Future Tense

What Is Cyberwar?

The defense community can’t figure out how to define it.

This article arises from Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate.

What constitutes an act of cyberwar?

Before we get to that, there’s a clue in the spelling of the word: cyberwar instead of cyber war. The U.S. Defense Department has determined that cyber is a fifth domain after air, land, sea, and space. We wouldn’t call the World War II battle for domain of the skies an “airwar,” or the showdowns over North African terrain “landwar.” Yet somehow cyberwar has become the preferred term. The oddity of the convention reflects the fact that cyberwar is not quite “war,” not quite “cyber,” yet it is so palpably real that most developed and developing nations are standing up their own cyber commands to engage in it.

The problem, of course, is that no one can agree on what constitutes an act of cyberwar. There is as yet no international treaty in place that establishes a legal definition for an act of cyber aggression. In May, the Pentagon released a cyber strategy, but U.S. senators have complained recently that there’s still no clarity on what, exactly, would be considered an act of cyberwar. The United States is not alone here: The entire field of international cyber law is still murky.

For a look at this confusing space, let us consider three examples of cyber attacks that may or may not be considered cyberwar.

One cyberwar scenario played out between June 2009 and July 2010, when Iran discovered it was the target of the most sophisticated cyber attack on record, known as Stuxnet. Iran suffered tangible losses of up to 1,000 P-1 centrifuges and experienced a slowdown in its uranium enrichment process. The damages, however, were minimal, and that appeared to be by design. The Stuxnet code specified that only a certain number of centrifuges were to be affected and that the damage was to be done slowly, over a period of months. It was clearly an act of sabotage—but was it an act of war?

Just this past week, McAfee released a white paper describing a very large cyber espionage operation, which the firm dubbed Shady RAT. The ring appears to have been in operation for five years and may have hit up to 70 global companies, governments, and nonprofit organizations. Shady RAT may or may not be all that McAfee claims; its competitors Symantec and Kaspersky have criticized it. However, it does serve to demonstrate the scope and scale of one type of cyber espionage operation that targets intellectual property. While espionage between nation states has never been considered grounds for going to war, it has also never occurred at this scale. And if a country’s national objectives of accumulating power, influence, and resources can be done virtually instead of on the battlefield, then should cyber espionage be considered a new type of warfare?

Finally, let us look at the cyber element of the 2008 Russia-Georgia conflict. On Aug. 8, the Russian Federation launched a military assault against Georgia. One day later, a forum called StopGeorgia.ru was up and running with 30 members, a number that eventually exceeded 200. It was responding to a pre-existing cyber skirmish: In July, the Georgian government had begun blocking Russian IPs after the Georgian president’s site was knocked offline by a DDoS attack. StopGeorgia.ru’s purpose was to attack 37 high-value Georgian websites, such as those of the Parliament and Ministry of Defense. In addition to the target list, the forum admins provided members with downloadable DDoS kits, as well as advice on how to launch more sophisticated attacks, such as SQL injection. These cyber attacks began when military operations did and ended sometime after the ceasefire. The Russian government has never acknowledged that it had anything to do with the cyber attacks, arguing that they were merely the actions of patriotic Russian citizens who were outraged by Georgian oppression against its neighbors in the South Caucasus.

In November of that year, the NATO Cooperative Cyber Defense Centre of Excellence published a paper titled “Cyber Attacks Against Georgia: Legal Lessons Identified,” which attempted to tease out whether the Law of Armed Conflict applied to those cyber attacks. According to author Eneken Tikk and her team, a cyber attack only qualifies as an act of cyberwar under the LOAC standard if: a) it is done in conjunction with a physical attack; b) it is attributable to a specific government; and c) it caused injury. Georgia wasn’t able to demonstrate that injuries resulted from the cyber attacks, nor could it prove that they were ordered by the Russian government. Hence, they didn’t meet the LOAC requirements, which currently are the only legal requirements that stipulate when a country may act with force against an aggressor. If a cyber attack were to be considered as justification for going to war, it must comply with the LOAC unless and until there is international agreement on an alternate legal framework.

Although the Pentagon has just released a new strategy for cyberspace, there’s still plenty of internal dissent about this complex issue. The most recent example occurred when Vice Chairman of the Joint Chiefs Gen. James Cartwright criticized the document immediately after Deputy Secretary of Defense William Lynn announced it. Cartwright told reporters that “this strategy talks more about how we are going to defend the networks. The next iteration will have to start to talk about here’s a strategy that says to the attacker if you do this, the price to you is going to go up.” On the opposite end of the spectrum, Howard Schmidt, the U.S. Cyber-Security Coordinator (aka, the cyber czar) said in an interview with Wired that “there is no cyberwar.” Schmidt went on to say that he thinks cyberwar “is a terrible metaphor and … a terrible concept.” Our brightest minds on conflict can’t agree on even a basic definition of cyberwar.

With such attacks becoming more frequent, it is increasingly important to have a cogent, clear definition of what sorts of incidents should be labeled cyberwar, and what should not. So with this uncertain background, we would like to turn to the wisdom of the crowd. Join us in attempting to come to a consensus. Click here to vote on what scenarios rise to the level of cyberwar, and submit your own to see what others think.