What Is America’s Red Line for Military Action After a Cyberattack?

An unprecedented cyberattack by Eastern European hackers shut down a critical gas pipeline to the US East Coast over the weekend. It is, to date, the worst cyberattack to ever strike America’s infrastructure.

Over the ensuing days gasoline prices have surged. In places, gas stations are reporting fuel shortages. In Charlotte, North Carolina, more than 70% of gas stations have gone dry, The Washington Post reported Wednesday.

Hackers belonging to the cybercrime group DarkSide — which is reportedly based in countries across the former Soviet Union — carried out a ransomware attack on the pipeline’s operator, Colonial Pipeline Co. The pipeline could remain shut down until the end of the week, according to the company.

Due to prospective fuel shortages, the US Department of Transportation has declared a regional emergency for 17 states and the District of Columbia. Governors in Florida, Georgia, North Carolina, and Virginia have declared states of emergency. For its part, the Biden administration has invoked emergency powers to coordinate an “all-of-government” effort to mitigate the crisis.

As US officials scramble to coordinate a response — and while lawmakers debate how to prevent such an attack from happening again — a key question of paramount consequence remains to be answered.

If the Russian government were responsible for such a brazen cyber sneak attack, would it qualify as an act of war? And if so, would the US retaliate with lethal military force?

“No one has said thus far that cyber only begets cyber, even in the international law community,” said Steven Bucci, a former Army Special Forces officer who served as deputy assistant secretary of defense for homeland defense and defense support to civil authorities during the George W. Bush administration.

Our Administration has launched an all-of-government effort to mitigate the impacts of the Colonial Pipeline shutdown. Read about the steps we’re taking: https://t.co/5XsnjbETcR

— The White House (@WhiteHouse) May 12, 2021

Referring to the Colonial pipeline cyberattack, Bucci added: “I think such an attack, if tied to a government, could be considered either an act of war, or terrorism. Nation states have the right to respond to either with another cyber action, or however they see fit.”

For now, US officials say the DarkSide pipeline hack is a criminal act with no direct link to the Kremlin. However, Russia has a documented history of freelancing its cyberwarfare duties to criminal hacker groups. By using clandestine outfits technically unaffiliated with the Russian government, Moscow maintains its innocence while prosecuting a global cyber blitz.

“So far, there is no evidence from our intelligence people that Russia is involved,” President Joe Biden said on Monday. “Although there is some evidence that the actors’ ransomware is in Russia. They have some responsibility to deal with this.”

The Biden administration imposed sanctions on Moscow in retaliation for the December SolarWinds hack, which targeted multiple US government agencies. The US said the hackers were operating under orders from a Russian intelligence service. The Kremlin, for its part, denied it had anything to do with the breach.

In principle, US defense doctrine endorses the use of lethal military force in response to a cyberattack. According to the Trump administration’s 2018 National Cyber Strategy: “All instruments of national power are available to prevent, respond to, and deter malicious cyber activity against the United States. This includes diplomatic, information, military (both kinetic and cyber), financial, intelligence, public attribution, and law enforcement capabilities.”

Yet, according to multiple national security experts and officials, the US government currently has no clear guidelines to determine when a cyberattack qualifies as an act of war. Thus, it remains unclear how the US would respond if Moscow carried out a cyberattack on par with this week’s Colonial pipeline shutdown.

“There isn’t a clear line in international law about when a cyberattack rises to the level of a use of force that would justify a kinetic response, but there’s general agreement that interference in a state’s internal affairs — which could include an attack on critical infrastructure — could meet the threshold,” Michael Ellis, a visiting fellow for law and technology at The Heritage Foundation, told Coffee or Die Magazine.

The Department of Homeland Security has identified 16 “critical infrastructure sectors,” which are “considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

Those 16 critical sectors include America’s nuclear power plants, food supplies, dams — and energy supplies. According to multiple cybersecurity and homeland defense experts, the Biden administration has not reversed the Trump-era doctrine that permits kinetic military strikes as a retaliatory measure following a cyberattack on one of those sectors.

The Biden administration’s Interim National Security Strategic Guidance, issued March 3, says that the US “will hold actors accountable for destructive, disruptive, or otherwise destabilizing malicious cyber activity, and respond swiftly and proportionately to cyberattacks by imposing substantial costs through cyber and non-cyber means.”

Based on defense officials’ prior statements, the decision to use lethal force in response to a cyberattack ultimately depends on the US president’s judgment.

“The determination of what constitutes an ‘act of war’ in or out of cyberspace, would be made on a case-by-case and fact specific basis by the President,” Marcel Lettre, who was then undersecretary of defense for intelligence, told the US Senate Armed Services Committee in September 2016.

“Specifically, cyber attacks that proximately result in a significant loss of life, injury, destruction of critical infrastructure, or serious economic impact should be closely assessed as to whether or not they would be considered an unlawful attack or an ‘act of war,’” Lettre said, adding: “Similarly, the [US government] would assess malicious cyber activities that threaten our ability to respond as a military, threaten national security, or threaten national economic collapse.”

In testimony before the House Armed Services Committee in June 2016, Thomas Atkin, acting assistant secretary of defense for homeland defense and global security at the time, said cyberattacks could merit a military response if there was an “act of significant consequence.”

“As regards an act of significant consequence, we don’t necessarily have a clear definition,” Atkin said. “But we evaluate it based on loss of life, physical property, economic impact, and our foreign policy.”

As air power did after World War I, cyberwarfare technology has redefined the boundaries of the modern battlefield. Early air power theorists argued that targeting an enemy country’s industry and infrastructure could destroy its industrial capacity to wage war. That theory was later extended to include targeting civilian population centers to damage morale.

In his 1921 book, The Command of the Air, Italian air warfare theorist Giulio Douhet wrote:

“No longer can areas exist in which life can be lived in safety and tranquillity, nor can the battlefield any longer be limited to actual combatants. On the contrary, the battlefield will be limited only by the boundaries of the nations at war, and all of their citizens will become combatants, since all of them will be exposed to the aerial offensives of the enemy.”

In this modern era of warfare, cyber weapons have been able to replace that strategic use of air power, to some degree.

Weaponized social media campaigns have replaced propaganda leaflets dropped on an enemy’s territory. And America’s strategic infrastructure, such as a gas pipeline, can now be taken out from a laptop in Moscow, rather than by a long-range bomber or missile.

Thus, the advent of cyberwarfare technology challenges centuries of military ethics concerning deterrence and the proportionality of force. As such, US lawmakers and military leaders may need a new ethical calculus for making decisions on the use of military force — both the moral guidelines for how wars should be fought, as well as the reasons for which wars should be waged at all — jus in bello, and jus ad bellum, respectively.

Notably, US national defense doctrine must grapple with how to redefine the principle of proportional military force in the cyberwarfare era. For example: At what point does a nonlethal cyberattack merit a kinetic military response?

Public opinion would likely play a key role in such a determination. So, too, would an adversary’s capacity for retaliation.

“Of course material constraints and escalatory risk play a pretty significant role, so if it proves to be an act by another major power with the ability to deter us, then that’s going to play a significant role in calibrating response,” Michael Kofman, director of the CNA Corp.’s Russia Studies Program and a fellow at the Woodrow Wilson Center’s Kennan Institute, told Coffee or Die.

“Similarly, loss of life generates political calls to act, so if there is no loss of life from a cyberattack then the resultant internal pressure for retaliation is much lower, and the domestic audience costs for inaction reduced,” Kofman said.

A nonbinding, academic study published in 2013, the “Tallinn Manual” is the closest thing to a law of armed conflict pertaining to cyberwarfare. In short, the study determined that a cyberattack would qualify as a “use of armed force” if it created physical destruction.

According to the available reporting, this week’s DarkSide cyberattack simply shut down the Colonial pipeline’s computerized control systems — but did not result in any physical destruction.

“So in the end, I don’t think this would have risen to the point that would have warranted a kinetic response, but there isn’t a lot of precedent,” C. Anthony Pfaff, a nonresident senior fellow at the Atlantic Council, told Coffee or Die, referring to the Colonial pipeline cyberattack.

However, Pfaff added that lethal military responses to cyberattacks are not necessarily prohibited by international law. “I could imagine a good case for a discriminate and proportionate armed response that goes beyond the nonlethal countermeasures normally available under international law,” Pfaff said.

Cyberattacks have become an integral part of modern warfare. When Russia went to war with Georgia in 2008, it launched cyberattacks against Georgian government computers and media websites. Likewise, Russia paralleled its 2014 military attacks on Ukraine with a cyber-offensive that targeted Ukraine’s banks, railroads, the mining industry, power grid — and the country’s elections.

Since a landmark 2007 cyberattack against Estonia, Russia has also launched cyberattacks against governments across Europe, including multiple NATO countries. Top NATO officials have since declared that a cyberattack against a member state could trigger the invocation of Article 5 — the Western alliance’s collective defense protocol.

“We have decided that a cyberattack can trigger Article 5, meaning that a cyberattack can trigger collective defense, because we regard cyberattacks as something that can cause a lot of damage and can be very dangerous,” NATO Secretary-General Jens Stoltenberg said during a June 2016 press conference.

“It’s hard to imagine a conflict without a cyber dimension,” Stoltenberg added. “So, yes, cyber can trigger Article 5, but [at] the same time I think it’s also important to understand that cyber is not something that always triggers Article 5.”

The only time NATO has invoked Article 5 was after the Sept. 11, 2001, terrorism attacks against the United States.

Read Next: Experts: Brazen Cyberattack Against US Agencies Bears Hallmarks of Russian Cyber Tradecraft