Pentagon Concludes Cyber Attack Can Be Act of War

by Kenneth Anderson

The Wall Street Journal reporting on un-classifed portions of a report anticipated for release next month.  I concentrate on robots, not cyber, so I leave it to others to comment, but I do recall that this report and its conclusions have been discussed a fair amount in academic circles, and as far as I know this will not surprise people following those discussions. (Here’s a good new piece on the topic from Matthew Waxman, in YJIL) Though this is not my speciality, I wanted to flag it for people’s attention.

The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.

The Pentagon’s first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country’s military.

In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” said a military official.

http://opiniojuris.org/2011/05/30/pentagon-concludes-cyber-attack-can-be-act-of-war/

5 Responses

  1. It’s an interesting analysis, but that’s all it is.  The Pentagon doesn’t get to decide what is a war and what isn’t.  They get to analyze stuff and plan for stuff that will hopefully never happen.

  2. Response…
    An interesting question would be whether some cyber attacks are “armed” attacks, thereby allowing responsive proportionate self-defense against state or nonstate actor attackers under Art. 51 of the Charter.  Some attacks could be “armed” attacks in view of the consequences, e.g., of blowing up a power grid by targeting machinery to overheat and explode.
    The dictionaries tend to equate “arm” with weapon.  Is this too broad or apt?  Cyber attacks are, clearly, attacks using a “weapon”.

  3. What I am interested in learning is how the DoD intends to define an armed attack. The traditional IHL concept of injury, death, damage or destruction may or may not be expanded upon by looking at harm not falling into the traditional notions of kinetic effects. Thus, will the DoD doctrine expand to include profound effects on economic infrastructure and not just “exploding” infrastructure?

    Certainly, using the effects based test, kinetic effects from a cyber attack fall within the meaning of armed attack. But what about the disruption of stock exchanges? While the roof of the NYSE may not cave in from a cyber attack, the economic consequences would be profound but don’t cause the IDDD consequences required to suggest an armed attack has occurred.

    I suspect that the unnamed official’s comment that “shutting down a power grid” would justify a conventional military response might be misplaced. I would be interested to know if DoD legitimately believes such a response would be justified under such circumstances. It will be interesting to see in the coming weeks what DoD really has in mind here.

    As you have noted, this topic has been flogged by a number of experts in the early 2000s – Schmitt, Dunlap, Holis and others have done an exceptional job of analyzing the cyber-IHL question but with a rapidly changing landscape in the cyber realm (e.g. Stuxnet), I think this subject deserves another look in 2011 and beyond.

    I recently wrote a paper looking at Stuxnet from an IHL perspective, focusing on the principles of distinction and proportionality if anyone is interested. There are also a number of interesting papers on the Net focusing on the jus ad bellum question, which remains a topic of considerable debate as it relates to the attribution to a state of non-state actors operating within its borders. This is a fact-based, technological problem in identifying the attackers, which has stymied thinkers on this question. However, I would posit that this is more a legal question related to state responsibility for actors within its borders (I should note that I do not have a clear analytical framework to argue this point – just a theory).

  4. ==“If you shut down our power grid, maybe we will put a missile down one of your smokestacks,”==

    Does he mean that Ahmadinejad can put a missile in the White House for the stuxnet virus? Or is this one of those exclusive U.S. privileges?

Trackbacks and Pingbacks

  1. […] surprising that the Pentagon would sit quietly to such attacks. The WSJ reported recently that the Pentagon would consider cyber attacks […]