When does Cyber Attack become War?

Major David Willson is an attorney in the US Army. He has spent more than a decade providing legal advice to the DoD and NSA on information security. Yesterday at the BSides Denver conference Willson presented a paper titled “When does electronic espionage or a cyber Attack become an ‘Act of War’”. The BSides are an informal gathering of information security professionals from the local area.

His paper provides analysis and context to help with the definition of war, but he also offered concrete suggestions in his presentation for how nations can be better prepared to respond in the event of a cyber attack or cyber war. He calls for an international approach.

The audience response was interesting, to say the least. Most of the opposition came from a small vocal group that raised the following issues:

  • Can an International group be trusted?
  • Can an International group be trusted?
  • And last, but not least, can an international group…be trusted?

I say this in all seriousness. Although I would like to think security professionals are familiar with trust as it relates to controls (how to detect, prevent and verify) the mention of an international approach seemed to send certain people into a spell. A centralized authority model, especially one of international membership, clearly upset the audience; eyes rolled back, arms folded, heads shook.

One person in the audience asked several times “Who will be King?! Who will be the King of the group?!”


It quickly appeared that political science concepts (study of human behavior) could have helped this group see past whatever hurdles they were stuck upon. They struggled to transition from the technical material to more organizational security. While (expectedly) comfortable discussing locksport (picking locks), the mention of human behavior and power relationships resulted in comments that went awry. Here are a few suggestions for what Willson’s presentation might have started with to better prepare this particular audience.

  1. Forms and types of governance (or how to distinguish monarchy from democracy)
  2. Allocation and transfer of power in decisions
  3. Disciplines (or how to distinguish realism from instrumental rationality, positivism and behavioralism)

This might have done the job, explaining why a centralized group with international authority would not easily be compromised by a “bad apple” (pun not intended).

One person shouted:

International authority? Someone could compromise it! Isn’t this a case where the cure is worse than the disease?!

Another person asked:

So the US could just turn off the network in another country?

First, this response suggested to me a group that works with information security can nonetheless be missing key concepts of how to apply security in the real world. Security professionals know that controls can be used to detect and prevent unauthorized access. These concepts can be adapted and applied to the model(s) put forward by Willson. His point is that there is a legal framework for technical controls to be introduced. That makes sense and so we could have discussed how those controls might work to achieve the purpose of the model. Instead the audience heckled the speaker about unfamiliar topics they feared: politics, law and trust.

Second, it reminded me of non-interventionist and isolationist movements in America. After the First World War, for example, instead of ratifying Versailles the US essentially walked away and refused to be involved with international security frameworks such as the League of Nations and International Court of Justice. The 1920s also saw tough tariffs raised on imports and immigration severely restricted.

Another example could be the American Revolutionary War. The alliance with France was essential to victory in the war, yet many in the US strongly distrusted and advocated against ties to foreign states. President Washington spoke out against intervention. Thomas Paine published a book on the subject titled provocatively Common Sense.

With all this in mind President Roosevelt presented the state of international affairs as a cause for intervention in 1940:

Some indeed still hold to the now somewhat obvious delusion that we of the United States can safely permit the United States to become a lone island, a lone island in a world dominated by the philosophy of force. Such an island may be the dream of those who still talk and vote as isolationists. […] On this tenth day of June, 1940, the hand that held the dagger has struck it into the back of its neighbor.

The US President said intervention was justified to fight a power when the goal of that power is to destroy American ideologies. This led to legal arguments like the Fourth Neutrality Act that enabled international support (US aid to France and Britain) for defense against German aggression.

It makes perfect sense to me why a military legal expert like Willson would make a case for a platform of cooperation to fight international cyber attacks and cyber war. It makes sense in non-commercial as well as commercial spheres. Companies that compete can still work together when it comes to fighting fraud and crime. It does not, on the other hand, make sense to me why this particular audience of security professionals was so delusional as to ask “who will be king” or shout “cure is worse than the disease”, unless they represent the philosophical equivalent of misguided American isolationists.

Although there is a colorful past of non-interventionist movements in America, no argument of logic or historic reference was raised by the hecklers. They simply, and ironically, expressed that they have a fear of authority and of foreigners. I suspect if they were prepared better, or approached in a different way such as how to build a secure lock for a door of their car, they would be full of ideas how we might build authentication and authorization. Instead they sat and spun in fear.
