Image: NASA Marshall
There was a moment during the First Gulf War when ideologues argued that warfare technology had reached a tipping point. Gains in efficiency would reduce casualties and destruction; supremely accurate weapons would minimize unnecessary suffering without compromising military objectives. This inaugurated the age of target bombings and stealth missions enabled by precision technology. Now, we are at the threshold of yet another tipping point for war and technology. Software interference and cyber technologies threaten mass disruption and destruction without a shot or bomb explosion. Physically waged wars—populated and won by armed bodies and manned weaponry—have given way to data and coding wars, creating vast, powerful, and yet not fully tapped, spaces and abilities.
Cyberwarfare acts are broadly understood as the use of cyber capabilities for spying or sabotage by one nation against another. However, the term “cyberaggression” can refer to everything from individual cyberbullying and harassment to sabotage that affects national interests. One example of the latter type is the infamous Stuxnet computer worm that targeted and invaded Iranian nuclear facilities in order to derail the Iranian nuclear program. The term “cyberaggression” was also applied to the April 2015 breach of cybersecurity at the White House when sensitive details of the President’s schedule were obtained. It is therefore of little surprise that civilian and military resources to wage and contain cyberaggression are on the rise. Last January, there were reports that North Korea had doubled its military cyberwarfare units to over 6,000 troops.
To be sure, it is not clear when an act is merely an instance of cyberaggression as opposed to an act of war. To complicate matters further, our conception of cyberwarfare and cyberaggression is taking shape against a background of increasing state domestic surveillance and other incursions into privacy, often defended on the basis of considerations of safety or convenience.
It is in this context that the Department of Defense (DoD) Cyber Strategy memorandum, published in April, needs to be analyzed. The document attempts to demarcate the concern of national security, the role of private citizens and, notably, the responsibilities of corporations that own cyberinfrastructure. The memo stresses cooperation between public and private actors, information sharing, reduction of vulnerabilities, more cybersecurity training, and international cooperation. Because cyberspace is so vast, individuals and corporations are called upon to be vigilant against cyberaggressions, mainly by fortifying networks. As for the DoD itself, the memo details the direction that cyber defense preparations will take in the near future. The memo portends a centralization of the efforts being built around cyberwarfare in the United States—a centralization of funding, strategy, manpower, decision-making, and, most importantly, data management.
The memo therefore reflects the rapidly evolving threat of cyberwarfare and public expectations regarding the balance between privacy and security, which have continued to change following the revelations of Edward Snowden and others. As anti-war and privacy advocates call for restraint on military and domestic security fronts, fundamental questions of just war and civil and human rights become even more important.
Much of the memo deals with strategies to arm and maintain existing infrastructures within the DoD purview. The first “cybermission” is for the DoD to protect its own through building capabilities and enhancing capabilities that already exist. However, the optimal operation of the DoD relies to a large extent on civil critical infrastructure across the United States—over 90 percent of networks and infrastructure in cyberspace are privately owned. Thus the security of such networks is also contingent on the strength of the domestic and private sectors. Moreover, because cyberspace has a particular way of evading traditional boundaries and borders, the US (as any single nation would be) is ill-equipped to address cyber risks through the mere force of isolationist will. International cooperation is also called upon given the U.S. government’s “limited and specific role to play in defending the nation against cyberattacks.”
Alarmingly, in the name of preventing and winning future cyberwars, the DoD memo outlines coordination and cooperation actions with the FBI and the Department of Homeland Security over a range of measures that once again blur the lines between public and private, the military and law enforcement. No doubt, this fusion of warfare and concern for public safety finds its roots in the post-9/11 counterterrorism regime. But the extraordinary expansion of the cyberworld in the years since 2001 has catapulted the fusion of war and policing to an entirely new level. For US citizens, this means that data gathered “passively” (and legally according to recent precedent) by the FBI through stingrays, CCTV, and surveillance drones, will be married to other data (search, IP, file size and address) gathered by the NSA, creating a superstore of data. All this data should be, according to the memo, available for war prevention and waging. Additionally, the memo calls for expansion of the once top-secret “Five Eyes” treaty group (the state parties to which include at least the USA, the UK, Canada, Australia, and New Zealand, though others also participate). According to leaked information, the “Five Eyes” comprise an information exchange used to circumvent domestic legal provisions that regulate the surveillance of citizens in each country of the group by their respective national governments. This is all in the name of prevention of cyberwar.
After arming and maintaining and preventing, the third mandate that the DoD lays out is an open-ended call for assistance with "supporting operational and contingency plans." It is in this third cybermission that both retaliation and preemption (preemptive attacks as distinguished from preventative attacks in which the ability to commit an attack is removed) reside, and where the most important questions about just war must be asked.
• • •
In asking the question of what cyberaggression is—and when such aggression constitutes an act of war—we confront questions of how to (or if it is even meaningful to) apply the old paradigms of the state and state sovereignty, and of the laws of war based on them, to the new realities of cyberspace. One of the more important aspects of the traditional laws of war is the question of proportionality. According to standard understandings of the proportionality principle, a military in war has to weigh risk to civilians against the importance of the military objective at hand and the choice of military means to achieve their objective. How would proportionality apply in cyberspace, where victimization is not necessarily physical in personal or economic terms?
Imagine, for example, that the United States assesses a variety of serious cyberthreats coming from a foreign territory—these might range from shutting down White House cybercommunications to disrupting nuclear power plant operations in the US. As a response, the United States neutralizes or erases all of the cyber content created and hosted within that foreign territory so that individuals within this territory are no longer able to have a cyberpresence, effectively wiping out communications between the conspirators behind the serious threat in question. According to Rule 51 of the Tallinn Manual—a non-binding guide to the application of international law to cyberconflicts produced by NATO—collateral damage in cyberwar is acceptable so long as it is not “excessive in relation to the concrete and direct military advantage anticipated.” If no tangible “property” was destroyed and nobody was killed, was the act proportional? Under the current laws of war, the answer could be yes. However, given how much of life has moved or expanded to cyberspace, would this answer pass moral and legal muster?
One argument that may come into play in such new scenarios is the economic one. People’s data is immensely valuable on such a large scale—some estimates put the average value of a Facebook account at $174.17. Even if only a quarter of, say, the Russian population has a Facebook presence, erasing even selective cybercontent would amount to approximately 5.2 billion dollars in damages. However, there is also an added emotional value. Social media is becoming more and more central to the lives of individuals, and the content created, curated, and “owned” in cyberspace is very personal indeed. To lose such a cache would be, to many, devastating in a way that monetary value does not account for.
Some argue that unless and until cyberaggression escalates to the point of threatening life and limb, it should not be put into the context of warfare. Others argue that response in kind does nothing to redress the act, and that physical response to certain acts of cyberaggression is the best option. Still others believe that the traditional laws of war are not applicable to cyberwarfare and cyberaggression and that explicit rules about the consequences for cyberaggression should be created. These positions only scratch the surface of the legal and moral challenges ahead.
For now, we only know cyberaggression when we see it: for instance, a quietly accomplished stealth-type undertaking of computer worms foiling plans for nuclear armament. But cyberaggression will eventually confront us in one way or another, including on larger, more disruptive, scales. Though we remain unsure about the specific forms that cyberaggression will take, it is nevertheless important that cyberaggression be put into a specific context—its distinct frame of reference—with regard to legal and moral questions. For the U.S. government and the DoD, this means thinking about wartime justice in more precise terms that, though perhaps using old paradigms, are not bound by them.