In conventional warfare, it’s accepted that if a state finds itself under attack, it’s entitled to respond – either with defensive force, or with a counterattack. But it’s less clear how countries should respond to cyberattacks: state-backed hacks which often have dangerous real-world implications.
The 2020 SolarWinds hack, attributed to state-backed Russian hackers, breached security at around 100 private companies. But it also infiltrated nine US federal agencies – including theUS Energy Department, which oversees the country’s nuclear weapons stockpile.
Such attacks are expected to become more common. Recently, the UK’s2021 Strategic Defence Reviewconfirmed the creation of a “National Cyber Force” tasked with developing effective offensive responses to such cyberattacks, which could even includeresponding to them with nuclear weapons.
Philosophers like myself would urge caution and restraint here. As cyberattacks are new and ambiguous forms of threat, careful ethical consideration should take place before we decide upon appropriate responses.
‘Just war’ theory
Calling all Scaleup founders! Join the Soonicorn Summit on November 28 in Amsterdam.
Meet with the leaders of Picnic, Miro, Carbon Equity and more during this exclusive event dedicated to Scaleup Founders!
We already have a millennia-old framework designed to regulate the use of physical force in wars. It’s called “just war theory”, and its rules determine whether or not it’s morally justified to launch military operations against a target. Given how cyber systems can be weaponized, it seems natural for ethicists to build “cyberwar” into existing just war theory.
But not everyone is convinced.Scepticsdoubt whether cyberwar requires new ethics, with some even questioning whethercyberwar is actually possible.Radicals, meanwhile, believe cyberwar requires a wholesale rethink, and are building an entirely new theory of “just information war”.
Read more:Cyber attacks are rewriting the ‘rules’ of modern warfare – and we aren’t prepared for the consequences
Lending credence to the radicals’ claim is the assumption that cyberattacks are fundamentally different from physical force. After all, while conventional military force targets human bodies and their built environment, cyberattacks chiefly harm data and virtual objects. Crucially, while physical attacks are “violent”, cyberattacks seem to present – if anything – an alternative to violence.
On the other hand, some ethicists highlight the fact that cyber operations can sometimes lead to physical harm. For instance, when hackersinfiltrated the systemcontrolling the fresh water supply in Oldsmar, Florida, in February 2021, they weaponized physical infrastructure by attempting to poison the water. And a ransomware attack on a Düsseldorf hospital in September 2020 actually contributed to thedeath of a patient.
Espionage or attack?
Clearly, cyberattacks can result in grave harms that states have a responsibility to defend their citizens against. But cyberattacks areambiguous– US senator Mitt Romney characterized the SolarWinds hack as “an invasion”, while Mark Warner of the US Senate Intelligence Committee placed it “in that grey area between espionage and an attack”.
Read more:We aren’t in a cyber war – despite what Britain’s top general thinks
For defence agencies, the difference matters. If they regard state-backed hacks as attacks, they may believe themselves entitled to launch offensive counterattacks. But if hacks are just espionage, they may be dismissed asbusiness as usual, part of the everyday intelligence work of states.
In just war theory, some “revisionist” philosophers find it useful to go back to basics. They analyse individual threats and acts of violence in isolation before carefully building up a robust theory of complex,large-scale war. Because cyber-attacks are new and ambiguous, the revisionist approach may help us decide how best to respond to them.
Cyber violence
I have argued previously that some cyber-attacks areacts of violence. That’s partially because, as noted above, cyberattacks can cause grave physical harms just like conventional violence.
But the gravity of harms alone doesn’t help us categorize cyber-attacks as acts of violence. Think of the myriad ways that the often lethal harm of a coronavirus infection can be transmitted: throughrecklessness, negligence, or mischief; by accident; and even sometimesas a byproductof an otherwise legitimate policy.
We wouldn’t say these harms resulted from violence, and nor would we argue that defensive violence is an appropriate response to them. Instead, what seems to make some cyber operations violent attacks – rather than mere espionage – is that they express similar sorts of intention to those expressed in physical violence.
Intentionality
To explore how, consider an example of physical violence: someone shooting a distant, unwitting human target with a long-range rifle.
Like all agents of violence, the sniper seems to intend one thing,but really intends two. First, she intends to harm her target. But second, and less obviously, she intends to dominate her target. The target has no means of evading or deflecting the threat of the bullet.
This relationship, of domination versus defencelessness, can be established by any number of technologies, from swinging a club to launching a rocket from a remote drone. In these cases the threat is undetectable – like a cyberattack on drinking water, you don’t know anything is wrong until it’s too late.
Many cyberattackshave a similar profile. They establish technical domination by creating a vulnerability and positioning themselves to execute harm at the hacker’s will. Like boobytrap bombs, they leverage secrecy and surprise to keep their victims from acting until it’s too late.
If some cyberattacks are acts of violence, then perhaps they could justify defensive violence or counterattack. That would depend on the degree of destruction threatened, and defenders would still have to satisfy age-oldjust warrules.
But the same premise means that employing offensive cyber-attacks ought to be seen as a grave matter – as grave, in some cases, as physical attacks. It is vital, then, that the UK’s new National Cyber Force directs its operations with the same care and restraint as if they were using military weapons in a conventional war.
This article byChristopher J. Finlay, Professor in Political Theory,Durham University, is republished fromThe Conversationunder a Creative Commons license. Read theoriginal article.
Story byThe Conversation
An independent news and commentary website produced by academics and journalists.An independent news and commentary website produced by academics and journalists.
Get the TNW newsletter
Get the most important tech news in your inbox each week.
