“When is a cyberattack an act of war?”

The Washington Post’s Ellen Nakashima examines the question of what constitutes war if the trigger point originates in cyberspace:

Deciding what amounts to an act of war is more a political judgment than a military or legal one. International law avoids the phrase in favor of “armed attack” and “use of force.” Retired Gen. James Cartwright, former vice chairman of the Joint Chiefs of Staff, has often said that an act of war “is in the eye of the beholder.”

As Cartwright has pointed out, the United States didn’t go to war with North Korea after it sank a South Korean warship in 2010, nor with Iran after the U.S. Embassy in Tehran was seized in 1979. Would we want to start a war over a virus that causes a power blackout? And if not, what other actions might the government contemplate?

The government has defined an armed attack in cyberspace as one that results in death, injury or significant destruction, as Harold Koh, the State Department’s chief legal adviser, recently put it. Here’s the rule of thumb, as Koh stated it: “If the physical consequences of a cyberattack work the kind of physical damage that dropping a bomb or firing a missile would, that cyberattack should equally be considered a use of force.” If an attack reaches those levels, then a nation has a right to act in self-defense.

Columbia Law School professor Matthew Waxman elaborates on the legal and policy dimensions at the Lawfare blog. Demonstrating attribution and the need for self-defence will be a multi-dimensional, complicated process, he writes:

As to the last questions, whatever certainty about the perpetrator is necessary to satisfy internally the legal self-defense question, a state will also need to explain and justify its military response externally, to domestic and international audiences – and those exercises may look very different. A state may not be willing to disclose publicly some of the intelligence information and analysis used to satisfy its internal legal analysis (I’m assuming that the attribution of a major cyber-attack could involve a combination of sophisticated digital forensics, human intelligence, reliance on circumstantial evidence and reasoning, and other means). Even if it chooses to disclose intelligence, that information might be unintelligible or unpersuasive to skeptical outside audiences. And the threshold of certainty necessary to win support from allies and partners may be higher (or perhaps in some cases lower) than that needed to satisfy legal requirements.

In terms of evolving international law in this area, the challenges of demonstrating attribution – besides just assessing it internally – will make it especially difficult to develop consensus legal appraisal of self-defensive actions against cyber-attacks, because so many of the key facts about the attack will be contested, secret, or difficult to observe.


Jasmin Ramsey

Jasmin Ramsey is a journalist based in Washington, DC.