Cyber Attacks Blurring Borders Between War and Peace
Director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations
Earlier this month, the Washington Post revealed that Russian hacker groups known as Fancy Bear and Cozy Bear reportedly breached the networks of the Clinton and Trump campaigns as well as the Democratic National Committee, White House, State Department and the Joint Chiefs of Staff.
Just days after the story broke, however, a hacker named Guccifer 2.0 took responsibility for the hacks and dumped some of the stolen data online, including opposition research on Donald Trump. A number of security specialists quickly questioned the validity of the claim, arguing that Guccifer 2.0 was in fact a cover for Russian intelligence, a false flag operation meant to shift attention away from Russian spies and perhaps influence the U.S. presidential election.
While the instigators may remain a mystery, the hack of the DNC is a clear reminder of how cyber attacks can undermine conceptions of sovereignty and are blurring the borders between war and peace. States are using cyber weapons for disruption to influence political outcomes. As Jens Stoltenberg, NATO secretary general, recently said, cyber attacks are now part of every crisis: “This is important to all possible conflicts we can foresee.”
Cyber conflicts will be diffuse, a constant hum of low-level skirmishes that violate sovereignty but often fall short of armed attacks. They may entail an attack on data at one company or distributed denial-of-service attacks on multiple banks in a country. States find these types of attacks attractive because they are unlikely to provoke military retaliation, but still have the potential to create useful political outcomes. Intelligence collection and force, espionage and sabotage have become blurred in cyberspace.
The vast majority of hacking is espionage. Russian hackers and the DNC dominate the news now, but China-based hackers have attacked similar targets, including the Obama and McCain presidential campaigns. Causing more damage to national security, Chinese hackers stole 22 million records, including security background checks and data on intelligence and military personnel from the Office of Personnel Management, and information from more than two dozen Defense Department weapons programs, including the F-35 Stealth fighter jet, Patriot missile system and the U.S. Navy’s new littoral combat ship.
There are few rules governing traditional espionage, and spying in cyberspace has been no different. After several years of publicly naming and shaming China for cyber economic espionage, the U.S. has slowly begun to build an international norm against the theft of intellectual property, trade secrets and business strategies for competitive advantage. In response, Beijing denied it conducted any type of cyber operations, announced that hacking was illegal under Chinese law and proclaimed itself the world’s biggest victim of cybercrime.
With the public campaign proving ineffective, the U.S. raised the stakes significantly, threatening sanctions on individuals or entities that benefited from cybertheft before the September 2015 meeting between President Xi Jinping and President Barack Obama. The summit was important to Xi and his efforts to portray himself as a strong leader to the Chinese public; Beijing did not want the cyber issue to derail the summit, so he made concessions. Standing side by side in the White House Rose Garden, the two presidents announced an agreement in which “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
China and the UK reached a similar agreement a month later, and in November 2015, China, Brazil, Russia, the U.S. and other members of the Group of Twenty accepted the norm against conducting or supporting the cyber-enabled theft of intellectual property.
The problem for states, and for international stability, is that espionage precedes and enables a disruptive or destructive attack. Chinese hackers have reportedly broken into industrial control systems, and Admiral Mike Rogers, head of U.S. Cyber Command and the director of the National Security Agency, told a congressional panel that China and “one or two” other countries would be capable of mounting a cyberattack that could shut down the power grid or other critical infrastructure. What might seem to be legitimate spying to a Chinese or Russian hacker might to U.S. policymakers look like “prepping the battlefield,” that is, looking for weaknesses that an attacker can later exploit in the event that a conflict breaks out.
If the espionage is discovered during a time of high tension, the defender may assume that an attack is being immediately prepared and feel pressure to respond quickly. A cyberattack could lead to physical war.
This is a growing threat. Militaries that do not want to be caught flat-footed are rushing to develop powerful cyber weapons without any agreement on how and when they might be used or any deep understanding of the consequences they might unleash.
Cyberspace is “uncharted waters,” as President Obama said after his June 2013 summit with China’s President Xi: “You don’t have the kinds of protocols that have governed military issues, for example, and arms issues, where nations have a lot of experience in trying to negotiate what’s acceptable and what’s not.”
The U.S. has been trying, with its friends and allies, to develop some rules of the road. In 2015, a group of government experts at the UN, which included representatives from China, the U.S., Russia and other countries, published a report arguing for a number of peacetime norms, including that states should not conduct activity that intentionally damages critical infrastructure or interferes with another country’s cyber emergency responders.
These are only beginning steps and much remains undefined and unregulated. Even if discussions among Washington, Moscow and Beijing reduce the chances of destructive cyber attacks on critical infrastructure, it will not end espionage. Other types of cyber conflict, like the DNC hack and data dump, will not cease.