Can a cyber-attack really be considered an 'act of war'?

Can a cyber-attack really be considered an 'act of war'?

Summary: While cyber-attacks could be -- criminologically speaking -- seen an act of war, the response should not be disproportionate or militarised.


The limelight as firmly shone on the Pentagon's decision to classify severe cyber-attacks as an act of war.

Considering the recent social engineering attacks which led to compromised government Gmail accounts, the two are now seemingly connected. One has to wonder whether an attack on cloud-based government email could also be considered one-sided warfare.

Declaring an action as an 'act of war' is entirely subjective, and should be proportional to not only political belief, but public opinion also.

If every known Gmail account was hacked, copied and sent back to the originating source -- say China, for instance, as they have been accused already (and have been caught once before) -- then perhaps that breach could be considered an act of extreme espionage.

The Iranian Stuxnet worm incident, for example, could however be considered an act of war, from U.S. government involvement directly attacking an Iranian nuclear reactor.

To understand whether an act of war equates directly or equally to an act of terrorism, firstly we need to determine exactly what an act of war is. Is it 'simply enough' terrorist attack, or does it require state involvement?

Potentially, the worst case scenario is the U.S. could become embroiled in a war with a country of origin, for which it had no state collusion in the cyber-attack which brought the tanks rocking up on the shores in retaliation.

Nevertheless, while the Pentagon may consider a serious cyber-attack an 'act of war', retaliation does not necessarily have to be a direct consequence.

A short digression: 'Terrorism' as a blanket term

The September 11th terrorist attack was considered an act of war, for which the Allies led into Afghanistan and eventually Iraq, and arguably violated Pakistani sovereignty when the U.S. assassinated Osama bin Laden.

Yet in the case of the Lockerbie bombing, there have been issues of state collusion. Colonel Gaddafi himself was reported, by a defected minister, to have authorised the bombing of Pan Am flight 103.

Why we haven't invaded Libya under the premise that this could have been an 'act of war', I do not know.

Oh, wait.

Terrorism is action based, not actor based. The definition of terrorism is entirely subjective, with over 100 academic definitions and another 80 or so taken into laws of various countries.

The British definition, for example, is different to that of the United States; one of many reasons why Wikileaks can be classified as a terrorist organisation in the U.S. but not necessarily in Britain.

Can a state commit an act of terrorism?

In short, yes it can. But it depends entirely on the act of terrorism itself.

State terrorism is not necessarily abiding by the same realms that a conspiracy theorist may believe. Some believe that the September 11th terrorist attacks were orchestrated or at least played a part in by the U.S. government, for example.

The official account says that it did not. A series of intelligence failures led to a wide-ranging set of vulnerabilities which was ultimately exploited by terrorists. This reflexive account can be ported far and wide, from the Internet being a force for good, but equally a portal for predators to abuse.

State terrorism therefore is related directly to the action, along with the subjective perceptions that go along with it.

Objectively speaking, the London bombings could be seen as retaliatory actions against the Western movement in Afghanistan states. It falls down to, as the cliché may go, "one man's terrorist is another man's freedom fighter". It is above all else, true.

State terrorism theory dictates that a U.S. drone strike in a foreign land which kills a series of suspected militia members, but also the same number of civilians, is directly proportional to a civilian suicide bomber detonating their vest of explosives at an army checkpoint.

We, as Westerners, would deplore such "an act of terrorism". However, the remaining civilian population would equally denounce the U.S. drone strike on their population, calling that an act of terrorism in its own right.

So how do we stop cyber-attacks?

We can't, and we won't be able to stop every single attack there is. There is no single reason for why terrorists destroyed the World Trade Center in 2001. However, had that not happened, it would have happened elsewhere.

Terrorists do not necessarily want to harm the ideals, values, morals and beliefs of the Western world. Nor, as the case appears to be, do terrorists want to definitively 'spread terror'. It is merely a by-product of normal people in an abnormal world.

Cyber-attacks can only be carried out if there are vulnerabilities. Westerners have a preoccupation with risk and vulnerability, and vulnerabilities can only be absolved often once an exploit has been found.

But as no system, government or state is entirely secure, along with an ever burgeoning fascination with the macabre and the 'psychology of the terrorist' by the media, no wonder we are all half terrified to death most of the time.

The greatest danger is the United States or any other country acting without hesitation, against a country which has no direct or indirect involvement with a cyber-attack. Citizens of a country which have carried out an attack may lead to finding internal intelligence failings, but does not mean that country is to blame.

Responsibility should logically be shared for both states allowing the attack to occur.

And in what form should the retaliation take? Should it be a giant denial-of-service attack by the U.S. military -- a warfare campaign without fatalities -- or a Stuxnet variant to set a nuclear programme back a decade or two?

Punishment needs to be escapable; otherwise it is disproportionate and unfair. War, on the most part, is not escapable, which is why the cyber-warfare strategy needs to be handled by computers, and computers alone, without the need for tanks, soldiers and unmanned drone strikes.

Related content:

Topics: Government US, Government

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Depends on the outcome.

    How's a cyber-attack that brings down critical power or water infrastructure any different from a missile attack on the same? I'd consider it an act of war, treat the perps as enemy combatants and act accordingly.
    • RE: Can a cyber-attack really be considered an 'act of war'?

      @kraterz But can you see that, while we perceive particular acts of terrorism -- others may see the acts of the U.S. as act of terror also?

      It's two of the same thing. The 'terrorists' (or what we see as terrorists) could be acting politically, whereas the U.S. could react militarily.
      • Ever heard of Just War theory

        @zwhittaker Moral equivalance is useful for an anthropologist writing an ethnography. It is not appropriate for establishing foreign policy or coming to the defense of ones own citizens.
        Your Non Advocate
      • Reacting politically? Define the difference

        The problem is that you don't understand there is no difference:

        If I use a missle to destroy a power grid, you call it a military action, yet if I use a computer to destroy a power grid, you call it a political action.

        Whats the difference? both grids are destroyed, people and infrastructure have no power and people die.

        Define why they're different, especially if the military in another country is the one that hacked into the grid network to begin with.
        Will Pharaoh
      • RE: Can a cyber-attack really be considered an 'act of war'?


        You are wandering further and further into the weeds. "Act of war" is carefully defined in international law. You should know this, since you are studying criminology. See for more details.
      • relativistic ineptitude heralding inconclusive unproven dissimilitudes!!



    • RE: Can a cyber-attack really be considered an 'act of war'?

      @Will Pharaoh Exactly. You -could- call it anything. You could in fact call it a shoe, but that would be entirely subjective in itself.

      Using a computer to destroy a power grid could be an act of terrorism, just as Wikileaks could be classified as a terrorist organisation. It's so very subjective and variable across the board, that it runs the risk of state's using it as a political weapon.

      Remember, states can commit acts of terrorism and hide behind the shroud of government and 'national security'.
      • Just War Principals


        Let's dig a little deeper into the Just War Principals

        1. A just war can only be waged as a last resort. OK, we probably have no disagreements on this one.

        2. A war is just only if it is waged by a legitimate authority. Now this appears to be the principal you have issue with. Manning and Assange does not speak carry any legitimate authoritity to engage in acts of war. Leaking information on the whereabouts of Osama Bin Laden could have had a disasterous consequence. Is that an act of terrorism? Perhaps. But Manning being judged by the Uniform Military Code of Justice is "Just".

        3. A just war can only be fought to redress a wrong suffered. OK, another grey area for you. shutting down a water pipeline may result in death. Removing the individuals responsible for the shutdown is "Just".

        4. A war can only be just if it is fought with a reasonable chance of success. Probably no major disagreement here.
        Your Non Advocate
      • You haven't told me the difference, Zac

        @zwhittaker <br><i>Using a computer to destroy a power grid could be an act of terrorism, just as Wikileaks could be classified as a terrorist organisation</i><br><br>Or it could be the third option you left out: an act of war. You missed the part of "who was behind it"<br><br>When an Iranian Al Qaeda militant blows up a bus full of people in Iraq, it's terrorism. When the same person in the employ, and under orders of the Iranian <b>government</b> does it, it's can be an act of war.</i></i>
        Will Pharaoh
      • RE: Can a cyber-attack really be considered an 'act of war'?


        Not quite. In order for acts of terrorism to be effective, they have to be very public. Otherwise there is no terror in it. Your country had adequate illustration of that principle with the North Ireland problems. Would the IRA have planted bombs to kill people if nobody knew who was doing it? I don't think so!

        We have seen the same with the overwhelming majority of terrorist groups. Only a few have been so clueless as to resort to anonymous terror.

        Even in the case of the assassination of Litvinenko, though the Russian government officially denies involvement, the sophisticated way it was done proves high-level government involvement -- and everyone knows this.

        Finally, there is nothing 'subjective' about using a computer to destroy a power grid. Unfortunately, this is not the first time your posts have shown that they do not teach the difference between 'subjective' and 'objective' very well at your university:(
      • RE: Can a cyber-attack really be considered an 'act of war'?

        @zwhittaker You are sounding like Bill Clinton debating the meaning of the word "it."

        To me the word "act of war" should be objectively defined by the intentions and consequences of the action. If the intention of the action is to attack the United States and the consequences is the loss of US property or life then it is an act of war.

        Political activism may have the same intention (attacking the United States) but the consequence of it is never the loss of life or property. The goal of political activism should be to start a debate to get policy changed, not to force change through violence. When it becomes the latter it is no longer political activism, it is an act of war.
      • RE: Can a cyber-attack really be considered an 'act of war'?

        @Will Pharaoh Firstly, please take the time to spell my name correctly. You're right. Under orders from -- in your example -- the Iranian government, that could be construde as an act of war. If it was an Iranian -- again in your example, don't want to single any nationality out here -- works on their own, it is a failing of that country's intelligence agencies as well as Iraq's (again to your example). But terrorism can also be an act of war -- but it all falls down to perception and the mass of variables.

        There's no definitive "this is an act of war" anymore, and hasn't been for a long time.
    • Depends on the attempt

      @kraterz I'd have to say that an ATTEMPt to knock out a ciritcal bit of the nation's IT infrastructure would definitely be an act of war.
      PC Ferret
    • RE: Can a cyber-attack really be considered an 'act of war'?

      @kraterz Only congress can declare war. The Pentagon can't. Terrorists are generally not aligned with a country.
  • RE: Can a cyber-attack really be considered an 'act of war'?

    cyber attacks are weapons of mass destruction.
  • RE: Can a cyber-attack really be considered an 'act of war'?

    Yeah, if they cut the power grid or overloading it. Also they want to scare countries to not do such crap by making it very general. It's part politics, part protecting our country.
  • Your kidding right

    "Terrorists do not necessarily want to harm the ideals, values, morals and beliefs of the Western world"
    One of Osama's claims if we converted to mulism's then he would have no reason to attack the US.
    • RE: Can a cyber-attack really be considered an 'act of war'?

      @mrlinux I'm still scratching my head over that one, and the fact that it could even be uttered without a smirk.
    • Message has been deleted.

  • RE: Can a cyber-attack really be considered an 'act of war'?

    "...the cyber-warfare strategy needs to be handled by computers, and computers alone, without the need for tanks, soldiers and unmanned drone strikes."

    I disagree. If organizations intentionally do us serious harm, then we should either make a determined, disproportionate response; or make no response at all. That is, "destroy the enemy's offensive capability", or prepare for the next attack.

    Your recommendations are rational (good facts, good reasoning), but they seem inapplicable in a world where rough people equate "good & reasonable" with "weak".

    USA needed to clearly state that severe cyber-attacks are acts of war. This puts all weapons on the table in full view of evil actors. Severe options are a strong deterrent, even when USA's best response will be aggressive retaliation via cyber weapons. I believe the "deterrent effect" is the sole reason for this formal announcement.