By the laws of war, there is historically only one "just cause" for war: a defense to aggression, as previously mentioned. But since aggression is usually understood to mean that human lives are directly in jeopardy, it becomes difficult to justify military response to a cyberattack that does not cause kinetic or physical harm as in a conventional or Clausewitzian sense, such as the disruption of a computer system or infrastructure that directly kills no one. Further, in cyberspace, it may be difficult to distinguish an attack from espionage or vandalism, neither of which historically is enough to trigger a military response. For instance, a clever cyberattack can be subtle and hard to distinguish from routine breakdowns and malfunctions.
If aggression in cyberspace is not tied to actual physical harm or threat to lives, it is unclear then how we should understand it.
If aggression in cyberspace is not tied to actual physical harm or threat to lives, it is unclear then how we should understand it. Does it count as aggression when malicious software has been installed on a computer system that an adversary believes will be triggered? Or maybe the very act of installing malicious software is an attack itself, much like installing a landmine? What about unsuccessful attempts to install malicious software? Do these count as war-triggering aggression -- or mere crimes, which do not fall under the laws of war? Traditional military ethics would answer all these questions negatively, but in the debate over the legitimacy of preemptive and preventative war, the answers are more complex and elusive.
Relatedly, insofar as most cyberattacks do not directly target lives, are they as serious as conventional attacks? Organized cybervandalism could be serious if it prevents a society from meeting basic human needs like providing food. A lesser but still serious case was the denial-of-service cyberattacks on media-infrastructure websites in the country of Georgia in 2008, which prevented the government from communicating with its citizens.
The laws of war prohibit the targeting of noncombatants, since they do not pose a military threat. Most theorists accept a "double effect" in which some noncombatants could be unintentionally harmed, i.e., collateral damage, in pursuing important military objectives, though other scholars defend more stringent requirements and greater protections for noncombatants. Some challenge whether noncombatant immunity is really a preeminent value, but the issue undoubtedly has taken center stage in just-war theory and therefore the laws of war.
It is unclear how discriminatory cyberwarfare can be. If victims use fixed Internet addresses for their key infrastructure systems, and these could be found by an adversary, then they could be targeted precisely. However, victims are unlikely to be so cooperative. Therefore, effective cyberattacks need to search for targets and spread the attack, but as with biological viruses, this creates the risk of spreading to noncombatants: while noncombatants might not be targeted, there are also no safeguards to help avoid them. The Stuxnet worm in 2010 was intended to target Iranian nuclear processing facilities, but it spread far beyond intended targets. Although its damage was highly constrained, its quick, broad infection through vulnerabilities in the Microsoft Windows operating system was noticed and required upgrades to antivirus software worldwide, incurring a cost to nearly everyone. The worm also inspired clever ideas for new exploits currently being used, another cost to everyone. Arguably, then, Stuxnet did incur some collateral damage.