China’s foreign minister has advocated a system of cyber rules in response to accusations regarding online operations. The US echoed the call, with National Security Advisor Tom Donilon saying that dialogue is needed “to define acceptable norms of behaviour in cyberspace”. But the question remains, what rules do we need to regulate cyber warfare?
“Cyber conflict” refers to actions by states in cyberspace that deliberately seek to harm other governments. Cyber attacks can be directed at military and non-military targets, private entities pertinent to national security, or entities that, if disrupted, would adversely impact citizens’ daily lives.
The internet is ubiquitous: societies depend on it for communication, commerce, and information. So it is not surprising that the US has vowed to respond to intrusions with its own offensive cyber tactics.
Despite this rhetoric, a perplexing aspect of the cyber realm so far has been the lack of serious attacks among interstate competitors, especially considering the worst case scenarios promoted in the media. This has so far limited the damage to civilians and critical, non-military systems. As such, a good initial move would be to push the current limited usage of cyber tactics into a standard policy outcome.
The cyberspace community is open to control by those at the forefront of technological development. The ones who use new tactics early are the ones who set the norms. This tells us that a global system of best practices may be the most effective way to regulate the use of rapid advancements in cyber technology. But current efforts to delineate a system of legality for cyber activity seem to focus on justifying actions, rather than developing a system of best practices.
“Just war” theory offers just such a system. It considers the moral application of conventional force and its limitations. Early formulations of “just war” by Augustine and Thomas Aquinas take notions like proportionality, limiting civilian casualties, and the use of tactics as a last resort to create a community beholden to ideas of justice and restraint.
The basics of the “just war” tradition hold that violence is justified when carried out for the public good, in order to restore rather than destroy. Thomas Aquinas was very specific about the conditions he viewed as necessary for a just war. There must be a ruler who has the authority to conduct a war. A just cause is required: a nod to Augustine’s notion of war to avenge injuries. And finally, the war must be made with the right intentions.
Aquinas also noted that actions taken in self defence are only justified if they are proportionate to the initial aggression. The concepts of proportionality, authority, and a just cause will be critical aspects of a system of justice for the cyber domain. So will the principle of “discrimination”, which involves the conscious distinction between combatants and non-combatants, and grants the latter immunity from direct attack.
The just war tradition has grown through the years, adding clauses and considerations. These have included notions like last resort, clear declarations of causes and aims of war, and the need for a reasonable chance of success for combat operations. Cyber conflict is a situation to which existing just war norms can be applied; the question is which ones? And how?
The US considers non-combatant immunity, the authority of the sovereign, and the continuation of legal norms in war to be important characteristics in cyber actions. But it gives no consideration to proportionality or last resort, and ignores just war doctrine regarding preemptive attacks. Whatever its rhetoric, the US has acted preemptively, aggressively, and offensively, as have China and Russia. And there has been speculation recently that Iran and North Korea have done so too.
It seems critical to limit the worst practices in cyberspace. These are offensive, preemptive or retaliatory actions, which do not consider the scope of the action and the potential for civilian harm. This means that the consideration of violence as a last resort might not apply to cyber conflict. Lower level cyber operations could be permitted if done with the right intention, as long as dramatic actions that result in death are only done as a last resort.
Other actions that would be dangerous in the cyber realm include ones which aren’t authorised by a legitimate sovereign and those that do not limit harm to civilians. One example might be an attack which could replicate into civilian systems without time sensitive cut-off points. These actions could have dangerous repercussions for both individual states and the international community.
Intention will also prove an important consideration for cyber operations, echoing the just war tradition’s dictate to avoid evil. Powers should only act with good intentions to restore a right or prevent further harm. An attack such as Stuxnet might be justified if it was carried out to limit harm to civilians and individuals by preventing the launch of a direct military attack.
Avoiding collateral damage and observing non-combatant immunity remains the highest condition in cyber operations. The wider repercussions of cyber actions should limit the practice: cyber actions are unpredictable in nature, which often means that damage cannot be limited to military targets. If this is even a possibility, the actions should be restricted.
This issue also highlights the notion of proportionality. No matter how small a state may be, or how incapable of conventional violence, using disproportionate force in the fifth domain only incentivises a massive conventional response by the targeted state.
The best method to control the escalation and proliferation of cyber technologies is to avoid using them for offensive purposes, but also not to respond to their use with conventional methods. If the goal is to reduce tragedy, the cyber realm should be held sacred. Cyber dependence is bringing to light new vulnerabilities and possibilities for all nations. The rush to securitise the cyber domain will be distressing if it cuts off connections and avenues of growth that might otherwise benefit society. It is for these reasons that we need moral and ethical guidelines for cyber practices.