![Sample our Politics & International Relations journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5947/TOC-Subject-Sample-2021-Politics-International-Relations.jpg"})
Abstract
Cyber-weapons are software and software, at least intuitively, is non-physical. Several authors have noted that this potentially renders problematic the application of normative frameworks like UN Charter Article 2(4) to cyber-weapons. If Article 2(4) only proscribes the use of physical force, and if cyber-weapons are non-physical, then cyber-weapons fall outside the purview of Article 2(4). This article explores the physicality of software, examining Stuxnet in particular. First, I show that with a few relatively uncontroversial metaphysical claims we can secure the conclusion that Stuxnet is physical. In particular, there exist instances of Stuxnet that are both located in space and causally efficacious, and this is very strong evidence for their being physical. Second, I argue that the question of physicality is actually irrelevant for the moral evaluation of an attack like Stuxnet because of its undeniably physical effects. Finally, I argue that some features of Stuxnet should make us optimistic about the prospects for discrimination and proportionality in cyberwarfare.
ACKNOWLEDGEMENTS
I am indebted to many for their advice on previous drafts. Thanks to Alastair Norcross for his comments while this paper was in its formative stages. Thanks to Robert Rupert, Kathrin Koslicki, Leonard Kahn, and Andrew Chapman for their helpful advice in developing the arguments concerning Stuxnet's physicality. Special thanks are owed to Panayotis A. Yannakogeorgos for his assistance with the technical aspects of the paper. Finally, I am indebted to guest editor Bradley Jay Strawser and two anonymous editors for this journal, as well as Donald Joy and Ben Hale for their helpful remarks on an earlier draft. Responsibility for any remaining mistakes or infelicities lies solely with me.
Notes
1. We now know who the ‘somebody’ is to whom General Hayden refers. According to the New York Times, Stuxnet was produced in cooperation by American and Israeli cyberwar divisions (Obama Order Sped up Wave of Cyberattacks against Iran, New York Times, 1 June 2012).
2. It is worth noting that this move from physical to non-physical warfare is unprecedented. That is, even non-conventional weapons like nuclear, biological, or chemical weapons are deployed in the physical world. On this point, see Dipert (Citation2010: 385).
3. It is true that cyberspace depends on a physical infrastructure for its existence. And it is true that computational work takes energy and must, of course, obey the physical laws of nature (Landauer Citation1991). See also Yannakogeorgos (Citation2012: 103–104) on the physical characteristics of activity in cyberspace. But there is room for legitimate uncertainty regarding the metaphysical nature of cyber-weapons themselves.
4. It is probably most appropriate to regard Stuxnet and other cyber-attacks as falling under Walzer's (Citation2006: xv) framework of justice in the use of ‘force-short-of-war’ or jus ad vim. There, Walzer urges the development of a jus ad vim framework for evaluating methods often used to effect ‘regime change’ that seem short of war, such as ‘smart sanctions,’ blockades, and the enforcement of a no-fly zone. It is worth noting that all of these actions fall along a continuum running from non-physical to physical means of aggression. (Stuxnet is interesting in part because it is unclear where we should locate it along this continuum.) Viewed in this light, Stuxnet may represent an extra-judicial means of enforcing UN Resolution 1696 to prevent Iran from enriching uranium: the pursuit of policy by other, other means, if you will.
5. I would like to bracket the question of whether Stuxnet itself was justified, i.e., whether Stuxnet passes the requirements of just cause, proper authority, etc. (For what it is worth, Sanger indicates that the United States and Israel seemed to believe Stuxnet was a last resort (Obama Order Sped up Wave of Cyberattacks against Iran, New York Times, 1 June 2012).) Moreover, the question of whether Stuxnet represents an aggression (or the use of force) seems prior to the question of whether it was justified.
6. On the other hand, the United States officially reserves the right to respond to cyber-attacks with military force (United States Citation2011: 13). This is an explicit statement that the US regards a sufficiently severe cyber-attack as tantamount to conventional military aggression. I am suggesting we should be careful about such an equivalence.
7. See Franzese (Citation2009: 6): ‘the current international legal paradigm predates cyberspace and cannot adequately address the various issues raised by cyberspace.’
8. William Gibson coined both the terms ‘cyberspace’ and its opposite ‘meatspace’ in his 1984 novel Neuromancer. Suffice to say only the former has found its way into the vernacular.
9. It has been suggested to me that Dipert is perhaps merely being metaphorical here. At any rate, he and the other authors cited are, I contest, latching onto a serious intuitive worry about applying existing frameworks to cyberwar.
10. Schmitt (1999: 888) expresses a similar sentiment: ‘… in the twenty-first century an attack may be nothing more than the transfer of cyber commands from one computer to others.’
11. While the LOAC are not identical to the ethical constraints of just war theory, they serve a similar purpose: to make war, although it is hell, at least a ‘rule-bound hell,’ in the words of Orend (Citation2006: 134, emphasis mine). We should therefore expect that these two parallel projects would be beset by similar theoretical problems.
12. Authors have also grappled with the implications of cyberwarfare for UN Charter Article 51, which permits member states to defend themselves only when they have been the subject of an ‘armed attack.’ With little modification, the worries expressed here regarding the ‘use of force’ could apply to ‘armed attacks’ as well.
13. See, for example, Antolin-Jenkins (Citation2005: 134): ‘The use of terms of war in cyberspace operations obscures the reality that cyberwar does not fit well into the legal frameworks on war and use of force.’
14. Stuxnet therefore seems to occupy a middle position between the physical and non-physical. Jolley (Citation2012: 24) notes specifically that there exists no consensus about whether Stuxnet's attack on Natanz ‘actually constitutes force.’
15. In fact, there is some evidence that Stuxnet did indeed provoke cyber-retaliation against Saudia Arabia and the United States. According to New York Times (US Suspects Iran Was Behind a Wave of Cyberattacks, New York Times, 13 October 2012):
American intelligence officials are increasingly convinced that Iran was the origin of a serious wave of network attacks that crippled computers across the Saudi oil industry and breached financial institutions in the United States, episodes that contributed to a warning last week from Defense Secretary Leon E. Panetta that the United States was at risk of a ‘cyber-Pearl Harbor.’
The article talks of ‘an emerging shadow war of attacks and counterattacks already under way between the United States and Iran in cyberspace,’ of which Stuxnet was surely a part, if not the opening salvo.
16. This concern, known as the ‘threshold problem,’ is explored more below. Lucas (2010: 294) apparently coins the term as it is being used here.
17. See also Strawser (Citation2010).
18. See also Rowe (Citation2010: 22), who asserts that the use of cyber-weapons ‘necessarily involves trespassing.’
19. In fact, arguing from analogy is a popular strategy throughout the ethics of cyberwar literature. Cook (Citation2010), Rowe (Citation2010), Franzese (Citation2009), and others have all used this strategy, perhaps as a tentative and temporary answer to the theoretical lacuna that seems to exist in our normative framework.
20. People sometimes colloquially speak as if there are in fact ‘no boundaries’ in cyberspace. Witness John Perry Barlow's (Citation1996) oft-cited ‘A Declaration of the Independence of Cyberspace’:
Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders … Ours is a world that is both everywhere and nowhere, but it is not where bodies live.
21. Barney (2001: 65) continues:
For example, some Internet sites are restricted to authorized users who register, obtain a password, or pay a fee to view materials or buy products or services on the site. Commanders conducting information operations should probably consider these types of owner/operator restrictions, by password or otherwise, as prima facie evidence that the site is within the internal Cyberspace of a State.
The fact that the nuclear facilities at Natanz were air-gapped is similarly strong prima facie evidence that they should be regarded as within Iran's internal cyberspace.
22. Although, interestingly, under Barney's (2001: 74) framework, Stuxnet's passage through neutral intermediaries does not violate their neutrality.
23. This has led some, following an analogy to the physical world, to propose Internet border inspections. See, for example, Franzese (2009: 39):
… states must also be able to establish a cyberspace border that a state can both monitor and control. Without the capability to perform this function, the concept of sovereignty in cyberspace is meaningless. One approach is to establish Internet border inspections similar to the physical border crossings that exist today. This approach relies on the limited number of entry and exit points that route Internet traffic in and out of the United States.
24. There is one noteworthy caveat, however: the facilities at Natanz were air-gapped, and so it is unclear whether this talk of Stuxnet transiting cables is applicable in the present case (Farwell & Rohozinski Citation2011: 24). However, tens of thousands of computers inside Iran were infected with Stuxnet, and so presumably some of these instances entered the country the ‘old-fashioned way’ through fiber-optic cables or other physical Internet infrastructure.
25. For an excellent explication of these and other features of Stuxnet, see Chen (Citation2010) and Farwell and Rohozinski (Citation2011).
26. Stuxnet did infect many computers that it was apparently not meant to, but it is unclear whether it damaged any of them. There was some speculation that Stuxnet was responsible for a loss of power on India's Insat-4 B satellite in July 2010 (Farwell & Rohozinski Citation2011: 34). The Indian Space Research Organization has since ruled out that possibility (Cyber Threat: Isro Rules out Stuxnet Attack on Insat-4 B, Economic Times, 12 October 2010).
27. Lucas (2010: 297) agrees that cyber-weapons, ‘if rightly handled,’ could render warfare more proportional and discriminate.
28. Admittedly, designing a sophisticated cyber-weapon seems well outside the capabilities of non-state actors at present. However, the technology and expertise are becoming increasingly common. Farwell and Rohizinski (2011: 25) are already convinced that Stuxnet is less impressive than many observers believe, implying that constructing something like it may already be within the reach of cyber-criminals:
Some of [Stuxnet's] core technical characteristics, including the use of a DNS-based command-and-control network, make it less stealthy than much of the more advanced malware that criminals use. Stuxnet's core capabilities and tradecraft, including the use of multiple zero-day exploits, render it more of a Frankenstein patchwork of existing tradecraft, code and best practices drawn from the global cyber-crime community than the likely product of a dedicated, autonomous, advanced research programme or “skunk works”. Nor is Stuxnet particularly innovative.
See also Schmitt (1999: 897): ‘the knowledge and equipment necessary to mount a computer network attack are widely available; CNA is quite literally “war on the cheap”.’
29. As Farwell and Rohozinski (2011: 34) note: ‘One important benefit of cyber attack, to be sure, may be its greater opportunity to achieve goals such as retarding the Iranian nuclear programme without causing the loss of life or injury to innocent civilians that air strikes would seem more likely to inflict.’