Hackers, Beware the Ides of March
The United States has only just begun to define the rules of cyber warfare.
The U.S. government took a vital tangible step toward clearly defining rules of cyber war when the Department of Justice unsealed an indictment on March 15 accusing two operatives of Russia’s Federal Security Service (FSB) and two hired computer hackers of being behind last year's massive cyber breach of Yahoo.
The indictments put in motion one side of the warfare process that has had far less progress than the advancement of technology and techniques. For decades, cyber warfare has become a mainstream element of military and intelligence operations and racked up billions of dollars in security spending. But domestic and international political processes to determine the rules and norms for conduct had barely begun—until, some might say, the indictment on the Ides of March that will help define those rules and norms.
The idea of warfare involving information systems was sufficiently novel for the RAND Corporation to publish in 1993 Cyberwar Is Coming!, which introduced new concepts for thinking about cyber war and netwar. Today, the concept has matured and become widespread. The United States, China and Russia each have formidable offensive cyber capabilities, and regional powers such as Iran strive to develop them. Even isolated North Korea has demonstrated the ability to conduct cyber warfare, attacking South Korean TV stations and banks in 2013 and stirring the attention of the United States with the email breach against Sony Pictures Entertainment in 2014.
Roughly 20 years ago, forward-thinking midgrade military officers conducted early evaluations of information warfare as part of the Revolution in Military Affairs project run by Andrew Marshall, former director of the Defense Department’s Office of Net Assessment. The officers quickly identified several crucial issues that made cyber warfare different from military operations to which they were accustomed, among them:
- What would be an “information act of war” justifying U.S. retaliation?
- What responses would be considered proportional and appropriate to such acts?
- Which actions in cyberspace are likely to be plausibly deniable?
- How would U.S. authorities handle domestic and international public skepticism in the face of information operations by rival powers and domestic political and media polarization?
More than two decades later, these questions remain unanswered—not because of a lack of thought, but because domestic and international political agendas rarely have made them central to the actual conduct of reactions to acts of cyber warfare. The rules governing cyber warfare likely will be the product of political actions in response to real-world events, similar to the Geneva Protocol that emerged as a result of the use of poison gas during World War I. Though numerous noteworthy cyber attacks came to light following the discovery of the Stuxnet malicious computer worm in 2010 that damaged Iran's nuclear program, establishing U.S. policies and international norms regarding cyber warfare had barely begun until just a few years ago.
Before the March indictments, the Justice Department took a critical first step at establishing criminal ramifications for cyber espionage for economic advantage when it indicted five Chinese military hackers in 2014. The incident set the stage for a new retaliation world. Executive Order 13694 of April 1, 2015, (April Fool’s Day, for better or worse), established that “malicious cyber-related activities originating from, or directed by persons located … outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States” and that the Treasury Department, in consultation with Justice and State departments, can block their property. An amendment to that order, issued in December, included “activities to undermine democratic processes or institutions.” Russian intelligence agencies and individuals were sanctioned under it.
The indictment last month takes it all one-step further and demonstrates a degree of continuity between presidents, despite the political disputes resulting from the 2016 election. Similar to the 2014 indictment of Chinese intelligence officers, these new indictments charged officers of a foreign intelligence service with stealing information from Yahoo webmail accounts and using the stolen information for unauthorized access to numerous accounts. This latest example also indicts two people who have worked for the FSB but are not FSB officials. This introduces the issue of dealing with possibly deniable private individuals from third countries.
The effectiveness of legal actions that fall drastically short of cyber or kinetic counterattacks certainly is debatable. Perhaps only time and future events will tell whether they become essential parts of the U.S. approach to cyber warfare. For now, they are gradual steps forward, and show that interagency action by the government continues while politicians argue. More such actions are certain to follow in the years to come.
Robert Kim is a lawyer who served as deputy attaché for the U.S. Department of the Treasury in Iraq. In the 1990s, he worked on the Revolution in Military Affairs study project of the Office of Net Assessment. The views expressed are his own.