Fergus Hanson is author of Internet Wars: The Struggle for Power in the 21st Century. This post is part of a series that will also examine citizen activism and control of economic chokepoints.
It was only mid-2009 when the US Secretary of Defense ordered the establishment of a dedicated Cyber Command. Now more than 100 countries have military and intelligence cyber warfare units. In the words of then-Chairman of the Joint Chiefs of Staff Martin Dempsey, cyber has become 'one of the most serious threats to national security'.
A key problem is the absence of well-accepted norms of behaviour spanning the use of cyber in conflicts. Even more concerning, there are a broad spectrum of scenarios in which cyber weapons can be used in peacetime.
Russia was first to synchronise cyber attacks with a military offensive when it invaded Georgia in 2008, and there is no doubt cyber will be integrated into future conflicts. Less clear are the appropriate limitations. International law suggests the use of force should be proportionate and limit civilian casualties. However, the internet makes civilian targets the easiest to strike and in many instances causalities are not immediate. For example, disabling an electricity grid during summer might lead to deaths through heat exhaustion.
Also unclear is the appropriate response. If a cyber attack is deadly or enormously destructive, or if the attacked country has only a limited cyber-attack capability, is a conventional military response justified? The ease of launching disruptive cyber attacks also makes them tempting, low-cost ways for a third-party, perhaps an ally, to get involved by launching cyber counter-attacks.
The nature of cyber warfare also means attacks will not always come from states.
A well-organised diaspora population located in a third country could launch a cyber attack during a conflict. If this population was in a friendly state, a law enforcement response would seem likely, but if it was in an unfriendly state a range of other response options might be on the table depending on the severity of the attack. As US Director of National Intelligence James Clapper noted in his statement to the Senate Armed Services Committee in February, it can also be difficult to distinguish between state and non-state actors within the same country, further complicating a decision on the appropriate response.
State-backed efforts to agree to norms of behaviour have begun, but are still in their early stages. One wordily named forum is the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. This formation was established last year 'to study, with a view to promoting common understandings...including norms, rules or principles of responsible behaviour of States'. In June 2015 it offered recommendations. Many were sensible, such as the suggestion that 'A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure'. Unfortunately, the characterisation of some of the recommendations as 'norms' was more aspirational than founded in practice, considering they are being breached on a daily basis.
James Clapper characterised cyber attacks as a 'growing reality' and noted: 'foreign actors are reconnoitring and developing access to US critical infrastructure systems, which might be quickly exploited for disruption if an adversary's intent became hostile'. Key threat actors named were Russia, China, Iran and North Korea, the latter two noted for having 'possibly more disruptive intent'.
Cyber attacks should now be expected during times of war. Of far more concern though is the emerging norm in favour of conducting cyber attacks during peacetime. In 2012, the UK's then-Minister of State for the Armed Forces, Nick Harvey, even made the case to the Shangri-La Dialogue that cyber attacks were 'quite a civilised option.'
Practice would suggest several states agree. In 2012, it was revealed the US had been targeting Iran's nuclear program with cyber attacks. It was the first time a cyber attack had turned hot, doing physical real-world damage. In retaliation, Iran launched a major attack in August 2012 on the world's largest energy company, Saudi Aramco.
North Korea has also been active, attacking South Korean banks and broadcasters in March 2013. In November 2014, it struck again, targeting Sony's spoof movie, The Interview, about the assassination of the North Korean leader. The attackers used the threat of terrorism to persuade theatre chains in the US to pull out of screening the film. As President Obama said at the time: 'We cannot have a society in which some dictator someplace can start imposing censorship here in the United States. Because if somebody is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary that they don't like, or news reports that they don't like.'
These attacks didn't lead to any deaths, but that seems unlikely to last. Major attacks on critical infrastructure could easily result in casualties, making escalation to traditional military options more likely. Cyber attacks may have appeared to be a soft, civilised option when not everyone had them, but with over 100 states now having military and intelligence cyber warfare units and cyber capabilities increasing, their more benign nature is unlikely to last or to escape the pitfalls of miscalculation and escalation.
As an advanced, open economy, Australia is vulnerable to cyber attack, including on critical infrastructure, as the first unclassified Australian Cyber Security Centre Threat Report made clear. There were 153 attacks reported last year on 'systems of national interest, critical infrastructure and government'. Australia has a strong interest in encouraging a much more robust global discussion that will agree on norms of behaviour and challenge the emerging norm in favour of using cyber weapons in times of peace.
Photo by Chip Somodevilla/Getty Images