Mouths went agape when New York Times reporter David Sanger wrote in June that anonymous sources within the United States government admitted that the United States and Israel were indeed the authors of the Stuxnet worm and related malware. Those two countries had long been suspected of creating the code that wrecked centrifuges at Iran’s Natanz uranium enrichment facility. But never before had a government come so close to claiming responsibility for a cyberattack.
The origins of the most sophisticated cyberattacks ever undertaken may now be clear, but exactly where such attacks fit in the universe of war and foreign policy—and what the international community would consider a proper response to them—is still the subject of debate.
A particularly important question is what sort of cyberattack is the equivalent of a traditional armed attack. Efforts to answer that question have culminated in the Manual on International Law Applicable to Cyber Warfare (also known as the Tallinn Manual), which will be published later this year.
The Tallinn Manual is a nonbinding yet authoritative restatement of the law of armed conflict as it relates to cyberwar. It offers attackers, defenders, and legal experts guidance on how cyberattacks can be classified as actions covered under the law, such as armed attacks. “The term ‘armed attack’ has a precise meaning in international law: Not all ‘cyberattacks’ rise to the level of an armed attack,” says Bret Michael, a professor of computer science and electrical engineering at the U.S. Naval Postgraduate School, who has been serving as a technical expert to the group drafting the Tallinn Manual.
Despite this progress, the international community is just at the beginning of what could be a long process, says Charles Barry, a senior research fellow at the National Defense University’s Institute for National Strategic Studies, in Washington, D.C. He predicts that it will take “another 20 to 50 years to get traction on cyberrules.”
What is certain, say observers, is that going forward, conventional warfare will almost always be complemented by cyberwarfare aimed at knocking out an opponent’s communications and intelligence-gathering capabilities. “Actually, that’s already being done,” says Michael.
Cyberattacks can aid in military campaigns, but can the threat of a military response serve as a cyberdeterrent? “That’s downright silly, because it’s difficult, bordering on impossible, to identify a cyberattacker beyond a shadow of a doubt,” says Larry Constantine, a professor in the mathematics and engineering department at the University of Madeira, in Portugal.
However, identification beyond a shadow of a doubt might not really be needed to escalate a cyberattack into an armed conflict. In June at CyCon 2012, a NATO-sponsored cyberconflict conference in Tallinn, Estonia, U.S. Air Force Lt. Col. Forrest Hare told attendees that attribution is a political, not a legal, concept. The three standards of proof used in criminal law—“beyond a reasonable doubt,” “clear and compelling,” and “preponderance of the evidence”—don’t apply to military and intelligence operations. Michael adds that the difficulty of reliably tracing an attack to its source does not preclude the use of other sources to weave together what he calls “a clear mosaic of responsibility.” Showing who funded the activity or provided the actors with guidance may be enough.
And there is already a deterrent in the form of the law of armed conflict, says Michael. It holds military commanders or their civilian superiors who order attacks that amount to a war crime as criminally responsible.
In the meantime, governments can try to take heart in the belief that there are few nations capable of fielding a cyberweapon with the sophistication of Stuxnet. But Jeffrey Voas, a computer scientist in the computer security division at the U.S. National Institute of Standards and Technology, in Gaithersburg, Md., notes that if an attack doesn’t require stealth, the code doesn’t have to be nearly as artful. And there are tens of thousands of people who could pull off a less sophisticated strike, says Constantine, who designed his own Stuxnet-like malware in 2003 as the basis for a novel. In other words, powerful cyberattacks are within the range of many states, so long as they don’t care if they get caught.
This article was modified on 26 July 2012.