Proportional response to cyber attacks by foreign governments remains an unclear challenge

Behind an average strip mall in Rye Brook, a suburban New York town just north of the Bronx, sits a tiny, unremarkable dam. This bit of stormwater infrastructure is notable only because it was hacked, and not by just anyone.

The US Department of Justice indicted seven people working on behalf of Iran’s Revolutionary Guard for the attack.

The dam was offline at the time of the attack and no harm came of it. However, Rye Brook Mayor Paul Rosenberg says the same software is used elsewhere to control larger and more important dams. “Either they were horribly misinformed and they thought that by raising and controlling the dam they were going to release some kind of Noah’s ark tidal wave,” he says. “Or they were practicing.”

Cyber attacks by foreign governments are rapidly growing in number and sophistication, and yet there’s no clear sense for what an appropriate response to such an attack looks like.

“In cyber security, much as in nuclear strategy in the immediate post-World War II era, what actions will produce what results are still unknown,” says Zachary Goldman, executive director of NYU’s Center on Law and Security. “Some people asked after the DNC hack, ‘Was that an act of war?’ The answer is almost certainly no. But what is a proportionate dissuasive response to the DNC hack? Not clear. There is no settled response to that question. We don’t have a well-developed concept of deterrence. We don’t have a well-developed concept of strategic interaction in cyberspace.”

Article 51 of the UN Charter is accepted by most nations as including cyber conflict, but only when it comes to self-defense in response to a cyber attack. Beyond that, the legal framework is full of gray areas.

David Fidler at the Council on Foreign Relations is an expert on international law in cyberspace. He says, “In all of the controversies about cyber security we only have one incident that really sort of pushes that threshold, and the one incident that sort of does bump up against that is the Stuxnet attack on the Iranian centrifuge facilities allegedly conducted by Israel and the United States. Everything else falls well underneath that.”

Stuxnet is a computer worm that destroyed a thousand or more centrifuges that were part of Iran’s nuclear program. Reuters reported a similar attack launched at North Korea’s nuclear program failed. It’s possible the US could one day face a similar cyber assault.

John Bumgarner is the chief technology officer at the US Cyber Consequences Unit, which studies possible outcomes of cyber attack then provides the government with data and training. “In the electric grid in the United States, generation systems that generate electrical power spin the exact same way as those gas centrifuges,” he says, “Depending on how big they are can take years to get.”

Countries often depend on threats of retaliation to deter such attacks, but Bumgarner says it doesn’t really work that way in cyberspace.

“The only reason deterrence has worked in physical space like nuclear weapons is because it’s pretty easy to track when a nuclear weapon is launched from Russia to the United States or from Britain or France. But in cyberspace it’s not easy to determine who the actor is launching the weapon.”

NYU’s Goldman says the risk of escalation is tremendous. “When you start doing things like taking down portions of the power grid you very quickly run the risk of escalating a situation because it’s not hard to imagine ways in which people could get hurt and even, God forbid, killed, if portions of the power grid go down, if the streetlights go out, if hospitals shut down, if food starts spoiling on the shelves of supermarkets.”

Filder says virtually everything below that threshold, including the hack and leak campaign during the 2016 presidential election falls into a gray area subject to rules pre-dating our cyber world.

“You see the frustration because this type of attack indicates that cyber and digital technologies create possibilities and capabilities that these legacy rules have a very hard time capturing, describing and then providing guidance for future action," he says.