Sen. Mike Rounds (R-S.D.), member of the Senate Armed Services Committee (SASC), on May 10 introduced the Cyber Act of War Act of 2016 to require the presidential administration to develop a policy to determine whether particular cyber attacks constitute an act of war.
“Cyber-attacks on our critical infrastructure are capable of impacting our entire economy and causing significant destruction. This legislation would require the executive branch to define which of these actions constitute a cyber act of war, which would allow our military to be better able to respond to cyber-attacks and deter bad actors from attempting to attack us in the first place,” Rounds said in a statement.
The act would require that, in developing the policy for determining when an action in cyberspace rises to the level of an act of war on the U.S., the administration consider two core issues: the ways in which the effects of an attack may be equivalent to a conventional weapons attack, and intangible effects of significant scope, intensity, or duration.
The bill also requires the Defense Department to include the developed definition in its Law of War Manual.
Rounds highlighted in the bill announcement that he earlier raised the issue at a February SASC hearing with Director of National Intelligence James Clapper and Director of the Defense Intelligence Agency Marine Lt. Gen. Vincent Stewart, first asking what amounts to an act of war in the cyber realm.
“That’s a great question, senator, one that we’ve wrestled with – a certain extent I guess it’s in the eye of the beholder. And this gets to the whole issue of cyber deterrence and all of those kind of complex questions, but I think that’s a determination that would almost have to be made on a case-by-case basis depending on the impact,” Clapper said.
Rounds said defining an act of war in cyberspace would be helpful.
“I think it would be extremely helpful to have clear definitions of what constitutes cyber events vs. acts of war. We generally look at cyber events and we define it as an attack. In many cases you can do reconnaissance, you can do espionage, you can do theft in this domain we call cyberspace. But the reaction always is, whether it’s an adversary doing reconnaissance, an adversary trying to conduct HUMINT [Human Intelligence] operations in this domain, we define it as an attack and I don’t think that’s terribly helpful,” Stewart said.
“So if we can get a much fuller definition of the range of things that occur in cyberspace and then start thinking about the threshold where an attack is catastrophic enough or destructive enough that we define as an act of war, I think that would be extremely useful,” Stewart added.