By Saundra McDavid
Faculty Member, School of Business at American Public University
When does a cyber attack become an act of war? Consider the increasingly common ransomware attacks, such as the cyber attack on the computers of the Erie County Medical Center (ECMC). Its 6,000 computers were disabled, and a demand for a ransom of nearly $6,000 to unlock their data appeared on the screens of the affected computers. The Buffalo, New York, medical center refused to pay and suffered nearly $10 million in expenses (Davis, 2017).
Are attacks like this an act of war? The short answer is no. An act of war is a hostile interaction between two or more states.
In the ECMC incident, there was no evidence of state involvement. However, that alone does not constitute an act of war. It’s the consequences of the act that determine whether it was an armed attack that resulted in damage.
What Is an Armed Attack?
An armed attack results in death or injury to people and/or damage to property. An armed attack produces a violent effect; a mere inconvenience is not sufficient to be classified as an armed attack.
Actions that would qualify as acts of war are 1) the disruption or destruction of a nation’s financial institutions and nuclear command and control systems, and 2) computer-induced failures of power grids, transportation networks or financial systems that might result in physical damage or economic disruption of Department of Defense (DoD) operations. These events would rise to the level of cyber attacks that could prompt a declaration of war.
But in the ECMC case, there was no physical damage, no destruction of financial institutions and no attack on nuclear command and control systems. This was a ransomware-induced temporary shutdown of a medical facility. It was an inconvenience, but the ransomware attack cannot be classified as an act of war.
What Constitutes a Cyber Crime?
Was the ransomware attack on the Buffalo medical center a cyber crime? Cyber crimes involve an element of economic gain.
Typically, hackers who engage in this type of crime use ransomware and distributed denial-of-service (DDoS) attacks to blackmail or to steal information for identity theft and fraud. Such was the case in the ECMC incident.
Should the ECMC Event Be Classified as Espionage?
Cyber espionage involves the “unauthorized probing of a target computer’s configuration to evaluate its system defenses, or the unauthorized viewing and copying of data files,” cybersecurity expert Clay Wilson writes. Cyber espionage gathers secret or confidential information.
Cyber espionage does not appear to be the case in the ECMC incident. While it is clear there was unauthorized probing, no information gathering was readily apparent and no significant technological secrets were compromised.
German Steel Mill Attack: Act of Cyber War or Not?
Consider, however, the case of a cyber attack on a German steel mill in 2014. A phishing email was used in an “advanced social engineering” attack that provided access to the mill’s network.
Once the attackers were inside the network, they accessed the production management software and took over the plant’s control systems, disrupting them and preventing a furnace from shutting down. This so-called advanced persistent threat (APT) produced massive physical damage to the plant.
Was that an act of war? The people responsible for this attack remain unknown.
However, the complexity of the APT attack is a characteristic of criminal groups backed by sovereign states. This most definitely was an armed attack that led to temporary, but major, damage to the steel plant.
Would such an attack have interrupted DoD operations had it occurred in the United States? The Department of Homeland Security lists steel plants as a critical manufacturing sector.
If the hackers who carried out the German steel mill attack could be identified, this cyber attack most likely would be considered an act of war. What would be the appropriate response, then?
What Constitutes a Proper Response to a Cyberattack?
An attack from a likely, but unknown, state actor is always subject to misattribution. The aim might be to disrupt relations between two allies by enticing the United States to mistakenly place the blame for the attack on a third, more hostile country.
This mistaken blame underscores the importance of taking the time to investigate the situation instead of acting reflexively with cyber retaliation. While the German steel plant attack might rise to the level where a counter attack is necessary, deterrence is also important.
Imposing costs – perhaps in the form of economic sanctions – is one way to maximize deterrence efforts. The Obama administration set a compelling precedent by imposing sanctions against Russia in response to Russia’s computer hacking efforts to influence the 2016 presidential election.
In that case, two Russian compounds in the U.S. were ordered closed and Russian diplomats were deported. In July 2017, Congress introduced a bill to impose additional sanctions against Russia for the same offense.
However, a cyberattack on the United States similar to the ECMC ransomware and German steel plant cyberattacks would not warrant a similar response. The ransomware incident involving a medical facility is a cyber crime, best resolved through the FBI’s cyber crime division. The state actor involved in an attack on a steel plant in the United States must first be identified. Until that occurs, there can be no state-level response by the United States.
References
Brown, G. and Poelle, K. (2012). The Customary International Law of Cyberspace. Strategic Studies Quarterly, Fall, 6:3, 126-45.
Davis, H. (2017, Jul. 26) ECMC spent nearly $10 million recovering from massive cyberattack. The Buffalo News. Retrieved from http://buffalonews.com/2017/07/26/cost-ecmc-ransomware-incident-near-10-million/
Department of Defense (DOD). (2011, July). Strategy for Operating in Cyberspace. Retrieved from http://www.defense.gov/news/d20110714cyber.pdf
Department of Homeland Security (DHS) (2017, Jun. 7) Critical Manufacturing Sector. Retrieved from https://www.dhs.gov/critical-manufacturing-sector
Dunlap Jr., C. (2011) Perspectives for Cyber Strategists on Law for Cyber War. Strategic Studies Quarterly, Spring. 81-99. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/dunlap.pdf
Kugler, R.L. (2009) Deterrence of Cyber Attacks. In Kramer, F. D; Starr, S. H.; & Wentz, L. Cyberpower and National Security. Potomac Books. [Kindle Edition]
Lachow, I. (2009) Cyber Terrorism: Menace or Myth? In Kramer, F. D; Starr, S. H.; & Wentz, L. Cyberpower and National Security. Potomac Books. [Kindle Edition]
Lee, R., Assante, M., & Conway, T. (2014, Dec. 30) ICS CP/PE (Cyber-to-Physical or Process Effects) case study paper – German Steel Mill Cyber Attack. SANS Industrial Control Systems. Retrieved from https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf
Thomas, T. (2009) Nation-state Cyber Strategies: Examples from China and Russia. In Kramer, F. D; Starr, S. H.; & Wentz, L. Cyberpower and National Security. Potomac Books. [Kindle Edition]
Wilson, C. (2009) Cyber Crime. In Kramer, F. D; Starr, S. H.; & Wentz, L. Cyberpower and National Security. Potomac Books. [Kindle Edition]
About the Author
Saundra McDavid is an associate professor in the School of Business who teaches courses in law, technology and business strategy for American Public University. Saundra holds a B.S. in business administration from the University of Kansas, an M.B.A. in business administration and a J.D. in law from Saint Louis University. She is currently pursuing a master’s in cybersecurity at American Public University. She is also an attorney practicing in the areas of cybersecurity law and intellectual property.