Why Even the Definition of “Cyber Attack” Matters

article | August 05, 2014

    Martin Sigalow

Although definitional debates can sometimes seem pedantic, debates over the term “cyber attack” are an important exception. How “cyber attack” is defined has real consequences. Take the recent reporting about a cyber incident affecting NASDAQ, for instance. Last month, reports surfaced that in 2010 federal investigators discovered - to great internal shock - potentially malicious, intentionally damaging software placed deep inside the NASDAQ network. The software, probably of Russian origin, had gone undetected for months. Should the incident be labeled a cyber attack because it could have undermined a key part of the global financial system? Or, should it not be because nobody died? Would the intrusion still be considered a cyber attack even if it could not be traced to the Russian government specifically? The answers to these questions crucially determine the appropriate NASDAQ and United States government response. In addition to the aforementioned political and military context, “cyber attack” takes on even more meanings when it’s used by other communities such as IT security professionals or human rights groups. As such, the definition of cyber attack has become a focal point for domestic and international debates about the intersection of Internet governance and international law.

In order to understand the importance of the cyber attack definition, it is first necessary to understand the possible ways to structure the definition itself. One way to think about cyber attack definitions is to split them into three main elements: means, target, and effect (intended or actual). The means concerns what system was used for the attack. The target concerns what (or who) the attack was directed at. The effect concerns what consequence the attack was intended to, or actually did, bring about. Consider this Department of Defense definition: “A hostile act using computer or related networks or systems, and intended to disrupt and/or destroy an adversary's critical cyber systems, assets, or functions.” In this case, the means is “computer or related networks or systems,” the target is “an adversary’s critical cyber systems, assets, or functions,” and the effect (intended) is “to disrupt and/or destroy.” Each of the three components, whether included or omitted, has important wrinkles that show how large the implications of minor definitional disagreements can be.

The first component, the means, can produce problems when it is stressed to the exclusion of other components. Indeed, a definition too focused on means makes it easy for authoritarian states to punish dissent. Russia and China, for example, tend to favor definitions that only require a means and an effect. According to Oona Hathaway, a professor of international law at Yale University, “By encompassing any activity that uses cyber-technology and jeopardizes stability, a means-based understanding of cyber-warfare can be used to constrain the expression of free speech and political dissent online.” Since authoritarian governments are quite good at connecting any expression of dissent to security risks, requiring only a predicted effect and computer usage makes it easy to condemn legitimate contestation. Having a means component is not itself unwise, chiefly because, ultimately, “the only hard and fast difference between cyberattacks and other attacks is in their digital means and targets.” Yet such a component should be treated as necessary but not sufficient.

The target component has distinct issues, mainly surrounding limitations to state actors as targets. Definitions which specify that the target must be another state actor could have a perverse effect: cyber actions taken by authoritarian governments against their civilians would not be covered by such a definition. Is a Distributed Denial of Service (DDoS) strike against resistance websites during civil war – intended to stifle warnings of a coming crackdown – a cyber attack? (This is something that happened during Syria’s civil war.) How about a cyber disruption of Aleppo’s water supply affecting the population of the city, however unlikely an occurrence that would be? There are clearly important implications for involved parties. Clarifying the appropriate range of actions deserving the cyber attack label should therefore be a key consideration.

Effects components, intended or actual, have a problem of precision. Say an unknown entity unsuccessfully hacks NASDAQ. Knowing if the intent of the intrusion was data gathering or infrastructure destruction is very challenging, either during or after the intrusion. Actual effect requirements would mean that the incident has to be labeled benign because no damage resulted - even though it might have without NASDAQ’s vigilance. Actual effect, after all, is always unknown until the incident concludes. Despite potential shortcomings, both the intended and actual effect components have important functions. An intended effect component based around national security purposes, for example, has been used by some authors, Hathaway among them, to distinguish “cyber-attack from simple cyber-crime,” which does not “raise the same legal questions.” The decision surrounding effects has crucial implications for organizations like NASDAQ responding to daily intrusions swiftly and legally, for lawyers and lawmakers legally classifying the many intrusions, and for potential intruders hawkishly watching the other two.

This definition debate is ongoing around the world in international forums, treaty negotiations, and legal institutions. Governments have different, increasingly conflicting stakes and interests. Russia, China, and the U.S. are publicly arguing on behalf of their own unique visions of the digital future. Whose vision comes out on top will be a function of international lobbying and geopolitics. The result will have important implications for human rights and the law of armed conflict. As such, cyber attack is one case where seemingly minor, academic definition debates merit close attention.
