When does cybercrime become cyberwar?
No consensus exists between the U.S. government and cyber security experts as to whether North Korea is responsible for the online dumping of Sony Pictures Entertainment’s confidential business data and emails. Even if it could be proven beyond any doubt with uncontestable forensic evidence that this theft is also, in fact, an act of computer hacking, it still wouldn’t technically constitute an act of cyberwar – regardless of the identity of the perpetrator. So then, when would it?
About 10 years ago, over dinner in Los Angeles, the late Andrew Breitbart (founder of Breitbart News) said that Islamic terrorists had already attacked the military and financial might of the West by hitting the Pentagon and the World Trade Center, and suggested that if they wanted to hit the epicenter of Western culture, all they would need to do is stuff a Hollywood celebrity into an orange jumpsuit. Targeting a Hollywood studio from behind computer terminals accomplishes more or less the same goal, instilling fear and insecurity at the heart of American exportable “soft power”.
No one’s suggesting that Islamic extremists have anything to do with the Sony breach, but it wouldn’t be hard to imagine that other bad guys who favor this kind of asymmetric attack might be taking notes on its effectiveness.
Still, it’s not technically war. As liberally as the term “cyberwar” is tossed around these days – to describe everything from temporary denial-of-service attacks on websites to corporate database breaches by foreign actors – for any cyber attack to meet the threshold of an act of war, it must constitute a prohibited “use of force” under international law.
NATO’s “Tallinn Manual On the International Law Applicable To Cyber Warfare” attempts to fit cyber “use of force” into conventional rules of war and existing international law: “Whatever ‘force’ may be, it is not mere economic or political coercion. Cyber operations that involve, or are otherwise analogous to, these coercive activities are definitely not prohibited uses of force.”
According to Tallinn, a cyber attack crosses the line into cyberwar when it causes physical harm to civilians or civil infrastructure. “Mere inconvenience and irritation” never constitutes an act of cyberwar. The Sony leak isn’t explicitly prohibited under international laws of war, regardless of its cause: “International law does not prohibit propaganda, psychological operations, espionage, or mere economic pressure per se.”
A cyber crime is rarely tantamount to an act of cyberwar – even if celebrities’ emails are involved and it’s featured on cable news all day long.
So what recourse does a company have? It can lay a complaint with local law enforcement, who may find that legal recourse ends at their own nation’s border when it involves a foreign cyber attacker, because international cooperation and the law tend to always be several steps behind in the domain of cyber crime.
Better laws and international harmonization between them are needed to combat cyber breaches, but cutting through the whining of the usual critics who think that every bit of legal tinkering involving anything cyber related somehow brings America one step closer to police state status will no doubt prove challenging.
In the case of a prominent multinational of significant economic importance to the American economy (and I’m not convinced that a Hollywood studio actually qualifies), a diplomatic channel could be opened to address the attack either directly with the attacker’s nation state, or via an ally who benefits from close relations with it – as Obama is reportedly doing now in addressing China in the Sony case.
At least maybe the critics who were upset when the top secret documents leaked by former NSA contractor Edward Snowden last year showed that Canada’s signals intelligence agency gathered economic intelligence on oil and gas companies in Brazil will now have a more concrete example of exactly how economic interests and national interests can be inextricable. For example, if the Sony screwball comedy film mocking Kim Jong-un that has been derailed in this fiasco has nothing to do with American national interests, then why so much insistence that Sony must stick to its guns and defend the spirit of the First Amendment by releasing this film?
Companies that aren’t considered to be of critical economic importance to the state can always hire their own private security and political operatives to prevent, mitigate, or resolve any problems.
While we haven’t seen any actual cyberwar yet, it’s everything below that threshold – the low-level cyber insurgency – that risks causing grief if measures aren’t taken to mitigate it.