NotPetya: First Strike in a Cyber War?

The law of international conflict is clear on when and how a state may invoke a state of armed conflict between sovereign nations. For example, in the US, the power to declare war is reserved for Congress, regardless of the President’s position as head of the US Armed Forces. International law also dictates the reasons for which one nation may declare war on another. For example (and these are very limited), after the Second World War, the Allies, in an attempt to end the practice of armed conflict, created the United Nations. As one of the UN’s first acts, it invoked the United Nations Charter, which prohibits both the threat and the use of force in international conflicts. This has effectively made declaration of war a largely obsolete instrument in international relations. You may be wondering by this time what exactly I am blathering on about. I recently read an article in The Guardian, a UK media outlet, titled “NotPetya malware attacks could warrant retaliation, says Nato affiliated-researcher” [sic]. The title worried me, so I dove in and read the article.

The NotPetya malware attack wiped out many machines, including ones at organizations like Maersk, a large Scandinavian shipping company. However, The Guardian reported that Ukraine and its government in particular were strongly targeted. According to Tomáš Minárik, a researcher at the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, NotPetya could be construed as an attack and merit countermeasures at a comparable level. Just as an unprovoked nuclear attack by a nation could elicit a like-for-like response, so could this type of attack. However, there are strict guidelines for such a response. There would, for example, need to be clear and present proof of the source of the attack, and further, a cyber attack must have caused damage comparable to an armed attack to justify an armed response. For example, the attack could have shut down a dam’s overflow capacity, causing a flood. The attack must actually cause destruction. Financial loss would not justify an armed response, but it would justify a “hack back” response.

With this situation (again we are directed by the UN Charter), any response must not affect a third party and cannot amount to a use of force (e.g., closing down a dam’s overflow capability). When a nation state actively participates in hacking/cyber attacks in the way it is alleged that China, Russia, North Korea, Iran, Israel, and the US do, it has to be very careful that its attacks do not spread to non-targeted countries. This is very difficult and very likely one of the reasons why so-called offensive cyber warfare is still under wraps in a nation’s more secretive agencies. If it is not in the mainstream military, a country has plausible deniability. It is, however, true that nations have electronic warfare arms. The UK military has just founded a cyber defense force, ostensibly to protect and retaliate against focused attacks by nations and others against the UK’s critical infrastructure.

A malware attack like NotPetya is just one very visible hacking event. Targeted hacking of a nation, like the infection of Iran’s centrifuges, is another. If proven to have been orchestrated by a nation, these could lead to a targeted response. However, even more troubling would be an attack orchestrated by a non-governmental organization, like Daesh. Here, there is no nation to target. Any retaliation against a Daesh target would have a significant risk of falling outside the UN Charter’s guidance, especially regarding damage to third-party countries. Cyber warfare, as waged by the new military forces being raised by many nation states, is currently labeled as defensive and is used for averting attacks. However, this will not always be the case. There is a valid case for the UN to revisit its Charter and see if it is in need of a dust-off and modernization in this brave new world of electronic and digital warfare that we are entering.
