Wednesday, December 17, 2014

A "Cyberattack" is not a declaration of war

Assuming that we still did quaint things like actually declare war.  The Czar of Muscovy ponders the Sony hack, in response to a reader who says it was an act of war:
"When armed Libyan citizens attacked the Benghazi compound, which was American soil, and murdered the ambassador, that was an overt act of war. The President did nothing.

"Given the Sony hack was much less catastrophic in terms of lives lost, the President will again do nothing. Since he blamed the compound attack on a YouTube video, perhaps he will blame the Sony hack on the popularity of Korean barbecue places."
The Czar is precisely correct that nothing will happen.  I will go further and say that a US company getting hacked by someone overseas is a really really really bad reason to go to war.  It's far too easy for a clever attacker to implicate a third party, pulling us into regional conflicts that we have no business in.

And quite frankly, there's quite a moral hazard here: many people think that Sony had a terrible information security program, because they didn't want to spend the money.  Fine, that's their business decision.  However, the US Marines shouldn't be a backstop for them trimming IT costs.

Are there cyber attacks that could cross this boundary?  Sure - shutting down a major part of the power grid would qualify in my book.  But not Sony.


Divemedic said...

At what point does this cross the line?
The attackers have threatened to perform a 9/11 style attack on any theater that screens a certain movie. Is THAT an act of war?

What if such an attack were to be carried out? Is THAT an act of war?

What if the cyber hack had the effect of shutting down our banking system, or the NYSE?

A cyber attack, while not aimed at killing citizens, is a "countervalue" attack that can shut down a nation's manufacturing capabilities and financial system without physically damaging anything.

The question here, it seems, is one of degree. At what point does a nation cross the line from corporate espionage to an all-out undeclared war?

ASM826 said...

What does it matter who threatens or attacks us? We prove, over and over, that we are a paper tiger, unwilling to face a threat and see it through. We have not declared war on anyone in over 73 years. We certainly aren't going to change now.

Borepatch said...

Divemedic, the question is what is a casus belli? You give some good examples - especially the ones involving blood. I'm skeptical that hackers could take down the banking network, but I guess I could be wrong.

But I don't feel the need to send in the Marines for Sony Entertainment.

Goober said...

"However, the US Marines shouldn't be a backstop for them trimming IT costs."

Exactly. It's bad enough that we've sent men to die for cheap oil. But to protect a company too lazy or cheap to protect itself?

On the topic of futility of death, I'm reminded of Tam's post the other day about the cosmic unfairness meted out to the young men who died so young in the guano wars in South America.

It's bad enough to die over a quarrel over bat shit. But to die because Sony didn't give enough of a fuck to install some decent server protection?

ASM826 said...

We have, however, sent in the Marines for bananas and the United Fruit Company.

Borepatch said...

ASM826, you're absolutely right. I for one want to be out of that game.

Goober said...

To the eternal damnation of those responsible, I hope, ASM.

Jester said...

Sony was not an act of war. If the hackers want to plan 9/11 styles of attacks and we can correlate they are doing so, then we address the parties that do so alone in the proper level of force needed. I find it hard to think that anyone would say we need to look at Sony as an act of war no matter how screwed up our priorities are as opposed to Benghazi or the current status of our southern borders off the top of my head.