Russian cyber attack should be met by counter-strikes.
This is an opinion piece by Professor Sandeep Gopalan, Pro Vice-Chancellor for Academic Innovation and Professor of Law, Deakin University. The author's view and opinion may not imply or reflect Deakin Law School's view.
Vladimir Putin appears to be delivering on his warning of “chaos in international relations.” Russia’s president sharply rebuked the April 14 missile strikes by the United States, United Kingdom and France on three Syria targets reportedly linked to chemical weapons production as an “act of aggression” and unsuccessfully tried to pass an United Nations resolution condemning it.
Then Russia’s ambassador to the United States, Anatoly Antonov, took to Twitter with a warning: “We are being threatened. We warned that such actions will not be left without consequences. All responsibility for them rests with Washington, London and Paris.”
As the rhetoric continued, the United States and United Kingdom on Monday jointly announced months-long, state-sponsored cyber attacks by Russian hackers that targeted millions of computer systems in homes and offices. The U.S. and U.K. technical alert accused “cyber actors supported by the Russian government” of carrying out global “operations [to] enable espionage and intellectual property that supports the Russian Federation’s national security and economic goals.” The alert said the Russians targeted routers and network systems with end-of-life or unsupported devices.
The goal of the attacks appeared to include ultimately commanding and controlling the devices. Australia said as many as 400 of its businesses may have been affected by the cyber attacks.
How the United States and United Kingdom respond to this act of aggression by Russia is important in what U.K. Defense Secretary Gavin Williamson has characterized as a “new era of warfare.” Russia, he said, “is ripping up the rule book by undermining democracy, wrecking livelihoods by targeting critical infrastructure, and weaponizing information.” Williamson’s predecessor, Sir Michael Fallon, has warned in the past that cyber attacks against the United Kingdom “could invite a response from any domain — air, land, sea or cyberspace," indicating that a cyber attack could be met with a conventional military response.
Indeed it is a new era of warfare. States such as Russia, Iran and North Korea are at the forefront of employing cyber attacks against Western targets. The advantages for these states are clear: cyber attacks are covert; they compensate for lack of parity with the United States in conventional military capability; they inflict widespread damage; and they are deniable. It is difficult to attribute responsibility to the state and, notably, all three offenders have denied responsibility. They blame criminals and rogue actors, professing no state connection with such entities.
These rogue states are not the only employers of cyber warfare — the United States and United Kingdom also have resorted to such tactics. The United Kingdom claims to have conducted cyber attacks against the Islamic State, and, though it wasn’t clear who carried out the attack, Iran was among several counties that recently experienced a cyber attack that placed U.S. flags on computer screens with a warning to “not mess with our elections.”
Russia’s massive attacks should prompt a forceful response. Clearly illegal under domestic and international law, the attacks don’t follow the international rules for decision-making in situations involving armed conflict: distinction, proportionality and taking necessary precautions. The Russians deliberately targeted civilians and civilian objects with indiscriminate attacks to cause excessive harm.
The United States and United Kingdom should respond with pre-emptive strikes. There is little sense in waiting for serious attacks to eventuate and cause millions of people to suffer harm. When there is an imminent threat — as evidenced by the warning from President Putin and his ambassador — the sensible action is to conduct preemptive cyber strikes that cripple Russian entities with the capability to conduct cyber attacks against Western targets, or even Russian military targets. It’s also time to put out of business those Russian businesses that use the dark web and may have ties to cyber criminals.
These steps are a necessary and proportionate response to brazen escalation in the cyber domain and are justified under international law that authorizes self-defense. Absent a firm response, our internet-addicted society will be a ripe target for countries that choose to wage war by stealth, on the cheap. Such countries must be taught that cyber war can be as costly as conventional conflict.