U.S. Legal defines an act of war with the following description. “An act of war is an action by one country against another with an intention to provoke a war or an action that occurs during a declared war or armed conflict between military forces of any origin. The loss or damage caused due to such conflicts are excluded from insurance coverage except for life assurances.” Under this guidance we can determine that in order for something to be an act of war it must include one nationstate against another or a conflict between other military forces. This action must cause loss or damage during a conflict or must provoke a conflict into erupting as an effect of the action.
Under this premise in order for a cyber action to be considered an act of war it would be necessary for it to be directed toward a nation state with the intention to cause irreparable damage or to provoke conflict. With this guidance any cyber action could potentially be defined as an act of war since all cyber actions cause damage to some extent. For example cyber espionage causes damage to national security by leaking sensitive information that could put people’s lives in danger. However the second and third order effects of the cyber action are forms of indirect damage which creates ambiguity surrounding the intent.The question then arises, to what degree of damage warrants the action being categorized as an act of war?
Using the above definition it would appear that the cyber action would need to be directed toward a nation state or its military forces by an opposing military force of some kind with a clear intention to cause damage, loss of life or to provoke a military response. An example of this would be if a nationstate such as China were to target U.S. military satellites that provide various actionable services to war fighters abroad.
According the U.S. Legal an act of terrorism is characterized by the following requirements:
(1) Is unlawful; (2) Causes harm, including financial harm, to a person, property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel (or a vessel based principally in the United States on which United States income tax is paid and whose insurance coverage is subject to regulation in the United States), in or outside the United States; and (3) Uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States."
Simplified, an act of terrorism uses unlawful actions by leveraging some type of instrument designed to cause destruction or injury to individuals or institutions. Using this guidance any illegal cyber activity that causes injury to an individual or institution, including financial loss could be considered cyber terrorism. This means that acts of hacktivism such as defacing a website, leaking personal information and denial of services could be considered cyber terrorism. The question then is to what degree is petty cyber crime differentiated from cyber terrorism because according to this definition cyber crime can also be considered cyber terrorism.
As you can see there are some serious ambiguities surrounding the proper interpretation of the law in regards to illicit cyber activities, cyber crime, cyber terrorism and cyber warfare. One proposition to clear up these ambiguities would be to set a measurable standard or precedent in order to differentiate between classes of armed conflict and cyber crime. For example cyber actions can be measured by their effects after the fact in terms of magnitude, loss and intent. A hacktivist who defaces a corporate website is breaking the law but is likely not a terrorist. A nation state actor who targets a missile guidance system on a military vessel is more in line with cyber terrorism or cyber warfare.