The recent SolarWinds cyber attack raises a profound new question for policymakers. When does a nation-state cyber attack become an act of war?
In this article, I will review the policy aspect of cyber attacks and purposely put aside legal reasoning. There will always be lawyers on both sides making the case for and against the legality of military action.
Startup Nation Israel – Ammunition Center of Cyber Attacks
Before we delve into nation-state cyber attacks, let’s take a quick look at why this should interest Israelis. Besides our role defending against attacks from our adversaries and possibly carrying out attacks as well, startup nation Israel plays a special role in the era of cyber attacks.
According to Crunchbase, there are currently 346 Israeli cybersecurity companies. Israel is a major global hub for cybersecurity. For those not in the know, the term “cybersecurity” is at the top of a tree – there are many types of cybersecurity tools and platforms – both offensive and defensive.
If nation-state cyber attacks are a current and future trend, then Israeli cybersecurity startups are a major source of cyber offensive and defensive ammunition.
MAD – Mutual Assured Destruction
In the 1950s, the US and USSR avoided all-out war via an interesting concept – mutual assured destruction, AKA MAD. Neither side would initiate a nuclear or total war against the other as it would lead to mutual assured destruction. Both sides fought one another via satellite states – Vietnam, Afghanistan, the Middle East, Africa and elsewhere.
Today, despite the adversarial relations between the US and Russia, neither side has an appetite for total war. We can safely remove the possibility of nuclear war from the list of options.
Today – Cyber Attacks Replace Satellite Wars
Just a decade ago, cyber attacks as an act of war were in the realm of science fiction. Lately, state actors are leveraging cyber attacks like never before. It is fair to say all states that we support (in my case, Israel and the US and western nations in general) and adversary states (typically authoritarian regimes that lack freedom of speech) have the tools and means to wage small and large scale cyber attacks.
Cyber attacks have replaced the satellite wars of the 1950s to 1980s. Instead of waging indirect wars via smaller nations, nation-states perform cyber attacks against adversaries. The similarities are clear – during both eras, the major powers did not dare entertain the thought of direct all-out war. It is fair to assume that both Russia and the US leverage their satellite states to assist them in offensive and defensive measures.
The current state is preferable to the past – as of yet, cyber attacks have not led to a Vietnam War or a mass casualty attack.
The Four Types of Nation-State Cyber Attacks
What would lead a powerful nation to initiate a conventional weapons attack in response to a cyber attack? I suggest there are four types of cyber attacks:
- Probing
- Harm computer systems
- Damage physical assets via cyber attack
- Mass damage physical assets cyber attack
Probing cyber attacks are by far the most common type of cyber attack. The attacker unleashes malware in order to probe the adversary. Some harm may take place, but the goal is to penetrate and examine.
A harm computer systems attack is a classic hacker attack. The cyber attack’s goal is to shut down or obstruct computer systems.
A damage physical assets via cyber attack is a large step from a harm computer systems attack. In a damage physical assets attack, the cyber attack is deliberately attempting to harm an adversary’s physical assets. This is akin to sending in a commando unit to destroy physical assets, only in this case, it is a remote attack via cyber means.
A mass damage physical assets cyber attack is when a nation-state scales up a physical asset-targeting cyber attack to dozens or hundreds of targets within the same timeframe.
Which Types of Nation-State Cyber Attack are a Casus Belli?
Where do nation-states draw the lines? When does a cyber attack become a casus belli (an act that justifies war or a traditional military attack)?
A probing attack will never be seen as an act of war. A particularly sensitive probing attack could cause a nation-state to respond in the shadows via commandos.
A harm computer systems attack originating from a nation-state is likewise unlikely to lead to a casus belli. It would take an exceedingly large-scale harming-only-computer-systems attack to trigger policymakers into initiating a military operation.
When a nation-state utilizes a cyber attack to harm physical assets, we are entering the danger zone. The origin of an attack is less important than the results. Policymakers will be less interested in how a major adversary harmed physical assets as opposed to what state treasures or assets were harmed.
Harming physical assets is a risk, whether carried out by in-the-shadows commando units, classic materiel or cyber means.
The attacked nation will form response policies solely based on national interests with little regard for the cyber aspect.
A mass scale cyber attack inflicting damage on physical assets is no doubt a casus belli. The goal of conflict management is to avoid war and massive military operations. Military leaders are typically the most prominent advocates of avoiding military responses unless absolutely necessary. Nonetheless, a mass scale cyber attack which shuts down national infrastructure (think electricity, water or oil & gas distribution) would be a game changer.
I’m sure that every nation with major cyber attack capabilities is “war-gaming” the possible outcomes of attacks and how their leaders may respond. My personal view is that the outcome of a cyber attack is more important than the cyber aspect of an attack.
The time to consider the new rules of the game is right now.