Communications - October 2011

a network could easily slip the bonds of mutual deterrence simply because it proves difficult, if not impossible, to figure out against whom to strike a retaliatory blow. The same is true if networks ever get their hands on nuclear weapons, though for now the notion of a network having its own “nuclear Napoleon” remains just a far-off possibility. It is the imminent threat posed by hacker networks (and perhaps terrorist groups) that already possess or are developing capacities for mounting mass disruptive cyberattacks that demands attention. Against them, the only measure likely to work will be based on the notion of what experts call “denial deterrence,” the ability to convince malefactors that they are wasting their time with such attacks, as the likelihood of success is low. 26

Given the great edge conveyed by being able to launch cyberattacks from behind a veil of anonymity, denial-based deterrence is to be preferred when confronting the threat from networked actors. But when it comes to other nations, the hope remains that they can be identified when they perpetrate attacks, and that punitive retaliatory threats can work to stop them. 24 However, the ambiguity as to the perpetrator(s) of the Stuxnet attack suggests the veil of anonymity may remain difficult to pierce. 19 Thus, uncertainty abounds, leading to efforts to cultivate another Cold War concept: arms control. Though clear that almost all information technologies can be “weaponized” for cyberwarfare, and trying to control their spread is futile, there is some hope of fostering a behavior-based norm of restraint by “ emphasizing dialogue with like-minded nations,” as former CIA director General Michael V. Hayden explained earlier this year. 20

This notion, called “operational arms control,” reflects success in both the biological and chemical weapons conventions, formally adopted in 1975 and 1997, respectively, that have done much to limit development and use of these mass-destructive weapons. The question today is whether such behavior-based controls can make a similarly beneficial contribution, inducing those nations, perhaps even some networks, to refrain from using them, at least against civilian infrastructures.

the estonian and
Georgian cyberwars
both seem to
support the notion
that we are entering
an era of offense
dominance.

However, as with deterrence, it is difficult to see how such controls would be imposed on the battlefield, given that cyberwar applied in a military-on-military fight would likely convey an advantage to the better practitioner, bringing about a swifter, less-bloody end to the fighting. The answer to the question about cyber arms control and cyberwarfare is perhaps to be found in the ethical domain.

Just, unjust cyberwars

Classical ethical formulations about conflict address both going to war justly (acting in self-defense or fighting only as a last resort) and waging war morally (using force only in proportionate ways and refraining from inflicting harm on noncombatants). 41 Cyberwarfare puts considerable strain on both aspects of just-war ethics. The very ease of offensive action encourages redefining “defense” in preemptive or even preventive termsa and makes going to war in this way attractive as an early option rather than as a last resort. In terms of fighting justly, cyberwarfare, with its disruptive rather than destructive effects, hardly seems likely to qualify as “disproportionate,” either as a form of strategic attack or on the battlefield.

However, no one is able to predict effects across cyberspace, and the prospect of inflicting collateral damage is likely to be high. Think of Stuxnet, which may have targeted a specific Iranian nuclear-proliferation program but which also apparently “escaped” and spread. Thus it has inflicted damage on information systems in many other countries, and, now that it is out in the world, may be reengineered by others for their own, potentially unjust, uses.

In the realm of cyberwarfare on the battlefield, as opposed to its application as a form of strategic attack, a curious new ethical nuance emerges: acting early and aggressively might cripple an opponent in ways that sharply reduce physical casualties and overall a Preemption refers to attacking when under imminent threat of attack, with Israeli actions at the outset of the 1967 Six Day War often referred to as a clear example. Prevention means striking before the enemy poses a serious threat, the rationale some policymakers used for the U.S.-led invasion of Iraq in 2003.