Monday, November 15, 2010

Are cyberattacks an act of war?

An interesting question is what constitutes "cyberwar," that is, war in cyberspace. It wasn't defined a few years ago, and it's still not well defined today.

I was reading Cyberdeterrence and Cyberwar by Martin C. Libicki of RAND today. It's a long document and I've only made it through the first dozen or so pages at this point, but he makes a really interesting point (page xvii) about the role of cyberdeterrence in preventing cyberwar:
Might retaliation send the wrong message? Most of the critical U.S. infrastructure is private. An explicit deterrence policy may frame cyberattacks as acts of war, which would indemnify infrastructure owners from third-party liability, thereby reducing their incentive to invest in cybersecurity.
In other words, if cyberattacks can be considered acts of war, would this trigger the Act of War exclusion common in many insurance coverages, allowing parties to escape liability for damage caused by a cyberattack by framing it as an act of (cyber)war?

Your money gets stolen from a bank: sorry, act of cyberwar.

House burned down by a virus attacking your smart meter: sorry, act of cyberwar.

However, the courts have decided that 9/11 and similar acts of terrorism are not acts of war:
the courts have consistently held that a “war” within the meaning of an “act of war” exclusion can only exist as between two sovereign or quasi-sovereign governmental entities.
So, despite rhetoric about "war" in various forms, courts have set a pretty high bar for use of the term. Until two countries (or one at least) come out and declare cyberwar explicitly on another country, I doubt we'll see the term hold up in court.