A report from the American computer security firm Mandiant accuses China of hacking computer systems outside the People’s Republic. China denies the whole thing. And Washington and Beijing are making charges and counter-charges that have taken the whole matter public. The problem is that modern computer technology has blurred the line between espionage and warfare, and international law has little to say on the matter.
Mandiant said a group called APT1 is “one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen.” Mandiant says it has traced APT1 to a Shanghai building. Unit 61398 of the “is also located in precisely the same area” and the actors had similar “missions, capabilities and resources.”
The Americans are taking this very seriously and have been for quite some time. State Department spokeswoman Victoria Nuland said hacking has come up “in virtually every meeting we have with Chinese officials. We consider this kind of activity a threat not only to our national security but also to our economic interests and [we are] laying out our concerns specifically so that we can see if there’s a path forward,”
China has responded by claiming many of its institutions and citizens have been victims of cyber-attacks. No doubt this is true. What is less likely true are Chinese claims that any hacking that originates in China is contrary to the wishes of the Chinese government. Given the way the Chinese government controls access to the Internet, this just isn’t believable. In a sense, this is simple espionage; every government engages in it, and every government denies it.
In another sense, though, hacking is different. Not only are the hackers stealing data, but they are also gaining access to infrastructure and communications networks, enabling them to do actual physical damage. The most dramatic example of this was the Stuxnet virus attack on Iran’s nuclear installations last year. The ability to turn off another nation’s power grid or jam up its oil refineries goes well beyond espionage and becomes a military matter.
As of this moment, customary international law governing state actions in cyberspace is clouded at best, and treaty law almost non-existent. A misunderstanding in such a situation can readily become a serious international problem. Actions in cyberspace can constitute a use of force, meaning that it can be considered an act of war. An appropriate response could be a physical counter-measure. In other words, hacking could cause armed conflict.
If the UN would like to make itself useful, an international conference to draft a global treaty on governing cyberspace is long overdue. The major powers have a vested interest in codifying the rules, and the smaller countries may actually be more likely targets. This won’t be easy, of course, but it is vital that international law enters the 21st century.