Each Thursday we present a significant excerpt from a recently published book or journal article. In every case the proper permissions have been obtained. If you are a publisher who would like to participate in this feature, please let us know via the site’s contact form.
PUTTING THE WAR IN CYBERWAR: METAPHOR, ANALOGY, AND CYBERSECURITY DISCOURSE IN THE UNITED STATES
First Monday, Volume 17, Number 7 – 2 July 2012
[ Footnotes omitted; they are available in the original via the hyperlink above. This paper is licensed under a Creative Commons Attribution–NonCommercial–ShareAlike 3.0 Unported License. ]
. . . .
Revolutionary change and the law of war
The law of war is codified in the United Nations Charter, international treaties, the body of international case law, and in customary principles of behavior during times of conflict. The law of war covers the issues of jus ad bellum and jus in bello, that is, what constitutes “armed attack,” “use of force,” and when a state can defend itself with military force, as well as how states should conduct themselves once armed conflict has begun. In the case of applying law of war to cyber war, the tendency to focus on a set of new technological instruments instead of the effects of those instruments has sparked a debate about the adequacy of the law of war and even the definition of “war.”
Based in the belief that cyber “weapons” represent an unprecedented development, it is common to hear the argument that technology has run ahead of current ways of thinking about, planning for, and regulating the conduct of warfare. Former NATO Supreme Allied Commander and one–time U.S. presidential candidate, General Wesley Clark, believes that cyber war exemplifies the tendency for technology to be “ahead of the law” (Adhikari, 2009). Most notably, during his April 2010 Congressional confirmation hearing to become the first commander of U.S. Cyber Command, Lt. Gen. Keith Alexander testified that there is a “mismatch between our technical capabilities to conduct operations and the governing laws and policies” . Thus, several influential voices in the national security community, including former Director of National Intelligence, Adm. Dennis Blair, and former General Counsel for the National Security Agency, Stewart Baker, have claimed that the law of war is “inadequate” or “irrelevant” in the context of cyber conflict (Nakashima, 2010; Gjelten, 2010).
When the law of war is deemed inadequate, previously resolved questions are reopened for consideration. This includes not only the question of what constitutes “cyber war,” but also the more general question of what constitutes “war” in the Information Age. Daniel Ryan, a professor who teaches law of war at the National Defense University, stated the supposed problem most succinctly: “We don’t know when or if a cyber attack rises to the level of ‘armed attack’” (Gjelten, 2010). Even the leadership of the U.S. Strategic Command, which oversees both the U.S. nuclear arsenal and the newly formed U.S. Cyber Command, are openly wrestling with questions like
[D]o cyber attacks require a cyber response, or should the President order a live weapon reply? […] Does it matter if it’s an attack on the economy, where there’s little physical damage, there’s just disruption? […] Espionage generally is a crime punishable by jail — but in the cyber world couldn’t intensive spying be an enabler of physical combat? When do ‘normal’ cyber operations conducted in peace–time cross the line — and where is the line? (Perera, 2009)
Answers to these questions are important because they will determine “what constitutes a cyberattack worthy of a full–throated U.S. military response” including the use of physical force (Markoff and Shanker, 2009b).
In response, some have argued for reform of the law of war. But it is not because cyber war is so revolutionary or unprecedented that the law of war seems inadequate. Indeed, as I will argue below, current definitions of “war” as embodied in the law of war are more than adequate for allowing us to determine “where the lines are.” Rather, the seeming inadequacy of the law of war in the current discourse results from the fact that the move to frame cyber conflict and other malicious cyber acts as “war” involves the conflation of many acts that are clearly not war in the traditional sense (e.g., protest, crime, espionage) (Lewis, 2010, 2011). This conflation of non–war activities that is at the heart of the cyber war metaphor is, in part, a cause of the ongoing confusion and ambiguity about “where the lines are” (Carroll, 2011). Framing cyber conflict as “war” entails attempts to apply the law of war; but the conflation of activities that powers the “war” framing undermines the application of the law of war, creating a “double bind” situation in which it seems that we simultaneously must but cannot apply the law of war to cyber war.
The most disturbing response to this double bind has been efforts to reconcile cyber war and law of war that have resulted in serious calls to redefine “war” in general to include all of the activities lumped together under the term cyber war. After concluding that the cyber “attacks” against the nation of Georgia in 2008 did not constitute “armed attack” under current definitions of the term in the law of war, a report from the NATO Co–operative Cyber Defence Centre of Excellence (CCDCOE) concluded that “new approaches to traditional LOAC [law of armed conflict] principles need to be developed.” It advocated that the advent of “new bloodless types of warfare” mean that “the definition of an ‘attack’ should not be strictly connected with established meanings of death, injury, damage and destruction”.
There is evidence to suggest that U.S. policy–makers and military leaders are also beginning to adopt this view. As early as 2004, the National Military Strategy of the United States of America identified cyber attacks as a type of “asymmetric” threat that “may rely more on disruptive impact than destructive kinetic effects”. The strategy document advocated the preventive use of force against adversaries believed to be undeterred from acquiring such capabilities. In May 2009, when asked by members of Congress if the cyber attacks on Estonia in 2007 and Georgia in 2008 could be considered “cyber war,” Lt. Gen. Keith Alexander replied, “On those, you’re starting to get closer to what would be [considered war]” (Harris, 2009, brackets in original). Two months later, U.S. Representative Peter Hoekstra, the ranking Republican on the House Intelligence Committee, called for a military “show of force” against North Korea in response to a series of distributed denial of service (DDoS) attacks against U.S. and South Korean Web sites (Zetter, 2009). It later turned out that the attack had not in fact originated in North Korea (Dunn, 2010). Finally, as recently as June 2011, an unnamed Pentagon official involved with the development of the DoD cyberspace strategy released a month later said, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks” (Gorman and Barnes, 2011).
This expansion of what counts as war is seemingly necessary because, as the CCDCOE report indicated, even the most dramatic cases like the cyber attacks against Georgia in 2008 do not rise to the level of war as traditionally defined. Many observers agree with that assessment and also note that the cyber attacks against Estonia in 2007 were not war (Ottis, 2010; Schneier, 2009; Lewis, 2009a). In fact, some claim that we have yet to see anything close to “armed attack” in the cyber “domain” (Dunn Cavelty, 2011; Dunn Cavelty and Rolofs, 2011; Lewis, 2009a, 2010). As Evgeny Morzov has argued,
there is no evidence yet to link the current generation of cyber–attacks to warfare, at least not in the legal sense of the term. […] [T]here is a line between causing inconvenience and causing human suffering, and cyber–attacks have not crossed it yet (Morozov, 2009).
Thus, arguments in favor of expanding the definition of “war” to encompass “bloodless” cyber actions are less a consequence of the supposed inadequacies of the law of war and more the result of political and military leaders, news media, and others focusing first and foremost on the instruments of cyber conflict rather than their effects or intent of their use. Many different types of actions carried out in/through cyberspace for very different reasons are conflated because they tend to rely upon the same instruments, which are seen as new and unprecedented. Unfortunately, the term under which they have been conflated is “war.” Because the instruments of cyber conflict are seen as new and unprecedented, and because the law of war does not specifically mention them, it is assumed that the law of war is therefore inadequate. Instead of using the law of war to determine whether the use of the instruments of cyber conflict amount to armed attack, many have merely presumed that the use of cyber instruments is armed attack and that, therefore, it is the law of war that is inadequate.
But there are strong arguments in favor of the continuing adequacy of the law of war and its restrictive definition of “armed attack.” Maj. Gen. Charles Dunlap, Jr. (ret), a leading expert in information age conflict and the law of war, has stated unequivocally that the law of war is more than adequate for determining if a cyber attack rises to the level of armed attack. He writes, “The leading view, therefore, among legal experts focuses on the consequences and calls for an effects–based analysis of a particular cyber incident to determine whether or not it equates to an “armed attack’” and that “the consequences must extend to more than mere inconvenience; there must be at least temporary damage of some kind”. As Michael Schmitt, the world’s preeminent expert on cyber conflict and the law of war has written, to count as “armed attack,” an action must have at least been “intended to directly cause physical destruction or injury”. As such, James Lewis has argued,
[t]he thresholds for war or attack should not be very different in cyberspace than they are for physical space. […] [V]iolence, or the threat of violence, is the defining element for the use of force, armed attack, or an act of war. […] If there is no violence, it is not an attack or the use of force (Lewis, 2011).
There exist a number of clear frameworks developed by international legal scholars and other critical researchers that provide a strong and compelling set of tools for identifying when “armed attack” has occurred in cyberspace (or anywhere, for that matter) and, thus, when a state can respond in self–defense with military force. Schmitt (1999) has provided a clear normative framework for determining if a cyber attack constitutes use of force or armed attack, as well as if self–defense is warranted. Similarly, Myriam Dunn Cavelty has provided a “cyber–escalation ladder” as an aid to distinguishing between different types of hostile cyber actions (Dunn Cavelty, 2010). These frameworks are thoroughly effects–based to the degree that the instrument used is largely irrelevant to determining whether an armed attack has occurred.
The argument that an effects–based approach to jus ad bellum is adequate is all the more compelling when we consider some of the possible negative consequences of expanding the definition of “war” that results from the instrument–based approach. First and most obvious is that ”[a]llowing forcible reprisal to non–military coercion would broaden the grounds for use of force to an intolerable degree”. Carelessly using the metaphor of war for acts that are clearly not war and, as a result, moving to formally alter definitions of armed attack “inevitably leads to aggressive behavior, the planning of escalating countermeasures and — eventually — to real war” (Dunn Cavelty, 2011). This is possible, in part, because of the speed, difficulty of controlling, and likely collateral damage that would result from the use of the kinds of offensive cyber attacks imagined by many policy–makers and military leaders. When militarist cyber rhetoric results in use of offensive cyber attack, it is likely that those attacks will escalate into physical, kinetic uses of force (Lewis, 2009a; Clarke, 2009).
Finally, overemphasis on cyber war could undermine our ability to focus on other forms of cyber threat, as well as undermine the military’s ability to address those aspects of the threat that should come under its purview. Though cyber crime and cyber espionage are real problems, conflating them under one term limits the possibility for taking the most specific and effective actions in response to each, leading simultaneously to the possibility of miscalculation and overreaction in some cases and a do–nothing, boy–who–cried–wolf response in others (Lewis, 2010). Similarly, Charles Dunlap, Jr. has warned that over–involvement of the military in cyber security matters that should rightly be the job of law enforcement or civilian regulatory bodies risks exacerbating an already–growing, “generalized distrust of government” that could “undermine the public support” for the military.
Ultimately, strict adherence to an effects–based approach can and should undermine the brave–new–world rhetoric of those who argue for the expansion of the definition of “war” as a result of their focus on cyber instruments rather than the effects of their use. When the focus shifts from instruments to effects, what had appeared revolutionary and unprecedented suddenly seems much more familiar. While the tools by which humans engage in conflict might change, the human suffering associated with war has not and should not be forgotten. The use of an effects–based approach helps to correct an imbalance in dominant views about the new and novel in relation to the old and familiar in the context of hostile or malicious actions in cyberspace.
. . . .