Recently, the U.S. Senate’s version of the 2019 National Defense Authorization Act (NDAA) was approved and sent back to the House for reconciliation of differences.
Notably, the NDAA calls for a decisive strategy on how the United States could respond to cyber attacks that threaten “the political integrity, economic, or national security” of the United States. Specifically, the NDAA references the activities conducted, directed, or orchestrated by foreign governments. Such a move is seen as critical, particularly given the recent escalation of hostile cyber activities, conducted by suspected foreign government actors, that have targeted the U.S. presidential election, involved the theft of a tremendous amount of sensitive information on government employees, and targeted a small dam. In each of these incidents, the question of whether or not they met the parameters of an act of war has been raised.
The debate over what constitutes an act of war in cyberspace has been an ongoing dialogue, with little consensus among governments as to the criteria that cross the threshold of unacceptable hostile cyber activity. To be fair, cyberspace and the types of activities that can be conducted in its domain are still relatively new, with little thought given to how such operations should be and could be interpreted and acted upon. Nevertheless, some headway has been made in international fora where civilian, military, and government experts have congregated to see if common ground could be achieved. For example, an international panel of academic and legal experts generally agreed on international law’s applicability to cyber warfare and cyber conflicts in its landmark, albeit non-binding, Tallinn Manual and its companion, Tallinn Manual 2.0. And in 2014, the North Atlantic Treaty Organization (NATO) updated its cyber defense policy as it pertained to Article 5 of the Treaty, classifying digital attacks as the equivalent of kinetic attacks.
But despite the superficial agreement that cyber attacks can be considered acts of war, there has been little fidelity to what establishes the very red lines by which these cyber acts can be classified as such. This appears to be the impetus for the Congressional push for the United States to develop a strategy that would be levied against these severe types of attacks that target critical political, economic, and social assets that directly impact national security. It is understandable why public officials want an explicit strategy in place, particularly given how the United States’ public and private sectors have been consistent targets of criminal and espionage actors, and as such, have been the victims of financial, sensitive information, and intellectual property theft, without the offenders suffering any repercussions for their actions.
A strategy focused on the legal and moral justification to retaliate against hostile actors, particularly those of states, requires a clear articulation and public socialization of these “points of no return.” Failing to do so risks unwittingly “allowing” states to continue to test the boundaries of acceptable cyber operations, gradually increasing the types of activities as well as the types of targets until a response is levied. If such activities can’t be stopped or deterred, the wronged certainly want to be able to punish the offenders.
But crystallizing those red lines sets a bar that the United States must be willing to not cross, or at least, not get caught crossing. Public indictments levied against China and Russia reveal that the United States is comfortable enough with its attribution efforts to implicate official state actors in a “name-and-shame” offensive. The implication is that its human and technical capabilities to render such a conclusion – an extremely difficult thing to do – were good enough to inform such a decision. Notably, neither China nor Russia has followed suit in trying to indict or officially accuse the United States of its own cyber espionage operations. This suggests that the United States is not doing it (or at least hasn’t been caught), or that China and/or Russia cannot do the same level of human/technical analysis, both of which seem unlikely. As both eastern governments are considerable cyber powers, there is always the chance that evidence is being collected and held onto like a trump card, waiting to be used at the right time for behind-the-scenes leverage or public exposure.
So, in this context, it actually behooves states not to solidify cyber red lines because then they aren’t forced to at least publicly abide by what they have set forth, even if clandestinely they may be breaking their own rules. Once these red lines are set and known, the government that gets caught with its hand in the proverbial cookie jar will have to be made an example of for the rest if such red lines are going to have any credibility in the future. And if one considers that certain states may have that trump card to play, no Western nation should want to be the first to be caught in those cross hairs.
About the Author
Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs.