Amid rising tensions between the United States and Iran, Congressional lawmakers are grappling to determine when a cyberattack means war rather than an incident.
The U.S. Department of Homeland Security (DHS) has issued two warnings in recent weeks, telling IT professionals to brace for potential cyberattacks from Iran.
But what exactly is an all-out cyber war vs a limited or targeted event? It may be one of those things that you know it when you see it. Or if certain lines, such as an attack on critical infrastructure or one with a major economic impact, are crossed that may be the defining criteria turning a cyber event into a digital war.
Iran vs U.S. Cyber Tensions
The prospect of Iran targeting U.S. critical infrastructure sites with cyber attacks isn’t new. In a January, 2019 Worldwide Threat Assessment report, U.S. intelligence said Iran has the capability to inflict damage such as taking down an enterprise company for an extended period of time.
“Iranian cyber actors are targeting U.S. government officials, government organizations, and companies to gain intelligence and position themselves for future cyber operations,” the report reads. The document ranks Iran among the major state-sponsored cyber threats to the U.S., including China, North Korea and Russia.
Here’s when some legislators on both sides of the aisle might say "this means war": (via The Hill)
Senator Ron Johnson (R-WI): “We've never really gone down the route to define what constitutes an act of war when it comes to cyberattacks. When you start getting into control systems, electrical systems, other critical infrastructure, you start attacking our financial system — to me those certainly would qualify, or certainly should be considered, as something we would require a pretty robust response.”
Sen. Gary Peters D-MI): “We’re likely to see this not just with Iran, but in the future you are going to see cyber as one of the main domains of warfare going forward. So it’s important to try to get our arms around how we would define it.”
Sen. Richard Blumenthal (D-CT): “I think the question of what is an act of war in the cyber domain is a serious policy question that needs to be addressed, and Congress so far has failed to address it. It’s really the Department of Defense that should be providing guidance. Congress should certainly be overseeing the question and addressing it, but we have pressed the Department of Defense to come to us with a proposal on it.”
Sen. Angus King (I-ME): “It's a serious risk because I think they have the capability and we haven't ... defined what we would consider an attack that would trigger a response. I think that's one of the problems with our policy.”
Rep. Cedric Richmond (D-LA), who chairs the House Homeland Security Committee’s cybersecurity subcommittee, told The Hill that he and full committee Chairman Bennie Thompson (D-MS) would “get together and figure out” whether legislation around defining an act of cyber warfare was needed.
Cyber vs. Physical War: The Debate
Annie Fixler, deputy director of the Center on Cyber and Technology Innovation for the Foundation for Defense of Democracies, told The Hill that what type of cyberattack would push the U.S. into war was “the million-dollar question...The Pentagon has always said that they reserve the right to respond to cyberattacks with kinetic force and have traditionally said ‘significant cyberattacks’ — and the key is what constitutes significant cyberattacks,” Fixler told The Hill. “Given what we’ve seen so far from malicious cyber actors, it would be an attack on critical infrastructure that causes significant damage.”