Just War Theory and Cyberwarfare

Roger Crisp has an excellent analysis here:

In an interesting recent essay in the Atlantic – ‘Is it Possible to Wage a Just Cyberwar?’ – Patrick Lin, Fritz Allhoff, and Neil Rowe argue that events such as the Stuxnet cyberattack on Iran suggest that the way we fight wars is changing, as well as the rules that govern them. It is indeed easy to see how nations may be tempted to use cyberweapons to attack anonymously, from a distance, and without the usual financial and personnel costs of conventional warfare. (See also Mariarosaria Taddeo’s interesting recent post on this blog.)

Lin et al. raise what they claim to be certain special issues arising from cyberwarfare that are not covered by standard ethics.  But I want to suggest that, though cyberwarfare certainly raises ethical issues, they aren’t as novel as Lin et al. claim.

The first topic they discuss is aggression, which according to standard just war theory is the only just cause for war. Since this is usually taken to imply danger to human life, it may be difficult to justify a military response to a cyberattack on, say, a country’s banking system. But even if it were true that aggression usually involved a danger to life, it seems to me clear that it need not. A not uncommon experience when cycling home in Oxford late at night is for groups of drunken youths to shout abuse at one from a passing car. That’s aggression, but there’s no danger to my life or even my well-being (since it doesn’t bother me in the slightest). As Lin et al. say, it may indeed be difficult to distinguish a cyberattack from, say, espionage. But such grey areas are nothing new in warfare, especially since many possibly aggressive actions are in potential violation of treaties which are themselves open to differing interpretations. I see no reason, then, to conclude that traditional military ethics would not see even an unsuccessful attempt by a state to install malicious software in its enemy’s computer system as constituting an act of war deserving an appopriate, possibly military, response.

The next issue raised by Lin et al. is discrimination. Cyberattacks are like biological viruses (as Lin et al. themselves point out) in so far as they are likely to affect non-combatants as well as combatants. But the very mention of biological viruses itself shows that there is nothing new here. Wells in besieged towns have been poisoned by attackers for nearly three millennia.

The authors then move to proportionality. Their understanding of this is non-standard: ‘the idea that it would be wrong to cause more harm in defending against an attack than the harm of the attack in the first place’. Usually, proportionality is understood to regulate the means chosen in the light of the value of the goal achieved. So if your cyberattack has caused me huge damage, but I could respond so as to punish you and prevent your ever launching an attack on me again by inflicting much less damage, it would be disproportionate if I were to inflict on you any damage beyond that point.

But let’s take their conception of proportionality. One issue is that some cyberattacks may ‘go viral’ in ways not intended by those who launch them. But there is nothing novel about unintended consequences, and those who launch such attacks do them in the full knowledge of the risks they are imposing. Likewise, it has often been the case that those who unleash the dogs of war know full well that once released it may well be impossible to restrain them, and those who have been harmed find it hard to work out exactly how significant the harm in question is or may turn out to be.

According to Lin et al., cyberwarfare poses special problems of attribution. Combatants should be identifiable, and often in cyberwarfare they will not be, which makes it harder to avoid harming non-combatants in any response. Again, there is nothing new here. Consider, for example, those many British service personnel who worked undercover in France during the Second World War. They certainly posed some risk to ordinary French citizens who might have been confused with them. The idea of Lin et al. that treaties should be drawn up requiring that cyberattacks carry a digital signature strikes me as about as plausible as the idea that these British service personnel should have been required to wear full uniform at all times.

The authors then ask whether cyberattacks, which require people perhaps to click on some malicious link, might count as ‘perfidy’ within international law. The examples given in the 1977 Protocol added to the 1949 Geneva Convention, under article 37, are the following:

It is prohibited to kill, injure or capture an adversary by resort to perfidy. Acts inviting the confidence of an adversary to lead him to believe that he is entitled to, or is obliged to accord, protection under the rules of international law applicable in armed conflict, with intent to betray that confidence, shall constitute perfidy. The following acts are examples of perfidy:
(a) The feigning of an intent to negotiate under a flag of truce or of a surrender;
(b) The feigning of an incapacitation by wounds or sickness;
(c) The feigning of civilian, non-combatant status; and
(d) The feigning of protected status by the use of signs, emblems or uniforms of the United Nations or of neutral or other States not Parties to the conflict.

Consider for example an infected email sent by some state to its enemy’s military authorities apparently from the Red Cross. Could this not be prohibited under (d), above? I think not, since there is no feigning of protected status. An email apparently from some arms manufacturer, for example, would be equally deceptive.

Finally, Lin et al. focus on reversibility. As they point out, some cyberattacks might be reversible, with use of, say, back-up files or decryption. But, of course, the effects of some existing attacks are reversible. Cities can be rebuilt, or orchards cleared of landmines and replanted.

The technology of cyberwarfare is of course new. But the ethical issues it raises have been discussed for hundreds of years.


"The thing that bothers me about items such as the accusations and reactions in this ..."

Thank You Rod Dreher, Shame On ..."
"Hi John. I actually believe the Bible can be interpreted to convey an egalitarian view. ..."

What Women Want (Leslie Leyland Fields)
"Sin was the reason. Ungodliness.Nonsense. Evangelicals all over the place are perfectly happy to admit ..."

What Women Want (Leslie Leyland Fields)
"Is it necessary to view the Bible as fallible in order to be an egalitarian? ..."

What Women Want (Leslie Leyland Fields)

Browse Our Archives

Follow Us!

What Are Your Thoughts?leave a comment
  • Patrick

    I don’t mean to be disrespectful, but, surely the author should know we’ve never observed too many legalities in combat in the last century.

    Violating a “perfidy” clause of the Geneva conventions like this is so insignificant compared to much more acute moral flaws of modern combat, especially after air warfare was begun.

    Most every time we drop any ordnance from the sky, someone innocent dies and innocent = the Geneva convention designation. It’s hard blow up buildings and kill only an armed combatant.

    We’re so far past worrying about the Geneva conventions anyway. They are w/o meaning.

    Think about it. Would you shoot an unarmed woman and you had no doubt she was unarmed AND you had no fear of anyone else? Would you throw a grenade and kill an infant when no other fear was present?

    Only if you were a murderer.

    We do that daily and I don’t even hear the UN or the international anti war left sqauwking, certainly the American anti war movement is dead until a rightist is back in office.

    Every time we drop a bomb on a building or auto, it is likely someone is inside who is either not involved in terror or is unarmed or both. That’s more morally significant than cyberwarfare.

    On the other hand, if we do not do these murders, our options are then to send many more of our folks into captivity or death OR mind our own business and stop trying to manage global affairs.

    I’m for the last option myself and I don’t know hardly anyone else who agrees with that. The left and right want US power available to kill for their own causes. I’d like to see us return to about 1870 mentality on foreign affairs myself.

  • dopderbeck

    He is mostly wrong. The problems of attribution and proportionality are immensely difficult in the cyber domain in ways they are not in the kinetic domain. Not directly on point, but see my recent article, “Cybersecurity and Executive Power,” http://lawreview.wustl.edu/in-print/cybersecurity-and-executive-power/

  • aaronlage

    I think it is important to realize that other countries who wish harm on us could just as easily launch a cyber attack against the private sector and cause just as much if not more damage. Attacking banking systems, Wall Street or even ISP providers could very easily cost billions and throw a wrench in our economic system. If sustained attacks were launched who knows what could happen.

    Think of this – there are small town banks who are literally just now launching “online banking” products. A systematic attack against banks such as these across the rural areas of the midwest could effectively shut down these banks who have no way to prevent it. This would in turn affect agricultural loans and farmers and could easily exacerbate a midwestern drought causing food shortages, sky-high commodity prices and who knows what else.