How should the U.S. declare cyberwar?

The United States has made clear to the world how it would respond to a nuclear attack, and some members of Congress want to wrap similar clarity around the response to a destructive cyberattack on critical U.S. interests.

Are the two threats comparable in such a way that similar statements on deterrence would be meaningful?

James Lewis of the Center for Strategic and International Studies doesn’t think so.

“A more declaratory statement” on how the U.S. would respond to various cyberevents would be useful, Lewis said, but that would not involve defining what constitutes a cyberact of war, as some lawmakers are seeking.

Lewis, one of the nation’s leading thinkers on cyberpolicy, questioned the purpose and effectiveness of trying to define a cyberact of war, saying this is “not a very helpful line to draw.”

U.S. and allied governments agree “that they don’t want a hard and fast rule, they want flexibility,” Lewis said.

“There’s no such thing as ‘an act of war,’ that’s from the Victorian Age,” Lewis commented last week. “We do have a strategy, but we don’t have a credible deterrent because there is no credible deterrent.”

Senate Armed Services Chairman John McCain, R-Ariz., has been badgering the Obama administration over the past few years to spell out how the United States would respond to attacks such as the one on Sony Pictures in late 2014.

“From Iranian and Russian attacks on American banks to China’s orchestrated campaign to steal military secrets from our defense contractors, the administration’s failure to deter our adversaries has emboldened, and will continue to embolden, those seeking to harm the United States through cyberspace,” McCain said after the Sony attack, which was attributed to North Korea.

Sens. Mike Rounds, R-S.D., and Angus King, I-Maine, last week added language to the annual defense authorization bill requiring the president to “develop a policy for determining when an action carried out in cyberspace constitutes an act of war against the United States.”

Their proposal says, “The president shall consider the following: 1.) The ways in which the effects of a cyberattack may be equivalent to the effects of an attack using conventional weapons, including with respect to physical destruction or casualties. 2.) Intangible effects of significant scope, intensity or duration.”

Speaking with reporters, Rounds disputed suggestions that the proposal would require a rigid definition of acts in cyberspace that constitute an act of war, with all of the attendant legal, diplomatic and military implications.

But he said a better definition is needed for when the military should step in to protect critical infrastructure, and that it would be “appropriate to let the world know that at some point it constitutes an act of war.”

Rounds acknowledged this is “a hard issue.”

“We have asked that the administration spell out the policy options rather than we dictate it,” Rounds said. Under the proposal, the administration would report to Congress in six months on forward-looking policy recommendations that could “go from administration to administration,” Rounds said.

“Do it now before we have an emergency situation,” he said. “Let the bad actors know that if they cross certain red lines … there will be repercussions.”

The proposal would at least stoke a conversation, and given the realities of the congressional calendar, it almost certainly would be an issue for the next administration, not this one.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield. 
