When is a Cyber Attack an Act of War?
First, a sincere thank you to PJ Crowley, James Carafano, Clark Ervin, and Peter J. Brown for their contributions to HLSwatch during this past week. James’ piece on the cyber attacks conducted on Georgia during its confrontation with Russia over South Ossetia raised questions about not only who was to blame, but how Georgia should respond.
Both The Washington Post and The Wall Street Journal ran stories this past week about how cyber attacks on Georgia's government and private sector entities are provoking a debate about whether offensive measures in cyberspace amount to acts of war. Because the cyber attacks occurred during the military offensive between Russia and Georgia, they raise the question of whether and how a government should respond to attacks on its cyber assets by way of the electromagnetic spectrum.
Finely calibrated responses to attacks involving traditional kinetic methods have existed and evolved over the centuries. But measuring the appropriate response to a cyber attack is a unique challenge because information operations (IO) use digital weapons, new methods of attack, and novel targets.
Michael N. Schmitt, author of Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework (1999), offers perhaps the most concrete way of answering the difficult question: “When does the attack rise to the level of a ‘use of force’ under international law?”
The Schmitt analysis applies a quantitative scale (1 to 10) to each of seven factors in order to determine if a cyber attack equates to an armed attack and to characterize any information operation as being closer to one end of a spectrum or the other. These seven factors are:
• Severity
• Immediacy
• Directness
• Invasiveness
• Measurability
• Presumptive Legitimacy
• Responsibility
This amounts to a modern adaptation of Just War Theory. One of the latter’s tenets is “always in response.” Let’s see whether that makes it into practice in the 21st century.