As the concept of online warfare advances, the international community is scrambling to lay out rules to regulate this potentially devastating new kind of conflict. Last week, the International Committee of the Red Cross released its first ever position paper on the subject, stating that "there is no question" that laws of war apply to cyberspace – but what that actually means remains unclear. The Red Cross paper comes on the heels of the first major international attempt to offer a solution: a nonbinding NATO-backed report called the Tallinn Manual. At the same time, a recently leaked U.S. policy directive suggests that our government is already writing its own rules for cyber-war – and some say the administration's reasoning raises many of the same concerns that surround other kinds of 21st-century American war.
The directive, which first appeared in The Guardian last month, states that the U.S. government retains the right to take "anticipatory action against imminent threats" in a cyber-conflict. For many administration critics, the use of the vaguely defined term "imminent" – which appears seven times in the 18-page document – is a major red flag. In a now-infamous Department of Justice white paper leaked earlier this year, the Obama administration laid out a partial legal rationale for when an American citizen can be killed without a trial, concluding that a person can be deemed an "imminent threat" even if there's no evidence of an attack happening in the immediate future. (The case in question was the 2011 killing of radical cleric Anwar al-Awlaki, an American citizen living in Yemen, via drone strike.) The white paper's slippery language prompted ACLU deputy legal director Jameel Jaffer to write that the administration was seeking to "redefine the word imminence in a way that deprives the word of its ordinary meaning."
The possibility that the government's loose definition of imminence has migrated from the drone world to cyberspace is troubling to some. "The Obama administration has defined the word imminence very broadly," says NYU law professor Ryan Goodman. "If the White House imports into cyberspace the definition of imminence used in the counterterrorism context, it may wreak havoc in trying to generate a set of feasible and principled rules for all nations to follow." Goodman notes that the NATO-led Tallinn Manual – currently the closest thing to an international consensus on the rules governing cyber-conflicts – appears to use a stricter standard, in which "the act of self-defense is limited to situations where the state must act lest it lose the opportunity to defend itself."
Unregulated cyber-attacks could pose serious dangers to civilians, as the Red Cross paper makes clear. "Civilian infrastructure is highly vulnerable to computer network attacks," wrote the paper's author, Cordula Droege, citing "power plants, nuclear plants, dams, water treatment and distribution systems, oil refineries, gas and oil pipelines, banking systems, hospital systems, railroads, and air traffic control" as potential targets. The paper also points out that the often-broad overlap between civilian and military online systems raises the possibility that cyber-attacks could be unable to distinguish between the two – a requirement for ordering any traditional strike under international law.
Critics say the U.S. government's continued reliance on the broadly defined idea of "imminence" is part of a larger, problematic pattern. "Language is being abused," says security technologist and author Bruce Schneier, who also cites Director of National Intelligence James Clapper's recent efforts to shift the meaning of the word "collect" after he was caught lying to Congress about the National Security Agency's domestic surveillance programs. Schneier believes that we are in the early years of a cyber-arms race; in the absence of stricter international rules, he says the U.S.' current approach could have disastrous consequences. "In a world where hacks can happen in seconds," says Schneier, "everything is imminent."