The cyber domain, while declared an operational domain of warfare, has blurred the traditional lines established in the physical world. One of the key questionsLawmakers and policymakers have sought to address are what are cyber redlines are and what are cyber acts of war meriting a response within international law and self-defense.?
To date, lawmakers have appeared to be disappointed by the answers provided from those in the executive branch. When it comes down to what constitutes an armed cyberattack, essentially it depends.
"One of the [Defense] Department's key policy goals in cyberspace is to deter cyberattacks. Incidents described as 'cyberattacks' or 'computer network attacks' are not necessarily 'armed attacks' for the purposes of triggering a nation-state's inherent right of self-defense," Aaron Hughes, deputy assistant secretary for cyber policy at DoD wrote in prepared testimony for the Information Technology and National Security Subcommittees of the House Oversight and Government Reform Committee July 13. "In that vein, when determining whether a cyber incident constitutes an armed attack, the U.S. Government considers a number of factors including the nature and extent of injury or death to persons and the destruction of, or damage to, property. As such, cyber incidents are assessed on a case-by-case basis and, as the President has publicly stated, the U.S. Government's response to any particular cyber incident would come 'in a place and time and manner that we choose.'"
Hughes told the committee during oral testimony: "I think there's a number of factors from foreign policy implications and the like that we want to make a determination on response on a case by case basis."
In terms of responding to potential cyber incidents, the U.S. has long maintained a "whole of government" approach as it relates to the case by case evaluation. "This approach brings to bear its full range of instruments of national power and corresponding policy tools–diplomatic, law enforcement, economic, military, and intelligence–as appropriate and consistent with applicable law," said prepared testimony for the same committee hearing from Chris Painter, coordinator for cyber issues at the State Department’s prepared testimony for the same committee hearing read. "This means that regardless of whether a particular incident rises to the level of an armed attack, the President has a range of options for responding."
On a broad and high-level policy approach, Painter described that the U.S. takes an effects-based test – just like it is in the physical world – to evaluating cyber attacks and responses. The president, as outlined in Presidential Policy Directive/PPD-20, a previously classified document outlining U.S. cyber operations policy leaked by former NSA contractor Edward Snowden, must sign off on all cyber operations. These include cyber collection, defensive cyber operations and offensive cyber operations.
In line with the whole of government approach and policy of responding "in a place and time and manner that we choose," the administration has maintained on several occasions that a cyber incident might not merit or ultimately be responded to in cyberspace. This has been evident in the indictments unsealed against members of China's People's Liberation Army, members of the Syrian Electronic Army and Iranian hackers, among others, as well as specific executive orders for cyber sanctions.
"In no way, shape or form would we want to limit ourselves to a merely cyber response … we would want to have all the tools there," Peter Singer, strategist and senior fellow at the New America Foundation, told the committee.
"Part of why you may chose to delay your response is not just the normative questions, it's to complicate the attacker's job. If you know that [an adversary is] inside your system, you can then observe them, steer them into areas where they can't cause harm," he added regarding responses to cyber incidents. "The bottom line here is that we're going to need a very creative and diverse strategy and the old kind of Cold War model of whacking back if they hack us just won't be successful, it won't deliver actual cybersecurity."
Additionally, officials have always maintained that the U.S. could respond to cyber incidents using traditional military power, which some say is a critical component some say to an overarching deterrence strategy. "There’s lots of things that a China, a Russia, an Iran could do in this realm – they don’t in large part not merely because of our offensive cyber capability to hit back but because we can hit back in other realms," Singer said.
His comments parallel what others in the research and academic community have said to this topic. "Cyberspace is one domain. The United States military operates in many other domains," said, Isaac Porche, a senior engineer at the RAND Corporation, at a February House Homeland Security Committee hearing. "But what prevents nation-states from taking action are the fact that they would have to deal with the United States in other domains. And so it always has to include all domains not just cyber. Our response to a cyberattack may not be in cyber."
Singer added that he hopes it's not just the NSC and the president to making determinations on "cyber war." Congress, he said, has traditionally determined whether the U.S. is at war or not, a reference to Congress's constitutional authority to declare war.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.