In a Wall Street Journal op-ed this week, Senator Mike Rounds argued the United States urgently needs “a clear and concise definition of when an attack in cyberspace constitutes an act of war.” To produce this definition, Rounds introduced the “Cyber Act of War Act” to remove “dangerous ambiguity” in U.S. policy and better prepare the United States “to respond to cyberattacks and better deter bad actors from attempting an attack on the U.S. in the first place.” Unfortunately for Rounds, his proposal would neither produce the definition he believes is critical nor advance policy from where it presently stands.
Although Senator Rounds stresses the need for a clear and concise definition of a cyber act of war, the bill does not mandate the government produce such a definition. The proposed legislation would require the president to “develop a policy for determining when an action carried out in cyberspace constitutes an act of war against the United States.” This obligation is procedural—establish a process for deciding when a cyber incident crosses into warfare. Developing this process would not necessarily produce a clear and concise definition of a cyber act of war.
In developing a policy process, the bill instructs the president to consider how “a cyberattack may be equivalent to the effects of an attack using conventional weapons, including with respect to physical destruction or casualties” and “intangible effects of significant scope, intensity, or duration.” Application of these criteria would not produce a clear and concise definition. What the bill proposes is a process that evaluates cyber incidents on a case-by-case basis using relevant considerations.
In that sense, the proposed act would do nothing not already being done. The Obama administration has delineated criteria for deciding how to characterize a cyber incident. In keeping with prevailing policy and law, the administration analyzes this issue in terms of the use of force rather than acts of war, but the different terminology is not analytically important. As just one example, the State Department’s Legal Advisor, Harold Koh, noted in 2012 that:
Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force. In assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors: including the context of the event, the actor perpetrating the action . . . , the target and location, effects and intent, among other possible issues.
Koh also highlighted that “there are other types of cyber actions that do not have a clear kinetic parallel, which raise profound questions about exactly what we mean by ‘force.’” U.S. policy already considers the different effects cyber operations can produce and the challenges such consequences create for determining whether a use of force occurred. Koh further noted that, pre-cyber, states experienced “ambiguities and differences of view” concerning when kinetic activities constituted a use of force or an armed attack—a situation that never provoked Congress to demand clear and concise definitions of these critical terms.
Moreover, the Obama administration has addressed numerous incidents, including the North Korean cyberattacks against Sony Pictures Entertainment, and determined they did not constitute acts of war based on the criteria used to make these decisions. The administration has developed a policy process informed by relevant criteria, raising the question why Senator Rounds wants Congress to force the president to develop a process that considers criteria already embedded in policymaking.
Senator Rounds’ advocacy for a clear definition also runs headlong into the well-understood reality that determining whether a use of force has occurred involves, and should involve, strategic and political factors that render attempts to produce unambiguous definitions futile. In this context, governments prefer a measure of political discretion. This preference is normatively important especially where kinetic or cyber incidents do not obviously involve the use of force. The exercise of this discretion requires policy processes that evaluate incidents on a case-by-case basis utilizing multiple criteria, including political and strategic factors specific to the incidents and their political contexts.
Nor would a definition promote better responses to cyber incidents or deter cyberattacks. The United States already has ample reasons to respond effectively to cybersecurity threats, and a definition will not produce better response strategies or capabilities. In terms of deterrence, setting a low threshold for a cyber act of war would be controversial and invite adversaries to test this “red line.” Setting the threshold high would incentivize operations that push against it, daring the United States to violate its self-imposed definition. Either way, the definition could undermine the credibility of deterrence.
In sum, the Cyber Act of War Act is an ill-conceived proposal that deserves to die, quickly, in Congress.