Current cyberattacks better fit the mold of a cyber Cold War, rather than a Pearl Harbor, according to witnesses testifying in front of the House Armed Services Committee on Wednesday.
“We haven’t had a cyber Pearl Harbor in the way that we thought, in some way because they tend to only take down things made of silicone, things made of ones and zeros, and those are relatively easy to replace,” said Jason Healey, nonresident senior fellow of the Atlantic Council’s Cyber Statecraft Initiative.
Peter Singer, strategist and senior fellow for the New America Foundation, said that though Russia’s hack of U.S. political systems is arguably one of the most important cyber campaigns in history, it does not fit within an easy definition of cyber warfare.
“This is not the kind of ‘cyber war’ often envisioned, with power grids going down in fiery ‘cyber Pearl Harbors.’ Instead, it is a competition more akin to the Cold War’s pre-digital battles that crossed influence and subversion operations with espionage,” Singer wrote in his opening statement. “Just as then, there is a new need for new approaches to deterrence, that must reflect a dual goal to defend the nation, as well as keep an ongoing conflict from escalating into physical damage and destruction.”
Martin C. Libicki, adjunct management scientist at RAND, said that while U.S. capabilities in cyberspace are unquestionable and its attribution capabilities have grown over the past 10 years, the Federal government has yet to establish a concrete threshold of what is acceptable in cyberspace.
“Not everything that we might call a cyberattack is actionable,” said Libicki, explaining that it is hard to establish a firm threshold for what constitutes an actionable attack.
Libicki addressed the problems with using an already established international norm of combat, such as the Law of Armed Conflict (LOAC), to cyber conflict.
“Unfortunately, LOAC kicks in only when something is broken or someone is hurt, and in cyberspace damage has occurred twice and death not at all. An attack that bankrupts a firm by contrast would not be actionable by LOAC,” said Libicki. “Deterrence introduces multiple issues that need far more careful attention than they have received to date.”
Libicki also cautioned that relying on an internationally determined law of cyber combat should not replace national deterrence practices.
“International law is only as good as international organizations are willing to support it,” said Libicki. “In the end, international law has to be supported by nation-states, by countries.”
Singer added that the quickest way to undermine international norms is to not act when attacked.
“Credibility remains an issue,” said Libicki. “Although the United States did retaliate against North Korea for the Sony attack, and Russia for the DNC hack, the reprisals that have been made public, mostly sanctions, were not the sort that would induce fear in others.”
“For as long as we use the Internet, adversaries like Putin’s Russia and many others will seek to exploit this technology and our dependence on it in realms that range from politics, to business, to warfare itself,” said Singer.
