Truman National Security Project

What is an Act of Cyber War?

Wikimedia-servers

We need new rules of engagement in cyberconflict. And they must be flexible enough to allow the military to conduct specific — yet limited — cyber-operations without presidential authorization. Requiring the president to approve all cyber-offensive operations is an antiquated framework that made sense when cyberthreats were less sophisticated. Times have changed.

What we need are prescribed thresholds for action. This, along with flexibility to act, will increase the military’s ability to respond appropriately and proportionally to cyberattacks. These thresholds will ensure proportionality in offensive actions and compliance with customary international humanitarian law.

This measured framework is necessary, because attributing who launched cyber-attacks is complicated. Today, the military might know where a cyberbreach originated, but it cannot discern key factors: Who sat at the keyboard? Who financed the attack? Is the culprit and financier a state or nonstate actor? Why did they attack? These answers are critical to inform policymakers and determine what constitutes a “cyber” act of war.

Some have called for authorizing the military to defend private corporate networks and critical infrastructure sectors, like gas pipelines and water systems. This is unrealistic. The military has neither the specialized expertise nor the capacity to do this; it needs to address only the most urgent threats. These calls also disregard privacy concerns about military involvement in private networks. As a result, everyone has a role to play in cybersecurity, and the military should get involved only in extreme circumstances as defined by the prescribed thresholds.

No one expects the military to act every time Facebook’s networks get hacked. And no one expects the military to serve as Facebook’s primary security provider. But, if a cyber-intrusion creates a large-scale power loss in the dead of winter, we should explore military options. Many lives may depend on it.

Candace Yu is a Truman Security Fellow. This article originally appeared in “Room for Debate” on the New York Times.