How to Respond to Cyber Espionage, Corporate Computer Attacks and Other Acts of Online Crime? Experts Weigh Options

The question of how to react to a cyber attack brings up a complicated set of conundrums: When is a military response called for, as opposed to one from law enforcement? At which point does an attack on a company affect the security of a whole country? Does the victim respond with cyber warfare, or with a blizzard of bombs and bullets? And how quickly can the response be assessed through the norms of international law?

By UM News 04-26-2013

These were among the issues debated at a symposium organized by Miami Law's National Security and Armed Conflict Law Review and moderated by Professor Markus Wagner. The discussion, titled "The Internet and Armed Conflict," included as panelists the retired U.S. Air Force Major General Charles Dunlap, a Professor at Duke University School of Law; Jamil Jaffer, Republican Chief Counsel and Senior Advisor to the Senate Foreign Relations Committee; and Major Michael McFerron, a cyber-specialist for the U.S. Marine Corps, Southern Command.

"The evolving nature of national security law is important for those who practice law no matter what your particular practice is," Dunlap said. "There is almost no area of law that isn't going to be impacted."

Cyber warfare and the role of the Internet in conflicts and political upheavals has been a matter of much debate in the wake of the attack on the U.S. consulate in Benghazi, President Obama's executive order on cyber security, and a recent report in which U.S. intelligence leaders said for the first time that cyber attacks and cyber espionage had supplanted terrorism as the top security threat facing the United States.

"We do have a challenge to wrap our arms around what is exactly the nature of threat," Dunlap said. "The threat of cybercrime is very great. There are lots of actors out there who are figuring out a way to get your credit card and do bad things. The threat of espionage is immense and I think we've seen actors out there who have been very successful at garnering a lot of information."

Some people believe in the possibility of a cyber attack that could be as devastating as Japan's raid on Pearl Harbor in 1941, Dunlap said. "But if it was really easy to have a truly catastrophic cyber event, it would have happened," he went on. "There are too many people out there that want to hurt us any way they can. If they could turn the lights off in New York City for a month, and whatever chaos might ensue, they would have. That said, we do need to be concerned and we are operating in a legal environment which is complicated, not so much because the law is inadequate, but because the technology of understanding what is going on – determining what the facts are – is so difficult."

Jaffer continued the metaphor. "Cyber Pearl Harbor is not the thing to be worried about," he said. "I think the thing to be worried about today is really what is taking place on a day in–day out basis, and that is this massive campaign of cyber espionage that is taking place among U.S. private enterprise by the Chinese government. And the reason I raise that issue is because a lot of people talk about nation-state actors and what they might do that have kinetic-like effects. That is what is often talked about in the armed conflict context. What we are missing today in part is that we are in literally an economic war with China when it comes to cyber because of the level and scope – and we know it is the nation-state actor."

The intelligence community, Jaffer said, knows that there is a determined effort by the Chinese government to go after private U.S. companies, steal their intellectual property, bring it to China and let them reproduce it cheaper, faster, better. "What the Chinese government has done today is largely unprecedented: stealing from the private sector for economic gain. When does that rise to the level of an armed conflict? The fact is that if the attack is great enough, the U.S. will be forced to act against the parties they think are responsible. We will act, and we have, without U.N. endorsement when we feel we need to."

Professor Markus Wagner – an expert on the use of autonomous weapon systems – was curious as to whether new technology might speed up or slow down the need for a military response to a cyber attack. McFerron, the cyber-specialist for U.S. Southern Command, responded: "Inherently in the culture that we grow up in today, information is at our fingertips. It isn't any different in the military. When I first came in, fifteen years ago, I was with a communication battalion and we had three computers. Now there is one on every desk – it is the culture and dependence on it. The way we control and command our forces is extremely dependent on networks. Today we are looking at a complete redesign; what the Internet was created to do in the first place, to collect and share information – not so focused on the vulnerabilities."

In the case of cyber attacks, he said, "One thing we look at is access, capability, and intent – maybe they didn't have intent to do what they did." He added that it is important to determine to whom to attribute an attack – an individual or a group or a nation state. "The time it takes to do that and then get it into the hands of someone with the authority and legal know-how to say what the legal reaction should be, is extremely long," McFerron said.

The panelists made clear that the current legal rules are to a large extent applicable to the cyber world. What is less clear, they agreed, is how to determine where an attack originated or who was behind it. The use of cyber technology for criminal purposes or in the context of an armed conflict will therefore continue to pose challenges well into the future.