As a Christian who holds to the tenets of just war theory (JWT), I was struck by an online article last month in The Atlantic wherein Patrick Lin, Fritz Allhoff and Neil Rowe questioned whether a cyberwar could be initiated and subsequently waged according to JWT. The article insists that while many are familiar with how the just war concepts of jus ad bellum, jus en bello and jus post bellum are used when evaluating conventional (and, I would add, nuclear) conflict, the application of the tradition to cyberwarfare has been severely under-analyzed.
One of the primary concerns for the three authors is a state’s use of malware, viruses or other cyber tools for preemptive or preventive strikes. Since cyber applications are comparatively cheaper (and easier to deploy) than military equipment and/or personnel, and because their use comes with (again, comparatively) lower “casualty counts,” the authors believe that states will be overly tempted to use them preventively or preemptively. This, they add, is a perilous ad bellum quandary given the United States’ adoption of the Bush Doctrine. The article also highlights the issue of whether cyber attacks constitute “armed attacks," which justify a response under self-defense. Finally, the authors raise questions about en bello and post bellum categories: Can one launch (or perhaps even more importantly, control) cyber attacks in ways that discriminate between combatants and non-combatants? Does "double effect" come into play? And what might post-conflict reconstruction look like, cyber-wise?
First, some comments about terms, and a bit of a quibble. When one talks about preemption or preventive strikes in the context of JWT, I think two other labels are more useful: anticipatory self-defense and damage limitation. I would argue that the Atlantic article unfortunately conflates preemptive/preventive strikes (cyber and otherwise), military aggression and escalation, while JWT has historically addressed the (albeit limited) situations in which “striking first” might be justified in order to stop an aggressive opponent before he can launch his attack and, at the same time, limit the amount of military or civilian damage the aggressive opponent can inflict in the war’s initial phase. Indeed, the authors’ assertion that the Bush Doctrine represented a “break” from traditional JWT is a mischaracterization of the way anticipatory self-defense fits into the ad bellum category of just cause. JWT scholar James Turner Johnson has written extensively about early modern European (Grotius, Vitoria) JWT perspectives on anticipatory self-defense, as well as the 19th and early 20th century restricting of just cause to the “second use of force in response to (armed attack).”
I remain much less bullish about the escalatory dangers posed by cyber tools and their overall coercive character.
As an avid Clausewitzian, I view war first and foremost as "a duel on a larger scale," made up of three parts: (a) an act of force, the effect of which is to (b) compel an opponent to (c) bend to our (political) will. One walks away from the Atlantic article with little sense as to how the types of cyber operations described - targeting banks, attacks on media outlets or infrastructure, even the reference to attacks against military organizations - might actually constitute “acts of force” which could coerce an opponent into bending to the attacker's political will.
Indeed, unlike the Atlantic authors, Michael N. Schmitt, an expert on cyberwarfare and ethics who presented last week at the Naval War College International Law Division’s annual conference, has offered in an earlier article a seven-part rubric for evaluating whether a particular cyber operation should be considered an “act of force.” In the same article, Schmitt concludes that “mere destruction or damage (alteration) of data” does not raise to level of armed attack (thus triggering justifiable self-defense), but might if malware/virus insertion or data exfiltration signaled an imminent attack (e.g. what Schmitt calls “preparing the battlefield”) or was a clear move by an opponent to limit damage to himself prior to launching an attack (e.g. disrupting an opponent’s defenses).
Again, as someone who believes in the importance of connecting Christian ethics to the national-security arena, I am very appreciative that the Atlantic authors are working to apply JWT to cyberwarfare. However, after reading their article, I still remain much less bullish about the escalatory dangers posed by cyber tools and their overall coercive character.
What Do You Think?
- Should cyberwarfare be considered an extension of traditional warfare, or something distinct, with its own rules and definitions?
- How would you apply just war theory to cyberwarfare?