The Legality of Waging War in Cyberspace

In cyberwar, there is a fine line between acts of war and espionage

On June 14, the New York Times reported that U.S. active cyber agents had demonstrated their ability to penetrate the security of a Russian power utility system and had inserted U.S.-developed code into the software of these utilities. While President Donald Trump has denied that this occurred (and called the publication a “virtual act of treason”), the question remains what the scope and extent of U.S. affirmative cyberwar capabilities are, what targets are and are not legitimate for cyberwarfare and, of course, when and how they should be deployed.

The Times story noted that:

“Since at least 2012, current and former officials say, the United States has put reconnaissance probes into the control systems of the Russian electric grid. But now the American strategy has shifted more toward offense, officials say, with the placement of potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before. It is intended partly as a warning, and partly to be poised to conduct cyberstrikes if a major conflict broke out between Washington and Moscow.”

Is It Legal?

Last year’s defense authorization bill gave the U.S. Secretary of Defense the authority to engage in “clandestine military activities in cyberspace.” The bill provided:

“(f) Definitions.–In this section:
(1) The term ‘clandestine military activity or operation in cyberspace’ means a military activity or military operation carried out in cyberspace, or associated preparatory actions, authorized by the President or the Secretary that–
(A) is marked by, held in, or conducted with secrecy, where the intent is that the activity or operation will not be apparent or acknowledged publicly; and
(B) is to be carried out–
(i) as part of a military operation plan approved by the President or the Secretary in anticipation of hostilities or as directed by the President or the Secretary;
(ii) to deter, safeguard, or defend against attacks or malicious cyber activities against the United States or Department of Defense information, networks, systems, installations, facilities, or other assets; or
(iii) in support of information related capabilities.”

Note here that, in addition to permitting defensive actions, the bill permits activities in cyberspace that are intended to deter and prevent attacks against the U.S. So are the power grids of an adversary a legitimate target for affirmative cyberattack? Are they a legitimate target during peacetime? Is probing an adversary’s vulnerabilities, or inserting potentially destructive code into its critical infrastructure for future use, legitimate and authorized, or is it an act of war?

Law of Armed Conflict

The question of whether the penetration of an adversary’s power grid (or the theoretical penetration of an adversary’s power grid) is “authorized” depends in the first instance on what you mean by “authorized.” Assuming that it happened (and the president appears to dispute that), the question is whether those who did it had appropriate clearances within the appropriate chain of command, and whether those in the chain of command had appropriate authorization to engage in such conduct from Congress. At least, that is the start of the analysis. Clearly, federal law authorizes covert affirmative cyberactivity by the U.S. Department of Defense. This may include activities designed to prevent attacks on the U.S., and someone within DoD could have made a finding that the activities (hypothetically) of inserting code into a Russian power grid software would have that effect. So maybe we check that box.

But that’s just the start. Saying that it was “approved” by the correct personnel within DoD is not the same as saying it was “authorized.” Ultimately, the question is whether the power grid of an adversary (or potential adversary) is a legitimate target for attack. For that, we have to look first at the Law of Armed Conflict (LoAC).

The Law of Armed Conflict

LoAC governs the “appropriate” way to do what is essentially inappropriate—the right way to kill, maim, destroy and devastate. While LoAC is derived from tradition, history, treaties, conventions and domestic and international law, the principal guidepost for determining LoAC in the U.S. is the “DoD Law of War Manual.”

The most recently available copy of the Law of War Manual notes explicitly that: “Electric power stations are generally recognized to be of sufficient importance to a State’s capacity to meet its wartime needs of communication, transport, and industry so as usually to qualify as military objectives during armed conflicts.”

Yeah. Maybe. This is where kinetic war and cyberwar may differ. One of the principles of the LoAC is that of proportionality. When an attack on a legitimate target causes a disproportionate impact on the civilian population (e.g., poisoning the water or food supply used by military and civilian populations alike) then, even though the target (military procurements) may be legitimate, the impact on the civilian population would require that you not attack it. Indeed, the U.S. has signed on to several “additional protocols” to the LoAC, one of which expressly notes:

Dams, dikes, and nuclear electrical generating stations shall not be attacked (even if military objectives) if the attack will cause the release of dangerous forces and cause “severe losses” among the civilian population. Military objectives near these potentially dangerous forces are also immune from attack if the attack may cause release of the dangerous forces (parties also have a duty to avoid locating military objectives near such locations). The United States view is that such targets may be lawfully engaged under LOAC, but raise significant proportionality concerns.

It was, for example, under this doctrine that, during the Vietnam War in June 1972, the U.S. attacked and destroyed the Lang Chi hydroelectric facility but did not also destroy the dam that supplied the water to power it.

During the Serbian war, for example, NATO forces attacked the power-generating capabilities of the Milosevic regime, partly to cause deliberate harm and inconvenience to the civilian population “so that the population would pressure Milosevic and the Serbian leadership to accede to UN Security Council Resolution 1244.”

And here is where kinetic and cyberattacks can differ with respect to proportionality. Bombs generally can be used to target a power plant, or to target a dam, or to target a transmission facility. If fighting breaks out in a medium-sized city, it may be legitimate to take out the power grid for that city—at least for a period of time. A cyberattack on the power grid as a whole may be targeted or may be indiscriminate. It may be designed to be targeted, but turn out to be indiscriminate. So in some cases, bombing may be better than cyber—or at least more lawful. Moreover, you don’t look at a target in isolation. As the “Law of War” notes:

“While target systems are intra-dependent to perform a specific function, they are also interdependent in support of adversary capabilities (e.g., the electric power system may provide energy to run the adversary’s railroads that are a key component of their military logistic system). System level target development links these multiple target systems and their components to reflect both their intra and interdependency that, in aggregate, contribute to the adversary capabilities.”

So we take out the power grid to take out the telecommunications to take out the transportation, etc. This is both good (military can’t communicate or move troops) and bad (hospitals can’t operate, populations can’t get food).

So basically, the power grid is a “legitimate” target for potential attack, but we must tread lightly and narrowly.

Use of Force

As the “Law of War” notes, “Article 2(4) of the Charter of the United Nations states that ‘[a]ll Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.’” The DoD document further observes that:

“Cyber operations may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the Charter of the United Nations and customary international law. For example, if cyber operations cause effects that, if caused by traditional physical means, would be regarded as a use of force under jus ad bellum, then such cyber operations would likely also be regarded as a use of force. Such operations may include cyber operations that: (1) trigger a nuclear plant meltdown; (2) open a dam above a populated area, causing destruction; or (3) disable air traffic control services, resulting in airplane crashes.”

So whether our activities are “acts of war” depends upon a wide variety of factors. What are we doing; does it resemble warfare, or intelligence gathering? What’s the actual impact of what we are doing? Why are we doing it? What is this in response to? To whom are we doing it? Are we targeting the political infrastructure of an adversary? The military infrastructure? The financial systems? Are we probing? Attacking?

Essentially, what the New York Times reported looks like we were laying inactive land mines to be activated at a later date against the civilian infrastructure of a potential adversary, to be used in the event of an escalation of tensions. Perhaps it is because of the ambiguity of the lawfulness of this action that the president denied it was happening. Well, sort of denied it was happening. Well, didn’t deny that it was happening at all.


OK, so we have the authority under the law to hack the Russians, and their power grid is a legit target—or at least parts of it are.

But when? Can we do this against an adversary during peacetime? What about to a neutral party? What about to an ally? Again resorting to the DoD manual, we observe that:

“International law and long-standing international norms are applicable to State behavior in cyberspace, and the question of the legality of peacetime intelligence and counterintelligence activities must be considered on a case-by-case basis. Generally, to the extent that cyber operations resemble traditional intelligence and counter-intelligence activities, such as unauthorized intrusions into computer networks solely to acquire information, then such cyber operations would likely be treated similarly under international law. The United States conducts such activities via cyberspace, and such operations are governed by long-standing and well-established considerations, including the possibility that those operations could be interpreted as a hostile act.”

Interpretation: Proceed at your own risk. Intelligence-gathering (probing vulnerabilities and weaknesses, determining targets and impact, etc.) is something that countries do in war and in peace. Some of it can be nasty stuff—nastier still if you are caught. Perhaps this was the cause of the President’s ire: Not that the New York Times was reporting falsehoods, but that the New York Times was reporting an inconvenient truth.

The Case For/Against Cyberwar

Any future war—whether hot or cold, kinetic or otherwise—will include a cyber component. And it should. If we can shoot a missile at an enemy fighter jet, why can’t we disable it with a software command? The rules of war need to be—and continue to be—modified to meet the new cyber command. Imagine, though, if a U.S. soldier snuck into a power facility in Pripyat, Ukraine, and installed a bomb powerful enough to take out some hypothetical nuclear power plant there. The bomb doesn’t go off, but it has a remote control device so that, at the push of a button in Arlington, Virginia, the Ukrainian power plant is destroyed. You realize, of course, this means war. On the other hand, if we simply pay off some apparatchik to give us the plans to the plant so we can discover (for later exploitation) some vulnerability, that’s called espionage. You know, James Bond or Jason Bourne stuff.

The real problem with the USA and cyberwar is not that we aren’t prepared to fight it (well, not just that we aren’t). Other countries (Russia … if you are listening …) have certainly been both more aggressive and more public in their efforts to use both cyber operations and information warfare generally against the U.S., and perhaps this is payback (again, the U.S. president denies this). While we have a huge capability to use affirmative cyberwarfare tools to inflict harm, damage and losses on our adversaries (and to conduct surveillance and espionage), we are understandably reluctant to use them (and use them publicly) because of our outsized vulnerability to counterattack. The joke about Iraq was that, if we bombed them into the stone age, would anyone notice? The U.S. economy is heavily dependent upon our critical infrastructure, which is incredibly vulnerable to cyber-style attacks. While we have poured billions into making that infrastructure more resilient to cyberattacks, our civilian-owned and operated (for profit) infrastructure remains vulnerable to state-sponsored cyberwarfare.

When I am asked whether we can survive a cyberwar, I note that we are currently surviving one. A low-level one. If it heats up, either because of an actual kinetic war or because of an escalation of a war of words, who knows whether we—or they—can survive?

Mark Rasch


Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
