A copy of the full analysis can be downloaded by clicking on the link at the bottom of this blog entry.
In Part 1: Game Theory Basics of War, I described the three potential options players may take in traditional war: don't arm, arm, or attack. I described the benefits and costs associated with arming for defense, as well as the benefits and costs associated with arming for offense or attacking. I indicated that there are ambiguities in interpretaions by players associated with the actions other players are taking: sometimes arming can increase a player’s security, while other times, arming can decrease a player’s security. I explained that there are two crucial variables that contribute to the ambiguity: (i) whether defensive weapons can be distinguished from offensive weapons, and (ii) whether defense or offense has the advantage.
Now that we have some understanding of the basics of war – the actions players are able to take, the benefits and costs associated with the different actions, and the crucial variables for determining the stability of the situation – we can move on to cyberwar. The first issue to cover is the definition of cyberwar.
Why Do We Care How Cyberwar Is Defined?
The terms cyberattack and cyberwar have been tossed around in the media, generally without the writers having provided a clear definition of terms. Why do we care about distinguishing cyberattacks from cyberwar and defining exactly what constitutes cyberwar? It is important because there are vital implications for international law and the appropriate use of policy for addressing the actions.
Part of the reason the terms have been used in such a slippery way is that cyberattacks represent a new form of attack that has not been available before now. Furthermore, attempting to frame cyberattacks in terms parallel to those of traditional, real-world attacks has proven to be problematic and not at all clear-cut.
In “Marching off to cyberwar,” The Economist indicates that
All sorts of “translation problems” arise when trying to apply existing international rules relating to terrorism and warfare to online attacks… The United Nations Charter prohibits the use of force except when authorised by the Security Council, for example, but does not spell out what counts as “the use of force” in cyberspace…
Agreement on a definition is needed because under international law a country that considers itself the victim of an act of war has the right to self-defence—with conventional military (not merely electronic) means. And members of an alliance with mutual-defence obligations, such as NATO, may be duty-bound to respond to an attack on any of their members.
Randall R. Dipert, in “The Ethics of Cyberwarfare” notes the “novelty” of cyberwar, together with the associated “policy vacuum” available for addressing it:
It [cyberwarfare] is arguably the first major new form of warfare since the development of nuclear weapons and intercontinental missiles. This novelty has also meant that there is at present a virtual policy vacuum: there are no informed, open, public or political discussions of what an ethical and wise policy for the use of such weapons would be.
It becomes more complicated, because not only is the nature of the action itself important in determining whether the action is a simple crime versus an act of war versus an act of terrorism, but the identity of the actor is also essential. Again, from the Economist,
A cyberattack on a power station or an emergency-services call centre could be an act of war or of terrorism, depending on who carries it out and what their motives are.
Definitions of Cyberwar
Media discussions of cyberwar provide the following definitions.
I thought the most satisfying definition of cyberwar came from Jason Rivera, “A Theory of Cyberwarfare: Political and Military Objectives, Lines of Communication, and Targets” (emphasis mine):
Over 100 years ago, naval strategist Sir Julian Corbett wrote Some Principles of Maritime Strategy to explicate national strategies for the use of naval forces. In part one of this text, Corbett begins by putting forth a theory of war largely inspired by 19th century wartime strategist Carl von Clausewitz, defining war as “an exertion of violence to secure a political end which we desire to attain.” Given this well understood and accepted definition of war in the physical domain, it stands to reason that in an attempt to define cyberwarfare, one might assume that the purpose of cyberwarfare is to achieve political and strategic military objectives via cyberspace.
I also like Wikipedia’s definition of Cyberwarfare:
Cyberwarfare is politically motivated hacking to conduct sabotage and espionage. It is a form of information warfare sometimes seen as analogous to conventional warfare.
I disagree with the first distinguishing element of cyberwar provided by the Economist, but I agree with the second:
For a cyberattack to qualify as “cyberwar”, some observers argue, it must take place alongside actual military operations...
The strongest definition of cyberwar requires that cyberattacks cause widespread harm, rather than mere inconvenience.
What’s the difference between war and terrorism? According to NewsOne,
War: An organized, armed, and often a prolonged conflict that is carried on between states, nations, or other parties.
Terrorism:The French word terrorisme in turn derives from the Latin verb terreō meaning “I frighten.” Although “terrorism” originally referred acts committed by a government, currently it usually refers to the killing of innocent people by a non-government group in such a way as to create a media spectacle.
NewsOne is basically distinguishing war from terrorism based on the actors and victims. Specifically, war entails government or military actors perpetrating acts on government or military victims. In contrast, terrorism entails civilian actors perpetrating acts on civilian victims.
Based on a reading of the literature, I have summarized in Figure 3 various forms of cyberattacks into categories based on the perpetrator’s type and motivation and on the victim.
In Figure 3, I have unofficially classified any political or military attack by a government on another government as cyberwar. However, one would think, as per the Economist, that there should be a minimum threshold that must be exceeded to classify such an attack as an “act of war” that would invoke the right of self-defense under international law.
Let’s see what the official definition of “act of war” is. From 18 U.S.C. § 2331 : US Code - Section 2331: Definitions (emphasis is mine):
As used in this chapter -
(1) the term "international terrorism" means activities that -
(A) involve violent acts or acts dangerous to human life that are a violation of the criminal laws of the United States or of any State, or that would be a criminal violation if committed within the jurisdiction of the United States or of any State;
(B) appear to be intended -
(i) to intimidate or coerce a civilian population;
(ii) to influence the policy of a government by intimidation or coercion; or
(iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
(C) occur primarily outside the territorial jurisdiction of the United States, or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to intimidate or coerce, or the locale in which their perpetrators operate or seek asylum;
(4) the term "act of war" means any act occurring in the course of -
(A) declared war;
(B) armed conflict, whether or not war has been declared, between two or more nations; or
(C) armed conflict between military forces of any origin…
The official definition does not appear to easily allow for a politically motivated cyberattack to be classified as an act of war unless it occurs within the context of a declared war. But then how do you distinguish a cyberattack that incites a war; that is, what is the cyber equivalent of 9/11? I think the Department of Defense is going to have a difficult time constructing a clear definition of a cyberattack that constitutes an act of war.
An act of terrorism, however, seems to have a much lower threshold than an act of war: any politically motivated criminal act by a civilian on a civilian. As a note, the difference between an action being considered as occurring within the context of war versus within the context of terrorism is the type of law applied and the rights accorded the perpetrators. Terrorists have fewer rights than soldiers.
It seems, then, that in the interim, until the government is able to construct a clear definition of a cyberattack that falls within the realm of cyberwar, most politically motivated attacks by government on government will be classified as cyberterrorism rather than cyberwar.