Former CIA Director Michael Hayden said the U.S. election hacking by Russia should not be considered an act of...
cyberwarfare, and experts agreed.
Hayden's argument focused on semantics and the inconsistent definition that lawmakers and the military have for what constitutes an act of cyberwarfare.
"We are very sloppy with our language,” Hayden told The Hill in an interview. "My concern is not that it's going to lock us into an inappropriate response. My concern is it's just another reflection of, we haven't gotten the deeper understanding required to really operate in this domain -- what constitutes normal state-to-state activity, what constitutes a crime, what constitutes espionage, what constitutes war."
Experts generally said Hayden's comments were "spot on," and noted that there is already a definition for an act of war.
"An act of war is a political term. The U.N. charter prohibits the use of force. International court decisions and state practice determine what constitutes a use of force -- specifically, those acts causing loss of life or destruction of property," Amit Yoran, CEO of Tenable Network Security, based in Columbia, Md., told SearchSecurity. "Those definitions do not vary based on land, sea, air, space or cyber. I'm very skeptical of the argument that an act of war should be defined differently for the cyber domain."
Tom Kellermann, CEO of Strategic Cyber Ventures in Washington, D.C., agreed that the U.S. election hacking by Russia shouldn't be considered an act of war because it was not "an attack that would permanently damage critical infrastructure or result in the loss of human lives."
John Bambenek, threat research manager at Fidelis Cybersecurity in Bethesda, Md., said it should also be taken into account that the extent of Russian influence in the U.S. election hacking is still unclear.
"Russia didn't just want to be successful at this; they wanted the world to know they were successful. In this, we are their best allies because we are saying it was immensely successful without making any attempt to figure out if it was. That dynamic is playing into the rhetoric of those calling this an act of war. It simply enhances Russia's credibility here in ways that truly aren't deserved," Bambenek told SearchSecurity. "There is one, and only one, metric which [can] judge that, and that is the number of votes changed as a result. We can never know this with complete precision, but the absolute lack of any attempt to quantify exactly how much the influence was a factor is bizarre."
International norms on cyberwarfare
While experts agreed the U.S. election hacking shouldn't be considered an act of cyberwarfare, they were less optimistic about the prospects of international norms being developed to clear up the issue.
Kellermann said international norms are "not possible, as Russia, China and the G-77 [Group of 77] see the need for information security norms, not cybersecurity norms."
"The challenge lies in the differences in definitions. They believe that any distribution of information that is detrimental to their ideology [is an act of cyberwarfare] and thus constitutes aggression," Kellermann said. "A social media post or the availability of a search in a search engine could be perceived as acts of aggression. Since the Western world believes in freedom of speech, we would not agree to those norms. "
Yoran said we may already be building those international norms through action, rather than discussion of topics like the U.S. election hacking or cyberwarfare.
"Based on the lack of progress over the last 20 years, it is very unlikely that we'll see international agreement on a specific definition for what amounts to a use of force or an armed attack in cyber," Yoran said. "When such agreements can't be reached, norms are established by state practice. Years of actions and responses by states will build up norms of behavior and customary international law."
Michael Assante, former naval intelligence officer and current director of critical infrastructure and ICS at the SANS Institute, based in Bethesda, Md., said norms around cyberwarfare can't be developed without first defining cyber-risk.
"General Hayden's comment about lacking a deep enough understanding is incredibly insightful, as many policy makers, war fighters, infrastructure operators and cybersecurity market participants have failed to adopt the appropriate model for thinking about cyber-enabled risk," Assante told SearchSecurity. "We must get better at the difficult task of anticipating in today's software-defined world. Gaining a deeper understanding, as General Hayden puts it, is a prerequisite, as the digital world we are building cannot afford for its designers and stakeholders to adhere to a show-me-first understanding of cyber-risk."
Learn how the Dyn DDoS attack highlights the vulnerability of the global internet infrastructure.
Find out how why vulnerabilities persist despite widespread security measures.
Get info on whether cyber-physical attacks mark the dawn of a new age in cyberwarfare.