3 cyber scenarios worth considering
Specific situations must be explored before they come up in the heat of cyber conflict.
The introduction of cyberspace as the fifth domain of conflict has far reaching implications that have not yet been fully explored nor were appropriate policies created to provide operational guidance for our military and government leaders. Adding to an already complex issue is that fact that military planners and strategists do not have decades of well documented past actions that can be drawn upon as a guide in the prosecution of military cyber action. There is little doubt that military cyber capabilities are impacting the rules of engagement, military doctrine and international laws and policies.
During the past decade I have been involved in a number of cyber conflict planning exercises for training and research purposes. I recently was asked for my opinion on three specific scenarios involving offensive cyber operations that are very interesting. Here they are:
Scenario 1. The United States, as part of a NATO force or operation, launches a offensive cyber action from a facility in Maryland that targeted military systems in Syria, which is trying to quash the uprising. Would the cyberattack being launched from U.S. soil make the launching facility in Maryland included in the battlespace? Does the cyberattack command and control and launch facility being in the United States automatically make the U.S. mainland a legitimate target for physical or cyber retaliation?
Scenario 2. The United States experiences a fairly disruptive cyberattack on its infrastructure that black-outs a city of 60,000 for days. Would the United States be within its rights to launch a retaliatory strike, cyber or physical, against compromised systems in Venezuela that were used as an unwilling or unknowing intermediary in the cyberattack that was attributed to forces in Iran?
Scenario 3. A financial institution within the United States experiences a cyberattack on its online banking systems. The financial institution’s internal IT staff back-trace the attack to Argentina. As their servers are about to crash due to the malicious traffic, the IT staff decides to return fire and launch a retaliatory cyber strike against the top traffic sources in Argentina. Do they have the right of self-defense? (Note: This already happened back in 2011.)
These three scenarios illustrate the complexities of modern conflict now that cyberattacks have entered in to the equation. Recent planning of cyberattack scenarios such as these for training purposes resulted in the conclusion that it is easy to see how a room full of lawyers and international policy experts would be needed during the planning of any real-world cyberattack. These issues must be investigated, debated and answers agreed upon now before they come up in the heat of cyber conflict.