Is the Sony Pictures cyber-attack an act of war? Living on the edge of violent retaliation for hacking

When does a cyber-attack become an act of war? Sony Pictures must surely feel they are under siege, being threatened with data stolen from under their very nose.

Attacks via cyberspace are becoming more sophisticated, more aggressive, and more strategic. At the same time we have almost reached the threshold where cyber-attacks will be met with physical response. There are no precedents - yet - but we are already living on the edge.

The security mantra "I can prevent hacks" is changing to "I will be hacked". Because of this paradigm shift, development of disruptive and destructive cyber-technologies, and the increasing strategic importance of protecting cyber-sovereignty, both governments and companies have started to take the offense in the cyber-realm.

Sony Pictures probably started to strike back, which means that a private company may have taken matters into its own hands.

In short, the trend in cyber is offensive.

Cyber-attack an act of war?

The concept of "act for war" has to be rethought, especially in today's world where information is the most valuable asset.

It should be understood that cyber-attacks, whether resulting in physical damage or not, can be treated as an act of war - and telling this to opponents is an important part of today´s deterrence policy.

The biggest challenge in this field is cyber-espionage. When does intelligence collection or cyber-reconnaissance become an act of war? Such activities are usually not considered sufficient justification.

However, intelligence collection that involves the theft of terabytes of classified information, or intellectual property which is crucial for country or company competitiveness will - sooner or later - be interpreted as an act of war and responded to in a physical way.

The answer to whether a particular attack is an act of war comes down to this: is it in your interest to declare it so? Politically this also depends who is attacking you.

In Sony's case, it is worth asking: would the reaction of the US government have been the same if al-Qaeda had been behind the attack? In that case we probably would have been pushed over the edge.

Cyber-offense, physical retaliation

Several countries have declared that they would consider physical responses to severe and large scale cyber-attacks. In real life this means that people will have to die, and/or there will be significant destruction before such response is considered.

In the US there has even been suggestion from the Defense Service Board that in the case of the biggest possible cyber-attacks the United States could not rule out a nuclear response.

From the perspective of counter-measures, the line between digital and physical force is blurring. It is understandable that the threshold where physical response to cyber-attack could actually happen remains unclear because in the current context of "gray zone war" it is not wise to tell the adversary what is acceptable and what is not.

I believe that the first violent responses to cyber-attacks will not be made because of physical destruction but huge loss of digital property. There were no deaths resulting from the Sony Pictures hacking, but the consequences for the large US-based Company have been enormous.

If Sony would have suffered same amount of loss because of physical attack, would there be physical response? Probably. At the moment it seems that the threshold for triggering a physical response to cyber-attack will be higher than a kinetic equivalent. This might change soon.

Jarno Limnéll is Professor of Cyber-security at Aalto University, Finland.