The Ethics of Cyber Warfare

As modern society advances technologically, information networks have become vulnerable to wrongdoing by malicious states and non-state actors. With recent strikes affecting critical infrastructures around the globe, the threats associated with cyber-attacks no longer seem the stuff of science fiction. While the world has not yet faced extreme, catastrophic cyber assaults, our dependency on information networks exposes us to potentially devastating attacks. For, these technologies present attractive targets for cyber attackers aiming to undermine national interests, or even to threaten state sovereignty. This essay draws upon Just War Theory to examine the military responses that are morally permissible in the face of a cyber-attack, interrogating the doctrine’s existing norms for this burgeoning field of coercive engagement. Indeed, certain cyber-attacks originating from a state’s government can be considered acts of war when analogous to conventional attacks either in means or in effect. These cases may justify a self-defensive response from victim states. Cyber responses are preferable to conventional responses in these cases, depending on the victim’s technological capabilities. However, the realities of cyber engagement have particular qualities, which, in contrast to other forms of conflict, render these more straightforward ethical norms less applicable. Firstly, the most dangerous cyber-attacks are not physically immediate in the way of traditional weapons. Thus, ethical norms based mainly on the (im)permissibility of physical violence are less straightforwardly applicable to cyber-attacks without considering the grave, physically harmful potential of targeting immaterial code. Secondly, and more importantly, cyber-attacks are often difficult to credibly attribute. The epistemological problem associated with an unattributed cyber-attack leaves its victim at a seeming impasse: if the state cannot credibly identify its aggressor, how can it justify a counter-strike? This paper takes a different, less traditional approach towards the difficulty of attribution, as well as towards the justified responses to identified non-state actors. I argue that according to the present legal and military norms, the epistemological bar for justified military retaliation is set at a level that may be appropriate for conventional attacks, but inappropriately high for cyber-attacks. While very precise attribution to the source computer(s) may not be possible in many cases, the state from which the attack originated can more readily be identified. I contend that if a cyber-attack can be reliably traced to the territory of a particular state, this state should be held at least partially responsible for the attack. Calling for robust enforcement of the norms codified in the Budapest Convention on Cyber crime, I argue that if a state becomes a frequent launchpad for cyber-attacks, does not reasonably cooperate with victims to identify perpetrators, and fails to enforce criminal laws prosecuting such attacks, the state may ultimately be liable for these attacks. If diplomatic means prove ineffective, victim states would be justified in a reprisal. This punitive form of retaliation would only be permissible in a narrow array of cases and should only be limited to temporarily disabling the launchpad state’s cyber testing capabilities.