In the past six months, hackers have infiltrated the websites and internal servers of the United States Senate, the CIA, numerous other state and federal agencies, private corporations, and individuals. The onslaught seems unstoppable, and the FBI and other US law enforcement agencies struggle to identify and arrest the hackers responsible for the attacks. Many hackers are after money, concentrating on identify theft and other frauds that have allowed them to steal tens of millions of dollars, primarily from small businesses in the United States. More ominous, however, is the recent trend of attempted and successful cyber-infiltrations into government agencies, the military, and the email accounts of government officials and other individuals with high security clearances, in the United States as well as other nations.
At the same time that attacks are being launched against the United States, the United States has come much closer to launching its own cyber attacks. In early 2011, before leading conventional military strikes against Gaddafi’s regime in Libya, the United States considered, and ultimately rejected, initiating a cyber attack against Libya’s air-defense system, hoping to cripple its ability to act against the upcoming airstrikes. Although the United States rejected the plan, that it was even considered is strong evidence of the importance that the Obama administration has placed on cybersecurity, as it has become increasingly pressing for both homeland security and offensive military tactics.
Since taking office, Obama has taken unprecedented steps to develop a coherent United States policy on the issues surrounding cyberspace, particularly those relating to defense. The Obama administration was the first to appoint a Director of Cybersecurity and has released several publications detailing its cyberstrategy, starting with the Cyberspace Policy Review and the International Strategy for Cyberspace, in the first years of Obama’s presidency. Published in July 2011, the Department of Defense Strategy for Operating in Cyberspace, as the title implies, outlined how the Pentagon, which is in charge of all military domains, would approach cybersecurity issues. The Obama administration has also pushed Congress to draft and pass comprehensive cybersecurity legislation, a move which has received bipartisan support. One factor that greatly complicates the issue of cyberdefense, however, is the fact that cyber attacks are not solely made against the government or other public networks, but rather against private companies. There is debate amongst experts about how much the government should be involved in ensuring private companies are adequately protected against cyber attacks.
The United States is also an active participant in international conversations about cybersecurity, where there is much less consensus about appropriate rules and norms. Broadly speaking, there are two different approaches to cybersecurity that countries tend to take. The first, which is exemplified by the policies of the United States and the United Kingdom, want to be able to crack down on cybercrime without inhibiting the free flow of information between and within countries. The second, primarily promoted by Russia and China, is concerned with limiting the flow of information across borders. Russian and Chinese leaders are concerned that free information could make their societies less stable. While the Obama administration has stated that it would support the creation of an international treaty on cyberspace, it seems unlikely that agreement could be reached on any such treaty in the near future, given the divergent views on the most pressing issues of cyberspace. Another important issue on which there is no international consensus is whether a cyber attack should be recognized as a use of force against another nation and what the appropriate response to such intrusions should be. The target of an attack is important when determining whether it constitutes an act of war against a nation. In the United States, the President’s Commission on Critical Infrastructure Protection identified five sectors, Information and Communications, Physical Distribution, Energy, Banking, and Finance, which are so critical to American economic and national security that a cyber attack against them would constitute an act of war and therefore justify the use of force in response. Clearly, the recommendations of this commission are not binding, and certainly do not apply to countries besides the United States, but they are an illuminating example of considerations that must be made regarding cyber attacks. One goal of an international cyberspace treaty would be to outline what types of cyber attacks constitute an act of force and therefore legitimize a retaliatory act of force.
Another reason that it is so difficult to develop domestic and international legislation around cybersecurity issues is that it is often hard to pinpoint exactly who the perpetrators of a cyber attack are and therefore how to respond to them. Even though Google was able to trace a successful campaign to infiltrate the email accounts of thousands of people in the United States to China, including some high ranking government officials, there was no clear next course of action for the United States. The Chinese government quickly denied any involvement, a claim the United States and Google had no way of proving definitively. Because the attacks were purported to be perpetrated by non-state actors, the United States could not take any direct action against the Chinese government, and instead pursued a law-enforcement program, attempting to identify and arrest the hackers within the confines of normal diplomatic rules, its usual and only course of action in such cases.
The United States clearly has a long way to go in solidifying its own policies regarding cybersecurity, and even more time will be required before any kind of international consensus on these issues can be reached. The aborted cyber attack on Libya demonstrates how legal concerns about cybersecurity have yet to be resolved. One of the main reasons that the Libyan attack did not take place was that military officials were not convinced that the United States had the technology to launch an attack on such short notice and insure that it would be contained to the air-defense system without spilling over into other networks. Experts also feared that the United States launching its first full-scale cyber attack against another state would establish a precedent for Russia, China, or other nations to initiate similar campaigns, which would undoubtedly derail progress in establishing international cybersecurity norms. Furthermore, it was also questioned whether the attack needed to be authorized by Congress under the War Powers Resolution, depending on whether it qualified as using forces to initiate “hostilities.” While the technological impediments to a cyber attack like the one against Libya will undoubtedly be resolved in the near future, the other legal issues face questions that must eventually be resolved through domestic and international legislation.
Staff Writer Amy Lifland