The Ethics of Cyber-War: Are we Prepared for Web War One?

Dr Matt Sleat

University of Sheffield

 

If we take history as our guide, war and violent conflict seem to be permanent albeit regrettable features of human experience. But warfare changes; and the recent introduction of cyber-weapons represents one of the most radical and far-reaching changes in how conflicts between states take place at least since the advent of nuclear weapons some 60 years ago (arguably in the history of warfare).

Cyber-space has recently been recognised as the fifth domain of warfare by the United States (alongside land, sea, air, and space) and the UK government has only in the past few months announced that its cyber-strategy now goes beyond simply securing us against cyber-attacks but actually developing our own cyber-weapons for future employment. Though the definition of cyber-war remains a matter of some intense dispute, at the most basic it is possible to say that it is an action carried out by a nation-state, usually via the internet, to perpetrate another nation’s computers or information networks for the purposes of causing damage and disruption to its critical infrastructure.

Though it might sound like science fiction or the preserve of Hollywood blockbusters (it is the focus of the fourth instalment of the excellent Die Hard franchise, for instance), cyber-war has been a part of contemporary conflicts for at least a decade. Cyber-war is here and it is happening. Yet many are beginning to question whether our traditional ethical frameworks for thinking about the morality of warfare, frameworks that were developed after World War Two in response to  conventional kinetic weapons, apply to weapons employed in the cyber realm.

I have just returned from a conference at the Centre for High Defence Studies (Rome) on ‘The Ethics of Cyber Conflict’ dedicated to exactly this issue. The conference was organised by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) and attempted to take a first step in filling the ethical and policy vacuum that currently exists at the international level in relation to cyber-war, exploring from different practical and theoretical perspectives the numerous ways in which the novelties of cyber-weapons fundamentally challenge or problematise our traditional understanding of the morality of warfare. What motivated this conference was a genuine worry (or maybe fear, if that is not putting it too strongly) that cyber-weapons will play a significant role in any future conflict, yet we currently lack an appropriate moral compass that can help us think through the novel ethical issues that this new domain of warfare gives rise to. Are we prepared for ‘Web War One’?

So what are these distinct issues that we urgently need to think through? Let me just mention a few. One of the biggest issues surrounding cyber-attacks is what is called the ‘attribution problem’. It is well-established in both ethics and law (e.g. Article 51 of the UN Charter) that a state is permitted to defend itself when it is the victim of aggressive actions on the part of another state. In traditional warfare it is more often than not very clear exactly whose tanks it is crossing your borders, whose planes are dropping bombs on your munitions factories, or whose soldiers are shooting at you (indeed such public disclosure of the identity of the aggressive actor is required by international law).

The case is very different in cyber-space. There are two main reasons for this: The first is that the internet was purposefully designed to be security-light in order to enable the greatest degree of access and communication. A consequence of this is that the vast majority of actions in cyber-space are completely anonymous and take place without requiring the declaration of one’s identity. Furthermore, it does not take a computer-expert to be able to re-route their connections through servers located anywhere else in the world, making it seem like the connection is coming from South Korea when the ‘cyber-warrior’ is sat in Skegness. The consequence of these two factors means that when an attack is taking place it is incredibly difficult to track with any high degree of certainty exactly who the aggressor state is.

This is not a theoretical problem; it has happened. For example, just before the first Iraq War (so cyber-attacks have been a feature of modern warfare for decades) the United States’ Department of Defence (DoD) realised that its network security was systematically being breached. Initially the DoD were unable to establish who was behind such breaches, though the fact that tensions between the US and Iraq were high, and that the attacks seemed to be coming from the Middle East, meant that most analysts and military chiefs strongly suspected that Sadam Hussein’s regime was responsible. It turned out that the real culprits were two Californian teenagers, aided by an Israeli man, who had managed to reroute their connections through the Middle East to mask their actions (this event has been code-named SOLAR SUNRISE). All signs reasonably pointed to Iraq. Yet they were completely innocent. And in more recent attacks, while again there is good reason to suspect that it was Russia behind attacks on Estonia and Georgia given the geopolitical situations at the time (in the case of the cyber-attacks on Georgia, the two countries were actually at war), their responsibility cannot be proven to the degree of certainty that many think would justify retaliatory response. For all we know they could indeed be totally blameless, and any military response would hence be unwarranted and potentially immoral. So the crucial question is begged: to what degree of certainty must it be possible to attribute responsibility to a state for perpetrating a cyber-attack in order for a military retaliation to be morally, let alone legally, justified? At the moment, we simply have no answer to this question.

The ‘attribution problem’ is compounded by a second issue. Unlike traditional kinetic weapons, bombs and bullets, cyber-weapons are packets of code that cannot in and of themselves harm human beings. Indeed, it is not clear that such weapons are even physical in the normal sense of the word. Furthermore, most cyber-attacks are very unlikely to cause major harm or injury to human beings. They are much more liable to be disruptive rather than violent in nature. To be sure, cyber-attacks might be seriously disruptive: they have the potential to take down entire power-grids, to significantly damage economic activity, to destroy oil or gas pipelines or uranium enrichment plants (as the Stuxnet worm, discovered in 2010, did in Iran), to cut-off a government’s pathways of communication to its people and the outside world (as happened in the Georgia attacks), and to seriously undermine a military’s command and control facilities and processes. All of these represent serious potential damage to a state’s vital interests, but none of them are acts of aggression in the traditional Clausewitzian notion of violence: in most cases of cyber-attacks no physical damage need be done to any physical object, nor are persons likely to be harmed (at least not directly). So alongside the question of who the aggressor is in any cyber-attack is the equally significant question, in the absence of any physical intrusion into a territory or actual violence to human beings, of whether a cyber-attack can rightly be considered an act of aggression? And if it is not an act of aggression, then how can any military response be justified?

So cyber-war throws into doubt the most basic questions of warfare: are we being attacked and who is attacking us? In academic and legal terms, this requires us to ask whether a cyber-attack provides a casus belli, i.e. a justification for going to war (though there are further interesting questions as to what forms of military response are appropriate to a cyber-attack: Only a retaliatory cyber-attack or could a traditional kinetic attack also be justified?). But cyber-war also poses questions for the morality of actions undertaken during a conflict, what in just war theory is called jus in bello. Most theorists believe that there are moral rules that limit what states can do to one another even when they are at war. One of the most important of these moral laws is the principle of discrimination. In both ethics and international law there is a strong prohibition against killing non-combatants, that all acts of war should be directed towards enemy combatants and not towards those who are not involved in the conflict. The killing of civilians, often classified as non-combatants or innocents, who are playing no role in the war effort is therefore prohibited.

Yet cyber-attacks can be highly indiscriminate. An attack which took down a power-grid, communication services, or significantly disrupted economic activity is likely to have major impact on both combatants and non-combatants. The deeply integrated nature of much of our critical infrastructures ensures that such discrimination would be very difficult to achieve in even the most sophisticated of cyber-attacks. Taking a more global view, once many cyber-weapons have been employed it is often the case that even those who developed it will be unable to adequately track who it will target. This is especially true for computer viruses and worms that are specifically designed to replicate themselves so as to infect numerous computers and networks. As of September 2010, for instance, the Stuxnet worm which was originally employed to infect Iranian uranium enrichment plants had been found to have infected over 100,000 computers in 155 countries across the world! That Stuxnet was designed to damage a specific target, and that the vast majority (if not all) of these over 100,000 computers were not involved in the enrichment of uranium, meant that such widespread and indiscriminate infection caused little harm. Yet a cyber-weapon that was less specific in its target and objective and which spread in a comparable manner would clearly be much more of an issue.

It is one of the ironies of cyber-war that those nations whose populace and infrastructures are most dependent upon and integrated into cyberspace, like ourselves and the US, are most vulnerable to cyber-attacks. Our dependency makes us vulnerable. And hence it is probably right that we prepare ourselves for conflict in the cyber-domain, which must include developing our own cyber-weapons. But we have a moral responsibility to properly consider the ethical ramifications of such conflict before we find ourselves faced with some of the issues I’ve briefly mentioned. Yet this discussion has only just begun.