The Australian National University

Cyberwarfare: How the digital revolution can change the rules of engagement

When does a cyberattack become an act of war, and how can governments protect their citizens from cyberattacks on civil infrastructure that is also a strategic military target?

Rory Medcalf

Image: IAEA on Flickr

The social revolution brought about by information technologies has changed the ways many of us live. Not so long ago we'd be reading this article in a magazine, but now you could also be reading this on a laptop, tablet or smartphone. These changes reach far deeper than the ways we consume entertainment: relationships, healthcare and even governments are rapidly evolving. As we become increasingly dependent on information technologies, the threat of cyberwar has the potential to make us targets of cyber-attack even though we're thousands of kilometres from any war zone.

In an effort to better understand the social implications of cyberwar, we can ask a series of questions to get a better idea of just what "cyberwar" means. What is new and what is just a continuation of things we've faced in the past? Would a cyberattack count as a reason to use military force, or are cyberattacks different to the conventional use of force? And should a country reduce the prospect of civilian harms by making its own cyber-infrastructure a target for attack?

A first and vitally important question is whether a cyberattack counts as an armed attack. In discussions about justified use of military force, there must be a justifying cause. That is, you simply can't use your military to attack another country or people without some cause. Article 51 of The United Nations Charter holds that:

Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.

Basically this means that if one country attacks another, this could count as an "armed attack". Thus, any armed attack could potentially be a just cause for war. Where would a cyber-attack fit in this?

Building from existing laws around war, a group of international legal experts drafted the Tallinn Manual, which compared the impacts of a cyber-attack with a traditional kinetic attack such as missiles. Rule 13 of the Tallinn Manual states:

A State that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defence. Whether a cyber operation constitutes an armed attack depends on the scale and effects.

The basic idea here is that if the consequences of a cyberattack were the same as an attack by missiles, then a cyberattack could potentially be an act of war. In this way, cyberwar is essentially the same as traditional war, but carried out by different means.

The harder question is to define what counts as a sufficient impact to be considered an armed attack. This problem is not particular to cyberwar.

Further, in order to be morally justified, any decision to go to war in response to a cyber-attack must adhere to the basic conditions of a just war - it must be the last available option, proportional to the threat, be done with the right intention by a legitimate authority, have some likelihood of success, and cannot deliberately or knowingly harm civilians.

From the Tallinn Manual's reasoning, it is theoretically possible to respond to a cyber-attack with traditional military force. This might not be immediately convincing, however. One possible worry is that a cyber-attack, by definition, does not actually cause any harm. A cyber-attack can only target other cyber-things, so any immediate impacts will be constrained to cyberspace.

Underpinning this is an important conceptual question: do virtual harms count as actual harms? What we have is a fundamental qualitative difference - hurt someone in the real world and you've clearly done something wrong, but does it even make sense to talk about hurting someone in cyberspace?

One obvious way of answering this is to recognise that harm is not just physical but psychological for sentient beings like us. Thus a cyber-attack should be considered harmful if it causes a given level of psychological suffering.

Recent research shows that certain cyber-attacks can cause psychological harms, so we are now faced with a notion of cyber-attacks being harmful even when no physical damage is caused.

Arguably, psychological harms alone are not enough to justify a military response, but what if a cyber-attack was to cause massive psychological harm over an entire population? We might now find ourselves with a situation of significant harms even though no physical harms might have occurred.

Furthermore, as our institutions and critical infrastructures become increasingly dependent on information technologies, their vulnerability to cyber-attacks increases.

While the notion of a "cyber-Armageddon" is very unlikely, time becomes a vitally important factor in assessing the impacts of a cyber-attack. Shut off access to services for relationships, healthcare and government for a day and it might not be a problem, but if a cyber-attack is effective for weeks or months we might find that the secondary impacts are as bad, if not worse, than a traditional military attack. Again, this can all occur without a cyber-attack directly causing any physical impacts.

These points about harms become particularly important when considering if cyber-weapons should be used as weapons of first resort. That is, we need to recognise that cyber-weapons can cause suffering and long-term impacts even if no physical damage occurs. Furthermore, recognising their potential to cause significant harms, any use of cyber-weapons should pay careful attention to prohibitions on the targeting of civilians.

This brings us to our final point - cyber-targets present a particular concern as they are often shared infrastructure. That is, a military might use communications infrastructure to send encrypted communications, or might use a private company's servers to store information in the cloud. Such infrastructure is said to be "dual use": it is used for both civilian and military purposes. This recognition of dual purpose infrastructure brings up a seemingly bizarre notion: that a state might be morally obliged to make themselves a target of cyber-attack.

Consider a cyber-weapon designed so that it will only impact on targeted infrastructure. However, this infrastructure is "dual use": the communications infrastructure is necessary for military uses, so it's a target of strategic importance, but the infrastructure is also necessary for civilian uses. Furthermore, the state being targeted knows that this dual use infrastructure could be sabotaged and, if this occurs, it is likely that civilians will suffer as a result of this cyber-weapon. Given this, what are the defender state's responsibilities to ensure that civilians are protected from such attacks?

Rule 59 of the Tallinn Manual states:

The Parties to an armed conflict shall, to the maximum extent feasible, take necessary precautions to protect the civilian population, individual civilians, and civilian objects under their control against the dangers resulting from cyber attacks.

Thus we have a general requirement for all parties to the conflict to protect civilians from the harms of cyber-attacks. Consider that the attacking group does not care about harms to civilians. If the defender state is not able to have absolutely independent infrastructure, such that its military is using civilian infrastructure, we might consider that the military should make its presence and use distinct from civilian use. Specifically, the defender state might make the military targetable for attack, insofar as it is distinct from civilian uses of that infrastructure.

On the face of it, making yourself a target for attack seems counter-intuitive. However, think of the requirement for military members to wear uniforms, or some identifier that makes them distinct from civilians. While this makes the member of the military easier to target, this is in part its purpose - to keep legitimate military targets distinct from civilian ones.

Although there would be many technological hurdles in creating a "cyber-uniform", if a country is to take its responsibilities to protect its citizens from attack seriously, there is some case to make military use of cyber-infrastructure distinct from civilian use. And, as we have seen, cyber-attacks can potentially harm individuals and groups and could plausibly be considered acts of war.

Thus, while a digital world war might not eventuate, we need to be considering that information technologies are likely to figure more in our considerations of war.

Dr Adam Henschke is an ethicist at the National Security College, the Australian National University. He is co-editing Binary Bullets: The Ethics of Cyberwarfare for Oxford University Press (due later this year) and has a book on the ethics of surveillance under contract to Cambridge University Press.

This article first appeared in the June 2015 edition of Australasian Science and is reproduced here with permission.


Updated:  23 June 2015/ Responsible Officer:  Head of College, National Security College/ Page Contact:  Web administrator, National Security College