Historically when a country has been attacked deciding whether or not to declare war or how to properly respond has been a relatively straight-forward task. Pearl Harbor bombed, declare war; merchant ships targeted by U-Boats, declare war; German tanks roll over your border, declare war.
Jump to the 21st Century with warfare being waged over fiber optic cables and deciding whether a cyberattack is an act of war, a crime or just online vandalism is a much more difficult and complex task that our nation's decision makers are just starting to contemplate. And even when the attack has been properly defined, deciding upon a proportional response is no easy matter.
With both of these issues in mind, Sen. Mike Rounds (R-S.D.), a member of the Senate Armed Services Committee (SASC), introduced The Cyber Act of War Act of 2016 that asks the administration to define whether a specific cyberattack would and would or not be considered an act of war thus enabling the United States to respond appropriately.
Rounds told SCMagazine.com that systems are in place allowing for an immediate response by the military to a conventional or nuclear attack so “Why not integrate cyber into that. We want to provide some upfront guidance so they [the military] don't have to wake the president in the middle of the night to respond.”
The bill put forth does not address this at all, instead Rounds said he wants the individuals who “live and breathe” this problem to handle creating the guidelines. The bill contains 180-day deadline.
Rounds said the genesis for the idea came during a SASC hearing in February. During the course of the meeting the senator asked Lt. Gen. Vincent Stewart, director of the Defense Intelligence Agency, whether having a piece of legislation such as Cyber Act of War Act of 2016 would be helpful.
“I think it would be extremely helpful to have clear definitions of what constitutes cyber events versus acts of war…if we get much fuller definition of the range of things that occur in cyber space, and then start thinking about the threshold where an attack is catastrophic enough or destructive enough that we define it as an act of war, I think that would be extremely useful,” Stewart said.
|General Michael Hayden at the Centrify Connect conference.
During a keynote address at the Centrify Connect conference on May 11 in New York, said U.S. Air Force General Michael Hayden, former head of the National Security Agency and director of the Central Intelligence Agency, told a story of President Obama referring to the Sony breach by North Korea as cyber vandalism. When first heard that description he thought it was somewhat off base. We're not “talking spray painting graffiti on a subway car in the Bronx.”
But he then realized there's no word or descriptor yet to define what's going on.
“We don't know the difference between vandalism and crime or terrorism and an act of war,” Hayden told SCMagazine.com after the keynote, adding Rounds' bill is “an attempt to push that definition.”
Even though the United States has engaged in dozens of armed conflicts during its history, there have been few occasions where an Act of War has been asked for by the president and approved by Congress. Most recently during World War II on December 8, 1941 when President Franklin Roosevelt called for such a declaration in response to the Japanese attack on Pearl Harbor and on December 11, 1941 against Germany and Italy. The U.S. also used this power against Axis partners Bulgaria, Hungary and Romania in June 1942.
However, Rounds and Hayden envision the Cyber Act of War Act of 2016 being used less as a formal legal instrument and more as a yardstick to measure and define a cyberattack and the American response.
“This is more of a guideline that the government would use to elicit a response to a cyberattack that would not require the president going to Congress to ask for a declaration of war,” Rounds said.
The next question that this brings up is whether or not creating such a legal framework is even achievable, as military analysts told SCMagazine.com that it is almost impossible to figure out who is behind most cyberattacks. At least clearly enough to warrant a kinetic, meaning conventional military, counter strike.
“The asymmetric nature of it (cyberwarfare) makes it hard to determine the culprit,” Stratfor Security analyst Tristan Reed told SCMagazine.com, adding that for “most cyberattacks any conventional military response would be considered over the top.”
Rounds agreed saying the details that need to be worked out by the administration is when should a cyberattack be responded to in kind and when would it involve something much more destructive.
Isaac Porche, associate director, Forces and Logistics Program at the RAND Arroyo Center, does not think an armed response is likely between major nation-states, but he did not exclude this possibility for some of the other potential adversaries exist.
“But non-state actors do not follow the rules of war. So, it is possible that a ‘rogue' state will attempt to perform a major attack. And a tough response is likely,” Porche said.