NEW HAVEN, CONNECTICUT – At what point does a cyberattack become an act of war?
My question is prompted by last week’s news that a highly sophisticated malware program called Mask has spent the last six years stealing valuable intelligence from supposedly secure government and diplomatic computers around the world.
Researchers are certain that Mask itself was produced by a government. Intrusions by one country into the networks of another have become so common that it’s reasonable to wonder whether all this cyberwarfare is warfare. The time to think about this is now, when these battles are still in their adolescence. Because how we fire back will depend in part on whether we think we’re at war.
Russia’s Kaspersky Labs, which discovered Mask, calls it more sophisticated than Flame, previously considered the gold standard in cyber-espionage. (All the world believes that the United States and Israel jointly developed Flame, along with its earlier cousins Stuxnet and Duqu, to attack the Iranian nuclear program, and perhaps other Middle Eastern targets as well.)
Mask, like Flame, is principally a surveillance program. It steals files and keystrokes and encryption keys, and it was designed to operate for a long time undetected.
So are most malware programs, of course. Mask, however, is in a class of its own; Kaspersky’s detailed report uses adjectives such as “special” and “elite” in describing its capabilities. The most interesting aspect of the program, also known as Careto, may be its ability to target files with unknown extensions. These, Kaspersky suggests, “could be related to custom military/government-level encryption tools.”
Actually that is a relatively benign possibility. These files could also hold the data for surveillance satellites — or details of presidential security.
Such grim possibilities help explain why the U.S. has ramped up its ability to engage in both offensive and defensive cyber-operations. According to the Washington Post, President Barack Obama has issued a top-secret directive ordering the creation of the means to undertake cyberattacks in any part of the world “with little or no warning to the adversary.”
And we’re not speaking here only of self-defense or retaliation. Documents released by Edward Snowden show that the U.S. “carried out 231 offensive cyber-operations in 2011.”
No doubt one motive behind the frequent leaking of information on U.S. cybersecurity efforts is deterrence. As recently as last year, General Keith B. Alexander, head of the National Security Agency and the United States Cyber Command, repeated the frequent warning that “a devastating attack on the critical infrastructure and population of the United States by cyber means would be correctly traced back to its source and elicit a prompt and proportionate response.”
Most international law scholars would say that an unprovoked attack would constitute an act of war. The Tallinn Manual, produced by academic experts convened by NATO, presents one of the most detailed analyses of the application of the law of armed conflict to hostilities carried out by means of cyberattack.
Existing rules should apply, they argued, whether cyberattacks are a small part of a larger conflict (as in the Russia-Georgia confrontation in 2008) or the parties engage each other entirely by using cyberweapons.
This would mean that the principle of discrimination applies: A cyberattack, like a kinetic attack, must never intentionally target civilians, no matter what the justification. Therefore, an attack by a state actor on a private factory not producing for the military holds the same legal status whether the attackers use cruise missiles or logic bombs.
Similarly, according to the Tallinn Manual, online attacks that cannot discriminate military from civilian targets are prohibited, including the use of malware that will “inevitably, and harmfully, spread into civilian networks.” A corollary would seem to be that a cyberweapon can be considered ethical only when the side that deploys it also retains the ability to stop it.
There are many more proposed rules, of course, but one gets the gist. Alas, the entire project, although laudable, suffers from a conceptual difficulty: The Tallinn Manual, in seeking to map the rules developed for kinetic warfare onto cyberspace, winds up making impossible demands.
To take a simple example, it is inconceivable that a state could develop a malware package that would recognize when it had jumped from military to civilian systems and stop automatically at the boundary. It isn’t just that the behavior of software is unpredictable. The behavior of individuals is unpredictable.
Country A launches a cyberattack on a military laboratory in Country B, where a researcher, unknowing, takes his infected smartphone home and syncs it to his personal laptop — and, just like that, the infection is in the wild.
Yes, the creators of malware of this sophistication often try to retain control (because of a concern over detection, not legal niceties). But this is harder than it sounds. Flame and Mask, for example, enabled operators to wipe their presence from infected machines. But the attempt to shut them off was only partly successful.
In the end, the rules of cyberwar will likely be very different from the rules governing kinetic wars. Battles will be fought in the shadows, often by untraceable perpetrators. There will be suspicions and accusations but very few acknowledgments. Absent massive damage or loss of life, there will never be war-crimes trials.
But there will be retaliation. Escalation is inevitable. If we go after their centrifuges, one day they’ll go after our power grid. No government is going to stop.
That’s why the Obama administration’s approach, if harsh, is probably the most pragmatic: In the future, our only real protection will be to fight in cyberspace better than our adversaries.
Stephen L. Carter is a Bloomberg View columnist and a professor of law at Yale University. He is the author of “The Violence of Peace: America’s Wars in the Age of Obama” and the novel “The Impeachment of Abraham Lincoln.” Twitter: @StepCarter Email: email@example.com.