cyber-thiefChile is a South American success story, emerging from decades of tumult to become a stable, prosperous nation. But roughly a hundred years ago, Chile was torn by conflict between President Arturo Alessandri and the conservatively controlled congress. Congress had refused to pass any measures proposed by Alessandri, but they did find time to vote to increase their salaries, much to the dismay of the nation, and to the military, who had long been hoping to get a salary increase. A small group of young military officers sat in on the session during which the congressional salary increase was to be discussed. Ordered to leave, they began to rattle the sabers they wore within their scabbards, a plain warning to the members of congress. Thus was born the term sabre rattling.

The United States now is engaged in a very public form of sabre rattling. A number of news outlets have reported that the Administration has asked the CIA to provide plans for a cyber attack on Russia, purportedly in retaliation for Russian sponsored efforts to disrupt the U.S. election process. The fact the potential attack is being discussed so publicly is ample evidence that the Administration is intent on sending a clear warning, regardless of whether an actual attack takes place.

One can assume that if the U.S. does attack Russia in some fashion, Russia will respond, and it is clear that Russia has the ability to attack both the government and the private sector. It’s conceivable that Russia could pursue remedies at the U.N. Security Council and/or the International Court of Justice, but if recent history is a fair guide, it is more likely its response would be more direct.

Where all of this will lead is anyone’s guess. Both nations have the ability to significantly disrupt the economies of the other. Neither is likely to want to go that far, for at some point an ill-defined line would be crossed, and escalation beyond purely cyber measures would be on the table.

Legal guidance on how activities in cyberspace are covered by international laws, treaties and norms is provided by the Tallinn Manual, a product of the work of twenty international law scholars and practitioners created on behalf of NATO’s Cooperative Cyber Defence Centre of Excellence. The manual attempts to define some of the basics of cyber warfare. It stipulates that an online attack on a state can, in certain circumstances, be the equivalent of an armed attack. It states that such an attack is against international law, and says a state attacked has the right to retaliate. It also uses terms like maybe and probably as guidance for specific attack/counterattack scenarios, which tells us the rules governing cyber warfare are evolving and not generally agreed upon.

Writing in TechRepublic, Steve Ranger points out “Some countries have a very narrow model of what cyberwarfare should look like – that it should focus on hacking and damaging systems. Others see it as just one part of a much wider information warfare spectrum which stretches from hacking to disinformation and propaganda. Indeed, much of the criticism of the Tallinn Manual has been around how it represents a NATO—and specifically Western—outlook on what cyberwarfare should look like.” Not surprisingly, nations like China and Russia have a different perspective.

If the U.S. goes beyond sabre rattling and actually does execute a cyber attack on Russia, the next version of the Tallinn Manual will have a lot more experience to draw upon in providing legal guidance.

By Tom Davis, SDI Cyber Risk Practice
October 18, 2016