From the advent of the U.S.’s development and releasing of the Stuxnet virus in 2010 to the more recent attacks on critical infrastructure, such as the Colonial Pipeline, cyberattacks have become an increasingly prominent and newsworthy facet of contemporary society and international relations.
While by no means novel phenomena, amidst these growing developments and in the face of unavoidable influence of these malicious actions, the NATO Association of Canada’s Editors share their thoughts on an increasingly salient question:
Should cyberattacks be considered act of war?
Standing at the threshold
While there may be parallels, cyberespionage and cyberwarfare are separate concepts. Cyberwarfare denotes the use of cyberattacks intended to cause physical damage via manipulation of digital systems, such as shutting down power grids, transportation and communication systems, health services, and/or military assets.
Not all cyberattacks can be considered acts of war. There must be a threshold. For example, cases where a cyberattack affects vital military targets or systems responsible for ensuring security, such as a nuclear command and control and ballistic missile monitoring sites are very likely to approach or surpass such a threshold. Attacking these systems directly compromises security by limiting vital situational awareness and response time, quite possibly in the face of an existential threat, such as nuclear weapons.
In a similar vein to saturation missile attacks, cumulative saturation of cyberattacks, coordinated and in great volumes can in some cases be considered equivalent to an armed attack. Similarly, a cyberattack may be construed as an act of war if in effect it causes physical damage, similar to a conventional kinetic attack. In cases where cyberattacks target and have kinetic effects of civilian targets, such as hospital services, these acts of cyberwarfare can amount to war crimes.
Even in such a scenario, difficulties of attribution represent a serious obstacle. If an attacking adversary cannot be accurately identified, even in cases of cyberattacks amounting to acts of war, then countermeasures and deterrence become useless. While cyber-capable states take advantage of the difficulty of attributing actions when committing acts of cyberespionage and disruption, it is not difficult to imagine how this may complicate a hypothetical situation constituting an undeniable act of cyberwar.
Shoot the Hackers
War is a grey business and begins with the same hue. Traditionally, ‘acts of war’ that incite conflicts have been kinetic – i.e., effecting physical damage. From Princip’s shot at Ferdinand to Germany’s invasion of Danzig to the sinking of various ships (e.g., the Arizona, Maine and Lusitania), either the significant destruction of property or loss of life has been necessary to constitute a casus belli. This ambiguous threshold of ‘significance has been informally accepted by most states – precluding minor hostilities with anodyne deaths from dragging them into war. Indeed, there is no casualty toll or price of destruction that it sets – allowing leaders to shift the threshold for political expedience, and avoid war with double standards. Favourably so, for hypocrisy is better than death.
Cyberattacks darken such ambiguity considerably. Unlike traditional acts, they do not occur within physical space, with the ‘damage’ from intrusions and malware being waged in an artificial realm, and usually reversible. Just as the Colonial Pipeline was reactivated, and most of the ransom recovered, the artifice of cyberspace often allows for swift damage reversal (albeit, at a high cost). Moreover, the causal relationship between perpetrators and states – against whom war is waged – is even more nebulous, allowing the latter plausible deniability for such attacks. For most cyberattacks, the threshold of ‘significance’ – given the reversibility of damage, and low proof of culpability – may, therefore, not be reached. Nations must, thus, err on the side of caution, for war without a just cause would be disastrous.
However, this may not always be true, for cyberattacks may have physical consequences. If air traffic is disrupted, leading planes to crash; or power to a hospital stopped, causing losses of life; or financial systems targeted, prompting monetary losses and civil unrest; the threshold of ‘kinetic damage’ may be reached. The pervasiveness of digitization – connecting infrastructure and objects to the internet – makes this prospect more potent, with some hypothetical attacks more damaging than physical action.
Thus, should they cause ‘significant’ damage, cyberattacks may be considered acts of war. In such cases, nations must use all legal and military tools to defend themselves – which include treating hackers as ‘armed combatants’ under laws of armed conflict, who may be justly killed to prevent cyber warfare (despite their physical ineptitude). Given the harrowing threat landscape, nation-states must be discerning and ruthless to protect citizens from cyber threats. In the digital age, our lives depend on it.
Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.
Cover Image: Cyberwarfare on digital globe (2020). Found at Forbes.com via Getty Images.