Congress struggles to set rules for cyber warfare with Iran

The U.S. and Iran may have walked back from the brink of war, but the potential for a cyber battle looms with no clear rules of engagement.

Lawmakers and military officials say there’s no agreed-upon definition of what constitutes cyber warfare, leaving them to decide on a case-by-case basis how best to respond to individual incidents.

“We’ve never really gone down the route to define what constitutes an act of war when it comes to cyberattacks,” Sen. Ron Johnson (R-Wis.), chairman of the Senate Homeland Security Committee, told The Hill last week.

Sen. Gary Peters (Mich.), the top Democrat on the committee, told reporters it’s an issue that “needs some further attention” and one that isn’t going away anytime soon.

“We’re likely to see this not just with Iran, but in the future you are going to see cyber as one of the main domains of warfare going forward,” Peters said. “So it’s important to try to get our arms around how we would define it.”

While Iran has been considered a major cyber adversary, joining the ranks of Russia, China and North Korea, its threat level spiked this month after President Trump ordered a drone strike that killed Iranian Gen. Qassem Soleimani.

The Department of Homeland Security (DHS) and FBI subsequently issued a bulletin to law enforcement and briefed lawmakers of the threat of retaliation. The Cybersecurity and Infrastructure Security Agency at DHS issued a separate notification warning of Iranian cyber threats.

But what kind of cyber aggression might spark a return to hostilities remains unclear.