Opinion: Why doctrinal arguments continue to stymie effective cyber policies
Cyberspace is a mess. But did it have to have emerged this way? Certainly, liberal democracies are most especially hamstrung when dealing with such a complicated domain, which is entirely owned by either states or the private sector. Unlike the other domains, there is, of course, no global commons, no international waters or airspace in cyberspace. It’s either your network or someone else’s.
Operating in cyberspace is indeed complicated, especially legally. Most who follow the cyberspace domain admit that, unlike the other domains (land, sea, air, and space), cyberspace is where the totalitarian states make their most progress and can shape political attitudes, and sometimes realities, without resorting to armed conflict. Yet the U.S. and its allies remain unable to shape the domain to something harmless, let alone to its advantage.
Here are a couple reasons why policy often gets constrained in bureaucratic debate.
First is the ongoing and almost religious and intractable fight over the definition of “tactical” versus “strategic” operations in cyberspace, the ambiguity of which has colored — if not crippled — perspectives in cyberspace with consequential attitudes that consistently minimize the significance of foreign intervention in U.S. cyberspace.
Throughout the 20th century, right up to the post-cold war era, strategists have defined “tactical operations” as those that target the military capabilities of an enemy force, i.e., the elements of military power (i.e., counter-force). “Strategic operations” were those that were conducted against high-value (i.e., “counter-value”) civilian targets, such as civilian infrastructure, industry, resources, or institutions of significant value to a nation, regardless of the means employed.
In other words, the strategic bombing campaigns by the allies in World War II were those targeted against German and Japanese homeland (civilian) targets. Likewise, the Japanese balloon bomb attacks against the U.S. and German V2 rocket attacks against the U.K. were strategic attacks — regardless of their size or how many civilians were killed.
Here is the sad, U.S. Air Force definition: Strategic Attack is offensive action specifically selected to achieve national strategic objectives. These attacks seek to weaken the adversary’s ability or will to engage in conflict and may achieve strategic objectives without necessarily having to achieve operational objectives as a precondition.
Too many are defining strategic cyberspace operations today as big or consequential operations. And that’s causing all kinds of havoc intellectually. If our political and military leadership requires a cyberspace attack to be politically consequential, they will become instantly mired in debate and paralysis over what constitutes consequential today, which is precisely what is happening.
The size of the attack is not the trigger, nor does size make such attack significant; the target determines whether an attack was tactical (to achieve wartime aims) or civilian (to target a country’s homeland). And the targeting of civilian infrastructure of another state should be considered exceptionally concerning — something utterly unacceptable, regardless of size (see Broken Windows policy). Such attacks trigger proportional rights of self-defense. This should be intuitive, yet somehow it has not been for many who work the domain of cyberspace (they let slide attacks on U.S. targets that are small or seemingly inconsequential). Yet could anyone imagine the Air Force or Navy dithering over whether violations of U.S. air or maritime space and subsequent destruction inside U.S. territory is of concern?
“Strategic” versus “tactical” should not be related to the level of destruction or political impact (involving highly ambiguous interpretations), but instead whether the focus of the attack was against counter-force (tactical) or counter-value (strategic) targets. Anything that attacks U.S. homeland targets is/should/must be a concern of the Department of Defense. Allowing that norm to be violated — treating it as merely a criminal act — has crushed a long-standing international norm: No one has a right to attack inside the homeland of another state.
The size of the attack and the amount of damage committed determines the proportional response, but the act itself is of great significance. It should be completely unacceptable that adversaries are targeting and effecting civilian targets inside the U.S., regardless of whether they are disrupted by a bomb or computer code, or whether anyone is killed or not, or whether the attack was large in scale (effecting thousands) or extremely targeted (effecting just a few). Such attacks demonstrate the capability and temerity of certain state actors to attack U.S. civilian targets inside the country. DOD should absolutely be triggered into appropriate action. (Remember: you get the behavior you reward!)
By messing with our understanding of “strategic,” we have created a new de facto norm that state or criminal group cyberspace attacks against U.S. civilian targets, other than against U.S. critical infrastructure, is somehow short of something the Pentagon should address. Our adversaries understand this now and exploit our intellectual diffidence.
Second is the debate over when a cyberspace attack constitutes an “armed attack” under international law. If a bomb destroys a computer used to direct a weapon system or manage the network of a U.S. defense contractor, everyone agrees such an attack is an “armed attack.” Arms were used in committing “fires” against these computers. But if a state uses code to disable the very same computers, resulting in the same effect — the “bricking” of that weapon system or network, many lawyers will freeze in intellectual constipation, utterly flummoxed by what they perceive as some significant difference. Yes, in some cases, the code used to disable computers can be removed, allowing the computer to work again. So what? The effect is the same: The weapon system or network is disabled. Arms (code) are used — just like a bomb — to disable the computer or network. Some claim such cyberspace attacks are more like jamming or a naval blockade, both of which are not armed attacks.
Most lawyers who are uncomfortable defining disabling cyberspace attack as “armed attack” do so because they are afraid such an interpretation will encourage or legally justify a counter response to U.S. cyberspace attacks. Yes, they’re right! It would! And that is the point! But the higher you raise your threshold, the more the malicious actor will get away with (see Broken Windows policy – again!).
Cyberspace attacks that result in direct permanent damage, physical bodily injury, or risks death of an individual are clearly armed attacks. Cyberspace attacks that result indirectly in damage, injury or death, such as taking out an electrical grid, causing traffic deaths or hospital deaths, should be considered armed attacks. Cyberspace attacks that create physically destructive effects, such as changing the network’s information, permanent function denial, or hard drive destruction, should be considered armed attacks. And cyberspace attacks that merely disable a computer system or network temporarily should also be considered armed attacks. Arms are used as fires; tactical or strategic objectives are being sought.
The U.S. — like all states — has the legal right to respond to an armed attack. As set forth in Article 51 of the Charter of the United Nations, states are permitted to use force in the face of an armed attack as an exercise of their inherent right of individual or collective self-defense. Therefore, unauthorized disruption of U.S. critical infrastructure, such as disruption of voter rolls or electrical grids, can and should be deemed an armed attack by the U.S. president.
In Afghanistan, our strategy was to hold the cities and wait the Taliban out. Unfortunately, the Taliban strategy was to hold the countryside and wait the Americans out. Our strategy was in fact the enemy’s strategy.
Likewise, our strategy in cyberspace is precisely our adversaries’. They conduct operations that do not trigger the DOD. They discern our redlines through trial and error and conduct activities right up to our thresholds. No major competitor wants to provoke an armed conflict with the DOD; they are very happy stealing U.S. intellectual property, conducting ransomware attacks (suffering useless Department of Justice indictments) and influencing American political attitudes through cyberspace-enabled information operations.
In each case, most U.S. cyberspace policymakers have chosen interpretations that allow the U.S. government and DOD to eschew confronting malicious cyberspace actors. In short, such interpretations were chosen to avoid having to escalate the event and confront the actor. This type of timidity is overall costly, much like approaches to criminal law that allow misdemeanor offenders to go unpunished.
Cyberspace will continue to favor authoritarian states that violate sovereignty, law and international norms in peacetime as long as the U.S. does not successfully engage the malicious actors. Many of our attitudes and prior thinking may explain the state of cyberspace today.
James Van de Velde, Ph.D., is a professor at the National Defense University, Dwight D. Eisenhower School for National Security and Resource Strategy, associate professor at the National Intelligence University, and adjunct faculty at the School of Advanced International Studies, Johns Hopkins University. The views expressed in this article are those of the author and do not reflect the official policy or position of the National Defense University, the Department of Defense, or the U. S. Government.