Playing with Fire: The State of Cyber Attacks and Cyber Warfare
Following reports of cyber-attacks targeting the New York Times in January of 2013, a secretive legal review of the powers available to the president of the United States has brought to light the option of launching preventive cyber-attacks should credible evidence indicating an impending threat against the United States surface. In this context the United States reserves the right to use cyber weaponry with or without an existing state of war. While rhetoric concerning the growth of cyber threats has grown more prominent in the last three years, this is the first instance that a state has been reported to view cyber-instruments as a “preventive” or “deterrent” option. Though heavy investments have been made in the past years, there is no empirical evidence that demonstrates that the United States intends to utilize its cyber-capabilities as announced.
Granted that the reaction seen from officials may be timely, though somewhat exaggerated, owing to the growing number of high profile security incidents, it should be made clear that there is to date no incident within cyberspace that can be defined unequivocally as war or warfare. Most have been confined to the realm of espionage or vandalism. The few cases that displayed “war-like” characteristics, such as Israel’s presumed use of cyber weapons to disable Syrian air defenses in 2007, should not be counted given that the violent outcome was the result of conventional weapons. Similarly, while Stuxnet had the potential of causing significant damage to both equipment and human life, no reports of the latter taking place have surfaced. Consequently, claims from pundits that cyber war is upon us and that this merits such a strong response remains, at this point in time, baseless. In its place, what can clearly be seen is the abject lack of norms and regulations that define permissible behavior of states within cyberspace.
Subsequently, this situation gives rise to cases wherein states continue to act solely by their own accord. Disparate legislation and standards between states coupled with a lack of understanding of this new domain poses serious challenges in regulating and defining what is acceptable. Consequently, this gives rise to widespread cases of cyber-espionage attributed to China, DDoS cyber-attacks from North Korea towards South Korean, and the like. While it is unlikely that the United States would act unilaterally to mitigate an imminent threat in cyberspace as described in the report, the fact of the matter is that there are no mechanisms in place to prevent it from acting as stated should it wish to.