Under what criteria can a cyberattack be ethically justified ?

Add to my custom PDF

Reliable Old Wineskins: The Applicability of the Just War Tradition to Military Cyber Operations

The relatively new phenomenon of attacks and warfare in cyberspace make it difficult to understand the effects of these actions. The invention of the ‘Cyber Domain’ provides very different warfare capabilities and challenges to previous technological advances. While international law has established some rules and regulations for cyber attacks, it may be that traditional moral frameworks still apply in cyberspace.

Barrett’s research builds on the existing legal framework for military cyber operations to include an ethicist’s perspective on the usefulness of including both law and the traditional just war doctrine to provide ethical guidance. The just war theory provides ethical criteria for decision-making about going to war and taking actions during war.

International law leaves a number of ethical and moral questions unaddressed for conducting military operations in cyberspace. For example, should contractors engage in military cyber operations or should autonomous cyber weapons exclude a human decision maker?

Barrett argues that both contractors and autonomous cyber weapons would not be able to act fully in accordance with the just war criteria of discrimination and complete attribution. Because of this contractors should not be deemed proper authority and autonomous weapons should be cautiously pursued. Barrett asserts that international legal definitions can lead to overly permissive and overly restrictive conclusions. The Tallinn Manual, a guide on how international law applies to actions in cyberspace, allows that operations which do not use “force” be directed against civilians and their objects. While international law may permit a cyber attack against civilians, Barrett argues that directing attacks against civilians would be unjust.

The just war criteria stipulates that only a proper authority (most likely a nation-state) can respond to a threat against life and life-sustaining properties in self-defence. A defensive response must be proportional and in defence of a real threat to life. While the proper authority has a right to self-defence, the authority also has to follow state responsibility. This means that if an attack originates from within its boundaries, the state must act to quell the attack (even if the attack is directed at another state or their citizens).

Difficulties with attack attribution in cyberspace create a challenge in identifying whom to respond to. To be deemed a justified defensive response, the attack must be attributed with absolute certainty, not just circumstantial evidence. If involving a state, the state responsibility cannot be assumed. If involving an innocent third-party (not responsible for the attack, but the attack originated in or routed through this state), the third-party state has sovereignty rights, but is morally obligated to protect other states’ citizens from the threat.

Furthermore, the defensive response must be able to discriminate the target, which is difficult in this highly unpredictable environment. While cyber weapons may seem more ethical than kinetic ones, users must exercise due diligence - adequate weapons testing and intelligence to ensure the impact is directed specifically where intended.

International law is insufficient in guiding cyber conflict, however where combined with a moral agent operating within the just war criteria are capable of providing the ethical guidance needed to legitimately conduct military cyber operations.

The Just War Doctrine provides ethical guidance on cyber security decision-making that can compliment international law.