In conventional warfare, it’s accepted that if a state finds itself under attack, it’s entitled to respond – either with defensive force, or with a counterattack. But it’s less clear how countries should respond to cyberattacks: state-backed hacks which often have dangerous real-world implications.
The 2020 SolarWinds hack, attributed to state-backed Russian hackers, breached security at around 100 private companies. But it also infiltrated nine US federal agencies – including the US Energy Department, which oversees the country’s nuclear weapons stockpile.
Such attacks are expected to become more common. Recently, the UK’s 2021 Strategic Defence Review confirmed the creation of a “National Cyber Force” tasked with developing effective offensive responses to such cyberattacks, which could even include responding to them with nuclear weapons.
Philosophers like myself would urge caution and restraint here. As cyberattacks are new and ambiguous forms of threat, careful ethical consideration should take place before we decide upon appropriate responses.
‘Just war’ theory
We already have a millennia-old framework designed to regulate the use of physical force in wars. It’s called “just war theory”, and its rules determine whether or not it’s morally justified to launch military operations against a target. Given how cyber systems can be weaponized, it seems natural for ethicists to build “cyberwar” into existing just war theory.
But not everyone is convinced. Sceptics doubt whether cyberwar requires new ethics, with some even questioning whether cyberwar is actually possible. Radicals, meanwhile, believe cyberwar requires a wholesale rethink, and are building an entirely new theory of “just information war”.
Lending credence to the radicals’ claim is the assumption that cyberattacks are fundamentally different from physical force. After all, while conventional military force targets human bodies and their built environment, cyberattacks chiefly harm data and virtual objects. Crucially, while physical attacks are “violent”, cyberattacks seem to present – if anything – an alternative to violence.
On the other hand, some ethicists highlight the fact that cyber operations can sometimes lead to physical harm. For instance, when hackers infiltrated the system controlling the fresh water supply in Oldsmar, Florida, in February 2021, they weaponized physical infrastructure by attempting to poison the water. And a ransomware attack on a Düsseldorf hospital in September 2020 actually contributed to the death of a patient.
Espionage or attack?
Clearly, cyberattacks can result in grave harms that states have a responsibility to defend their citizens against. But cyberattacks are ambiguous – US senator Mitt Romney characterized the SolarWinds hack as “an invasion”, while Mark Warner of the US Senate Intelligence Committee placed it “in that grey area between espionage and an attack”.
For defence agencies, the difference matters. If they regard state-backed hacks as attacks, they may believe themselves entitled to launch offensive counterattacks. But if hacks are just espionage, they may be dismissed as business as usual, part of the everyday intelligence work of states.
In just war theory, some “revisionist” philosophers find it useful to go back to basics. They analyse individual threats and acts of violence in isolation before carefully building up a robust theory of complex, large-scale war. Because cyberattacks are new and ambiguous, the revisionist approach may help us decide how best to respond to them.
I have argued previously that some cyberattacks are acts of violence. That’s partially because, as noted above, cyberattacks can cause grave physical harms just like conventional violence.
But the gravity of harms alone doesn’t help us categorize cyberattacks as acts of violence. Think of the myriad ways that the often lethal harm of a coronavirus infection can be transmitted: through recklessness, negligence, or mischief; by accident; and even sometimes as a byproduct of an otherwise legitimate policy.
We wouldn’t say these harms resulted from violence, and nor would we argue that defensive violence is an appropriate response to them. Instead, what seems to make some cyber operations violent attacks – rather than mere espionage – is that they express similar sorts of intention to those expressed in physical violence.
To explore how, consider an example of physical violence: someone shooting a distant, unwitting human target with a long-range rifle.
Like all agents of violence, the sniper seems to intend one thing, but really intends two. First, she intends to harm her target. But second, and less obviously, she intends to dominate her target. The target has no means of evading or deflecting the threat of the bullet.
This relationship, of domination versus defencelessness, can be established by any number of technologies, from swinging a club to launching a rocket from a remote drone. In these cases the threat is undetectable – like a cyberattack on drinking water, you don’t know anything is wrong until it’s too late.
Many cyberattacks have a similar profile. They establish technical domination by creating a vulnerability and positioning themselves to execute harm at the hacker’s will. Like boobytrap bombs, they leverage secrecy and surprise to keep their victims from acting until it’s too late.
If some cyberattacks are acts of violence, then perhaps they could justify defensive violence or counterattack. That would depend on the degree of destruction threatened, and defenders would still have to satisfy age-old just war rules.
But the same premise means that employing offensive cyberattacks ought to be seen as a grave matter – as grave, in some cases, as physical attacks. It is vital, then, that the UK’s new National Cyber Force directs its operations with the same care and restraint as if it were using military weapons in a conventional war.