Russia’s recent intrusions into American political organizations’ networks are driving discussions about the rules of engagement for cyber warfare, and forcing America’s own hacking of foreign governments into the light.
President Barack Obama told reporters at the G-20 summit in China that he has been in discussions with other world leaders, including Russian president Vladimir Putin, about creating a set of standards for cyber warfare. The debate over how and when to hack another nation has also reached the presidential race, with Democratic candidate Hillary Clinton calling last week for increased cyber capability for the U.S. military and for international norm-setting.
“Look, we’re moving into a new era here where a number of countries have significant capacities,” Obama said. “But our goal is not to suddenly, in the cyber arena, duplicate a cycle of escalation that we saw when it comes to other arms races in the past, but rather to start instituting some norms so everybody’s acting responsibly.”
But as Obama and Clinton call for discussions of cyber attacks, experts say that government-led hacking is already booming, and the lack of international guidelines has led to unintended consequences for ordinary civilians caught up in cyber conflict. The U.S. and the United Nations are each working to develop rules of engagement for the digital arena, but in the meantime, countries are deciding for themselves whether or not to follow the same guidelines for cyber capabilities as they do for traditional weaponry.
“This behavior is already being engaged in. We don’t have the procedures in place but we’re already engaging in that way, so we’re putting the cart before the horse,” says Amie Stepanovich, U.S. policy manager at the digital rights organization Access Now.
Stepanovich points to examples of U.S. hacking efforts like Stuxnet, malware believed to be developed in a U.S.-Israeli collaboration that spread beyond the Iranian nuclear facility that was its initial target, or a 2012 NSA exploit that knocked the entire country of Syria offline. These incidents, she says, demonstrate how cyber attacks can unintentionally impact broad swaths of the population — and show why nations need clear rules about cyber attacks on infrastructure.
“It’s something the next administration is going to have to address. All of our interactions are moving into the digital space very quickly and we’re seeing cyber activity that could determine the outcome of an election,” Stepanovich says. “Making sure there are protections for human rights and for people becomes exceptionally important on the internet because we all use the same infrastructure.”
Clinton is positioning herself to lead that conversation. Her remarks last week at the American Legion convention offered insight into how the Democratic presidential candidate views the recent cyber attacks against Democratic organizations, and how she believes the U.S. should respond.
The U.S. military should be ready and able to hack back against governments who target the country online, Clinton said. She pointed to the breach of the Democratic National Committee as an example of a cyber attack against the U.S., and advocated political, economic and military responses to such attacks.
“We need a military that is ready and agile so it can meet the full range of threats and operate on short notice on every domain, not just land, sea, air, and space, but also cyber space,” Clinton said.
The former Secretary of State went on to add:
We’ll invest in the next frontier of military engagement — protecting U.S. interests in outer space and cyberspace. You’ve seen reports Russia has hacked into a lot of things. China has hacked into a lot of things. Russia even hacked into the Democratic National Committee, maybe even some state election systems.
So we have got to step up our game. Make sure we are well defended and able to take the fight to those who go after us. As president I will make it clear that the United States will treat cyber attacks just like any other attack. We will be ready with serious political, economic and military responses. And we are going to invest in protecting our governmental networks and national infrastructure. I want us to lead the world in setting the rules of cyberspace. If America doesn’t, others will.
Of course, the U.S. already engages in plenty of cyber warfare. To use Clinton’s words, the U.S. has hacked into a lot of things. But her speech suggests an expansion of this kind of hacking is the best response to the recent Russian intrusions into the DNC and the Clinton campaign.
Hacking back has been a matter of policy debate in the U.S. for years, and the question of how to respond to cyber attacks isn’t entirely resolved. Most of the debate has centered around how to protect U.S. companies from intellectual property theft, but how and why the U.S. should hack a foreign government is a bit of an open question.
The State Department currently views cyber attacks as similar to physical ones, and bases its policy on presidential strategy.
“When determining whether a cyber activity constitutes an armed attack sufficient to trigger a state’s inherent right of self-defense, the U.S. government believes that states should consider the nature and extent of injury or death to persons and the destruction of, or damage to, property,” Christopher Painter, the State Department’s coordinator for cyber issues, told a House committee in July. If the government decides that a cyber attack injured people or destroyed property, it can launch its own counterattack.
Although the DNC hack embarrassed top Democrats, the incident didn’t sow death or destruction — so it seems that Clinton is open to expanding the kinds of hacks that merit hacking back.
“There is no universal red line for what constitutes an act of war. That determination is always context-specific, and nobody should expect it to be different with cyber,” says Mara Tam, an independent ICT policy and security specialist. Tam, who has a background in conventional nonproliferation and arms control, argues that governments should launch and respond to cyber attacks in the same ways they do physical ones.
“When Hillary talks about things like hacking back, what we’re really talking about is a doctrine of proportionate response,” Tam explains. “Proportionate response doesn’t mean tit-for-tat, hack-hack back, which is what many in the information security community seem to assume. In practice, if the harm suffered from a cyber attack requires a response, that response may not occur in the cyber domain at all. It could well be a diplomatic response or an economic response.”
Clinton’s technology platform doesn’t include an official stance on offensive hacking, but a source familiar with her campaign says that Clinton would likely respond to a cyber attack through diplomacy and sanctions, with military response as a last resort.
In addition to Obama’s G-20 discussions and those underway at the State Department, the United Nations has also been working to establish guidelines for government hacking since 2009, when it formed the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE). The UN GGE reconvened this August to continue developing this framework.
But in the meantime, government-led hacking is already underway. And because hacking doesn’t necessarily cause the same physical harm that traditional military action does, there are bound to be situations where the old rules just don’t apply.
“What we’ve seen, particularly with Russia, is that military applications of cyber are not necessarily looking for a kinetic effect. If you want to cripple your adversary’s ability to act coherently and with confidence, applications of cyber which embrace the informatic character of the domain are very effective,” Tam says.
It’s these kinds of attacks — ones that disrupt and misinform without causing harm to civilians or critical infrastructure — that have politicians struggling to come up with a proper response. As Obama noted yesterday, “What we cannot do is have a situation in which suddenly this becomes the wild wild West, where countries that have significant cyber capacity start engaging in competition — unhealthy competition or conflict — through these means when, I think wisely, we’ve put in place some norms when it comes to other weapons.”