Threshold for kinetic response to cyber higher than for physical attack, says paper


The nature of cyber attacks makes it likely that the threshold for triggering a military response to one will be higher than a kinetic equivalent, says Columbia national security law professor Matthew Waxman in a paper published by the Naval War College.

It's been open U.S. official policy for years now that the president may respond with kinetic force to a cyber attack, such as those "that proximately result in death, injury or significant destruction," as State Department Legal Adviser Harold Koh said in a September 2012 speech.

The United States has shied away from drawing clear lines about what would provoke a kinetic self-defense response, however, arguing that context will matter in any evaluation.

The fact that malicious actions in cyberspace are opaque by their very nature--and that defenders also may be reluctant to disclose details, "or even the very existence of cyber attacks"--means that the political upshot is that "armed self-defense to a cyber attack will likely require quite a high minimum threshold of harm," says (.pdf) Waxman.

Were the United States to suffer even a low level kinetic attack, "say a barrage of small missiles that fail to detonate or cause much injury," an armed response wouldn't only be justified but likely politically necessary. But, a dud or stymied cyber attack probably wouldn't create the same political pressure to respond.

In fact, Waxman says there's an argument that the strategic value of promoting the right of armed self-defense against cyber attacks could be low, since proving the case for it publicly may be difficult but in doing so, states may introduce greater global insecurity and instability "by eroding normative constraints on military responses to non-military harms."

Lowering those constraints could pave the way for governments prone to overreaction to act with force, Waxman says, noting that basing triggers of self-defense on the effect of a cyber attack--i.e., whether one proximately results in death, injury or significant destruction--can lead to complications when deciding whether an attack is imminent and so worth of an anticipatory self-defense strike. Spotting the difference between a network penetration made for cyber espionage versus one that's an attack is difficult, Waxman notes.

All that said, Waxman acknowledges that cyber attacks are unlikely to occur in the absence of a wider conflict. That likely infrequency does mean, however, that there will be few opportunities "to develop and assess State practice and reactions to them in ways that establish widely applicable precedent."

For more:
- download the paper, "Self-defensive Force against Cyber Attacks: Legal, Strategic and Political Dimensions" (.pdf)

Related Articles:
White House should develop cyberspace deterrence policy, says SASC
Benefits of brandishing cyber weapons not obvious, says Rand paper
Third Amendment constrains military cyber operation, argues EPIC lawyer