When is a cyber attack an act of war? We don’t know, warns ex-Obama adviser

As warfare becomes increasingly digital, countries are facing a major problem: It’s hard to define when a cyberattack constitutes an act of war. Avril Haines, a former deputy national security adviser during the Obama administration, said today that while there are established norms around what counts as a physical act of war, those same metrics don’t exist for digital attacks.

“In the conventional world, we have a long history of rules that tell us when another country has used force, when what they do constitutes an armed attack, and therefore when we have a legal basis to respond to it in a kinetic way or in other ways,” she said during an onstage interview at the Cloudflare Internet Summit in San Francisco.

But digital attacks don’t have the same set of laws and norms around them, Haines said. That’s particularly important in the case of what she called asymmetric state-sponsored attacks, when one country is able to put a critical piece of digital infrastructure at risk without incurring the costs traditionally associated with such an action.

Another issue is that one country declaring a cyberattack an act of war means that it would then be bound by that same statement for similar situations in the future. In her view, the solution is to create an international framework that can help remove ambiguity around these issues.

Determining the seriousness of attacks isn’t an academic exercise. Consider the United States Justice Department’s indictment in 2014 of four Chinese army officers for hacking-related offenses. The American government has also blamed North Korea for a massive attack on Sony Pictures.

Haines said maritime law provides a ray of hope for nailing down international issues around cyberwar. Because the law of the sea has been so defined, it’s possible for international trade and sailing to take place. (It’s worth noting that even maritime law is not without its controversies, however — see China’s territorial claims to the South China Sea.)

In some cases, it’s possible to sidestep that issue when hacking and other campaigns accompany traditional military actions. Distributed denial of service attacks originating from Russia hit key websites in Georgia prior to and during a war between the two countries in 2008. (The Russian government denied responsibility for the attacks.)

Tech companies are also getting into the mix around cyberwar regulations. Microsoft chairman Brad Smith has been advocating aggressively on behalf of his company for a “digital Geneva Convention” establishing norms and protecting civilians.