The decision to characterize an attack as an act of war can be difficult, and the lines get blurrier with a cyberattack,...
where the origin of the threat and the purpose can be harder to determine. Despite these difficulties, a new Senate bill asked the Obama administration for a cyber act-of-war definition.
In an effort to clarify when a cyberattack can be defined as a cyber act of war, Sen. Mike Rounds (R-S.D.), a member of the Senate Armed Services Committee, introduced the Cyber Act of War Act of 2016, asking President Obama to clarify the issue. The bill asked the president to consider "the ways in which the effects of a cyberattack may be equivalent to the effects of an attack using conventional weapons, including with respect to physical destruction or casualties" and "intangible effects of significant scope, intensity or duration."
According to Rounds, the ubiquity of the Internet means an act of cyberwar could "cripple our power grid, water supplies and communications networks. Earlier this year, Russian hackers were accused of using BlackEnergy malware to attack electric companies in Ukraine.
"Cyberattacks on our critical infrastructure are capable of impacting our entire economy and causing significant destruction," Rounds said in the press statement. "This legislation would require the executive branch to define which of these actions constitute a cyber act of war, which would allow our military to be better able to respond to cyberattacks and deter bad actors from attempting to attack us in the first place."
Current U.S. Code 2331 defines an act of war as "any act occurring in the course of declared war [or an] armed conflict."
Michael Assante, former naval intelligence officer and CSO of North American Electric Reliability Corp., and current director of SANS ICS, said this definition and a cyber act-of-war definition "need to be vague to provide options based on the situation under review."
"The trick is not to be so overly specific as to allow 'gaming' or catch activities being performed by all parties -- e.g., intelligence collection," Assante told SearchSecurity via email. "Cyberintrusions and corresponding cyberactor actions can be very difficult to characterize until the attacker reveals their intent -- even then, it may be difficult to determine if the outcomes were intentional or accidental."
Assante said the difficulty in characterizing the intentions of an attack can leave "much room for confusion and miscalculation."
"There are some strong arguments that a definition would be necessary to establish an overarching convention and norms around cyberacts," Assante said. "There are several challenges in defining both the act(s) and attempted or achieved outcomes that would qualify as an actor of war. In many cases, an act of war triggers specific authorities and obligations -- for example, those that come with a pact, alliance or treaty."
Richard Greene, CEO of cloud security company Seculert, based in Santa Clara, Calif., applauded Sen. Round's efforts, but was unsure of the effects a cyber act-of-war definition would have.
"I admire Sen. Round's motives in proposing his Cyber Act of War Act, as it will certainly raise the visibility of the risks we now face from nation-state-sponsored cyberattacks," Greene said. "However, I'm not sure requiring the executive branch to develop a policy on what constitutes an act of cyberwarfare will do very much to make us safer."
Assante said the expectation of a potential military response noted as an aim of Round's bill could act as a deterrent, though.
"It can make certain things safer if you apply deterrence; that is, if you do a specific something that we are defining here, then you should fully weigh and expect a military response," Assante said. "The definition helps to put others on notice. Now, with that said, it is also important to note that deterrence for cyber is very difficult -- for many of the same reasons it is hard to develop a working definition -- based on the nature of cyber."
Learn why we need cyberwar games.
Find out why a U.S. official said the risk of cyberwar has not been addressed.
Learn more about the current international cyberwar arms race.