As the Lords call for greater levels of co-operation amongst governments, the EU and Nato to prevent and detect cyber attacks, many people are wondering what level of attack we are under, when a cyber-attack becomes cyberwar, and who is responsible for the cyber defence of critical infrastructures owned by private companies.
It is clear that we are under varying levels of cyber attack, often severe and sustained. In the US, these attacks have ranged from attempts to break into the Pentagon, to attacks on commercial institutions, and some have even attributed power blackouts to cyber-attackers penetrating the power grids.
Two recent historical events in former Soviet republics demonstrate the scope of current attacks, how much they can be woven into the fabric of other kinds of conflict, and yet how elusive their definition and containment remain. In 2007 the cyber infrastructure of Estonia was heavily and repeatedly attacked in successive waves of activity, significantly impairing or shutting down many cyber-based services and communications.
Firm attribution was never made, and in fact a large number of attacking computers were in the United States. Although the incidents occurred as part of a serious dispute with Russia over a monument to the Soviet liberation of Estonia from the Germans--the context of a traditional diplomatic dispute--even the Minister of Defence, Dr. Jaak Aaviksoo, who was in charge of responding, said recently at a cyber security Forum at Stanford University that without clear attribution, one dare not leap to conclusions about the ultimate source of the attacks. He is clearly wary of saying that they passed the point at which a cyber attack had become an act of war.
More recently, in 2008, as a part of the South Ossetia War, sustained denial-of-service attacks and defacement of government web sites in Georgia coincided with a physical attack by Russian forces with all the hallmarks of a traditional military confrontation: tanks and troops across the border, destruction of Georgian military systems and infrastructure, etc.
In both cases, in the absence of firm attribution, the results resembled an extended cyber-riot more than a formal act of war. In neither case did NATO's commitment to collective response come into play. In the UK, there have been 300 significant attacks on the government's core computer networks in the last year, according to Lord West of Spithead, parliamentary under-secretary for security and counter-terrorism.
In many ways, until nations and international organizations like the UN work to define cyber war, it is unrewarding to try to determine the point at which a cyber attack can be called a cyber war. There is an enormous legal and policy infrastructure, developed over centuries, to determine when war has started in a non-cyber context. Even then, undeclared "wars" are fought between groups of combatants who may or may not be officially linked to nation states; civil unrest blends into insurgency, into open rebellion and into civil war, just as incidents or provocations across borders lead to shows of strength, to cross-border raids and to full-scale invasions.