It's time to get serious about the moral questions resulting from our new class of weapons.
In the last week or so, cyberwarfare has made front-page news: the United States may have been behind the Stuxnet cyberattack on Iran; Iran may have suffered another digital attack with the Flame virus; and our military and industrial computer chips may or may not be compromised by backdoor switches implanted by China. These revelations suggest that the way we fight wars is changing, and so are the rules.
This digital evolution means that it is now less clear what kind of events should reasonably trigger a war, as well as how and when new technologies may be used. With cyberweapons, a war theoretically could be waged without casualties or political risk, so their attractiveness is great -- maybe so irresistible that nations are tempted to use them before such aggression is justified. This essay identifies some important ethical issues that have been upturned by these emerging digital weapons, which in turn help explain why national cyberdefense is such a difficult policy area.
How we justify and prosecute a war matters. For instance, the last U.S. presidency proposed a doctrine of preventive or preemptive war, known as the "Bush doctrine," which asked, if a nation knows it will be attacked, why wait for the damage to be done before it retaliates? But this policy breaks from the just-war tradition, which historically gives moral permission for a nation to enter war only in self-defense. This tradition says that waging war -- a terrible evil that is to be avoided when possible -- requires a nation to have the righteous reason of protecting itself from further unprovoked attacks.
With the Bush doctrine, the U.S. seeks to expand the triggers for war -- and this could backfire spectacularly. For instance, Iran reports contemplating a preemptive attack on the U.S. and Israel, because it believes that one or both will attack Iran first. Because intentions between nations are easy to misread, especially between radically different cultures and during an election year, it could very well be that the U.S. and Israel are merely posturing as a gambit to pressure Iran to open its nuclear program to international inspection. However, if Iran were to attack first, it would seem hypocritical for the U.S .to complain, since the U.S. already endorsed the same policy of first strike.
A big problem with a first-strike policy is that there are few scenarios in which we can confidently and accurately say that an attack is imminent. Many threats or bluffs that were never intended to escalate into armed conflict can be mistaken as "imminent" attacks. This epistemic gap in the Bush doctrine introduces a potentially catastrophic risk: The nation delivering a preemptive or preventative first strike may turn out to be the unjustified aggressor and not the would-be victim, if the adversary really was not going to attack first.
Further, by not saving war as a last resort -- after all negotiations have failed and after an actual attack, a clear act of war -- the Bush doctrine opens the possibility that the U.S. (and any other nation that adopts such a policy) may become ensnared in avoidable wars. At the least, this would cause harm that otherwise might not have occurred to the warring parties, and it may set up an overly stretched military for failure, if battles are not chosen more wisely.
What does this have to do with cyberwarfare? Our world is increasingly wired, with new online channels for communication and services interwoven into our lives virtually every day. This also means new channels for warfare. Indeed, a target in cyberspace is more appealing than conventional physical targets, since the aggressor would not need to incur the expense and risk of transporting equipment and deploying troops across borders into enemy territory, not to mention the political risk of casualties. Cyberweapons could be used to attack anonymously at a distance while still causing much mayhem, on targets ranging from banks to media to military organizations. Thus, cyberweapons would seem to be an excellent choice for an unprovoked surprise strike.
Today, many nations have the capability to strike in cyberspace -- but should they? International humanitarian laws, or the "laws of war", were not written with cyberspace in mind. So we face a large policy gap, which organizations internationally have tried to address in recent years, such as the U.S. National Research Council. But there is also a gap in developing the ethics behind policies. We describe below some key issues related to ethics that need attention.
By the laws of war, there is historically only one "just cause" for war: a defense to aggression, as previously mentioned. But since aggression is usually understood to mean that human lives are directly in jeopardy, it becomes difficult to justify military response to a cyberattack that does not cause kinetic or physical harm as in a conventional or Clausewitzian sense, such as the disruption of a computer system or infrastructure that directly kills no one. Further, in cyberspace, it may be difficult to distinguish an attack from espionage or vandalism, neither of which historically is enough to trigger a military response. For instance, a clever cyberattack can be subtle and hard to distinguish from routine breakdowns and malfunctions.
If aggression in cyberspace is not tied to actual physical harm or threat to lives, it is unclear then how we should understand it.
If aggression in cyberspace is not tied to actual physical harm or threat to lives, it is unclear then how we should understand it. Does it count as aggression when malicious software has been installed on a computer system that an adversary believes will be triggered? Or maybe the very act of installing malicious software is an attack itself, much like installing a landmine? What about unsuccessful attempts to install malicious software? Do these count as war-triggering aggression -- or mere crimes, which do not fall under the laws of war? Traditional military ethics would answer all these questions negatively, but in the debate over the legitimacy of preemptive and preventative war, the answers are more complex and elusive.
Relatedly, insofar as most cyberattacks do not directly target lives, are they as serious as conventional attacks? Organized cybervandalism could be serious if it prevents a society from meeting basic human needs like providing food. A lesser but still serious case was the denial-of-service cyberattacks on media-infrastructure websites in the country of Georgia in 2008, which prevented the government from communicating with its citizens.
The laws of war prohibit the targeting of noncombatants, since they do not pose a military threat. Most theorists accept a "double effect" in which some noncombatants could be unintentionally harmed, i.e., collateral damage, in pursuing important military objectives, though other scholars defend more stringent requirements and greater protections for noncombatants. Some challenge whether noncombatant immunity is really a preeminent value, but the issue undoubtedly has taken center stage in just-war theory and therefore the laws of war.
It is unclear how discriminatory cyberwarfare can be. If victims use fixed Internet addresses for their key infrastructure systems, and these could be found by an adversary, then they could be targeted precisely. However, victims are unlikely to be so cooperative. Therefore, effective cyberattacks need to search for targets and spread the attack, but as with biological viruses, this creates the risk of spreading to noncombatants: while noncombatants might not be targeted, there are also no safeguards to help avoid them. The Stuxnet worm in 2010 was intended to target Iranian nuclear processing facilities, but it spread far beyond intended targets. Although its damage was highly constrained, its quick, broad infection through vulnerabilities in the Microsoft Windows operating system was noticed and required upgrades to antivirus software worldwide, incurring a cost to nearly everyone. The worm also inspired clever ideas for new exploits currently being used, another cost to everyone. Arguably, then, Stuxnet did incur some collateral damage.