This week, the 28 member states of the North Atlantic Treaty Oganization will meet in Warsaw, Poland, to discuss the future of the world’s largest military alliance. At the Warsaw Summit, NATO is expected to classify cyperspace as “Operational Territory,” making the online and digital property of member states equivalent to their geographic territory. In other words, if a foreign state messes with a NATO country’s computers, it might as well have just rolled a tank over their border. While NATO’s proclamation shows that the battlefield of the future is changing rapidly, it also proves that no one is completely sure how to conduct cyberwarfare yet.
“When I read this [proclamation], I read it like the Nigerian constitution being hard on corruption — it’s aspirational. It’s not in and of itself something that will lead to a huge outcome of change,” Josef Ansorge, author of Identify & Sort, a book which examines the role of information technology in international relations, tells Inverse.
NATO’s operates as a “collective defense” organization. Under Article Five of the official treaty, an attack on any member nation constitutes an attack on the whole alliance, who will respond in kind. The new rule technically means a cyber attack on any NATO member state would also trigger Article 5, but Ansorge says digital attacks often aren’t as clear cut as physical violence, nor is retaliating to them. Ansorge says the digital battlefield raises three crucial conundrums to world leaders: how to legally classify digital attacks, establish the perpetrators of the attack, and how to respond proportionally. In short, cyberwarfare gets very complicated, very quickly.
3. Is Hacking a Declaration of War?
Hacking a Federal database or a private website is absolutely a crime, but at what point do digital attacks become a declaration of war?
The dilemma is similar to terrorism, which is often placed in a legal grey area in international conflict. Some theorists argue that the U.S. and other world powers should not consider terrorism “militaristic combat,” because it’s usually (but not always) carried out by “non-state actors” — loose organizations like ISIS, which have no set borders or center of power. The argument goes that their crimes should be prosecuted as international crimes, and not as organized warfare. Though he disagrees with this argument for terrorism, Ansorge says the same dilemma certainly applies to cyberwarfare, where non-state actors — in this case, hacker collectives — also engage in cyber attacks.
“It makes much more sense to try and prosecute these as crimes and not treat them as acts of war … where you’re suddenly dealing with the laws of war,” Ansorge says. “[A criminal court’s] legal framework has a lot of power, you can go out and stop people from traveling, investing, and put them in jail.”
And the United States knows better than anyone that cyberwarfare can be just as dangerous as conventional warfare. In the summer of 2010, the U.S. military (or some national agency) allegedly developed Stuxnet, an extremely dense and malicious computer virus, and set it loose on the Iranian nuclear program. Stuxnet overpowered centrifuges separating nuclear material and tore them apart, causing real-world, physical damage to systems. If soldiers had used physical bombs to do the same damage, it would have been an act of war.
And the U.S. Military is just as vulnerable.
“The U.S. military is no more capable of operating without the Internet than Amazon.com would be,” Richard A. Clarke, a former cybersecurity advisor to the Clinton and Bush Jr. Administrations, writes in his book Cyberwar: The Next Threat to National Security & What to Do About It. “Logistics, command, and control, fleet positioning, everything down to targeting, all rely on software and other Internet-related technologies. And all of it is just as insecure as your home computer, because it is all based on the same flawed underlying technologies and uses the same insecure software and hardware.”
While computer viruses may not shoot bullets, it’s completely reasonable to say that they could severely endanger lives of American troops and civilians, and could be considered acts of war.
2. Who Do You Attack?
One of the inherent problems with cyberwarfare is identifying who to attack. Hackers — working for governments or non-state actors — attempt to cover their digital tracks so their attacks can’t be traced back to them. Even when security forces are able to trace the attacker, it’s often difficult to tell if they’re working for their government or alone.
“It’s not obvious who the progenitor is, who is the author of the attack?” Ansorge says. “We imagine they’re this massive single all out attacks, but actually they’re worms, breaches that occur over a long time.”
Combatants don’t march in a straight line to the battle front anymore. The internet makes it harder to know who is attacking and from where.
“They’re running with the scenario where somehow one state launches all out cyber war either on NATO security infrastructure itself or on that of another state,” Ansorge says. “Increasingly, it should be thought of as something that happens in the background and something that’s very difficult to detect.”
1. What Is the Appropriate Response?
When Russian intervened in Ukraine, the U.S. didn’t resort to nuclear warfare. Even though Ukraine was not a NATO member state, the U.S. placed sanctions on the Russian Federation for their aggressive actions, severely harming their economy.
But what is the appropriate response to getting hacked? Hack them back? And who actually feels the effects of digital combat?
“Most of cyberwarfare has a huge economic slant to it,” Ansorge says. “You’re not even going out and attacking the government, you might be attacking industry, trying to steal the intellectual product.”
In other words, cyberwarfare could be another version of total war — the World War II theory that even civilian populations and basic infrastructure were viable targets. If two major countries like the U.S. and Russia (which has been linked to cyberattacks on Germany) decided to get in a cyber-shootout, where would they draw the line?
However, there is hope for a political solution to cyberwarfare. A report by FireEye iSIGHT Intelligence, a cybersecurity firm, found that hacks from known Chinese groups have decreased 80 percent since last August, possibly due to a deal formed by the U.S. and the threat of sanctions last summer.
“There’s an important lesson there, which is that there is a political solution, that’s how you resolve these things with different state actors,” Ansorge says. But those solutions only work with recognized governments who can cave to other forms of pressure. Non-state actors, like ISIS and Anonymous, are more difficult to negotiate with. While Anonymous often fights against terrorism, the U.S. government can’t push them around either, and it appears that the digital wild west is here to stay.