![Sample our Humanities journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5939/TOC-Subject-Sample-2021-Humanities.jpg"})
Abstract
My aim in this paper is to reflect on a very narrow question: under what conditions might a cyber-attack provide a just cause for war? I begin by articulating what makes for a just cause, briefly address the problem of attribution, and then discuss three broad categories of cyber-attack: those that clearly do not satisfy the just cause requirement, those that clearly do satisfy the just cause requirement, and three ambiguous cases – the destruction of property, the emplacement of logic bombs, and the failure to prevent cyber-attacks. My conclusions are exploratory and suggestive rather than definitive, partly by virtue of the extreme paucity of literature on the moral assessment of cyberwar.
Notes
1. This is a question that Bradley Strawser (Citation2012) most ably addressed in a paper recently given at the 2012 McCain Conference on the ethics of cyberwar.
2. I provide a much fuller account in an unpublished manuscript, God and War: An Exploration. I should note that implicit in my understanding of the just cause requirement is a conception of justice that has been worked out in considerable detail by Wolterstorff (Citation2010).
3. Many of its most prominent contemporary advocates take such a presumption to be an essential constituent of the JWT. Included in this number are particular theorists – James Childress, Rowan Williams, Robert B. Miller, and C. A. J. Coady – as well as institutional agents – most prominently, the US National Conference of Catholic Bishops. Some adherents of the JWT, notably James Turner Johnson (Citation2009: 250), have decried its inclusion into the JWT as ‘grievously wrong,’ practically misguided, and unfaithful to tradition.
4.
… The Internet is one big masquerade ball. You can hide behind aliases, you can hide behind proxy servers, and you can surreptitiously enslave other computers to do your dirty work. This is a cruel irony: If you want to shield your identity as you go about your business, it's extremely difficult. But if you want to hide your identity in order to attack a person or institution, it's unnervingly easy. (Brenner Citation2011: 32)
On the problem of attribution generally, see Dipert (Citation2010).
5. In a recent address, Secretary of State Leon Panetta (2012) informs us that the US government has ‘made significant investments in forensics to address th[e] problem of attribution’ and that ‘[p]otential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America’.
6. Of course, there is always the possibility that the perpetrator of an otherwise unattributable cyber-attack admits to having done so, as the US government has admitted to having attacked Iran with the Stuxnet virus (Stunext Was Work of US and Israeli Experts, Officials Say, Washington Post, 1 June 2012). So long as that claim of responsibility is credible, the problem of attribution effectively evaporates.
7.
Distributed denial of service “attacks,” extraction or modification of information, website vandalism, as well as insertion of malicious code designed to damage, or destroy, data and systems, are all referred to as “cyber attack” or even “cyber warfare” regardless of whether these activities result in death, destruction of property, or merely the loss of information. Intrusions and other activity conducted by disgruntled employees, teen-age hackers, and criminals, are typically not distinguished from those by terrorists or foreign intelligence and military personnel. (Huntley Citation2010: 4)
8. Note that I am not claiming that the DDoS attacks on Estonia provided a just cause but that a military response would have been disproportionate. Rather, I deny that those wrongful attacks were sufficiently weighty as to provide a just cause for war. Bluntly put, the DDoS attacks on Estonia were similar in one morally relevant respect to the ‘insult to Russian honor’ that putatively provided the Russians with just cause to launch the DDoS attacks: even if the destruction of the commemorative statue dishonored Russia, it was not even remotely a weighty enough violation to provide a just cause for war. Of course, if a cyber-attack does provide a just cause for war, it is possible that war is nevertheless impermissible – should a military response violate the JWT's ad bellum proportionality requirement. My thanks to an anonymous referee for raising this point.
9. It might seem that the DDoS attack on Estonia was similar in relevant respects to an unjust blockade; at least it had blockade-like economic consequences. A nation-state that is targeted by a blockade might very well take itself to have a just cause for war. Consequently, a nation-state that is targeted by a DDoS attack, like that directed against Estonia, might very well take itself to have a just cause for war – as did some Estonians. But I doubt that the DDoS attack against Estonia was relevantly similar to the imposition of an unjust blockade. Indeed, it seems to have far more in common with the wrongful imposition of sanctions than with a blockade. Most pertinently, although blockades, sanctions, and DDoS attacks inflict economic harm, only blockades inflict economic harm by threatening lethal military violence. Sanctions and DDoS attacks inflict economic harm absent any lethal violence, threatened or otherwise. Plausibly, unjust DDoS attacks have roughly the same moral status as the imposition of unjust sanctions – so long as they inflict comparable economic harm. Given that the imposition of sanctions does not by itself provide a just cause for war, it is plausible to suppose that DDoS attacks on Estonia cannot by themselves satisfy the just cause requirement. My thanks to an anonymous referee for raising this point.
10. There are many important moral questions raised by these kinds of ‘communal conflicts short of war.’ So far as I am concerned they lie beyond the purview of the JWT and – even more so – far beyond the scope of this paper.
11. Iran might have responded to the Stuxnet virus with malware of its own – the so-called ‘Sharoom’ virus ‘virtually destroyed’ some 30,000 computers owned by the Saudi Arabian Oil Company Aramco (Panetta Citation2012). If Sharoom was a response to Stuxnet, then it was almost certainly impermissible, as it failed to target any party to the Stuxnet attack. Nevertheless, if the Stuxnet attack was unjust, and if the Sharoom virus had been directed at Stuxnet's actual perpetrator(s), it might very well have been a morally permissible response. The destruction of 30,000 computers seems an entirely apt response to the unjust destruction of nuclear centrifuges.
12. The kind of threat inflation committed by the Estonian Speaker is, in my experience, exceedingly common in the ever-proliferating discussions of cyberwar in the media. So, for example, a news commentator responded to Secretary of State Panetta's (Citation2012) recent warning about an impending cyber ‘Pearl Harbor’ by insisting that the United States had already committed a ‘Pearl Harbor’ of its own – the deployment of the Stuxnet virus to destroy Iranian centrifuges. But this assessment of the Stuxnet virus is morally obtuse – the two attacks have vastly differential normative weight – with respect both to their immediate destructiveness and to the plans they helped to enact.
13. Richard Clarke: ‘As one pilot told me, “Aircraft these days, whether it's the F-22 Raptor or the Boeing 787 … all they are is a bunch of software that happens to be flying through the air. Mess with the software and it stops flying through the air”’ (Clarke & Knake Citation2010: 174).
14. My sense is that those most concerned about the dangers of cyberwar have their eye on future attacks made possible by ever-increasing dependence on software, and are more than willing to admit that the cyber-attacks that have actually been carried out have had comparatively mild consequences. See Clarke & Knake (Citation2010: 32).
15. As Randall Dipert (2010) has noted, a cyber-attack can also impede technology from performing its designated function.
16. I rely on the account provided in David Sanger (2012: 188ff).
17. What then of the Stuxnet virus? Because no human being was killed, because there is no indication whatsoever that the damage caused by the Stuxnet virus is in any way a prelude to the future killing of innocents, because the destruction inflicted by the Stuxnet virus was, and looks to be, merely economic, that cyber-attack provides the Iranians with no just cause for war. As I noted above, however, it might provide ‘just cause’ for retaliatory measures short of war.
18. A comparable point applies to the purchase of compromised hardware, as discussed by Randall Dipert in his essay in this issue of Journal of Military Ethics.
19. Apparently, ‘patriotic hackers’ from the United States launched DDoS attacks on Iranian government websites in order to ‘thwart their ability to spread lies and propaganda’ (Morozov Citation2011: 227).
