targeted both the Obama and McCain campaigns with cyber-attacks, presumably to cull strategic information about the future president. Organized crime is active online, too, but usually the goal is profit, not access to classified information.

Another reason governments rarely treat cyber-attacks as acts of war is that they’re so hard to trace. The 1999 “Moonlight Maze” incident, in which hackers stole files from the Department of Defense, was traced to computers in Russia. But the Kremlin denied involvement, and the case remains unsolved. There’s also a risk that you’ll finger the wrong guy. A 1998 investigation called “Solar Sunrise” initially led intelligence officials to suspect Iraq in a series of breaches of Department of Defense computers. It turned out to be the handiwork of two teenagers in Northern California.

Compared with the rules of actual warfare—which are recognized by international treaties—the rules of cyber-warfare are murky. In 2007, the Bush administration announced a National Cyber Security Initiative that would, in part, codify the consequences of cyber-attacks on the United States. But the specifics of the doctrine remain classified. (A Senate committee criticized the initiative for its secrecy, arguing that deterrence works only if the enemy knows what the policy is.)

Other countries have pushed for a more explicit cyber-doctrine. Estonia, which fell victim to a massive foreign cyber-attack in 2007, created a Cyber Defense Center in cooperation with other NATO countries and urged NATO and the U.N. to establish a doctrine that covers cyber-warfare. Meanwhile, China has been blunt about its ambitions. A Pentagon report from 2007 concluded that while China doesn’t have an official cyber-doctrine, it has declared its intent to achieve “electromagnetic dominance” over its opponents and has developed viruses to attack enemy computers.

Explainer thanks James Lewis of the Center for Strategic and International Studies and Sami Saydjari of the Cyber Defense Agency.