Professor Antonia Chayes Investigates "Rethinking Warfare: The Ambiguity of Cyber Attacks"

Harvard National Security Journal

Cyber attacks and cyber warfare raise issues of self-protection, the ability to fend off (or deny) an attack, attribution of the source of an attack, and effectiveness of response. It may be difficult to identify exactly when an “attack” has taken place; who has perpetrated the act; whether more than an internal response to repair and protect is appropriate; and, if so, what response is legal and proportionate. The problem of attribution alone raises novel issues different from those encountered in other grey area conflicts.

Many cyber intrusions are a form of commercial espionage—not an attack that might be a prelude to war. For example, “phishing”—literally requesting information by posing as legitimate organizations—may be a commercial crime, to be dealt with by the domestic criminal justice system, to the extent it has jurisdiction and adequate attribution can be made.

Yet economic espionage has been committed by states, and might be a precursor to a system-wide attack to destroy or cripple critical infrastructure such as electric, water and transportation systems. In fact, the definition of “critical infrastructure” under the Patriot Act of 2001 is very broad: “the term ‘critical infrastructure’ means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

Nations are acquiring experience and judgment to sort out what kind of response is appropriate to an incident that involves a large-scale, state-sponsored pilfering of data, but no shut-down of a system. The waves of attacks on major U.S. banks, such as those on Wells Fargo and JPMorgan Chase, are cases in point, with new cases reported weekly.

Factual uncertainty about the origins and nature of a cyber attack almost guarantees legal uncertainty under both international and domestic law. Legal indeterminacy in turn spawns confusion or competition among civilian and military actors over how to distribute roles and relationships. For example, a phishing attack upon American telecommunications, if attributed to a private party, might be handled by state law enforcement; if attributed to a nation, might be handled by the FBI; if regarded as part of a series of attacks to bring down critical infrastructure, might be handled cooperatively by the Department of Homeland Security, NSA, Cyber Command, and perhaps other agencies. The demands for close cooperation, discussed further along, are unprecedented.
