This Means War! (or does it?)

SMALL cyber tuesday

“About four p.m., the enemy’s artillery in front of us ceased firing all of a sudden, and we saw large masses of cavalry advance: not a man present who survived could have forgotten in after life the awful grandeur of that charge. You discovered at a distance what appeared to be an overwhelming, long moving line, which, ever advancing, glittered like a stormy wave of the sea when it catches the sunlight. On they came until they got near enough, whilst the very earth seemed to vibrate beneath the thundering tramp of the mounted host.”

Captain Rees Howell Gronow, Foot Guards

On June 18, 1815, Napoleon Bonaparte led his French army of some 72,000 troops against a 68,000-man allied army commanded by Arthur Wellesley, Duke of Wellington. Wellesley’s forces included Belgian, Dutch and German troops, soon, decisively, to be joined by 50,000 Prussian troops. The battle took place just south of Brussels, near a little village named Waterloo. When the day came to a close Napoleon had suffered a defeat of staggering dimension.  His army was in tatters, having taken roughly 33,000 casualties.

For all the troops engaged in battle that fateful day the savage exchanges in close quarters were, unmistakably, acts of war. Few things are so obviously an act of war as armed warriors in conflict, and we’ve had countless opportunities to further our understanding of what constitutes an act of war. Thus, it’s interesting that some 200 years after Napoleon met his Waterloo, nations are wrestling with how to define whether and how an attack in cyberspace should be seen as an act of war.

U.S. Senator Mike Rounds just introduced the Cyber Act of War Act of 2016, which would require the administration to develop a policy to determine whether a cyber-attack constitutes an act of war. Senator Rounds argues that defining what sorts of cyber attacks constitute an act of war will both deter attacks and allow the Department of Defense to more effectively respond if a particular act meets agreed upon criteria.

In 2011, the Pentagon announced that computer sabotage coming from another country can constitute an act of war, opening the door for the U.S. to respond using traditional military force. But the precise definition of what sort of “sabotage” would be seen as an act of war was left unaddressed. The Obama administration seemingly favors ambiguity on the issue, having learned that drawing a red line in the sand can have a serious downside. The issue has also come before the North Atlantic Treaty Organization, a military alliance that includes the United States. NATO has tried to define what constitutes an act of cyberwarfare but views remain split. Some members argue a cyber act of war must demonstrate a “use of force.”

It will be interesting to observe the debate if Senator Round’s bill moves ahead. Can a cyber attack be an act of war? I would argue the answer clearly is yes. When is it an act of war? That answer is a little more elusive. But it cannot be ignored. The world is very different from the one that existed when Napoleon rose to prominence. But a Waterloo moment in cyberspace would resonate much the way Napoleon’s defeat did centuries ago.

By Tom Davis, SDI Cyber Risk Practice

May 10, 2016