Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.
As Adam mentioned the other day, the Sony hack highlighted the fact that even after years of debates and increased public attention on cyber issues, fundamental policy questions in this area remain unanswered. For example, no one has been able to satisfactorily determine when a cyber incident becomes an armed attack. When does a cyber incident cross the threshold that allows a victim country to respond with force consistent with its inherent right to self-defense? Does the incident need to kill people, or will physical damage, or even economic damage as in the Sony case, suffice? These are tricky and wrenching questions to answer.
Yesterday, during a House Foreign Affairs Committee briefing on North Korea, Brig. Gen. (Ret’d) Gregory Touhill, deputy assistant secretary for cybersecurity operations and programs at the Department of Homeland Security, hinted that the Obama administration was working on a framework to determine how the government should respond to a particular cyber incident based on its severity. Responding to a question from Rep. Gerry Connolly (D-VA), who asked "at what point does the intensity and severity and magnitude [does a cyber attack] constitute an aggressive act that has to be addressed?", Touhill replied:
Currently, the administration is working to put together that a codified construct for the priorities and the prioritization, and taking a look at it from a risk management and consequence management standpoint. That’s still a work in progress. But ultimately through our congressional processes and our constitutional processes, rather, you know, we -- we will be making those determinations.
Touhill’s answer, while convoluted, makes clear that the Obama administration is working on some sort of framework that could determine when a cyber incident reaches the level of an armed attack.
Government officials, like everyone else, prefer it when things are easy and straightforward. It would be great to have a framework document that sets out the criteria to determine when the United States is cleared to reply to a cyber incident with force.
The problem with these efforts is that determining whether something constitutes an armed attack is an inherently political decision, not a bureaucratic one. Responding to a cyber incident with force is a serious decision for any country, and a head of state will want maximum flexibility before making it. They won’t want to be constrained by a bureaucracy’s attempt to rationalize whether an incident meets the armed attack threshold, a concept which is itself fuzzy given the lack of international consensus on the definition of an armed attack. Further, as Matthew Waxman argues, a country’s response to a cyber incident will rest not only on its interpretation of the law but also on its broader strategic interests.
That explains why NATO’s cyber doctrine gives the North Atlantic Council, the organization’s peak decision-making body, the authority to determine when a cyber incident is severe enough to invoke Article 5 on a case-by-case basis instead of by some predetermined matrix. It also explains why Iran didn’t consider the Stuxnet incident an armed attack, as the Iranians probably didn’t want to trigger a conflict with the United States and Israel, Stuxnet’s alleged authors. Saudi Arabia, Qatar, and the United States probably made the same calculation when confronted with disruptive and sometimes destructive cyber activity that affected Aramco, RasGas, and U.S. financial institutions in 2012.
Government mandarins and academics can try as hard as they want to come up with an answer as to when a cyber incident meets the threshold of an armed attack, but a head of state’s likeliest response is going to be: "When I say so."