By Patrick Taylor Smith

Embed from Getty Images

Robert Mueller has recently indicted 13 people for using information technology to manipulate a US election. Russian intelligence agents have likely attempted to directly intervene by hacking election software, stealing emails from both the Democratic National Committee and Republican National Committee, and running assets to manipulate social media websites. Such cyberattacks have become almost overwhelmingly ubiquitous, and there is likely more to come. Ransomware attacks are 167 times more common than just a few years ago. Mega thefts of data are commonplace. There is strong evidence that at least one state—Russia—is engaged in a systematic campaign to undermine financial institutions, and hack vital infrastructure in a variety of countries. Many suspect that cyberattacks that cause serious physical damage and even death are not far off as attacks upon targets such as power plants and medical institutions become increasingly common.[1]

The increasing prominence and potential severity of these attacks poses an important question: when does a cyberattack justify a kinetic, military response? Generally, international law and just war theory acknowledge only one justification for going to war: defense against aggression. Similarly, the United Nations Charter permits states to fight wars unilaterally—without requiring approval of the Security Council—in the event that they or an ally have been subject to an ‘armed attack.’ Unfortunately, these admittedly plausible understandings of casus belli—or just causes for war—only move the question further back. When, if ever, do cyberattacks rise to the level of armed attack or an act of aggression? International law, for example, acknowledges that there are violations of sovereignty that fall short of being armed attacks.

The standard view, represented by the Talinn Manual[2], argues that the best definition of ‘aggression’ or ‘armed attack’ will not make reference to the mechanism of an attack but rather to its outcome. On this view, an attack is an act of aggression when it produces consequences of sufficient severity: death and destruction. If someone is intentionally killed by an attack, it should not matter whether the death was caused by hacking into a hospital database to cause a drug interaction or a sniper’s bullet. The idea is to imagine that the relevant damage or destruction was caused by a straightforwardly kinetic instrument: high explosive, a bullet, or a blade. If that damage would be a just cause for war, then equivalent damage caused by a cyberattack will also be a just cause. This view has the great benefit of explaining why cyberattacks with minimal consequences fall short of being casus belli and why especially severe attacks do.

Unfortunately, the standard view has two serious problems. First, aggression includes attacks on other values than death, injury, or destruction. Imagine a state that invades another, conquering territory in a without any immediate death or destruction because the defending state was slow to respond to the attack. The invaded state will then need to determine whether they should cause death and destruction in the invading country and its military in order to take the territory back. As John Rawls puts it, the proper pride a nation has in its own political institutions and its subsequent entitlement to collective self-governance over a territory can serve as a basis for just defensive war.[3] If this is true, then the standard view has a too impoverished view of the consequences that can generate a casus belli.

Second, the standard view is also too expansive and inflationary when it comes to just causes for war. Many unfriendly strategic actions will have, at the very least, foreseeable and often intentional consequences of death and destruction. Imagine the economic dislocation caused by a trade embargo or a new set of tariffs and how that foreseeably relates to death and destruction. Now, consider the following three scenarios:

TORPEDO: In order to win a dispute over an island atoll, one country shoots a torpedo at the flagship of a rival country’s navy, disabling it and causing some casualties.

LOGIC BOMB: Same as above, only this time the casualties and damage are caused by a hack leading to an erroneous depth reading, causing the ship to run aground

SANCTION: Same casualties as the prior scenarios, but this ship runs aground because the rival country’s economic sanctions have led to budget cuts in the naval budget.

Once we remove the requirement that armed attack be kinetic or physical, then it becomes difficult to distinguish between LOGIC BOMB and SANCTION. After all, the sanctions could be targeted in order to undermine military preparedness with the intended consequence that this could undermine readiness and cause death and destruction amongst the armed forces. Advocates of the standard view have tried to argue that LOGIC BOMB and SANCTION can be distinguished on the basis of causal directness or certainty of consequences,[4] but it is not at all obvious why these differences are normatively significant. At any rate, because the standard views turns all rivalrous or unfriendly strategic action into casus belli, it is massively inflationary. In other words, if the means are irrelevant and we take the causal effects of interstate rivalry seriously, then it looks like states have just causes much more often than we might think.

“…it is not obvious why the mere use of information technology should make the difference”

I have argued elsewhere[5] that we can avoid this consequence, placing LOGIC BOMB together with TORPEDO as casus belli while excluding SANCTION, if we focus on how a cyberattack relates to self-determination. Unilateral defensive responses are justified, on my view, when they substantially undermine the ability of states to set their own policies and control their own territory. Thus, in principle, a set of cyberattacks that were designed to disrupt an election could be a just cause if they substantially inhibited the ability of the target state to act collectively and autonomously. Yet, it is clear that many actions burden the self-determination of states without thereby being casus belli. Economic or technological developments in one country can undermine the ability of another to control their economic policy. Whether a state has open borders or closed borders or generates immigrants or emigrants might limit the options of neighboring states. Despite this, economic or immigration policy is not, at least under normal circumstances, a just cause for war.

So, we need a way to distinguish between strategic actions that burden states in ways that may be unjust or unfair and those actions that amount to a casus belli. This is not an easy task, but it might be useful to illustrate the distinction with a more interpersonal example. What is the difference between the mugger who uses a gun to steal one’s wallet and a gas station owner that charges 20 times the normal amount during a hurricane? The key difference between the two cases are how the bad agents relate to autonomy and judgment of the victim, especially with regards to resistance. The mugger will take your money or kill you and take your money: he aims to overcome your resistance, to make your judgment irrelevant. Of course, it might be better for you if you decide to do what the mugger wants but that choice does not affect whether you will be able to enjoy your entitlement to your wallet. The price gouger, on the other hand, commands compliance via the victim’s judgment that compliance is a good idea; she will not reach into your pocket and take your money should you decide not to buy gas. So, actions that attempt to overcome resistance and generate compliance with the desires of the coercer without regard to the judgment of the victim appear to be a deeper or more fundamental attack upon the autonomy of the agent than those that work through the judgment of the victim. Thus, it is plausible that the former justifies a unilateral defensive response while the latter does not.

Of course, there are circumstances where the incentives offered by the gouger are structured such that the victim has ‘no choice’ in a similar way to the mugging. For example, suppose the price gouger has control over medication that prevent seizures and the person will need that to function. This would be analogous to distributed denial of service attacks against telecommunication infrastructure. As we shall see DDoS attacks generally do not amount to casus belli, but if they undermine the ability of the state to form a collective judgment and then respond, they could graduate to justifying a defensive response. Similarly, sanctions could undermine the ability of a polity to engage in self-determination and thereby become a casus belli. Nonetheless, we can distinguish between SANCTION and LOGIC BOMB; the latter necessarily overcomes resistance and bypasses the self-determination of the target state while the former does not. The flagship is damaged, but LOGIC BOMB causes the damage by bypassing the firewall and forcing the ship into a shoal while SANCTION causes the damage through the budgetary decisions of the victimized country. Both may be unjust but only LOGIC BOMB necessarily justifies a physical, defensive response.

This account has several consequences for the evaluation of cyberattacks. First, attacks that are not attempts to overrun defenses but rather efforts to force the victim to expend resources are not casus belli. In international relations, these are often described as ‘probing’ attacks, where defenses are tested and then the attackers immediately withdraw.[6] This category may, for example, be expanded to included denial of service attacks, where cyber-attackers ping websites for information at rates that overwhelm the servers. Similarly, the disruptions described by Mueller, where Russian intelligence operators created identities and bots in order to spread disinformation and distrust through social media would likely not rise to the level of a casus belli. Neither of these common types of manipulation amount to an attempt to force a particular outcome over the resistance of a rival state.

Yet, my view does imply that some recent actions aimed at disrupting Western democracies could amount to casus belli. Most obviously, attempts to hack election software and directly change election results are attempts to overwhelm resistance and force compliance. They advance beyond firewalls to create a result that the target state is resisting; the attacked state is not in a position to decide whether it wants to pay the relevant costs since their will is bypassed. The idea that these actions may generate a defensive response is made more plausible if we imagine whether if, instead of using a hack, Russian operatives broke into state election offices in order to change election results. Could the United States use defensive force in order to prevent that election tampering? The answer seems clearly yes, and it is not obvious why the mere use of information technology should make the difference. Of course, if Russian disinformation activities became so prevalent and disruptive that the electorate was incapable of engaging in a collective judgment concerning, then we might need to rethink their status.

It is important to see that this is only an account for when an action is a prospective casus belli. Other conditions need to obtain before a violent response is all-things-considered justified. First, the military action must be necessary. Thus, just as a military response would not be justified in the election break-in if building security or law enforcement successfully prevented it, a cyberattack that could be stopped through digital means would not thereby justify further action. Second, the military action must be proportional. In the case of the Russian election hacks, even if they were successful, it seems unlikely they materially affected the election. So, the military response could not cause much damage without being a radically disproportional.

However, cyberattacks that overcome the resistance of a target state in order to undermine its political institutions and prevent it from engaging in political self-determination can nonetheless be a casus belli even if the physical damage they generate is small. If a military attack was both necessary and proportional when stopping those sorts of attacks, then I see no principled reason why the target state should refrain. Up until now, the international community has managed to avoid dealing with these issues. We so far lack evidence that the direct hacking of voter databases or tabulation software has been successful, and even the Mueller indictments do not show that Russian interventions successfully altered the result of the 2016 US presidential election. But the political process is as important as any ‘critical infrastructure’ node, and we need to consider the eventuality where the wrong done by cyberwarfare is to a set of values beyond economic damage, death, and destruction.

[1] For a summary of the current state of play, see Peter Singer’s “The 2018 Digital State of the Union: the Seven Deadly Sins of Cyber Security We Must Face,” at War On the Rocks.

[2] Talinn Manual, Michael Schmidt (ed), Cambridge University Press (2017). For a philosophical representative of the standard view, see Ryan Jenkins’ “Is Stuxnet Physical? Does It Matter?” Journal of Military Ethics 12(1)

[3] The Law of Peoples, Harvard University Press (page 48, especially 60n)

[4] See, for example, Daniel Silver, ‘Computer network attack as a use of force under Article 2(4) of the United Nations Charter’, International Law Studies 76 (2002), pp 92-93. The Talinn Manual also includes directness and immediacy in its account of digital causus belli

[5] Patrick Taylor Smith, “Cyberattacks as Casus Belli: A Sovereignty Based Account,” Journal of Applied Philosophy (2015):  https://doi.org/10.1111/japp.12169

[6] See the distinction between ‘grave’ armed attacks and ‘less grave’ uses of force that fail to be armed attacks in United States vs. Nicaragua 1986 I.C.J. 14 (1986)

Disclaimer: Any views or opinions expressed on The Ethical War Blog are solely those of the post author(s) and not The Stockholm Centre for the Ethics of War and Peace, Stockholm University, the Wallenberg Foundation, or the staff of those organisations.