This file photo shows the sign outside the National Security Administration (NSA) campus where U.S. Cyber Command is located in Fort Meade, Md., June 6, 2013. (AP Photo/Patrick Semansky, File)
International security experts have warned that internet attacks by major world powers on other governments could lead to a real war. But they say it is not easy to define what kind cyberattack would be considered an act of war.
President Joe Biden said in July that if the United States ended up in a war with a major power it could “be as a consequence of a cyber breach of great consequence.” Biden made the comments to leaders of the U.S. intelligence community.
Tensions are currently high between Russia and members of the NATO alliance over a possible conflict in Ukraine. Russia has deployed more than 100,000 troops near its border with Ukraine. U.S. and NATO officials have expressed concern that Russia may invade Ukraine.
Some Western officials have also warned about the danger of Russia possibly launching harmful cyberattacks against Ukraine or NATO allies. But experts say there is no clear line for how severe a cyberattack would have to be before it resulted in military action.
“The rules are fuzzy,” said Max Smeets, director of the European Cyber Conflict Research Initiative, to The Associated Press. “It’s not clear what is allowed, what isn’t allowed,” he added.
The U.S. and other NATO members have threatened to put economic restrictions on Russia if it sends troops into Ukraine. But it is less clear if such restrictions would be put in place if Russia launched a serious cyberattack.
Currently, arms control treaties do not provide detailed guidelines on how state-backed cyberattacks should be dealt with. It can also be difficult to quickly identify who is behind such attacks. Criminals and independent attackers can also work together with governments, making it harder to target specific blame.
In 2015, major world powers and others agreed at the United Nations on a set of 11 voluntary guidelines for international cyber behavior. But those guidelines have mostly been ignored.
Ukraine has blamed Russia for a cyberattack last month on Ukrainian government websites. Experts say the damage from that internet attack – which affected servers at several agencies – was not considered serious.
But cybersecurity company CrowdStrike recently said on its website it thinks such attacks are likely to continue as Russian President Vladimir Putin tries to “delegitimize” trust in Ukraine’s government.
Michele Markoff is the deputy coordinator for cyber issues for the U.S. State Department. She said she thinks it will require, what she calls, “muscular diplomacy” to end such “immoral” and “destabilizing” behavior.
But it is unclear how such diplomatic efforts can be effectively carried out. Unlike nuclear arms, cyberweapons cannot easily be limited in treaties and they are difficult to identify. Violators are also not likely to be held responsible by the United Nations, since Russia and China both hold veto power on the Security Council.
NATO approved a new U.S.-supported policy last year. Under the policy, repeated lower-level cyberattacks could be enough to activate NATO’s Article 5. The article states that any attack on any of the alliance’s 30 members is considered an attack on all. But NATO rules are currently not clear on exactly what kind of cyberattack would be covered under Article 5.
Serhii Demediuk is with Ukraine’s National Security and Defense Council. He told the AP the U.S. and other NATO partners have been helping Ukraine set up a separate cyber military organization.
In November, Ukraine said it had discovered an eight-year spying operation by agents of Russia’s FSB security service that involved more than 5,000 attempted cyberattacks. Ukraine’s state-run news agency said the goal of the operation was to gain control over important infrastructure.
This month, American software company Microsoft said the cyber operation is ongoing. It said it found evidence of attempts to break into Ukraine’s military, judiciary and law enforcement systems. But Microsoft said no damage was discovered so far.
Words in This Story
consequence – n. the result of an action or situation
breach – n. an action that breaks a rule, agreement or law
fuzzy – adj. confusing and not clear
allow – v. to permit
delegitimize – v. make something seen as not valid or acceptable
destabilize – v. to make a government, area or political group lose power or control
infrastructure – n. the basic equipment and structures (such as roads and bridges) that are needed for a country or area