Russian Cyber Operations. Scott Jasper
CHAPTER 1
Analytical Framework
Joel Brenner, a former counterintelligence leader for the US director of national intelligence, has noted that “cyber is one of the ways adversaries can attack us and retaliate in effective and nasty ways that are well below the threshold of an armed attack or laws of war.”1 The term cyberattack is used in a colloquial sense in discussing cyber operations that refer to various types of “hostile or malicious cyber activities, such as the defacement of websites, network intrusions, the theft of private information, or the disruption of the provision of internet services.”2 Therefore, cyber operations described as a “cyberattack” are not necessarily an “armed attack” or an “act of war.” They might qualify under thresholds and conditions for less severe classifications such as a “use of force” or an “internationally wrongful act.” The classification matters, for it determines under international law to what extent injured states can respond to a cyberattack—either with force in self-defense or by lesser means, known as countermeasures. Even though various legal conditions must be met, in any case, attribution to the responsible state under international law is a required condition for appropriate action.
Russian cyber operations exploit legal regimes to avoid thresholds and classifications that prompt or justify meaningful responses. They also use technical means to avoid attribution that is necessary for injured-state responses to an internationally wrongful act or any other type of unlawful attack under international law. The term attribution is defined simply as “determining the identity or location of an attacker.”3 Technical attribution is associated with indicators, such as tradecraft, code styles, domain registration, Internet Protocol (IP) ownership, resource language, and time zone information. Political attribution is more declaratory, usually based on cumulative or circumstantial evidence. For malicious actors, the goal is not only to avoid attribution but also to maintain anonymity for as long as possible during a cyber operation. Thus, in the cyber realm, anonymity infers not only the inability to identify an individual, group, or state actor but also the “inability to recognize an attack is occurring, and the inability to isolate the target or objective of the attack.”4 In order to thoroughly analyze and evaluate Russian cyber operations, this chapter will provide a technical (means used for intrusion, evasion, and deception) and legal (regimes for classification as an armed attack, a use of force, or an internationally wrongful act) framework. It will then demonstrate an application of the analytical framework to a case study of destructive Russian cyber operations against the energy sector in Ukraine.
Act of War
No clear legal definition exists for when exactly a cyberattack would constitute an act of war.5 US Code defines the term act of war to mean “any act occurring in the course of (A) declared war; (B) armed conflict, whether or not war has been declared, between two or more nations; or (C) armed conflict between military forces of any origin.”6 The term armed conflict infers an armed exchange. A more informal interpretation for an act of war is “a hostile interaction between two or more states.”7 The challenge is defining what cyber operations could prompt an initiation of armed conflict or a political declaration of war. In the physical domains, the answer might be more obvious. Take, for instance, the devastating attack on the American fleet at Pearl Harbor in 1941 that resulted in the US declaration of war against Japan.8 While metrics exist for what counts as a physical act of war, they do not exist for a cyber act of war.9
In May 2016, Sen. Mike Rounds introduced the Cyber Act of War Act of 2016, which is a bill “to require the President to develop a policy for determining when an action carried out in cyberspace constitutes an act of war against the United States.”10