
Conflicts in cyberspace

By Hassan Aslam Shad
December 11, 2018

In ‘What Really Matters in “Defending Forward”’, published in Lawfare on November 26, 2018, Lyu Jinghua offers a thoughtful analysis of America’s “defending forward” posture in cyberspace.

The article follows her first article titled ‘A Chinese Perspective on the Pentagon’s Cyber Strategy: From “Active Cyber Defence” to “Defending Forward”’ (published in Lawfare on October 19, 2018), in which Lyu contends that the difference in approach between China and the US is in the latter’s “preference for preemption or retaliation as the principle guiding the use of power”.

In response to Lyu’s first article, Ben Buchanan and Robert D Williams in ‘A Deepening US-China Cybersecurity Dilemma’ (published in Lawfare on October 24, 2018), among other things, point out that the US strategy stems from America’s threat perception from China, caused in part by the failure of a 2015 agreement between China and the US to regulate commercial cybertheft. While acknowledging that neither China nor the US is innocent in terms of their actions in the cyber arena, Lyu contends that the US posture will set a dangerous precedent by provoking suspicions among other states about their own cyber security.

Lyu’s warning ought to be taken seriously. War through traditional means is almost an afterthought in the 21st century. In a globalised world interconnected by technology, it isn’t unusual for software commands sent through a computer to threaten the integrity of an entire military infrastructure or weapons system. Throw into the mix hackers trained to sabotage the adversary’s information system and we have on our hands a new kind of warfare. Not warfare in the traditional sense of an “armed attack”, but one that plays out in cyberspace: a fluid and constantly shifting terrain.

Recent events point to the sheer magnitude of this threat. From the alleged Russian attempt to influence the US presidential election in 2016 to the US-Israel cyberattack on Iranian nuclear facilities in 2010, we are increasingly in the midst of this new warfare whose blurry edges make it a challenge for 21st-century military planners.

The sheer scope of the term ‘cyberwarfare’ is indicative of the nature of the beast we are dealing with. Some legal experts define it as “a battle for control over information and communication flows” to gain advantage over the adversary. Others see it as a “warfare grounded on certain uses of ICTs (information and communications technologies) within an offensive or defensive military strategy… aiming at the immediate disruption or control of the enemy’s resources”.

Richard Clarke, adviser to former US president George W Bush, saw it as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or destruction”. However, it is in attempts at framing cyberwarfare policies in national military doctrines where we see the gloves coming off.

The US Department of Defence Cyber Strategy (2018) acknowledges the necessity for the US to “take action in cyberspace during day-to-day competition to preserve US military advantages and to defend US interests”. Emphasising that the US is engaged in a “long-term strategic competition with China and Russia” because of activities by these countries that “pose long-term strategic risk to the nation”, America’s posture is to “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict”.

The 2018 vision for the US Cyber Command also acknowledges ‘defending forward’ as part of the US joint force (land, sea and air) strategy to be used across the full spectrum of conflict. In August 2018, Trump rescinded PPD-20, a directive that required inter-agency approvals before the US military could conduct cyberattacks, arguably giving a free hand to conduct offensive cyberattacks against targets threatening US interests.

China’s military posturing of “active defence”, outlined in China’s Military Strategy (2015) issued by the Ministry of National Defence, covers threats from “new security domains as outer space and cyber space”. It acknowledges that “cyberspace weighs more in military security” and mentions China’s resolve to “expedite the development of a cyber force”.

To date, China doesn’t have a published cyber strategy that can shed light on how the country intends to implement active defence in cyberspace, especially in circumstances where the threshold of the attack falls below an armed conflict (as underscored in the US strategy).

Herein lies the rub: whether it is America’s defending forward or China’s active defence strategies, it may very well end up being each country’s perceived vulnerability to cyber threats that will prescribe their response to threats.

Complicating things further is the fact that international laws predate technological advancements, leaving the field wide open for potential abuse. The UN Charter (1945) requires states to respect each other’s territorial integrity and prohibits armed attacks unless they are conducted in self-defence. There are no binding international norms on what constitutes an armed attack in cyberspace that would lawfully entitle a country to invoke the right of self-defence.

Where does all this leave us? It depends on who you ask. In his piece titled ‘An American Perspective on a Chinese Perspective on the Defence Department’s Cyber Strategy and “Defending Forward”’ (October 23, 2018), Robert Chesney states that the US ought to be viewed as “the responding party in an asymmetric security dynamic involving a peculiar domain in which US capabilities are outstripped only by vulnerabilities”.

Lyu’s response is that what matters is not whether US cyber activity is an offensive action or a response to a threat. Instead, what really matters is “avoiding unintended escalation”. With China and the US locked in a seemingly unending battle for global dominance, and with no end in sight in the ongoing trade war, the latter appears to be the wiser suggestion.

The writer is a practising international lawyer and a graduate of Harvard Law School.

Email: veritas@post.harvard.edu