The Time Has Come for Rules of Engagement for Cyberwarfare
After over half a century of unmatched global security dominance, the United States and its western allies are now faced with a rapidly-changing playing field in what is now considered the fifth domain of battle: cyberwarfare. Russian, North Korean and Iranian hackers are beginning to push the limits of our current bounds of war, making this period of international relations trickier for military leaders and policymakers to decide not only if they should respond, but how.
While some leading experts point to the fact that political and military leaders can lean on the existing matrix of international civilian and military laws to use as rules of engagement in the digital world, it can be argued that the battleground of tomorrow will be dramatically different. In other words, we have reached a tipping point where rules of engagement unique to cyberwarfare are needed. Here are five reasons why that time has come:
Increasing Cyber-Capabilities Abroad
The United States and the other large international players are not the only ones with the skills, resources, technology and motivation to contend in the cyber arena. Countries around the world have taken large steps to begun to build their cyber warfare capabilities. According to Peter Singer, director of the Center for 21st-Century Security and Intelligence at the Brookings Institution, more than 100 nations now have a cybercommand or a special military unit assigned to fighting and winning wars in cyberspace.
Put simply, the global stage is nearly set for cyber-based conflict. If one occurs, it could be — as Pulitzer Prize winner Robert Kaplan noted in a 2016 speech at the University of North Carolina — not a cat and mouse game, but “a cat and a cat game. If you’re ever seen two cats fighting…it’s a dangerous game to get into.” Without established rules, conflict can quickly escalate with unexpected initial and follow-on consequences.
Cyberattacks Are Underway
At the national level, United States policymakers, military leaders and national security professionals each have begun to recognize the risks inherent in the lack of a set of rules of engagement and prominently voice their concerns.
This began back in 2006 when then-Defense Secretary Donald Rumsfeld signed the National Military Strategy for Cyberspace Operations, which stated that “DOD will conduct kinetic missions to preserve freedom of action and strategic advantage in cyberspace. Kinetic actions can be either offensive or defensive and used in conjunction with other mission areas to achieve optimal military effects.”
In the time since, Kaplan credits former U.S. Secretary of Defense Robert Gates with seeing the risks inherent in the lack of even an implicit set of rules of engagement among the major cyberpowers. Unfortunately, the issues were so complex that even Gates found the challenge to create them a bridge too far, Kaplan continued.
All the while, attacks like those against Sony Pictures and the Democratic National Convention highlight the complexities inherent in the digital arena. The result is widespread acknowledgement of both defensive and offensive cyber-operations, but debate among experts on whether that line that defines cyberwarfare has already been crossed. Therefore, without rules of engagement, responses to attacks could take too long to issue and may even be inconsistent, slow and ineffective.
Gaps Exist Within International Law
While some, including University of Exeter professor Michael Schmitt, believe current civilian and military laws can be the foundation for a future set of cyber warfare rules of engagement, many gaps exist that could confound responses at the national level. The results of the 2013 NATO effort, the Tallinn Manual, a non-binding study on how international law applies to cyberwarfare initially demonstrated this reality.
In addition to attempting to define cyberwarfare in recognition that no legal definition exists elsewhere, the Tallinn Manual represented existing international law in a digital context. The document’s 13 authors, known as the International Group of Experts, provided legal commentary and created recommendations that could serve as a framework to form future rules of engagement. However, the document was not widely adopted or seen as actionable.
Recognizing existing gaps remained, the Tallinn 2.0, released in February 2017, expanded on the scope of the original manual. The document presented scenarios that were designed to be the most disruptive and destructive of cyber-operations. International laws like those regulating telecommunications, diplomacy, and war were again applied. But in the fog of a cyberwar, this exercise using a web of laws could serve to be too complex to understand and apply.
Cyberattacks May Bleed Over
As former Deputy National Security Advisor to President Obama Avil Haines pointed out in a September 2017 speech at the Cloudflare International Summit, it is easy to just see the cyberworld as its own battlefield when, in reality, it is just part of a larger overall conflict. “We need to make sure we don’t imagine that the only responses to the cyber are in cyber,” Haines explained to The Register.
Asked what kind of cyberattack merits a larger military response in-kind, Haines believes it is when it has the same impact as a bomb would have on a target: taking out a critical piece of infrastructure. But what happens next? What if a cyberattack causes a large-scale blackout across the United States and thousands die as a result?
These questions can only be answered with more questions without rules of engagement. Do we go to kinetic, boots-on-the-ground war? Or, do we just respond in kind? While the Tallinn 2.0 attempts to answer these questions, not every scenario was evaluated, leaving military leaders and policy makers to make the call themselves.
Rising Calls for Action
Fortunately, many of the cyberattacks reported to-date are operating in the margins of existing international law and have not reached a major, infrastructure-crippling cyberattack foreseen by Haines, which gives the international community time to prepare. In 2017, Microsoft proposed a digital Geneva Convention, which chief legal officer Brad Smith outlined could constitute a multi-national effort to define the rules of engagement for cyberspace. A year later, U.N. Secretary-General Antonio Guterres called for the establishment of international rules of conduct for cyberwarfare.
However, Tallinn Manual project director and University of Exeter professor Michael Schmitt believes that these calls are too aspirational. The trick, according to Schmitt, is getting nations to acknowledge this. Developing rules of engagement is “happening in real time, on a case-by-case basis,” says Schmitt. “We act as if we can make up the rules of the game as we go along because there is nothing out there.” The next step should then be, as Schmitt proposes, getting like-minded countries and industry leaders together to just start defining their rules and their boundaries and build from there.
Although the idea of creating a formal set of widely-understood rules of engagement in cyberwarfare is a highly complex endeavor, experts like Haines and Schmitt nevertheless seem optimistic that they can be defined. In particular, in her September 2017 speech, Haines pointed towards the Law of the Sea as an example of a framework of laws that were developed organically that have come to define how countries interact outside of defined national borders. This mentality — that it is to everyone’s best interest to not be constantly in conflict on the open water — can also be true within the cyberdomain. The international community, as Schmitt notes, just has to see it that way. And that time is now.
Cyber operations come out of the shadows, Defense Systems
National Military Strategy for Cyberspace Operations, Homeland Security Digital Library
Tallinn Manual Process, CCDCOE
Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations to Be Launched, CCDCOE
The need for a Digital Geneva Convention, Microsoft
Pressure Building for Rules of Engagement for Cyberwarfare, Communications of the ACM