© Jacob G. Oakley 2019
J. G. Oakley, Waging Cyber War, https://doi.org/10.1007/978-1-4842-4950-5_1

1. Cyber and Warfare

Jacob G. Oakley, Owens Cross Roads, AL, USA

There is an awful lot of hype and confusion surrounding the concept of cyber warfare. It is certainly a term that has gained traction recently in the media and in military and government discussions. As ambiguous as the term cyber is itself, cyber warfare seems to suffer from even more variance and mischaracterization in its definition, doctrine, and implementation. Fortunately, I believe that in understanding warfare and cyber separately we can societally come to a more standardized and widespread acceptance of what it means to defend ourselves in a cyber war, conduct cyber warfare, and perhaps globally define what is and is not acceptable in such conflicts.

To properly understand what it will mean to go to war through cyber means we must unilaterally understand and cede to the truth and challenges that would exist in such combat. We cannot continue to apply known paradigms to a novel concept. “The Charge of the Light Brigade” is regaling and heroic; however, it was decimating and futile, and casualties were excessive. If we keep trying to think of cyber warfare as simply shooting like-sized cyber bullets at our enemy for similar or more improved effect or applying monolithic military doctrine without a technical understanding to cyber warfare, we will fail. Educating people, policy makers, and warfighters has to start somewhere, and I hope that in providing the ground truth of the technical and tactical challenges to waging a cyber war, we can together approach the future of warfare more informed.

Definition

First and foremost, what must be accepted is that war has not changed with the advent of the cyber buzzword. Cyber is just another way to carry out war, just like trench warfare, nuclear warfare, and any of the other categories of warfighting established throughout history. The United States Department of Defense (DoD) established its Cyber Command on October 31, 2010. From its homepage you can read its mission which is “to direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and international partners.”1 Now, that does not sound particularly like warfighting, but on August 27, 2017, President Donald Trump decided to elevate USCYBERCOM from a sub-unified command to a Unified Combatant Command responsible for cyberspace operations. Also, from the USCYBERCOM web site, “The decision to elevate USCYBERCOM was seen as recognition of the growing centrality of cyberspace to U.S. national security and an acknowledgment of the changing nature of warfare.”

These statements and declarations need some further clarification to really understand where we are going with these concepts. For starters, what is cyberspace? Merriam-Webster defines it as “the online world of computer networks and especially the Internet.” The DoD recognized cyberspace as a warfighting domain, which means it is considered to be as encompassing as air, land, sea, or space, which are the other warfighting domains. This means that computer networks are to be viewed as the space within which we can maneuver, attack, and defend just like we do in warfare conducted in the other domains. Merriam-Webster defines war primarily as “a state of usually open and declared armed hostile conflict between states or nations” and warfare as “military operations between enemies.” So, a deductive definition of cyber warfare is military operations carried out over computer networks in a declared conflict between state or nation enemies. This may seem like an oversimplification; however, it is the foundation for understanding the challenges of carrying out such military operations.

Declaration

With the workings of a definition for cyber warfare established, we next need to focus on the action that officially initiates war in general, cyber or otherwise, which is a declaration of war. This is an important topic to cyber-specific warfare for many reasons. Regardless of the domain a war is fought in, if war is declared by a state, there are ethical, legal, and other implications that now apply to all following actions.

A state goes to war by declaring war in response to an act of war. That is essentially how an acknowledged armed conflict between states would begin. This is quintessentially illustrated by the bombing of Pearl Harbor by the Japanese during World War II. There was an act of war by the Japanese in using uniformed military actors to perpetrate a state-acknowledged act of aggression on US uniformed military actors against targets in US sovereign waters and airspace and on US soil. In response to this, the US Congress, as the body with authority to do so, declared war against the Empire of Japan. The power to declare war is given to the US Congress in Article One, Section Eight of the US Constitution. For perspective, the United States has only declared war 11 times, beginning with Great Britain in the War of 1812 and last with 6 individual declarations against specific countries during World War II.

It is an interesting thought experiment to ponder what type of cyber act it would take to convince the United States to declare war. Unlike conventional war, an act of war that was solely within the realm of the cyber domain is difficult to conceive. Slightly more analogous might be a cyber-enabled effect, where the cyber domain is used to control or affect some physical asset that might have widespread mortal effects worthy of a declaration of war. Even this is extremely challenging, as adequately attributing such an action to a state without an admission from that state is nearly impossible; we will cover more on that later. At this point we can essentially make two summations regarding cyber and warfare.

First, a cyber act of war almost assuredly will involve a cyber-physical connection and not simply stay within the realm of cyber. For instance, an attack fully within the cyber domain using a virus which cripples computers across all air force air bases is highly impactful to our national defense, but not likely to draw the US Congress into declaring war against the perpetrator. On the other hand, an attack that uses a computer virus to simultaneously take over the computers on nearly 100 air force aircraft involved in a large annual exercise and crash them all into the desert, killing nearly 1000 uniformed soldiers might be enough to result in a declaration of war against the perpetrator.

Second, with the exceedingly difficult obstacles to reliable attribution of cyber actions, the perpetrator of a cyber act of war would almost have to do so with the intent of acknowledging that action and starting a war. Even in the huge aggression of the cyber-physical example, where billions of dollars in damages and thousands of deaths happen in a US sovereign area, if no perpetrator admits to the attack, what requirements must there be on an attribution to convince Congress to declare war on what they think to be the perpetrator? We will cover attribution in several chapters later in this book, but even at this juncture, trying to discern the type of proof Congress would require to declare war seems a daunting, if not impossible, task.

Even with the establishment of cyber warfare, it is only one of many warfighting domains, and Congress would have to be comfortable enough in the impact and identification involved in a cyber act of war to respond with armed conflict in all warfighting domains. As entertaining as the idea may be, I don’t think the United States is going to respond to malicious email solicitation by a Nigerian Prince by sending aircraft and naval vessels and deploying troops to Nigeria after performing intercontinental missile strikes on their military bases. The ridiculousness of this example is easy to see; coming up with what credible cyber act deserves such a response is nowhere near trivial.

Just War Theory

Just war theory is essentially a set of requirements that must be met for a war to be considered just. It focuses on two essential criteria, the right to go to war and the right to conduct within a war. This is a largely philosophical concept but one that international law with regard to war often mirrors, references, or mimics. Further, policies and guidelines such as international law and just war theory place constraints on warfare and the warfighter such that they need to be understood before we explore how such policy-level restrictions manifest themselves as technical challenges in war and especially cyber warfare in later chapters.

Jus ad Bellum

The concept of the justice of war involves war being waged while respecting several constructs. There is having a cause that is just, for example, self-defense or defense of an ally. War must be conducted as a last resort to efforts such as diplomacy. A state going to war must do so with the appropriate authority, which in the case of the United States is with a declaration by Congress. The intent to go to war must be just and not self-serving; for instance, the annexation of Crimea could by some be viewed as self-serving and unjust, though, philosophically speaking, many Russians presumably view the activity as just or choose not to acknowledge it as a state action of war. A war should only be started with a reasonable chance at success and be proportionate to the way it is waged.

A lot of this concept is strongly philosophical and too subject to debate to be involved in the discussions of technical obstacles in cyber warfare. That being said, several of these constructs do lend themselves well to influencing and shaping actions during war in the domain of cyber. For instance, being conducted under the proper authority is an easily provable and understood concept, as we have specific constitutional references that dictate how war may be declared. We also have various titles of the US Code which dictate that activity such as cyber warfare must itself happen under appropriate authorities. Intention can certainly be framed in cyber specifically, as it is in wider warfare. For instance, using cyber warfare to steal money from banks of other states for the sole purpose of profit would certainly be understood to be with unjust intentions. A war should only be declared with a reasonable chance of success, and I believe that construct should aptly apply to the technical aspects of cyber warfare. For example, launching a computer worm which spreads from computer to computer and destroys all the data on each computer, but which has only a 2% chance of targeting the machines whose data you need destroyed, might be viewed as having little chance of success. Avoiding the use of cyber warfare in such situations certainly keeps the activity more on the side of just than not based on the likelihood of success and prevents those uninvolved in the conflict from facing its effects.

Jus in Bello

The concept of just actions while at war is based on the two principles of discrimination and proportionality. Essentially the reason for differentiating between jus ad bellum, the justice of going to war, and jus in bello, justice while conducting warfare, is to diverge the cause of the conflict from the actions within it. It may, for instance, be viewed as just for the United States to declare war against the Empire of Japan after Pearl Harbor. Conversely, actions during that war, for instance, the nuclear bombings of Hiroshima and Nagasaki, are polarizing actions viewed by some as just and by others as unjust.

Using the nuclear bombing example, let’s explore the event while looking at it through the lens of jus in bello—was it a just or unjust action while being within a just war? Using the concept of discrimination, it would seem that the action was almost certainly unjust. Any offensive action must be carried out in a way that discriminates between combatants and innocents. The bombings certainly could not and did not do this, and many innocent lives were lost in both bombings. When looked at from the second perspective of just warfare, that actions should be proportionate to the desired objective, it becomes a much fuzzier decision.

Though indiscriminate, the proportion of deaths caused by the bombings compared to the deaths that would have happened on both sides during the rest of the island warfare being carried out on Japan and nearby areas favors the bombings and resulting surrenders. This is likely true of both combatant and non-combatant deaths on the side of the Japanese and certainly for combatants on the allied side. Through this lens it may be viewed as a just action within a just war, and certainly the decision makers who opted for the bombing must have felt so.

Just warfare has a large impact on the way cyber warfare should be carried out. Discrimination is extremely important given the interconnected nature of the cyber warfighting domain. We must ensure that if we carry out cyber warfare, we are able to have our offensive actions discriminate between combatants and non-combatants and even between targets within the declared enemy state and those without. In other warfighting domains such as air, land, and sea, it is not very likely that we accidentally invade an ally, an abstainer, or even perhaps our own country.

Within the domain of cyber, however, it can be extremely challenging to limit targeting to a specific enemy state while avoiding the occurrence of the effect acting upon a non-combatant or even a different nation state’s asset. Let’s take, for example, the Stuxnet virus, which almost certainly targeted the country of Iran and is largely heralded as an act of cyber warfare. Even in this advanced and very specifically targeted malware deployment, infections happened across the globe in many countries and in varying amounts. Certainly, all of the countries infected were not the target, and some were likely even allies to those which deployed the virus.

Proportionality is an extremely challenging constraint on cyber warfare as well. Take, for example, a cyber warfare offensive action that will shut down the power to the cyber-attack assets of another country. That in itself is certainly viewable as a just action of cyber warfare. But what if that same virus coincidentally also shut down the power to all the hospitals, traffic control systems, and water treatment plants of the target state? The objective of this action was to turn off the power to the cyber-attack assets of the enemy state; however, the result of the action would be considered in no way proportionate to that goal and would then be unjust. Once a cyber-attack has been launched, it can oftentimes be nearly impossible to cancel or rein back in and retarget completely. If the computers were shut down, it certainly can’t be reversed or undone.

Many of the technical challenges discussed later in this book will hinge on these concepts to show how they impact war in general. Any state should strive in conducting cyber warfare to be as discriminate and proportionate as possible with the targeting of the offensive effects. When carried out successfully, such effects are a part of just warfare in a just war as illustrated in Figure 1-1. This must be done within the war such that the war can be declared justly and the actions within it, whether in the domain of cyber, land, air, space, or sea, can still be considered just themselves.

Figure 1-1. Just Warfare in a Just War

International Agreements

Even in a just war, wherein just actions are continuingly taking place, the fog of war and its general ugliness negatively impact all those involved and, in many cases, even those not involved. With a proper and legal declaration as well as staying within the philosophical bounds of just war and just warfare, there is still a need to further protect humans from the unfortunate byproducts of conflict. Though there are several active agreements and many historical ones, the most well known and oft applied is the Geneva Convention. The Geneva Convention and international agreements like it, such as the Hague Convention and others, all constitute what is known as international humanitarian law. These laws mainly aim to regulate warfare with respect to the rights of the individual people who never, or no longer are able to, participate in armed conflicts between states. Those who were never involved may be abstainers or civilians or medical and religious personnel within involved states or simply members of nearby states who were participating in the conflict. Those no longer able typically consist of the injured, prisoners of war, or surrendered forces.

The Geneva Convention also outlines the obligations of other states, both involved and not involved, to uphold the agreed-upon standards. The onus here being on both participating and by-standing states in armed conflict being able to hold accountable individuals or states which violate the Geneva and Hague Conventions. Such violations constitute war crimes under international law and are often tried by an international tribunal at the Hague. Examples of this being many World War II German generals and government officials as well as modern-day issues like shootings by Blackwater contractors in Iraq and actions in Russia-Chechnya conflicts. It may be difficult to conceptualize cyber warfare and war crimes being tied together; however, as we explore the facets of the Geneva Convention, we will see that a large portion of the agreements are at least tangentially, if not directly, applicable to cyber warfare and its resulting effects.

Modernization of the initial 1895 Geneva Convention began in 1949 after World War II and included the following four conventions:

  • The first two protect sick and wounded soldiers on land.
  • The second protects sick, wounded, and shipwrecked soldiers at sea.
  • The third protects prisoners of war.
  • The fourth protects civilians, including those in occupied territory.

It is hard to imagine in today’s world and the near future that the first three conventions would be much of a guiding force for anything related to cyber warfare or other activities in the cyber domain. It does not take much extrapolation though to see that the first two, protecting the sick and wounded, can apply to attacks that may affect those individuals indirectly. Examples of such cyber-attacks could be the purposeful targeting of devices within and resources of places such as hospitals. Both field and traditional civilian hospitals house and care for individuals protected by the first two conventions, and any cyber-attack that hampers the ability of those individuals to receive care could certainly be perceived as a violation of the Geneva Convention. The least applicable of the original four conventions is seemingly the third, related to prisoners of war. Though there are certainly cyber-attacks that could negatively impact the standard of living of prisoners of war, the affected facilities and faculties responsible for managing and caring for prisoners of war would likely belong to the same country launching such a cyber-attack. It thus seems currently unlikely that a cyber-attack would infringe upon the third Geneva Convention specifically regarding prisoners of war.

The fourth convention has very interesting applications to current-day warfare and cyber warfare specifically. This convention protects civilians in general and calls out protection for those civilians in an enemy state-occupied area. Typically, this would seem to apply to persons like those French populations in German-occupied areas of France during World War II. A war including warfighting activities in a cyber domain puts an interesting twist on this, and the implications of different interpretations of this international law have yet to be fully explored with regard to cyber warfare.

Does a civilian’s computer or cell phone reside within the bubble of protection afforded to civilians in wars under the Geneva Conventions? Is it thus a war crime under international law to use an unwitting civilian’s laptop, smart fridge, or cell phone to redirect state cyber-attacks in an effort to avoid attribution of the attacker location? Similarly, is it a war crime to use an unwitting and innocent bystander’s cell phone and its Wi-Fi communication ability to spread viruses into an enemy state’s military installation network? As we will discuss in later chapters, attribution is extremely challenging, but in the cases where it happens, it is worth considering if we risk war crime implications by such actions.

This is important for the uniformed individual and the state involved. It also complicates the burden put upon signatories of the Geneva Convention to hold responsible those who commit what is understood to be war crimes. Can we really expect multiple uninvolved states to bring to military tribunal actors in a cyber war for such seemingly benign actions? Should we? These are heavily philosophical thoughts whose answers are best left for other people (probably lawyers?) and other literature (probably court proceedings), but at some point, the prevailing expectation of privacy in the cyber domain will lead to legal challenges to such behavior by states in the international law forum.

Other protocols amended to the Geneva Convention expand the document from one which pertains to state conflicts on an international stage to one that handles non-international conflicts by non-state-sponsored actors and everything in between. Further, it has been refined to address types of weaponry and warfare that are deemed illegal or whose use is governed by international law. Such items include everything from cluster mines and chemical warfare to lasers and other technologies. Interestingly enough, the Geneva Convention has yet to have any language describing proper or improper use of cyber warfare and cyber weapons. Granted, as we have just discussed, the conventions still widely apply to war in general, including efforts via the cyber domain, but perhaps it is a worthwhile pursuit to get the signatory states on board with at least some overarching dictation regarding how cyber warfare should, or at least specifically how it should not, be conducted to protect humanitarian rights on all sides. In the later chapters of this book, we will cover analogous examples on how and why cyber warfare and the cyber warfighting domain could be handled by international law. These same analogies, once properly understood, also allow for warfighters and policy makers to know why cyber warfare doesn’t necessarily afford the actions and impacts many attribute to it.

Expectation of Protection

Considering the expected conduct of appropriately going to war and the humanitarian protections that go into it is extremely important regardless of the mediums the warfighting happens across. Another aspect of warfighting that is not fully appreciated in the auspice of cyber warfare is the fact of expected protection. Traditionally this is a concept that is little discussed and generally assumed as a given for warfighting. In the most basic sense, take, for example, the deployment of troops to a foreign nation. Regardless of the reason for that deployment, the citizens of the United States have an expectation that if we are deploying uniformed military personnel to another nation that we are also capable of preventing like repercussions here at home.

If Congress declared war against Japan in World War II when we as a nation were incapable of keeping uniformed Japanese soldiers from landing and taking over portions of this country, the populace would likely not support the war. This example is rather extreme, but even in modern terms, the nation largely understands that part of the reason we are deploying troops to embattled Middle Eastern nations is to keep the fighting there and not within the United States or its territories. This is the same for many countries and conflicts throughout the ages. Indeed, a huge factor behind a healthy fighting force which prevents absences without leave (AWOL) or mutiny is that the members of that fighting force have an expectation that while they are away fighting their nation’s battles, their family is protected at home.

The underlying structure for the expectation of protection is that of boundaries. There is a benefit to being in countries such as the United States in that, while within the borders, national waters or airspace of the country, you can expect to be protected from the warfighting actions of others. This means that while you are in the United States, as a citizen or a visitor, you feel reasonably protected that, though the United States may be launching Tomahawk missiles at Syrian military bases under the direction of the Commander in Chief, there will not be a response in kind. Or, that when the United States similarly violates the sovereign airspace of Pakistan to capture or kill Osama bin Laden that other nation state helicopters won’t be landing in your back yard any time soon. It also means that while Iran claims the United States is violating its national waters by sailing through the straits of Hormuz, you don’t have to be worried about your chartered fishing boat being boarded or sunk by Iranian naval vessels while off the coast of Florida.

This situation is understood to be true both of conflicts a nation’s forces are involved in, such as those just discussed but also simply as a resident of a nation. Even, perhaps especially, when a nation is not involved militarily in international affairs, there is an expectation that while within that nation’s border, waters, and airspace, you have protections from outside malicious efforts, state-sponsored warfighting or otherwise.

Applying this to the cyber domain is extremely complicated. While browsing the internet from a device physically located in the United States, you may, for instance, travel through routing devices in many countries before you are presented with the web page of the web address you entered into your browser. Do you expect that the United States will protect you from downloading a virus that is part of a nation state’s cyber warfare efforts? Could you? The answer is no; that would be ridiculous. The reason it is ridiculous is that by nature and intention most of the internet is essentially borderless. You don’t have to provide a digital passport when your browsing habits take you to web sites hosted by servers outside the United States.

What is rather ironic is that most of the population of this country and others have this profound belief that the internet should be free of regulation and restriction while also being furious that their government was helpless to stop this international meddling attack or that state-sponsored cyber effort. It shouldn’t really be that surprising that without a national cyberspace, there can’t really be a realistic expectation of protection. This may seem preposterous, but I believe that if cyber-attacks and cyber warfare get bad enough, we will actually see more countries going the way of China and North Korea, where there is a hard delimiter between where the nation’s infrastructure and regulations apply and where they don’t.

I am not suggesting countries adopt the suppressive behavior of these nations, but I do think that to protect the home front, we have to have a home front. Try and think of everything you own that has an ability to be somehow networked to the internet. Smart things and the internet of things are driving the potential attack surface of even a single individual to inconceivable breadth. The challenge of securing the digital attack surface of every citizen in this country from external cyber activity of nation states and other actors is insurmountable if we do not establish a boundary wherein we consider actions punishable under US law and are able to defend it as known US cyberspace. Further, if citizens do not know when they have left US cyberspace, they do not know when they are giving up their nation-given protections in the cyber warfighting domain. An even more unique thought in that vein: is there some level of activity where, even when out of US cyberspace, you are still expected to be protected from other state actors? Should alliances and treaties stretch into and be upheld in cyber as well? When I travel to another country, particularly an ally of the United States, I feel relatively safe due in no small part to my US citizenship. Currently in cyber and on the internet, this is essentially non-existent, but perhaps that should evolve.

I say this not to put forward that I am a huge advocate of closing borders on the internet. I will admit that it is the most efficient way I can think of toward establishment of a national cyberspace and a resulting expectation of protection. I think the point of expected protection from the warfighting capabilities of other nations, including cyber warfare, is extremely salient and that this book would be incomplete without illustrating why this is so challenging defensively.

Summary

This chapter was intended to provide an initial overarching understanding of what is meant by the terms cyber warfare and the cyber domain of war. We also covered what it means to declare war and some of the pursuant activities. The theory of just war was discussed to provide some details on the philosophical constraints to any attempt at warfighting, with examples of cyber activity in such guidelines. International law and its involvement and effect on cyber warfare was outlined as was the difficulty in establishing an expectation of protection from cyber warfare activities.
