10. The Boundaries of Cybersecurity: Ethics, Rights, and Laws 283 The principle of proportionality is an important concept in state relations. It says that if a state suffers harm from another state, a response out of proportion to the harm inflicted is not justified. For example, the United States attributed the 2014 doxxing attack on Sony Pictures to North Korea (see Chapter 4). A response from the United States against North Korea would have been justified as long as it was in proportion to the harm North Korea caused. For example, ordering air strikes against North Korea that could result in death and destruction would not have been justified under the principle of proportionality. That would exceed the damages done by North Korea and escalate the conflict. It is not known for sure how the United States did respond, but at the time President Obama stated, “We will respond proportionately and in a space, time and manner that we choose.” 10.3.3.4 Summary “Cybersecurity is national security.” - NSA saying The concepts of jus ad bellum and jus in bello create important boundaries for international relations. The help to prevent nation state conflicts from escalating and seek to limit human suffering. They also impose justice that transcends the laws of any one nation. In cyberspace nation state cyber operations almost never rise to the level of Stuxnet or the attack on Tallinn. Rather, the history of cyber operations has been one of nearly continuous cyber competition and maneuvering between nations. The operations invariably fall short of the use of force thresholds that could trigger a response according to international law. Over time, however, such operations can have a cumulative strategic effect. Cybersecurity is vital to United States national security. In 2018, the United States adopted a persistent engagement approach to cyber operations characterized by defending forward. Defending forward means gaining the initiative in cyberspace by persistently engaging adversaries on their own networks. The goal is to create friction in adversary networks in order to prevent them from achieving their objectives. Prior to 2018, the United States counted on our ability to deter our adversaries from attacking us in cyberspace. We were conservative, attempting to set the precedent of respecting national sovereignty in cyberspace. This approach resulted in essentially waiting for a cyber incident to occur and then cleaning up afterwards. By then the damage was already done, and our ability to meaningfully respond was muted because the attacks, while consequential, did not qualify as uses of force or acts of war. Deterrence, or the threat of retaliation, cannot work if clear lines cannot be drawn and if plausible deniability can be maintained by the transgressor. Persistent engagement recognizes cyberspace is fundamentally different from physical space, that deterrence in cyberspace is ineffective, and that territorial sovereignty need not be respected in the same way it is in physical space. Persistent engagement has helped establish international norms of behavior in cyberspace that respect international law and also reflect the uniqueness of the cyber domain.
RkJQdWJsaXNoZXIy MTM4ODY=