'Act of war' treatment of cyber-attacks fails to answer harder questions: IU experts
June 2, 2011
BLOOMINGTON, Ind. -- Recent news reports that Pentagon policy will view certain cyber-attacks as acts of war to which the U.S. may respond with conventional military force is unsurprising but avoids hard policy and legal questions, according to Indiana University cybersecurity experts.
"The United States has long taken the position that in exercising its right to use force in self-defense its hands are not tied by the means and methods chosen by its adversaries," said David P. Fidler, James Louis Calamaras Professor of Law at the Maurer School of Law and fellow at the Center for Applied Cybersecurity Research (CACR). He pointed out that the United States reserved the right during the Cold War to respond to Soviet conventional attacks in Europe with nuclear weapons, and it has used conventional military forces against states responsible for sponsoring or harboring terrorists who attacked U.S. nationals and territory.
"That the U.S. government claims the right to use traditional military power in response to a large-scale cyber-attack that causes serious damage, destruction, or death in the United States is to be expected," Fidler continued. "However, this position does not address problems cyberweapons create, including the threshold a cyber-attack must cross to trigger the right to use force in self-defense and the difficulties in attributing responsibility for the attack."
Scott J. Shackelford, assistant professor of business law at the Kelley School of Business and CACR fellow, highlighted the complexity of the problem of attribution, which involves both technical and legal challenges.
"As a technical matter, you have to trace an attack back to a specific source -- many experts will tell you that this effort might identify a machine involved in the attack, but that alone is insufficient to determine who really was behind the attack," he said. "That computer could have been exploited from another location in a different country, creating barriers to applying international rules that assign legal responsibility for armed attacks."
Fidler and Shackelford agreed that the Department of Defense's development of a strategy for cyberconflict is needed, particularly in light of the establishment in 2010 of U.S. Cyber Command -- a combatant command tasked with military cyber readiness and capabilities -- and the May 2011 release of the Obama Administration's International Strategy for Cyberspace, which establishes general principles guiding U.S. defense, diplomacy, and development policies in cyberspace. The strategy states, for example, that "we reserve the right to use all necessary means" in responding to "hostile acts in cyberspace."
"We are starting to see a general policy framework take shape on the military and civilian sides," Shackelford said. "These actions by the Obama Administration demonstrate how important this policy area has become as many countries, particularly China, have started to develop cyber capabilities that are of national security concern to the United States."
"Not answering hard questions about cyberwar is, in many ways, part of the thinking," Fidler added. "As the International Strategy on Cyberspace provides, the United States is seeking to dissuade and deter cyber-attacks against its interests, critical infrastructure, and population. If your adversary is not sure where you are drawing the line for purposes of escalation, then you have created, in classic deterrence terms, a threat that leaves something to chance."
Fidler and Shackelford are available to comment on these and other cybersecurity matters. Fidler can be reached at 812-855-6403, or at firstname.lastname@example.org. Shackelford can be reached at 812-856-6728, or at email@example.com.