With government officials and executives in the U.S. reeling from sophisticated hacks traced to China and other state-backed entities, American spies and soldiers are sharpening the ongoing debate over if – and when – an online action, like the hack of the U.S. Office of Personnel Management (OPM), should trigger a “kinetic” response – a euphemism for military actions ranging from drone strikes and commando raids to all-out war.It's a question that also vexes foreign policy think tanks and former intelligence specialists now in the private sector. In a debate that parallels the policy tussles taking place at the White House, the Department of Defense and U.S. intelligence agencies, outside experts are squaring off over the very definition of cyberarmies and cyberwar – and, if and when an unambiguous cyberattack takes place, what the response should be.
Where one stands on the issue depends in part on experience and perspective. In a series of interviews with SC Magazine, former intelligence officials and military veterans debated whether the OPM breach and spectacular private-sector hacks, like that of Sony (which the U.S. attributed to North Korea), are old-school spying or the early volleys of virtual warfare.
But both views have an element of truth, says Adam Segal, senior fellow for China studies and director of the digital and cyberspace policy program at the Council on Foreign Relations. “People are throwing around the term ‘hybrid,' which exists in the space between war and peace,” he says. There is no clear distinction between the start and the end of a conflict, he adds.
John Felker, director of cyber and intelligence strategy, HP Enterprise Services
Jason Healey, senior research scholar in cyber conflict studies at Columbia University's School of International and Public Affairs
Maria Horton, CEO, EmeSec James Lewis, program director, Center for Strategic and International Studies
Isaac Porsche III, senior engineer at the RAND Corporation
Adam Segal, senior fellow for China studies and director of the digital and Cyberspace Policy Program, Council on Foreign Relations
Richard Schaffer, executive, KEYW
Terry Roberts, founder and president, CyberSync
The proxy wars that variously pitted allies of the old U.S.S.R. and China against U.S. client states provide a useful comparison for understanding today's cyberconflicts, Segal says. Directly confronting the other side could be too dangerous or escalatory in an all-out cyberwar, just as a conventional military clash once risked nuclear warfare.
Segal doesn't hesitate to disagree with those who characterize the OPM breach as a military attack. “We have basically identified it as political-military espionage,” he says. Even a hack of top military contractors, like Boeing and Lockheed Martin, to obtain plans for the F-22 or F-35 warplanes falls under that heading, he says.
But the boundaries between espionage and acts of war may soon blur in the virtual world, Segal acknowledges. “We need to have more discussion of norms and rules,” he says. “How do you prevent the virtual from becoming kinetic?”
One way to do so, he says, would be for the U.S. government to be clearer about what it may do in dealing with cyberattacks. The point is to get other countries to be more transparent about their own capabilities and doctrine.
James Lewis has taken up that challenge. A program director at the Center for Strategic and International Studies (CSIS), he's worked as a consultant during negotiations on cybersecurity at the United Nations in an effort to cajole representatives from various nations into disclosing their cybermilitary capabilities. While a Cold War-style arms control treaty is a long way off, the UN's focus for now is norms of behavior and confidence-building measures, like transparency, he says.
People don't want a cyberarms control treaty, says Lewis, a former Foreign Service officer and arms control negotiator. “The Americans don't want it, because they think the Russians and the Chinese will cheat. The Chinese say they don't want it because it would militarize cyberspace – which sounds hypocritical to American ears.” The Russians, he adds, have a more complicated position, which focuses on the very definition of a cyberweapon.
Complicating negotiations on cybertalks is the fact that the bipolar, Washington-Moscow partition of the world in the Cold War is long gone, Lewis says. “The U.S. won the Cold War in 1989 and World War II in 1945. For most people in the world, that is ancient history. It's like saying, ‘We are the ones who can set the rules because we won the Trojan War.'”
What keeps cyberwar at bay – and keeps negotiations on track – is a shared interest in global connectivity that fuels economic growth, says Jason Healey, a senior research scholar in cyberconflict studies at Columbia University's School of International and Public Affairs, and senior fellow and former director of the Cyber Statecraft Initiative at the Atlantic Council.
For him, cyberwar deterrence obviously is working, pointing out that the phrase “cyber Pearl Harbor” was first used in 1991. “In the 24 of the 74 years from the actual Pearl Harbor, it hasn't happened yet. Nobody has died from a cyberattack. Nobody.”
The constraints on nation-states launching cyberattacks on their rivals aren't very different from the pressures against mounting conventional military attacks, Healey says. “China hasn't tried to take electrical power out in the U.S., and the U.S. hasn't tried to do that in Moscow. Even if we could land a strategic blow, why would we?”
Even the apparently successful U.S. use of cyberweapons to achieve Washington's strategic aims, such as the Stuxnet virus that damaged Iran's nuclear program in 2009, have, in fact, made wider cyberconflict more likely, Healey says. Prior to that, Iran's focus on the internet was primarily at quelling internal dissent. “After they got hit by Stuxnet, Iran said, ‘OK, that is the way the game is going to be played,' and they put things in that space,” Healy says.