Richard Harrison is a Research Fellow and Program Officer at the American Foreign Policy Council in Washington, DC, where he heads its programs on defense technology. Emily Greenfield is a researcher at the Council.
Late last month, computers in Seoul became the latest victims of the growing number of cyber-intrusions now taking place worldwide. Approximately 32,000 computers belonging to South Korean banks and broadcasting stations were shut down by an unknown perpetrator, strongly suspected to be the notoriously unpredictable Stalinist regime in North Korea.
These cyber operations, and a similar intrusion that destroyed information on the hard drives of 30,000 computers of Saudi Arabia's Aramco oil corporation this past summer (likely at the hands of Iranian hackers), have shed light on a new challenge now facing sovereign nations: How to respond to cyber operations targeting their respective private sectors.
The problem is considerable. Currently, cyberspace is still a relatively unregulated domain, one without binding international laws defining acceptable behavior (or even settled norms suggesting them). As a result, no proportional response mechanisms are yet in place for states to rely on in addressing cyberattacks of the kind taking place in Riyadh, Seoul and elsewhere.
But serious efforts are now being made to rectify this problem. Thus, NATO's Cooperative Cyber Defense Centre of Excellence recently commissioned an international group of experts to construct a framework for regulating cyberwar. The resulting strategy, released earlier this year and entitled the Tallinn Manual on the International Law Applicable to Cyber Warfare, seeks to outline when it would be appropriate for a state to use force in response to a cyberattack and what actions would be permissible during the ensuing conflict.
So far, so good. But warfare is one thing, cybercrime quite another. The Tallinn Manual stops short of providing nation states with clear guidance about how cyber acts short of war, and in particular espionage, should be treated.
That, however, is the key issue with which both the White House and Congress are now grappling. The release in February of the Mandiant corporation's latest report gave policymakers and corporations alike an inside look at the world of Chinese cyberespionage and its devastating economic effects. But while the Mandiant report focused on just one entity—a unit of China's People's Liberation Army involved in large scale hacking and intellectual property theft—the problem goes much deeper. The persistent disruption of online banking in the U.S. by adversarial cyberoperations continues unabated and unpunished. So does the exploitation of cyberspace for gray and black market economic activity that has real effects on American commerce.
Here, the Tallinn Manual can help. Although the economic damage caused by cybercrimes doesn't satisfy the requirements for the use of force, as set out by the document, a framework for response can still be extrapolated from it. Specifically, per the Tallinn Manual, if a state harbors an actor committing the cyberoperation in question, then it can ultimately be held accountable. And if a state acts in self-defense in response to a cyberoperation, the Manual counsels a proportional response.
These ideas about attribution and proportionality can help policymakers in Washington in their efforts to craft a comprehensive cyberstrategy. They also suggest an important guiding principle to inform their efforts: That any state which allows cybercrimes to occur on its soil should to be held accountable for them (much the same way that physical acts that threaten foreign nations are already penalized under international humanitarian law).
That's simply prudent planning, because unless rules are created to govern cybercrime (and not just cyberwar), an isolated act of cyberaggression could easily spiral into actual physical conflict.