The media and some U.S. politicians called the 2020 Russian cyberspace intrusion into U.S. government agencies to steal information a cyberspace attack, though it was clearly an act of espionage and involved no denial of service or damage. (In other words, the event was cyberspace espionage and not a cyberspace attack.)
Conversely, some politicians, many lawyers and some analysts want to call the 2014 North Korean destruction of Sony Pictures computers, the 2015 Russian denial-of-service attack against TV5 Monde in France, or the 2015 and 2016 Russian cyberspace denial of electricity in Ukraine a “violation of sovereignty,” but not a cyberspace attack, nor even a use of force. This is troubling and trivializes such events. By the same logic, for instance, ransomware events are not cyberattacks.
Historically, it is difficult to find a politician, lawyer or analyst who questioned the longstanding term computer network attack (CNA). They all accepted that such events involving creation of denial effects were CNA, since they involved actions that met the standard definition: “to disrupt, deny, degrade or destroy information resident in computers.”
Likewise, it would be hard to find a notable example of a politician, lawyer or analyst questioning the even longer-standing term electronic attack (EA) — the use of electromagnetic energy “to degrade, neutralize or destroy enemy combat capability.” EA has long been considered a form of “fires” and a bona fide form of attack.
But when the Department of Defense made a minor change in the term CNA to “cyberspace attack,” all of a sudden many changed the triggering criteria for attack to physical damage that one can see, or physical harm. What happened?
This reasoning is likely tied to the international humanitarian law distinction of an armed attack requiring physical violence. But this doctrinal and policy timidity fails to account for the uniqueness of operations in cyberspace and is politically and logically harmful.
The 2014 North Korean destruction of computers inside Sony Pictures was cyberspace attack and most certainly a violation of sovereignty. The 2015 and 2016 Russian denial of service on Ukrainian electric companies was cyberspace attack and most certainly a violation of sovereignty. In both cases, code was damaged, arms were used, service was denied, sovereignty was breached. The fact that Sony replaced the damaged computers (at a cost of tens of millions of dollars) or that electricity was restored in Ukraine 5 hours later is irrelevant. No one would claim that if the Russians destroyed a Ukrainian circuit breaker with a small charge, and the breaker was replaced 5 hours later, that no attack had been conducted. So why do some analysts claim a cyber weapon used to deny the breaker’s circuits, later restored, was not an attack?
The reason some don’t claim this is because they are afraid of having to call many more such events attacks, particularly events that the U.S. government conducts. Ironically, failing to call these North Korean and Russian attacks what they really are makes it even harder (not easier) to respond to them. Former President Barack Obama, for instance, declined to call the North Korean Sony event an attack and instead called it a cyber nuisance. Such decisions are always political in nature, made in consideration of many factors, only one of which is the actual effect in cyberspace. These politicians and analysts may think they are helping U.S. policy by not doctrinally calling such events attacks. But overall they are hurting policy terribly, since they minimize the significance of such attacks (despite the size of the damage or denial of service) and consequently hamper and hamstring U.S. responses.
Do we not call ransomware attacks “attacks”? We do, and we should, since they deny service. They are serious events; most often they enjoy the countenance of a state (e.g., Russia).
What if a five-hour electrical grid disruption delayed the delivery of medication somewhere, which resulted in a death weeks after the cyberspace event? Would that not be an attack? Can attackers deny service to webpages, electrical grids, dams, air traffic control — all temporarily — and, as long as no one dies during the event, it would only be considered a violation of sovereignty or a nuisance?
If a weapon physically tore apart a system, but it could be repaired, everyone would certainly call that an attack.
If a weapon physically disassembled a system, but the system was reassembled 5 hours later, the same would be true.
But if a cyberspace capability (a weapon; an “arm” – a form of fires) disabled code, which was later repaired, many claim such an event alone is not an attack. This is illogical.
These events involve “fires” and although the fires may be digital or small in size (even unseeable), logically, historically and doctrinally they fall within the traditional understanding of “attack.”
On the one hand, many are quick to call a cyberspace espionage event an attack. On the other hand, when cyber events deny service or make systems inoperable, many are reluctant to call these events attacks, since such a label seems to imply some sort of escalation is warranted, if not mandatory.
A president may choose to downplay the significance of such cyberspace attacks for good political reasons, but no one should be afraid to call such events cyberspace attack. Likewise, theft of intellectual property via cyberspace (what the Chinese do) and espionage via cyberspace (what both the Chinese and Russians do) ought not be confused with or labeled cyber ‘attack.’ Confusing these events only hampers a proper and appropriate response.
In the traditional physical domains, causing actual, functional denial, no matter how severe or how minor, is a consequence of the use of arms: It is fires. Continuing to call such fires in cyberspace not an attack is confusing and unhelpful, and is of no long-term benefit to the U.S. militarily or politically.
James Van de Velde is an adjunct faculty member at George Mason, Johns Hopkins and the National Intelligence University. The views expressed in this article are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. government.