What should happen after a state is cyber attacked?
For much of human history, if a state was attacked the response was fairly standard, as there was an understandable entitlement to respond with varying degrees of either defensive or offensive force. Indeed, a founding principle of NATO is that an attack on one member state warrants a collective response from all other member states.
The rules of battle are far less clearly defined when it comes to cyberattacks, despite both their growing severity and growing prevalence. For instance, the SolarWinds hack has been widely attributed to hackers backed by the Russian state, with at least nine federal agencies across the United States infiltrated along with around 100 private companies. These federal agencies included the US Energy Department, which, of course, oversees the nuclear weapons armory.
States are increasingly taking cyber threats seriously.
For instance, the UK’s recently published Strategic Defence Review documents the creation of the National Cyber Force to craft effective responses to these kinds of cyberattacks. I also wrote recently about the use of computer science students to bolster the Estonian Cyber Command as part of their mandatory military service.
An appropriate response
What might an appropriate response actually be, however? When determining the appropriate physical response the “just war theory” has dominated for an incredibly long time. This examines whether a military response against an opponent is justified from a moral standpoint. So is it as simple as applying the same theory to cyberwar?
Yes and no. While there is an element of logic to doing so, there are some, such as King’s College London’s Thomas Rid, who question whether cyberwar is even possible in the first place. He suggests that most state-sponsored cyberattacks today are more akin to sabotage, espionage, and subversion than they are to warfare.
There are those, such as the University of Oxford's Mariarosaria Taddeo, however, who believe cyber war is very possible but that it requires a new theory of “just information war.” He argues that the Just War Theory is insufficient for our new era of information warfare and that the field of information ethics needs to be taken into account to develop a more effective framework to govern our response to cyberattacks.
A different form of attack
This approach is lent significant credence by the fundamentally unique form of attack cyberattacks impose upon us. For instance, whereas traditional warfare targets life and property, causing significant destruction to both, cyberwarfare primarily targets virtual objects and data instead. While there is inherent violence to physical warfare, cyberwarfare is usually anything but violent in its nature.
Of course, that isn’t to say that cyberattacks can’t result in physical harm.
For instance, the recent attack on the water system in Florida attempted to weaponize physical infrastructure, while the Stuxnet worm notably targeted nuclear power facilities. Indeed, healthcare facilities themselves have been targeted during the Covid pandemic, with Germany the first country to attribute the death of someone to a cyberattack after a ransomware attack on a hospital in Dusseldorf.
Despite this, there remains a high degree of ambiguity over the precise nature of cyberattacks. While Mitt Romney famously remarked that the SolarWinds hack was tantamount to an invasion, the US Senate Intelligence Committee was more inclined to position it somewhere between an attack and espionage.
This distinction is crucial for defense forces, as regarding state-sponsored hacks as an attack would entitle them to launch counter-offensives themselves, whether in the virtual or physical world. If they’re regarded as espionage, however, then it probably doesn’t require a great deal to change.
An individual approach
Perhaps rather than looking for an overarching theory that covers every eventuality, a better approach would be to judge each attack on its individual merits. It’s quite possible that as more attacks emerge that a framework will begin to present itself but given the new and ambiguous nature of cyber warfare today, such a framework largely does not exist.
For instance, while cyberattacks might result in violent outcomes, it’s by no means certain that violence was the intended outcome. For instance, the attack on the German hospital was purely intended to elicit money from the victims and while the threat of harm to patients at the hospital was largely what justified the high ransom in the first place, the attack was not intended to overtly harm any one individual.
This is overtly different from physical warfare, as the very act is designed to violently hurt others. The question is whether hacking a city’s water supply network carries the same threat to harm and dominate the victim as an armed force sending a missile or invoking a drone attack on a target. They may indeed establish technical dominance over their victim and create the prospect of enacting physical harm but it largely remains unknown whether they are performed in order to harm or the threat of harm is merely a prop used to elicit ransom payments from the victims.
At the moment, there’s a sense that cyberwarfare is seen more as espionage than an act of war, with responses metered accordingly. If that situation changes in the years ahead, then an ethical framework to ensure an appropriate response will urgently need to be developed.