No reason for alarm . . . but a global conflict has erupted, and the struggle continues every day. The combatants may be all around us, and they could strike at any moment, advancing their agenda and upending the world order and the nature of armed conflict before our very eyes.
No, I’m not a conspiracy theorist. And no, this isn’t another blog post about The War on Terror. But the threat posed by world conflict in cyberspace, though often understated, is very real. The understatement largely results because links to state sanction for cyber-attacks are often tenuous. Take, for example, Russian cyberattacks against Ukraine, the destruction of Iranian nuclear centrifuges, purportedly by the US/Israeli worm Stuxnet, or the “spear-phishing” attacks allegedly perpetrated by PLA Unit 61398. At the Atlantic Council’s Brent Scowcroft Center on International Security earlier this month, General Wesley S. Clark (Ret.) has identified that such conflict now occurs continuously. “We’re doing it all of the time. So is everybody else; because, I hate to say this, you can’t wait [until] the next war to discover what the enemy’s cyber vulnerabilities are and what his nodes are.”
Clark’s warning belies a serious problem with the pervasiveness of cyber warfare: There are few, if any, established rules. On October 17 at the Vertex Innovation Forum on Cyber Security and Financial Technology held in Singapore, Professor Isaac Ben-Israel noted that the Geneva Conventions govern wars between states or armed conflict, rules governing conflict in the online space are nonexistent. The closest document that yet exists with regards to the subject is the Talinn Manual on the International Law of Cyber Warfare, published in 2013 at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. Unfortunately, the Tallinn Manual has not yet achieved any widespread acceptance, and attacks both during and outside of “official” conflicts occur with great frequency.
At a SimLab conference and simulation in Tel Aviv last year, General Clark noted that when it comes to fighting a successful cyberwar, “You have to know in advance who has the capacity, who’s been practicing this against you.” Thus, a justification for preemption may be part of any adopted rules on the law of cyberwar. The Tallinn Manual asserts in Rule 15 that “[t]he right to use force in self-defence arises if a cyber armed attack occurs or is imminent” subject, of course, to an immediacy requirement. The issue, of course, is that imminence and immediacy are difficult to prove in cyberspace. A preemptive strike against an enemy cyber-target might be misplaced . . . or worse, could lead to a “non-virtual” conflict that quickly spirals out of control.
To what extent do you believe it is important to codify the laws of cyberwar? Should preemptive strikes in cyber-warfare be permissible?
Andrew Jerell Jones, “Russian Interest in Ukraine Now Includes Cyber Warfare,” The Intercept (October 17, 2014).
Michael B Kelley, “The Stuxnet Attack On Iran’s Nuclear Plant Was ‘Far More Dangerous’ Than Previously Thought,” Business Insider (November 20, 2013).
T.P., “Chinese cyber-attacks: Hello, Unit 61398,” The Economist (February 19, 2013)
Molly Bernhart Walker, “Cyberwarfare underway ‘all of the time,’ says former NATO supreme allied commander,” FierceGovernmentIT (October 13, 2014).
Kevin Kwang, “Cyber warfare needs a ‘Geneva Convention’: Israel’s Space Agency Chairman,” Channel NewsAsia (October 17, 2014).
Tallinn Manual on the International Law Applicable to Cyber Warfare (Michael N. Schmitt, ed. 2013).
NATO Cooperative Cyber Defence Centre for Excellence (CCDCOE), www.ccdcoe.org.
Youtube, “Wesley Clark on Cyber Warfare” (November 17, 2013).