The massive data breach announced last week of personnel records stored at the U.S. Office of Personnel Management has left many questions unanswered.
Among them: Was the theft of files filled with the private details of 4 million federal employees digital espionage? Or was it something even larger – perhaps an act of cyberwar perpetrated to damage the nation?
The OPM attack provides only the latest example of the many ways in which the lines between spying and military action are blurring on the Internet. It highlights how cyberspace is increasingly becoming the arena where nations practice the arts of statecraft.
To that end, an international group of military strategists and legal scholars is hard at work to help define where online espionage ends and military actions begin, with the goal of detailing what international law says can be done in response to either.
Espionage or war?
Some analysts and politicians were quick to seize on the OPM hack as proof the government needs to take cybersecurity more seriously. But there’s little agreement as to just what the hack actually was.
U.S. officials say they are investigating whether Chinese hackers are to blame; China's Foreign Ministry spokesman Hong Lei called the accusations "irresponsible."
"We should be very clear: China is at virtual war with the United States, and the threat is far higher than that of terrorism, which gets the lion's share of attention — and, in the post-9/11 world, funding," he said.
"This doesn’t look like cyber fraud," said Freedman. "This looks like espionage."
At a press conference following G-7 meetings in Europe, President Barack Obama was equivocal.
"Both state and non-state actors are sending everything they’ve got at trying to breach these [U.S.] systems," Obama said. "In some cases, it’s non-state actors who are engaging in criminal activity and potential theft. In the case of state actors, they’re probing for intelligence or, in some cases, trying to bring down systems in pursuit of their various foreign policy objectives."
U.S. politicians have long warned about the dangers of a looming cyberwar and in recent years the warnings have grown more dire.
In 2012, then-Secretary of Defense Leon Panetta told a Senate appropriations subcommittee that "America faces the potential threat for another Pearl Harbor" and that "technologically, the capability to paralyze this country is there now."
But intelligence historian Matthew Aid, author of the book "The Secret Sentry" – considered by many a definitive history of the National Security Agency – told VOA there’s no clear definition of online war because, by its very nature, it defies clear definition.
"There’s offensive war, which runs the gamut from hackers trying to steal your banking information, but also the use of intelligence agencies such as the NSA hacking into the governments of foreign nations and terrorist organizations to find out what their intentions and capabilities are," Aid said.
"Then there’s the defensive side, with varying government agencies squabbling about who has the authority to defend American corporations and citizens from cyber-attacks from abroad," he said. "There was no one term, so they slapped the label 'cyberwar' on it."
'Law of War'
The difference between labeling an attack an act of espionage or military action is more than just semantic.
Over a period of hundreds of years, an international body of law and treaties has developed governing what nations can and can't do while at war, and while conducting espionage.
Called "Jus in Bello," this "Law of War" addresses nearly every aspect of conflict, from how wars begin and end to defining legitimate targets, the treatment of prisoners, and what are war crimes.
Brigham Young University professor of law and former U.S. Army Judge Advocate Eric Talbot Jensen has long studied the intersection of cyber and the law of war. Jensen points out the law is silent when it comes to espionage.
"True espionage is by definition not illegal under international law, although every nation in the world says it’s illegal as a matter of domestic law," Jensen said. "Espionage by definition is gathering information. That’s never been an act of war. Now if that espionage transitions to acts of sabotage, if it creates effects of significant impact and duration, that might be an act of war, but just espionage, no."
Jensen is part of the international team drafting the latest version of what’s called the “Tallinn Manual” – a guidebook as to how the Law of War applies to cyberspace.
"There is pretty good agreement on principles, but when you get into the details it becomes much more murky," he told VOA.
Jensen cites attribution, intent and the targeting of combatants versus civilians as just a few of the highly technical legal issues the Law of War takes great pains to dissect; issues the Internet can make considerably fuzzier.
The clearest example of a full-blown act of cyberwar, he says, is the Stuxnet malware that destroyed Iranian computers and SCADA systems.
"Let’s assume the U.S. and Israel were behind it," he said. “If they did in fact develop a cyber tool that infiltrated the nuclear facility in Iran and do the damage it did, that’s a clear violation of Iran’s sovereignty and in fact a use of force in violation of [U.N. Charter] Article 2 subsection 4, and an act of war."
Aaron Brantly, a cyber fellow at the Army Cyber Institute at West Point, says that up to this point, the majority of malicious acts of what some call cyberwar have been fairly mundane.
"We haven’t seen the proverbial cyber Pearl Harbor," Brantly said. "To me that somewhat indicates that states are attuned to the fact that if they take down a nuclear power plant, or mess with a chemical facility, that would be beyond the scope of espionage, and a clear act of war."
Earlier this year, in an address at Stanford University, Secretary of Defense Ash Carter spelled out the Pentagon’s new cyberwar policy in clear terms, warning potential adversaries that the U.S. is ready to respond to any act of cyberwar, using digital weapons of "blunt force trauma" as well as, potentially, conventional force.
Brantly says retaliating against cyber attacks, possibly with traditional weapons like bombs, is unsurprising.
"The Russians were the first to say this: If you get into a knife fight, you want to be the one with the gun," he told VOA.
“You put every tool at your disposal to end the conflict as soon as possible. By limiting it to the cyber domain you potentially expand the possibilities of damage. By claiming that we can go back into the kinetic domain, we move back into a place where the U.S. has clear dominance.”
Responding to an attack
While the Web complicates defining acts of war and espionage as well as attributing attacks to the actual source, analyst Jensen sees cyberwar not as a unique act unto itself, but just a new, additional facet to traditional war.
"My belief is that it’s very unlikely that we’ll have a cyberwar that only includes cyber means," Jensen said. "What’s most likely going to happen is that we’ll have normal war and cyber aspects to that, and we’ve seen that. Between Russia and Ukraine, Russia and Georgia, the U.S. and Iraq – basically every armed conflict between advanced nations we’ve seen since the mid-'90s has included cyber."
Brantly agrees, but cautions what’s still unclear is defining what represents a proportionate response to a cyber attack. That’s an ambiguity that makes cyber conflict potentially explosive, just as nuclear war was starting some 60 years ago.
"On the nuclear side, we’ve just been very lucky, incredibly lucky," Brantly said. "On the cyber side, we’re also pressing luck. Right now we’re still only at 50 percent Internet penetration, and still only depend on the Internet for a relatively moderate percentage of what we do. But as we start moving into the Internet of Things, the potential risk rises."
This month, scholars and strategists began working on the second version of the Tallinn Manual, produced under the aegis of NATO’s Cooperative Cyber Defence Centre of Excellence.
But Stewart Baker, a former Homeland Security assistant secretary and current partner at the law firm Steptoe & Johnson, is unconvinced that a codified Law of Cyberwar will seriously change how online conflict plays out once a full-scale war begins.
"The real law of war, putting aside political constraints, tends to be much more ad hoc," he told VOA. "It is the things that both sides decide they are not prepared to do. And usually that’s a mix of humanity, basic morality and hard-headed assessment that it won’t do much good but will cause massive pain if the enemy does it to you.
"I’m sure there are plenty of international law professors who would be appalled at what I just said, but I do think when you’re in an existential struggle, the law of war is very much based on what did the other guy do to me, and am I willing to do that back to him," he said.