Conceptualizing Cyberwar
Last Tuesday’s Wall Street Journal (November 10, 2015) carried a front-page story titled “Ukraine: Cyberwar’s Hottest Front.” A few weeks earlier, the Journal had carried a related front-page article, “Cyberwar Ignites a New Arms Race” (October 11, 2015) – subtitled “Dozens of countries amass cyberweapons, reconfigure militaries to meet threat.” Militaries and policy-makers around the world have awoken to the fact that cyberwarfare is already a r
Published by The Lawfare Institute
in Cooperation With
Last Tuesday’s Wall Street Journal (November 10, 2015) carried a front-page story titled “Ukraine: Cyberwar’s Hottest Front.” A few weeks earlier, the Journal had carried a related front-page article, “Cyberwar Ignites a New Arms Race” (October 11, 2015) – subtitled “Dozens of countries amass cyberweapons, reconfigure militaries to meet threat.” Militaries and policy-makers around the world have awoken to the fact that cyberwarfare is already a reality in such places as Ukraine and that in various ways, it will be a permanent, evolving part of the war-fighting landscape.
Recognition of this new landscape has not resolved certain fundamental conceptual questions, however. These start with the most basic - whether, for example, cyberwarfare should actually be considered "war" or “armed conflict” at all, at least within the existing ethical and legal frameworks of “kinetic” warfare, and even within the "theory of war" itself. The questions go from there to ask how one might differentiate between cyberwar (to which some version of the existing rules of war presumably apply) and cybersecurity (under the rules of law enforcement and crime, not as armed conflict).
There have been influential efforts to answer some of these questions (the Tallinn Manual, most notably, resulting from discussions among 20 leading law of armed conflict experts and edited by the formidable LOAC scholar Michael Schmitt). Still, basic categories and questions remain open and intellectually contested. Given international political developments of the last several years, these basic framework questions take on increasing urgency.
Cyberwar: Law and Ethics for Virtual Conflicts is an edited volume of essays arising out of a 2012 conference at the University of Pennsylvania Law School’s Center for Ethics and the Rule of Law (CERL). CERL (directed by one of the editors of this volume, Penn law and philosophy professor Claire Finkelstein) has convened outstanding conferences over the past few years on current topics in the law and ethics of war, including drone warfare and autonomous weapons – conference papers in several instances appearing in edited volumes from OUP. The book’s other two editors are both highly regarded scholars, Jens David Ohlin (Cornell University Law School) and Kevin Govern (Ave Maria School of Law).
Many Lawfare readers (this reviewer among them) are often dubious about picking up edited volumes, particularly ones publishing conference papers. The papers are typically too disconnected from one other to create a whole that’s greater than the parts. (Most of the time, the papers would be more useful posted individually to SSRN and made available worldwide on the Internet and without cost.) This edited volume is an exception. The editors have made considerable efforts to think through the structure of the book and, to judge by the final results, appear to have worked to a larger degree than usual with chapter authors in order to ensure that the articles intertwine with each other.
Claire Finkelstein and Kevin Govern’s admirably clear Introduction (pdf link at SSRN) also contributes greatly to creating a dialogue among the individual chapters. As they note, cyberwar as "war" in either a legal or moral sense is a contested question; moreover, it raises fundamental questions of the "theory of war" itself and, by extension, theories of just war that depend (as moral theories) on the criteria used to determine what falls under the moral domain of just war ethics in the first place:
It is often debated whether cyber attacks constitute true acts of war. Those who offer a negative answer to that question maintain that since cyber attacks can cause only limited damage, mostly of an economic nature, such acts do not belong to the domain of war. Those who answer affirmatively maintain the irrelevance of the fact that cyber attacks do not cause physical damage on the grounds that this argument fails to consider the secondary effects of infrastructure failure, particularly where the quality of civilian life is concerned. They point out that one need only recall the loss of life routinely caused by systems failures from electrical surges during fairly routine temperature spikes in the summer months to recognize the destructive potential of cyber attacks. In addition, they argue that the massive damage that cyber attacks can cause, and the serious use of such attacks as an alternative to kinetic attacks in war, belies such claims. Cyberweapons and cyberwarfare are now considered by the FBI to be the number one threat to national security.
On the side of the latter position, the US government has taken a functional view of the notion of war and declared cyber attacks as acts of war given that cyber attacks increasingly serve the function that kinetic attacks have historically served. It therefore becomes harder and harder to see such acts as limited to economic and financial destruction. In response, however, those who reject cyber attacks as acts of war may argue that the point is not that cyber attacks fail to cause destruction, but that the nature of the destruction is unclear. Brown-outs are a case in point: while damage from such events may be significant, no one would label them acts of war as a result. Once again, cyber events appear to challenge the traditional categories in war, leaving our theoretical accounts of war in search of an object.
A further difficulty with the functional characterization of cyber attacks as acts of war is that it does not specify the theory of war against which this judgment is being made, and arguably such a theory is necessary in order to know whether a certain characterization of acts of destruction should qualify them as acts of war. Traditional models of warfare are problematic in this regard, since they have all been implicitly called into question by the dramatic changes in the nature of warfare itself. In addition to the advent of cyber attacks and the introduction of other new technologies, there is a fundamental shift in features that formerly characterized acts of war in the first place, and it may seem that the theory of war must evolve as quickly as the emergence of challenging marginal cases whose identity we are seeking to understand by that theory. Because so-called "cyberwar" puts a particular strain on our traditional conception of war, it forces us to return to the basic building blocks of just war theory and to re-examine the theory of war in light of striking new examples.
This book has a number of outstanding essays directed largely to the conceptual architecture for thinking about cyberwar. To be sure, 2012 - the date of the original University of Pennsylvania conference - is a long time ago in terms of cyber developments. But the book retains its relevance, in large part because many of the book’s essays have a more philosophical connection (perennial questions, etc.) to law and policy than most other interventions on cyber. It will continue to have a shelf life so long as the basic conceptual, moral, and legal categories of cyberwar are contested issues.
