Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this becomes more than an academic question.
The common view is that cyberwar is war in the cyber domain. This is only partially true. It is more productive to consider war and cyberwar as two separate entities, albeit with overlapping edges.
The Merck insurance ruling illustrates this. For most people outside of government and military, the NotPetya attack against Ukraine was an obvious act of cyberwar. It was aggressive, it caused damage, and it was perpetrated by a Russian agency (the GRU) as part of an undeclared war against Ukraine. If it was an act of war within Ukraine, surely it was an act of war beyond Ukraine?
The answer is no. NotPetya was never, technically, an act of cyberwar. Misunderstanding this and the definition of cyberwar cost the insurance industry $1.4 billion. Trying to shine a light on a common person’s actionable understanding of cyberwar and cybersecurity is the purpose of this article.
What is war?
War is usually defined as kinetic military action between two nations, following the declaration of a state of war. This is not a universal view. The purpose of war is for one party to exert supremacy over another – and this can be achieved by means other than armed conflict. It can be achieved just as effectively by economic means, by psyops including disinformation, or by any other non-military means of effecting regime change.
Kevin Tierney, VP of global cybersecurity at General Motors and a member of the CISA Cybersecurity Advisory Committee (CSAC), holds this wider view. “If two countries are fighting over something, it’s not always by kinetic means. Sometimes it involves economic disruption,” he told SecurityWeek.
“If you disrupt large parts of the operational system of the target country, disrupt the financial systems, have a country lose trust in its information, lose governmental data, halt transportation or damage energy or water supplies, you can win a war without killing each other.”
[See The Vulnerable Maritime Supply Chain – a Threat to the Global Economy for the potential effect of disrupting the maritime supply chain.]
The Cold War was an undeclared war, primarily non-kinetic (with localized flare-ups around the world), between the USSR and the West. The West prevailed in this war by economic means rather than force of arms – the USSR ceased to exist.
But however you define war, there is a fundamental difference between the physical and cyber domains. Physical war is largely constrained within the national boundaries of the combatant nations. Cyberwar is not constrained by national boundaries and has a greater potential for spilling out to become global in effect, very rapidly.
Largely for this reason, cyberwar is usually, and somewhat arbitrarily, described as something separate from the wider concept of war. Cyberwar is neither viewed nor defined in the same terms as non-cyber war.
What is cyberwar?
Most nations consider that the correct response to a foreign nation-state’s cyberattack against their critical industries could include kinetic action. Cyber activity thus has the potential to spread accidentally and expand into a global military conflict. To limit this potential, the threshold for what constitutes cyberwar must be, and is, set very high.
Most definitions ultimately derive from the Tallinn Manual – developed by international experts at the NATO Cooperative Cyber Defence Centre of Excellence based in Tallinn, Estonia. From this work, cyberwar is limited to cyber activity that causes, or can be expected to cause, death or destruction.
Anything less than this is generally considered to be cyberespionage rather than cyberwar – and cyberespionage is specifically excluded by Tallinn. This ultimately leads to a common binary view of cyberwar based solely on the delivery of death or damage – especially if that occurs to the critical infrastructure.
Tom Kellermann, senior VP of cyber strategy at Contrast Security, takes this view. “Cyberwarfare is when a nation state launches a destructive cyberattack against a critical infrastructure,” he told SecurityWeek. Almost everything else he would describe as cyberespionage.
John Hultquist, VP of intelligence analysis at Mandiant, agrees. “Economic suppression isn’t war,” he said. He disagrees with calling the Cold War an actual war, describing the term as a metaphor. “The moment it is war is when violence or the threat of violence is being applied. I think that’s a crucial element. You only really cross that line when people start dying.” The implication is that anything that falls short of death (or at least the expectation and intent to cause death or destruction) can only – at the worst – be classified as cyberespionage and not part of cyberwar.
The argument for excluding cyberespionage as a part of cyberwar is simple. It is spying conducted in the cyber domain. Spying is and always has been a part of everyday life, from individuals to corporations to governments. If spying is an act of war, the world has been at war with itself since the dawn of time. The only difference in the modern world is that cyber-spying is easier, more scalable, and more deniable than ever before.
The danger here is that the difference between genuine cyberespionage and actual cyberwar could be a simple instruction from a C2 server at any time, or a mistake by the attackers, or a bug in their software. This brings two other terms into the classification: expectation and intent, both of which are fundamentally subjective interpretations that are easily deniable by an aggressor.
Vladimir Putin once famously denied government involvement in hacking, saying it may have been patriotic Russian citizens “contributing, as they believe, to the justified fight against those speaking ill of Russia.” In short, it wasn’t the Russian state, it didn’t cause death or destruction, and it cannot be considered an act of cyberwar.
Deniability is important. In a western democracy, legality is defined by the courts. Knowing something is not enough – it must be provable to the higher standards of a civilian court. Intelligence agencies may know something to be true, but be unable to make public the source of their knowledge.
Helder Figueira, founder at Incrypteon, studied and briefly practiced law before becoming an Electronic Warfare Signals Officer commanding a cryptanalysis unit with the South African Army. “Cyberwarfare is military action in the digital domain,” he said. “But a cyberattack by a sovereign state is hard to prove or identify. To complicate identification further, such activities are usually outsourced to independent contractors – which leads to the incidence of these activities increasing, since there are no actual diplomatic repercussions.”
He adds a further complication for the future. “Now imagine AI attackers waging ‘cyberwar’ against a target.” There are no legal remedies against a sub-contracted AI attacker.
Dr. Stephanie Carter, principal of FedRAMP advisory services at Coalfire, comments, “The last official release of what this means was published by the Senate Armed Services Committee stating that ‘The determination of what constitutes an act of war in or out of cyberspace, would be made on a case-by-case and fact-specific basis by the President.’”
Right now, she continued, “We are at the mercy of the Presidents to declare what is a part of cyberwar and what is not. That decision will be greatly influenced by political power and national defense… the goal should be defining cyberwar so that there are only clear-cut lines, not ‘clear as mud’ interpretations.”
A commonsense view of NotPetya is that it was an act of cyberwar undertaken by Russia against Ukraine in 2017. There was an undeclared state of war between the two nations since the annexation of Crimea in 2014. The attack was perpetrated by a Russian state agency (the GRU), and it caused damage.
It would be equally commonsense to view any collateral damage (such as that to the US pharmaceutical giant, Merck) as a part of that act of cyberwar. However, on May 1, 2023, the US courts declared that the NotPetya attack could not be classified as an act of cyberwar. Among other arguments, the ruling stated, “While the attack caused property damage, there was no evidence the NotPetya malware caused bodily injury or death… the NotPetya attack is not sufficiently linked to a military action or objective as it was a non-military cyberattack against an accounting software provider.”
Juan Andres Guerrero-Saade, senior director of SentinelLabs at SentinelOne and an adjunct professor of strategic studies at Johns Hopkins SAIS, explains some of the complexities in describing a cyberattack as an act of cyberwar. Firstly, can it be proven in a court of law (beyond simply being known to the intelligence agencies) that it was delivered by (in this case) the GRU? “Who exactly did it; where they were sitting; what uniform were they wearing. Who ordered what, and to what extent was it a premeditated action rather than the result of fat fingering something that turned it from a simple cyberattack into a potential act of war?”
This is where expectation and intent become important. The NotPetya weaponry could hardly be called a traditional weapon of war – it was fundamentally ransomware. The aggressor could simply claim that it was criminal ransomware that went wrong – certainly not an act of war. “In the context of intentional damage to critical infrastructure, I really like to point to malware such as Industroyer, as a really clear case,” continued Guerrero-Saade. “Industroyer has specialized tooling that is baked into the code and is specifically designed to interact with infrastructure so that it can damage it.”
If it is difficult for a third party (the US) to prove NotPetya was an act of war within Ukraine, it becomes impossible to prove that collateral damage outside of Ukraine (such as that caused to Merck and very many other global companies) was caused by an act of cyberwar against the US or other nations. “I’m not sure how you could prove intent to cause collateral damage without having access to the notes or recording of the meeting at which the decision to use NotPetya was made,” comments Robin Long, founder of Kiowa Security.
The basic problem is that many of the artifacts of any cyberattack are dual-purpose tools, used as much for ‘friendly’ purposes as for nefarious ones. “Many of the things that would be considered reconnaissance phases in cyber [and therefore a fat finger away from causing damage] are things that are currently being done to our systems every day by ad tracking networks, by Google – run of the mill things,” added Guerrero-Saade.
But herein lies an example of the fundamental problems with what amounts to an interpretive definition of cyberwar. A cyberwar wiper could be delivered by ransomware with broken decryption and be invisible as an act of war. Any damage could be claimed as accidental to the proffered purpose of collecting money, while the perpetration could be blamed on criminals.
This is not just a theoretical possibility. “The actors,” said Hultquist, “have known that for a long time. They were doing it before NotPetya. They were experimenting with that for a year. They’ve done it many, many times since the invasion in Ukraine. It’s a wonderful tool if you want to hide yourself behind an operation that looks criminal. I’ll go one step further,” he continued. “I’m certain that has already happened, and the real motivation has simply been ascribed to financial motivation.”
The Colonial Pipeline incident demonstrates these blurred lines. It caused damage to the critical infrastructure but is not classed as an act of cyberwar. “If you look at Colonial Pipeline,” comments Hultquist, “there was a massive disruption to American critical infrastructure. But the intent wasn’t to disrupt the infrastructure, the intent was to just make money. So, although it followed the same sort of blueprint you might expect from a state actor in a time of war, it was just designed to make money.”
Now apply this reasoning to Russian meddling in the 2016 US elections. To many, it may appear to be an attempt at engineering regime change – from a global liberalism to a local America First platform (and from there to a weakened NATO and a more successful war against Ukraine). While attempted regime change might seem an obvious act of war, how can you prove this when you cannot prove the perpetrator in a court of law, no physical damage was done, and nobody died?
So, what is the definition of cyberwar?
The official definition is clear: it must result in physical damage and/or loss of life. Cyberespionage is excluded. Intent, which is largely a value judgment by the defender, is part of the argument. It is perpetrated by one nation state against another nation state. Knowing that an action is an act of cyberwar is not enough – it must be provable in a western democracy’s court of law.
The difficulties in this semi-formal definition are not all bad, because they allow flexibility in government response. A government is not required to ask a civilian court of law, ‘is this an act of war to which we can respond?’ Politically, the government can simply say, this is too much – we respond.
The international danger is that the UK made it clear as long ago as 2018 that it considers an actual cyberwar attack can legally trigger an immediate and unannounced kinetic response; and that since this is an interpretation of international law, any of its allies can take a similar stance. Ultimately, it is for this reason that the definition of cyberwar is purposely set high.
The Merck ruling makes it clear that the political/military definition of cyberwar is not a common person’s understanding of cyberwar. The correct response to what appears to be cyberwar needs to be based on the visible effect of a nation-state or nation affiliated attack, and not a government’s definition of cyberwar.
Does it matter?
A cyber act that is a clear-cut act of cyberwar could easily demand or spiral into military kinetic retribution. For the reasons we have discussed, that final decision is ultimately left to the President – and that being so, the final question we need to ask is whether this distinction between cyberwar and cyberespionage has any practical relevance to the corporate cyber defender. After all, that defender must be resilient to all attacks, by whomever and for whatever purpose.
Just as there are multiple opinions on what constitutes cyberwar and how it relates to general war, there are multiple answers to this question.
“There’s a risk equation,” says Malcolm Harkins, chief security and trust officer at Epiphany Systems. “Risk is a function of threat, vulnerability, and consequence. I have no ability to control either the threat actor or the threat agent – it’s an uncontrollable variable. As a CISO, the only thing I have in my ability to manage security for my organization is my ability to manage how exploitable I am. That’s the only thing I can control. Everything else is just what it is. Running security is managing exploitability. If I over-focus on the nature of the perpetrator, I’m wasting time, because I have no ability to affect the actor.”
Hultquist has a different view. “It absolutely matters. You can’t do risk assessments if you don’t care who the attacker is. If you were in Ukraine two years ago and were responsible for securing the IT infrastructure, and you decided it didn’t matter whether or not there was a war looming, you would have failed. If you don’t consider who the adversary is, you can’t begin to secure your systems.”
He continued, “We sometimes forget to ask, who are the bad guys and what capabilities do they have – when will they attack and when will they not attack? Am I even at risk from these people? Imagine it’s the eve of World War Two, and you are responsible for making all the purchasing decisions for the military. You want to know what capabilities the enemy has developed, but somebody says to you: ‘You don’t need to know that; you can just make decisions based on what you think is best.’”
A third, potentially more political view comes from Guerrero-Saade. “This should be a very real nuanced concern for people both as citizens of law-abiding nations and as people trying to figure out what the right measures are for defense.” If the President is ultimately responsible for the right measures beyond CISOs defending their networks, we need to understand the arguments underlying those decisions taken in our name.