The advent of cyber conflict should push us to reassess and update the ethics of war. The ethical rules that have informed political and military leaders for generations do not provide adequate moral guidance on cyber operations in war because those rules are based on assumptions that no longer apply.
The existing ethics of war can be summarized as follows: A country is justified in waging war only in response to aggression that has violated its rights (primarily, its territory) or those of another country. War should be waged only after less lethal approaches have been tried and failed, and after the country’s legitimate political authority has publicly declared its decision. A just war’s aims must be limited to resisting the aggression, restoring the victim country’s rights and taking reasonable steps to prevent a recurrence of the aggression. The rights of countries that choose to remain neutral in a conflict should be respected.
When waging war, soldiers should attend to three principles: necessity, discrimination and proportionality. Soldiers should employ violence only as necessary to accomplish their military missions. They should discriminate between legitimate and illegitimate targets, directing their violence only at enemy combatants. Finally, given that noncombatants will be harmed in many combat actions, soldiers should try to minimize collateral damage so it is proportionally worth the good achieved by their mission.
Ethical Rules Blurred
These ethical rules assume that a country can answer three fundamental questions: Are we at war? What country are we at war against? Whom or what may we legitimately target?
The nature of cyberwarfare muddles the answers to each of those three questions.
The first question, “Are we at war?” is relatively easy to answer in the land, sea, air and space domains of war. It is a much more difficult question to answer in the cyber domain. If a foreign country’s military forces were to physically cross our country’s borders to reconnoiter our military formations and critical national infrastructure, build tunnels that bypass our defenses and leave hidden stay-behind combat forces that could attack at any time, we would rightly consider those to be acts of war. The reality is, our adversaries are doing those things to us every day in the cyber domain—and we are doing the same to them.
These violations of another country’s “sovereign cyberspace” are considered to be acts of intelligence gathering, not acts of war, perhaps because they are virtual, not physical, intrusions.
Regardless, the military effects of virtual and physical intrusions are the same. If anything, virtual intrusions are more dangerous because logic bombs are more versatile than soldiers and can be repurposed more quickly to conduct destructive operations. In the cyber domain of warfare, then, the line that demarcates peacetime and wartime operations is fuzzier than in any other domain.
The current ethical norms of war have developed over centuries under the assumption that the war/peace line is clear—that war is binary, and a country either is or isn’t at war. This war/not-war distinction is critical to contemporary military ethics. Actions that are commendable in wartime would be criminal in peacetime.
Our Eastern cyber adversaries do not approach war with the rigid war/not-war distinction that was written into the international laws of war by their Western authors. Our adversaries operate comfortably within the realm of continuous, ubiquitous cyber conflict. In contrast, we and our Western allies have struggled with how to engage ethically in cyber war when we are not legally or even publicly at war.
Are our cyber operators sometimes acting outside the bounds of conventional military ethics, engaging in acts of war when we aren’t in a state of war? Arguably, yes. Are they being asked to defend with one hand tied behind their backs against a relentless enemy, constrained because we aren’t officially at war? Indisputably, yes.
The second question, “What country are we at war against?” can be difficult to answer in cyber warfare because of the dual challenges of attribution and interconnectedness in cyberspace.
It is possible to suffer cyberattacks but be unable to determine who is responsible for them. The first principle of cyber operations is anonymity/deniability. Sophisticated cyber actors attempt to cover their tracks.
Even though U.S. cyber forces are confident they can positively attribute responsibility for any attacks, that is only half the attribution solution.
They also face the challenge of convincing the American people. Whereas an enemy’s physical attacks can be recorded on video and reported by eyewitnesses, virtual attacks cannot. Attributions of virtual attacks rely upon technical knowledge and classified methods.
Therefore, the American people will have to trust our government’s word that a country is waging cyberwar against us.
Involving Neutral Countries
Even if we know a country is attacking us with offensive cyber operations, our justified defensive actions and counterattacks are likely to violate the cyberspace of neutral countries. Information flows freely throughout the internet, passing through the infrastructure of almost every country. Thus, it is practically impossible to wage large-scale cyber operations without involving many countries that are not parties to the conflict. In fact, the battleground of cyber warfare is primarily in “in-between,” often neutral countries, where hardware and software can be more easily exploited to facilitate cyber operations. North Korea’s 2014 cyberattack on Sony Pictures, for example, passed through routers on five continents.
The third question, “Whom or what may we legitimately target?” is most relevant to military professionals. The ethics of war assume a distinction between military personnel and civilians, between combatants and noncombatants, and between military and civilian structures and equipment. Cyberwarfare complicates those distinctions. Many cyberattacks advance along commercial civilian networks. Many of our adversaries’ and our own cyber combatants are civilians. In the domain of cyber, an enemy combatant is anyone with access to the internet, hacking skills and a demonstrated willingness to do us harm.
As a result, we face ethical questions that were previously unimaginable. Consider this scenario: Motivated by patriotic fervor during a time of war against the U.S., a civilian teenager operating from his bedroom thousands of miles away in an enemy country hacks into a U.S. dam’s software and causes flooding that kills hundreds of Americans. Would it be ethical to fight back by hacking into his family’s gas stove to create an explosion that kills the cyber combatant and his family?
The ethical challenges created by uncertainties about whether we’re at war, what country we are at war against, and whom we can target are not unique to cyberwarfare. Russia’s strategy of hybrid war—using proxy forces, fake uniforms, and disinformation—is designed to create and exploit the same uncertainties, as we have seen in Ukraine. But cyberwarfare greatly increases the scale and scope of the challenges.
Update Laws of War
The current laws of war do not adequately address these challenges. The Geneva, Hague and other law-of-war conventions were necessitated by changes in the international community and technology over the past two centuries: the rise of the nation-state, mechanization, motorization, aviation, decolonization, etc. We need an update to the laws of war that takes into account the rise of the internet and corporate globalization.
A group of Western legal experts has collaborated to develop two nonbinding documents, the Tallinn Manuals, which recommend rules for cyberwar and cyberconflict. But the ongoing changes in warfare are too great—too fundamental and even revolutionary—to be addressed adequately by purely legal approaches, which tend toward incremental changes based on legal precedents.
Good jurisprudence is based on good moral philosophy. A much-needed update to the laws of war should begin with a thorough moral analysis of the nature of 21st-century warfare. That analysis would set the conditions for an informed public dialogue about morality and war. The conversations should be public because war is a public act carried out on behalf of the people and in their name. Now that cyber operations have become integrated into wartime combat operations, their role should no longer be secret. The public dialogue’s resulting consensus and contours would enable international legal experts to write a system of laws that are morally grounded, internally consistent and internationally understood.
The U.S. conceived the internet, regulates the multinational corporations that run it and pioneered cyber operations. As cyberthreats continue to grow, we should realize that our national interests increasingly converge with our national values. We should lead efforts to establish internationally recognized norms that address the unique ethical challenges created by cyber operations.