"When Is a Cyberattack an Act of War?"
Ellen Nakashima of the Washington Post wrote over the weekend about “when is a cyberattack an act of war.” Focusing on Secretary of Defense Panetta’s recent speech warning of cyber-Pearl Harbors and on Shamoon, the nickname for a recent malware attack against Saudi Arabia’s state-owned oil company, Nakashima discusses in this piece two analytically distinct sets of questions that often get conflated: one is when do the type or effects of a cyber-attack give rise to a right of armed self-defense (substantive threshold or trigger issues); and another is how certain or confident a state must be in its assessment of who perpetrated the attack to justify such a response (attribution issues).
With regard to attribution issues, I’d add to the points made in this article that it is important to further distinguish between the legal and policy dimensions. Indeed, I’d break it down into at least three important questions with regard to the certainty or confidence of attribution: What level of certainty is sufficient from an intelligence perspective to convince policy-makers as to the perpetrator? What level is sufficient to satisfy the legal requirements of self-defense? And what level is demonstrable publicly (or perhaps privately when necessary) to attain diplomatic and political support for responses?
As to the last questions, whatever certainty about the perpetrator is necessary to satisfy internally the legal self-defense question, a state will also need to explain and justify its military response externally, to domestic and international audiences – and those exercises may look very different. A state may not be willing to disclose publicly some of the intelligence information and analysis used to satisfy its internal legal analysis (I’m assuming that the attribution of a major cyber-attack could involve a combination of sophisticated digital forensics, human intelligence, reliance on circumstantial evidence and reasoning, and other means). Even if it chooses to disclose intelligence, that information might be unintelligible or unpersuasive to skeptical outside audiences. And the threshold of certainty necessary to win support from allies and partners may be higher (or perhaps in some cases lower) than that needed to satisfy legal requirements.
In terms of evolving international law in this area, the challenges of demonstrating attribution – besides just assessing it internally – will make it especially difficult to develop consensus legal appraisal of self-defensive actions against cyber-attacks, because so many of the key facts about the attack will be contested, secret, or difficult to observe.