“Today, we are in a stealthy cyber war in America,” Rep. Mike Rogers (R-Mich.), chair of the House Intelligence Committee, wrote in February.
Just consider the following: In a matter of months, a group of Syrian youths with ambiguous government ties hacked a news account and briefly caused a dip in the Dow Jones, experts concluded that the Chinese government has been systematically stealing secrets from American companies, and Iranian attacks on U.S. infrastructure have reportedly reached a boiling point.
Perhaps even more stressing, a recent confidental report by the Defense Science Board for the Pentagon claimed that more than two dozen major weapons systems were compromised by Chinese hackers, according to the Washington Post.
All of which begs the question: At what point does this cyberwar become real war?
There are, in fact, strict international laws about this sort of thing—established in the wake of World War II. In essence, assuming a nation doesn’t want to go to war, it can counter a cyberattack with a physical one without violating international law. But only if that attack caused real, physical damage to infrastructure or to people.
Such laws were written for a different time, Professor Mike Schmitt, chair of the International Law Department at the U.S. Naval War College, told the Daily Dot. He’s the director of the Tallinn Manual, NATO’s 215-page guide to interpreting established laws of engagement in the age of the Internet.
Back when the laws were written, “when the enemy attacked us, they blew stuff up, they killed people, so we created a law to deal with those consequences,” he explained. “We were concerned with certain consequences because that’s all that was out there.
“The problem is that in cyberspace, that law still applies. But cyberspace can have consequences that weren’t in the contemplation of the guys who were making the law five decades ago.”
Those laws might change in coming years, but they haven’t yet.
In other words, despite how positive leaders in Washington are that the Chinese army is constantly stealing American businesses’ confidential files, the U.S. can not retaliate with acts of war because such actions didn’t cause physical damage.
Another good example would be the Syrian Electronic Army (SEA). In April, the SEA took control of the Associated Press’s Twitter account and posted that President Obama had been injured; that action inadvertently, briefly sent the Dow Jones industrial average down more than 100 points, according to the Washington Post. It doesn’t matter that the SEA has ambiguous—but possibly very real—connections to the Syrian government. It still hasn’t done any physical damage.
The incident highlights the fickle nature of what is—and equally important, what is not—considered an actual attack.
Picture “a massive cyber operation directed against a country that has devastating effects on that country’s economy,” Schmitt says. “Why is that not an armed attack? If a warship sits off the coast of Rhode Island, shells it and destroys five empty houses,” that would clearly prompt a physical retaliation.
“If I had to pick between destroying five houses and seriously affecting the economy, I think I’d give up the houses,” he said. “’Cyber’ takes us out of the traditional way of thinking about war.”
That’s why the recent news about cyberattacks from Iran is so troubling. According to several sources in a Thursday Wall Street Journal report, Iranian hackers, believed to have government support, accessed software that enabled them to control unspecified American gas and oil pipelines along the Canadian border.
Those attacks have “reached a really critical level,” said James Lewis, director of technology and public policy at the influential Center for Strategic and International Studies. “We don’t have much we can do in response, short of kinetic warfare.”
Of course, the U.S. is believed to have attacked Iran’s infrastructure as well. Multiple sources close to the White House gave detailed explanations to the New York Times about how the virus known as Stuxnet was created by the U.S. as a means to nonviolently slow down Iranian’s nuclear research. In particular, Stuxnet led to damaged centrifuges. While for a time, Stuxnet was seen as an effective tool, more recent data suggests it backfired, actually speeding up Iran’s research.
International law wouldn’t allow Iran to use Stuxnet to justify a counterattack on the U.S., Schmitt said, but not for the reason you might think.
“It would need to count as an armed attack to allow Iran to respond,” he said. That means severe use of force. “The question is whether that would cross the threshold. My personal view is it comes pretty close. It’s pretty serious damage being done to a very important system operation. That would mean the Iranians could take those steps necessary to defend themselves during the attack.”
However, attacking another nation to stop a cyberattack can’t be retaliatory; it can only be designed to halt an attack in progress. Stuxnet first appeared as early as 2009, and it wasn’t fully identified until 2010; the U.S. has long wiped its hands of direct involvement.
“The attack was over by the time it was discovered, so Iran had no right to retaliate even if it was a state that did it,” Schmitt said. “So their remedy is diplomatic protest and so forth. If they’d caught it while it was ongoing, and they needed to use force to make it stop, I would say they probably could [physically retaliate].”
Iranian government officials rebuffed the claims that they sponsored cyberattacks against the U.S. Instead, they offered the same response China did when it addressed claims that Chinese government hackers regularly stole from the U.S.: No, it was you who attacked us.
“Although Iran has been repeatedly the target of state-sponsored cyberattacks, attempting to target Iran’s civilian nuclear facilities, power grids, oil terminals and other industrial sectors, Iran has not ever retaliated against those illegal cyberattacks,” Alireza Miryousefi, an Iranian representative at the United Nations, told the Wall Street Journal.
Illustration by Jason Reed