In the last five years, cyber attacks on the U.S. government have increased exponentially. Thus far, the most publicized of these attacks was the Chinese encroachment on the records of the U.S. Office of Personnel Management (OPM); in May 2015, the agency announced that the hack stole the data of 21 million U.S. government employees. Our government’s response was somewhat bizarre. Though the Pentagon previously said an attack on its systems by another nation could be considered an act of war, the most direct action taken against cyber threats after the OPM debacle was to sign treaty on corporate espionage — which China has already violated — reorganize the NSA, and call for increased spending on cyber defense. But in the event of another attack like the OPM hack, would the U.S. have a case for going to war?
If one examines the relevant frameworks surrounding the use of force as it applies to interstate cyber attacks, it is clear that the U.S. has a moral and legal case for launching a conventional war over a cyber attack. Nonetheless, war is unlikely for two reasons: first, identifying hacks and hackers is difficult; and second, the U.S. wants to avoid the mutually-assured destruction (MAD) that would likely follow from a war with a nation as powerful as China.
Morally, the U.S. could wage a just war in response to a cyber attack. This is best seen by examining cyber attacks under jus ad bellum, a component of Just War Doctrine that originated from early Catholicism. According to Jus ad bellum, a nation can only go to war in self-defense; all other attacks by one nation against another nation are considered aggression. Aggression occurs when a nation invades another nation or otherwise violates a nation’s political sovereignty when not in response to a credible threat of war. A classic example of aggression is Hitler’s 1940 invasion of France, which subjugated its people to an unprovoked war. Using this definition, cyber attacks do not violate a nation’s territory because they are not invasions. However, all interstate cyber attacks do violate political sovereignty because they target government installations. In jus ad bellum, the amount of damage caused by an attack is irrelevant. In Just and Unjust Wars, just war theorist Michael Walzer argues that, according to social contract theory, since a government nominally represents its people, an attack on the government is an attack on the people, which is a violation of the political rights of a community. This represents a coercive act towards the community and is thus an act of aggression. Via social contract theory, any cyber attack on a government would be an act of aggression and a moral cause for war under jus ad bellum.
Some might argue that it is inappropriate to examine cyber-attacks under Just War Theory because cyber attacks do not always present a clear use of force, and have not killed anyone yet (as far as we know). For them, cyber attacks are primarily criminal offenses, and thus, have a different set of surrounding morals. However, this criticism fails to notice that a distinction can be made between cyber crimes and cyber attacks. As Walzer clarifies in Just and Unjust Wars, an attack “is a coercive use of force launched by a military.” In many cases, cyber attacks are launched by a military. For example, the Chinese military has an entire unit devoted to hacking. And while cyber attacks do not use physical force, they are still coercive. For example, the U.S. Stuxnet cyber attack destroyed fifth of Iran’s nuclear centrifuges in 2009. This, along with the Director of National Intelligence’s call for more funding for cyber deterrence, prove that cyber attacks have serious coercive capacity. In all, cyber attacks both can and should be analyzed under Just War Theory.
The U.S. definitely has a moral case for launching a cyber war, but what about a legal case? Under the U.N. charter, cyber attacks are probably acts of war. Article 2(4) mandates that states “shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” Since cyberattacks threaten the political independence of other states, they violate Article 2(4), and can be considered acts of war. This, of course, requires an expansive reading of the article, but since the states that experience the most attacks are hegemons such as the U.S. with significant sway at the U.N., cyber attacks will, in all probability, increasingly be seen as acts of war.
The Pentagon also treats cyber attacks as a potential justification for war. In 2011, the Pentagon concluded that the Laws of Armed Conflict, which are informed by many international treaties and domestic laws, should apply to cyberspace. Under these laws, a cyberattack is a use of force, so a cyber attack on the U.S. government would constitute a cause for war. So if the U.S. government experiences another cyber attack, it has both the moral and legal standing to go to war.
Despite these justifications, there is little chance the U.S. would ever choose to go to war over a modern day cyber attack. It would avoid war for two reasons: difficulty discovering cyber attacks and their perpetrators, and threat of retaliation, cyber or otherwise, by major powers.
First, it is very difficult to discover cyber attacks. For instance in 2008, a cyber worm attacked the Pentagon via corrupted flash drive. This worm accessed classified and unclassified servers for 14 months before it was discovered. Assuming the U.S. determined a worm was planted by a particular nation, it would have a difficult time mobilizing its population after such a delay in the occurrence of the attack and discovery of the attack. Additionally, there is some debate about who launched the Pentagon attack; some insiders suggest it was Russia while others would not name a specific foreign intelligence agency. This will likely remain ambiguous because despite forensic testing, there is no way to definitively prove who corrupted the Pentagon’s flash drive.
In order to have a cause for war, the US would have to have almost indisputable proof that someone linked to a state or militant organization corrupted the flash drive. Historically, Americans are willing to undertake a war only if they can see examples of aggression and identify the aggressor themselves. This is the case for Pearl Harbor, the Gulf of Tonkin, and 9/11. All of these attacks received extensive media and mobilized the American population in the moment. However, the government itself does not announce cyber attacks until they have been patched, as seen in the delay in announcing the OPM hack. This means the public would not feel the need to go to war over a regular hack because it already sees a solution; it would only go to war if a hack compromised other vital systems, like Weapons of Mass Destruction (WMDs), and only if it could clearly determine international state or militant hackers were responsible.
Even if the U.S. could identify its hackers and then discover that it was hacked by a major power (such as when it discovered China likely caused the OPM attack), it may still decline to wage war in order to avoid MAD. This is not to say that any attack by the major cyber powers — U.S., Russia, and China to name few — would necessarily test the strength of the MAD hypothesis. Unlike other threat landscapes, there are possibilities for limited cyber attacks. However, on a larger scale, cyber attacks are the foot in the door to accessing other destructive weapons. For example, when the Russians launched a Distributed Denial of Service (D.D.O.S) attack against Georgia, they gained access to its computers. The Georgians do not have WMDs, but a similar attack on the U.S. could theoretically commandeer our WMDs and use them against us. In this sense, a D.D.O.S. attack on the U.S. could have 2080 times the potential destruction as the 1945 bombing of Hiroshima. Taking over our computers is a legitimate possibility; the U.S. invests relatively little in cyber defense in order to concentrate on cyber offense. By de-emphasizing cyber defense, the U.S. might overlook vulnerable backdoor entry points, otherwise known as “logic bombs,” that foreign hackers place in encrypted national security systems. In all, massive cyber attacks would still be subject to MAD, so nations that do have a cause for war may avoid war in favor of self-preservation.
As cyber attacks increase in volume and scope, they will test American patience. Cyber attacks are legitimate moral and legal grounds for war, but due to serious considerations, prudent nations will avoid going to war as long as possible. This might give rise to expanded cyber deterrence, but it is difficult to know who to deter since attacks crop up unexpectedly from places around the world. Cyberspace therefore represents a new frontier for warfare that demands more of our attention. It remains to be seen whether this platform will make the world more or less safe.
Sebastian Alarcon, a sophomore studying political science, is a staff writer at Stanford Political Journal.
Big Tech was caught in the political headlights in 2020. As Americans migrated en masse…
On May 28, 2020, the Stanford Faculty Senate convened to vote on a resolution supporting…
In late February 1954, Arsenal Elementary School in Pennsylvania gained nationwide fame for hosting the…
minah locked her bike and shuffled up the steps to Cemex Auditorium. Despite finals creeping…
n August 9th, 2020, it was announced that Alexander Lukashenko, the president of Belarus, had…
n the wake of the 2020 election, we’ve witnessed the SolarWinds cyberattack by Russian nationals…