Cyber war is a mainstay in modern conflict. How precisely should nations respond to state and non-state cyber attacks?
Bilateral discussions between the world’s superpowers to limit the application of ultra-destructive weapons systems is not a new phenomenon. Indeed, the USSR and the US set numerous limitations on the use of weapons in space as well as the application of weapons of mass destruction not only to maintain normalcy in warfare but to constrain the military advancements of their enemies. Are such bilateral agreements and adaptations of the laws of armed conflict achievable in an era of cyber warfare?
Richard Haass of the Council on Foreign Relations explored this notion in this week’s Project Syndicate and ASPI’s The Strategist, examining how presidents Joe Biden and Vladimir Putin should negotiate new rules of engagement in the arena of cyber warfare.
“States and non-state actors can carry out cyber attacks with a high degree of deniability, which adds to the temptation to develop and use these capabilities. We know when and from where a missile is launched, but it can take a long time to discover that a cyber attack has occurred and figuring out who’s responsible can take even longer,” Haass argued.
“What put this issue squarely on the agenda of the Biden–Putin meeting is that Russia has grown increasingly aggressive in cyber space, whether by creating false accounts on social media to influence American politics or by gaining access to critical infrastructure, such as power plants. Reinforcing the issue’s salience is the reality that Russia is not alone: China reportedly gained access in 2015 to 22 million US government personnel files — which included information that could have helped it determine who was or is working for the US intelligence community.”
However, cyber warfare has largely followed the same strategy of competition as modern armed conflict. The application of proxy and surrogate forces has enabled global superpowers to conduct espionage at a distance and circumvent such bilateral agreements.
This was explored in Tim Maurer’s 2018 book Cyber Mercenaries, which was prophetic in the lead up to the recent Colonial Pipeline attack, arguing that proxy and surrogate groups enable states to project their power across non-state boundaries. Three pertinent examples being the North Korean related proxy group that attempted to steal $1 billion from the Bangladesh Central Bank, Chinese hackers that routinely appropriate intellectual property from around the globe to bolster the Chinese economy as well as the Iranian government backed Magic Kitten who keep tabs on the country’s opposition.
“This all adds up to a latter-day Wild West, with many armed people operating in a space governed by few laws or sheriffs to enforce them,” Haass concluded.
In order to minimise this less regulated space of warfare, Haass recommended drawing distinct lines in the sand for rules of cyber warfare engagement.
“One promising idea would be to follow up on what Biden and Putin discussed, namely, to ban the targeting of critical infrastructure, including but not limited to dams, oil and gas production facilities, electrical grids, healthcare facilities, nuclear power plants and nuclear weapons command and control systems, airports, and major factories,” he noted.
Despite Haass’ suggestions that the US and Russia should bilaterally ban the targeting of critical civilian infrastructure, international law already prevents this. Indeed, anything that indiscriminately impacts critical civilian infrastructure is already protected from attack and such agreements would make little difference to the laws of armed conflict that are already in place.
Furthermore, Haass’ policy recommendation of creating a symmetrical deterrence also violates international humanitarian law, in which he argues that “could involve the declared willingness to carry out symmetrical responses: if you target or attack our critical infrastructure, we will do the same to yours”.
Such threats to annihilate critical civilian infrastructure won’t win any support for the West in the quest for 'hearts and minds' and will likely foment increased opposition. Nor would surrogate actors likely abide by them.
Despite this, Haass does raise an interesting point that any agreement between the superpowers must be supported by bolstering the resilience of a nation's critical infrastructure. Seldom has this been proven to be more important than the recent Colonial pipeline ransomware that saw 45 per cent of the US east coast’s oil supply cut out.
International actors either directly or indirectly use cyber warfare as a means to support their own economic position by stealing funds, appropriating intellectual property, destabilising other nations or targeting their opposition. Truly, cyber war is the apotheosis of the Clausewitzian maxim “war is the continuation of politics by other means”.
It is clear that cyber warfare should be treated akin to any other type of armed attack. To disable critical infrastructure has the same impact on the civilian populace and military as an armed attack on the same piece of infrastructure, and thus it is time that the West’s rules of cyber engagement reflect this.