When is a cyber attack an act of war?
If foreign soldiers attack Germany, Berlin would more or less know how to react. Responses in such situations often involve familiar political procedures, trained armed forces and regulations dictated by international law.
However, if Germany becomes the target of a cyber attack, things would look a bit different. It could be that no one really knows how to respond. Security experts in the federal government hypothesize a scenario in which foreign hackers attack the computer servers of political parties, ministers and the Bundestag, just as the federal government discovers from which foreign servers these attacks originated. The government could thus theoretically defend itself by crippling the foreign servers and deleting the pilfered data. But who would be responsible for it? And would it even be allowed?
A panel of experts in Berlin has been struggling with these questions for months. The interior, foreign and defense ministries have been involved; the secret service and even the Federal Security Council have prioritized the theme on their agendas. Minister of the Interior Thomas de Maizière has already warned: “If we identify where a cyber attack comes from, we must be able to actively fight it.”
But there is no legal basis for such a response. The Federal Intelligence Service (BND), the agency responsible for foreign espionage, possesses the technical capabilities, but does not feel it is responsible for counterattacks in cyberspace. The ministry of defense has experienced cyber troops at the ready, but only has the duty to employ them if the cyber attack amounted to an act of war or were directed against Bundeswehr units abroad. The Office for the Protection of the Constitution would take on the task, but it would first have to expand its cyber capabilities in terms of counterespionage. An expedient solution is thus nowhere in sight.
This applies to much in the world of the internet, a world President Barack Obama has called the Wild West. There are no rules for what is allowed or what is forbidden. Many states consider hacking a foreign political party a permissible act of espionage; even the NSA and the BND allow for it. However, to then publish the material, as Russia’s secret service is alleged to have done with the help of Wikileaks, in order to influence the US election and deliver Donald Trump into office – this, at least in the West, is considered to be an impermissible breach of a foreign country’s domestic affairs. But where is that formalized?
During his farewell visit to Berlin in November, Obama called for rules to be implemented in cyberspace: “We have to work on and develop frameworks and international norms so that we don’t see a cyber arms race.” What would then be defined as an act of war in the internet? Former US Secretary of Defense Robert Gates once asked his Pentagon lawyers the same question. He had to wait two years for the answer. Even NATO has been occupied with this question; Secretary General Jens Stoltenberg claims that a cyber attack could trigger the mutual defense guaranty outlined in Article 5 of the NATO charter. But how severe must the cyber attack be?
Up until now, governments and secret service agencies have written their own rules for cyberspace. Indeed, the first computers helped British and American agents decipher German military codes, and ultimately to win World War II.
Infiltrating foreign networks and databases has been the core of electronic espionage since long before the world became digital. Operatives can now not only eavesdrop, but manipulate and destroy as well. The former separation between military, diplomatic and private networks hardly exists today – any can now be hacked. The game of espionage is now played with new technological means and, unfortunately, close to no rules.
If any initial binding rules have emerged, they exist only between individual countries. In 2015, the US, the UK and China agreed to carry out or tolerate no cyber attacks for the purposes of industrial espionage against companies. However, espionage against a foreign government and its military institutions is still allowed. Germany and China have also made a similar agreement in the past year.
Under the leadership of the German diplomat Karsten Geier, experts at the United Nations in New York are searching for a definition of what is permissible and what is prohibited on the web. The working group is located in the Office of Disarmament Affairs, and in June will issue a report on “responsible state behavior.” Those in Germany’s ministry of defense call it “table manners for nations.” In concrete terms, the issue is whether the crippling of a traffic light in a major city constitutes an act of war. Or perhaps the sabotage of its water supply. It will soon cover whether material stolen in a cyber attack may be used to influence elections.
In a certain respect intelligence services are now simply using the internet for the same sort of things they have always done. It is not new that agents are trying to influence foreign elections. The Soviet KGB did so, as has the CIA. Each agency has distributed embarrassing information about politicians around the world, and at times has cleverly invented news to trigger uprisings. The difference now is that everything happens much faster, cheaper and more effectively through the internet.
Even the distinction between war and peace is becoming blurred. In 2010, the US allegedly carried out the first military attack through the internet when they used a computer worm named Stunt to damage the uranium centrifuges in Iran’s nuclear facilities. Michael Hayden, the director of the NSA at the time, compared the action to the dropping of the first atomic bomb: “Somebody crossed the Rubicon,” he said. The US has been aware of the destructive power of cyber weaponry at least since 2007, when skeptical soldiers were shown that a few clicks of a mouse can cause more damage than a bomb: as part of the Aurora test, a 2.25 megawatt generator connected to the internet was destroyed within seconds.
A study by the Clingendael Institute in The Hague describes how various states react to cyber attacks. Saudi Arabia and South Korea have tried to stem foreign attacks on their own. Others have sought international assistance. In 2012, the US offered to purge harmful programs from computer servers operated by other countries. When Estonia was attacked in 2007, the country sought the help of NATO and the EU. Apart from that, attacked countries have at their disposal the toolbox of classic diplomacy. The alleged perpetrators can privately be warned that they have been found out; this can also be done publicly, with the threat of sanctions or the recalling of diplomats from the attacking country.
After the hack of the Democratic Party’s servers in the US, Obama threatened Moscow with even greater retaliation. His administration compiled a list of potential cyber targets within Russia. Attacks on Russian networks were discussed, as well as the publication of compromising information on the Russian President Vladimir Putin.
In Germany the issue is not retaliatory attacks, but rather defense – up until now, at least. Several intelligence chiefs have warned that Russia could interfere with electoral campaigns. These warnings were also for Russian ears, as well. The German government is now adopting a more threatening posture. Minister of the Interior de Maizière would like to allow the security agencies to attack foreign servers with the goal of completely paralyzing them, or at least of deleting stolen data they may store. Germany would be more or less alone in having formalized such a legal norm. Most states still adhere to the traditional rules of espionage: they complain loudly about what has been done to them, and then do the same to others.
However, many governments are worried that the issue is getting out of hand. The OSZE has now joined the EU in working on reducing the risks of a conflict that can arise through the use of information and communications technologies. The risks are vast. After Sept. 11, 2001, US President George W. Bush and his advisers discussed what could inflict more damage: 19 assassins hijacking airplanes, or 19 hackers attacking “critical infrastructure,” the server of a US bank, etc. It was already clear back then: the hackers are more dangerous.
We must now be vigilant that the attacks do not strike the West’s most critical infrastructure of all: democracy itself.
A version of this article appeared in print in February, 2017, with the headline “Hacking the Rubicon“.
Georg Mascolo is the former editor-in-chief of the German weekly Der Spiegel. He heads the joint investigative reporting unit of the daily Süddeutsche Zeitung and the public radio and television broadcasters NDR and WDR.