There is something about the cyber domain that makes people lose perspective. The latest cyberspace incident is a perfect example.
According to the news, a foreign actor, most likely Russia, infected a much-used software program with malware that allowed it to access the accounts of those U.S. agencies that used the program. The goal seems to have been to collect (i.e., spy) on these organizations.
This cyberspace incident is a classic case of espionage through a system breach executed via a software supply-chain compromise by Russian actors. Many U.S. agencies were penetrated, without their knowledge, and the access to these systems reportedly was maintained for many months and may be ongoing today. If the Russians have this sort of cyber espionage tradecraft, you can be sure the Chinese have, or soon will have, it too.
However, the event was not, as widely characterized, a “cyberspace attack.” To call it such is to minimize the consequences of a real cyberspace attack, an event where actual functional denial occurs in cyberspace or one of the physical domains. It was not, if the news accounts are correct, an “armed attack” or even likely an example of “armed conflict.” No “arms” were used, unless Russia left behind code that would allow disruption or destruction of infected computers upon subsequent command. If the malware left behind can be used to allow malicious code to be delivered sometime in the future that destroys or degrades these U.S. computers, then this attack-preparation malware left behind might permit a future-armed attack. Ransomware events are examples of actual cyberspace attack, since they deny functionality.
In cyberspace, some code used to maintain access to a target for intelligence collection can also be used later to deliver weapons. So far, this case appears to be one of collection only, albeit a significant one. Affected agencies will now spend millions of dollars clearing their systems of this infected code, eliminating adversary access.
Historically, no act of espionage has ever been treated as an “act of war” by any president, the one and only person who decides whether any event is “an act of war.” Others can have opinions, but no one else but the commander-in-chief makes this call. No legal definition exists for when a cyberattack would constitute an act of war. There is no policy, doctrine or fixed criteria to guide the president in making such a determination, however, and only the U.S. Congress can declare war on another state.
By contrast, the 2014 North Korean attack on Sony Pictures was indeed a cyberspace attack, since its denial effects included destruction of Sony computers and proprietary information, and the extortion though the threat of more destruction and physical violence to theatergoers. Although it may have been justified, President Barack Obama declined to call it an act of war; he even declined to call it an attack, but instead called it merely a cyber nuisance. Such decisions are always political in nature, made in consideration of many factors, only one of which is the actual effect in cyberspace.
There is no statute of limitations on declaring something an act of war, so it is conceivable that the current or future president could declare the Russian espionage an act of war, but it would be historically unprecedented.
No American was killed, and no U.S. computer, as far as press reports explain, has been damaged, destroyed or made inoperable. In other words, there was no functional denial of systems, only exploitation and espionage. Calling these acts an “attack,” “act of armed conflict,” or “an act of war” is inconsistent with the doctrines and understanding of war and serves only to confuse and mislead.
This clarification is not meant to downplay the significance of the espionage. It is noteworthy in scope, tradecraft, cleverness and scale. The Russians likely now have insight into many U.S. programs, policies, attitudes, plans, command and control, and technology, which may give it enormous advantage in negotiations, defense planning, policy formation, foreign affairs and intelligence.
Policymakers and politicians who are calling for punishment seem to envision inflicting some level of retribution to dissuade Russia from conducting subsequent acts of espionage via cyberspace. That will not be easy. Espionage via cyberspace is something the U.S. intelligence community conducts too. Russia knows the U.S. conducts such cyberspace operations, and assumes the country will continue such espionage.
The current or future president may wish to respond via cyberspace or by leveraging other elements of national power, but such steps are not likely to dissuade Russia from conducting cyberspace espionage altogether. At best, Russia will become more circumspect (but therefore more advanced) in its techniques and procedures.
All U.S. agencies should be assisting each other with protection (i.e., security and defense) of government cyberspace. Indeed, having strong security and internal defensive measures is by far the best deterrent to malicious cyberspace activity.
Russia and China are near-peer cyberspace powers today. Russia is particularly stealthy; China overwhelms adversaries with superior numbers of forces and operations. Russia conducts espionage and influence operations via cyberspace. China conducts espionage, influence operations, and steals U.S. and allied intellectual property through cyberspace. Neither state cares that we know what they do.
No domain of operations is as disastrous to the United States’ strength, prosperity and commitment to the rule of law as cyberspace, which has allowed authoritarian states to recover from their political backwardness and challenge the U.S. and Western notions of sovereignty, rule of Western law, and accepted notions of international behavior. Cyberspace allowed the unipolar world to collapse into a multipoplar world, where authoritarianism now enjoys some semblance of global respect and comparable power. The locus of political competition has shifted to cyberspace — and cyberspace is delivering for the malicious, authoritarian states of the world.
James Van de Velde is an adjunct faculty member at George Mason, Johns Hopkins and the National Intelligence University. The views expressed in this article are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. government.