Whether you agree or not, many, including law and policy makers, take the term 'cyber warfare' seriously.
That's no real surprise seeing as just last year, President Obama declared in the International Strategy for Cyberspace that the US has an 'inherent right to self defence' against hostile cyber attacks.
We reserve the right to use all necessary means - diplomatic, informational, military, and economic — as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests.
Clearly, the US sees cyber attacks in terms of military doctrines and principles. This is reflected by their frequent reference to cyberspace as the new 'fifth domain' in warfare, the other four being land, sea, air and space.
Viewing "cyber" as a new domain of warfare is obviously rhetorically powerful, but it does raise some issues for law makers. The longstanding and rigidly defined principles of international law are not well-equipped to deal with cyber wars.
A recent Oxford University Press blog titled Cyber War and International Law highlighted problems in applying two particular legal frameworks to cyber war: the law on use of force against other states (jus ad bellum) and the laws of armed conflict (jus in bello).
Jus ad bellum
The United Nations Charter dictates when it is lawful to use force against another country. It also determines when there is a right to self-defence after an armed attack.
Created after WWII with foreign bomb and missile-armed attacks in mind, the UN Charter has rules to deal with physical attacks, not computer attacks. Without any actual physical destruction of property and death/injury to people, the rules don't work so well.
While some cyber attacks might create physical damage, such as interfering with SCADA systems at an industrial plant, many do not.
Jus in bello
Traditionally, the International Humanitarian Law (IHL) rules of the Geneva and Hague Conventions apply during armed conflict.
Determining if non-physical cyber attacks even create an armed conflict is difficult.
If they do, how are the rules be impacted? For example, with combatant and civilian targets, would people who design, install or operate cyber weapons be protected under the rules of IHL, or would they be considered as participants in the hostilities, and therefore legitimate military targets?
Is Cyber war the fifth dimension of war?
A recent post on Thomas Rid, on Kings of War, argued that referring to cyber war in the fifth domain was counterproductive:
- It's a lobbying gimmick for increasing the military budget
- Violence does not actually occur in cyberspace. Impact in the other military domains (land, sea, air and space) is needed for any tangible effect
- If the impact of cyber attacks were limited purely to cyberspace, talk of war would become metaphorical, like the war on obesity
- Segregating real space from cyberspace in warfare is very difficult because of ubiquitous computer systems in all domains of military conflict
- Cyberspace is not actually space: it's a term for the broader permeation of networks and the internet in physical society.
And Mary Ellen O'Connell, a US international law professor, suggests other frameworks that avoid resorting to the jus ad bellum or jus in bello in her journal article Cybersecurity Without Cyberwar. These include employing coercive international legal tools, such as considering a cyber disarmament treaty similar to nuclear and chemical weapon arms control treaties.
It is clear to me that we ought to look at alternative approaches. Viable alternatives exist to mitigate against the misapplication of military law to cyber issues.
Maybe if we all shy away from marrying state-sponsored cyber attacks to warfare rhetoric, government and policy makers will think more profoundly about the implications of cyber attacks.