The attribution problem makes it very hard for the public to know if North Korea in fact attacked Sony, the precise damage Sony suffered, and the party responsible for the (apparent) counter-attack in North Korea. Attribution problems are present in other realms of conflict, of course. Some kinetic terrorist attacks leave no fingerprint; covert action is by definition designed to avoid attribution; and the like. But as the Sony episode shows, what is distinctive about cyber-conflict is the pervasiveness of the attribution problem. The problem makes it hard to judge the seriousness of the attack, the justification for the response, and the proportionality (and, more broadly, legality) of the response. The cyber context highlights how much our legal and political categories depend on knowing who did what.
There has been a lot of criticism of the USG’s apparently halting, uncertain, confused response to the Sony hack – including from me. Michael Crowley and Josh Gerstein have a recent piece summarizing some of the legal and policy uncertainty within the USG concerning the proper response to the alleged North Korean hack of Sony. They quote Keith Alexander, former NSA Director and head of U.S. Cyber Command, who says: “We don’t have the norms, the rules of engagement, the rules of the road for how we and other countries should operate in this space.”
At first glance this is an amazing statement. What the heck has the government been doing for the almost two decades that it has been warning us about cyberwar? The answer is that it has been doing a lot, and that Alexander’s statement is misleading. Here are three documents (there are many, many more in the unclassified realm, and many behind these in the classified realm) that show how seriously the government has been taking the organizational, policy, and legal issues for cyberwar: Presidential Policy Directive 20, which lays down basic USG policy principles and organizational responsibilities for offensive and defensive “Cyber Effects Operations”; the Gates memorandum establishing cyber-command; and Harold Koh’s (probably) inter-agency-cleared speech on how international law applies to cyber conflict. And yet, despite these and countless other documents, pronouncements, meetings, etc. about how the USG should respond to and conduct itself in cyber-conflict, Alexander is still right -- which in large part explains the USG’s hesitancy.
One reason why Alexander is right is that even if the USG had worked out its own organization and policy, there is no global consensus on these issues. Another, more fundamental reason why he is right, however, is that, as Crowell and Gerstein say, the USG is “confronting a new national security reality that has been the subject of mostly abstract debate for more than a decade” (my emphasis). The USG can talk itself blue about hypotheticals, and about analogies to real space conflict. But all the talk and planning in the world cannot anticipate the complex factual and political reality of the novel form of conflict that can take place in cyber.
A perceptive 1999 memorandum from the DOD General Counsel, entitled An Assessment of International Legal Issues in Information Operations, explains why:
Chief Justice Oliver Wendell Holmes once wrote, “The life of the law has not been logic; it has been experience.” It seldom happens that a legislature foresees a problem before it arises and puts into place a legislative solution before it is needed. More typically, legislators react to a problem that has already manifested itself. The international legal system operates in the same manner. The international community ordinarily does not negotiate treaties to deal with problems until their consequences have begun to be felt. This is not all bad, since the solution can be tailored to the actual problems that have occurred, rather than to a range of hypothetical possibilities. One consequence, however, is that the resulting law, whether domestic or international, may be sharply influenced by the nature of the events that precipitate legal developments, together with all their attendant policy and political considerations. . . .
[W]e can make some educated guesses as to how the international legal system will respond to information operations, but the direction that response actually ends up taking may depend a great deal on the nature of the events that draw the nations’ attention to the issue. If information operations techniques are seen as just another new technology that does not greatly threaten the nations’ interests, no dramatic legal developments may occur. If they are seen as a revolutionary threat to the security of nations and the welfare of their citizens, it will be much more likely that efforts will be made to restrict or prohibit information operations by legal means. These are considerations that national leaders should understand in making decisions on using information operations techniques in the current formative period, but it should also be understood that the course of future events is often beyond the control of statesmen. (my emphasis)
As Michael Reisman put it, “whether ... formal sources of [international] law have genuine significance or are merely a facade concealing raw and ephemeral political calculations can only be assessed when you have seen how they fared in a particular incident.” I expect that the Sony incident will cause us all to revise significantly our abstract notions of how international law should apply to cyber conflict.