As President Bush is reported to have said, “When I take action, I’m not going to fire a two million dollar missile at a ten dollar empty tent and hit a camel in the butt. It’s going to be decisive.” As the quote alludes to, when it comes to national defence and military action, enemies are arguably unlikely to be deterred by an army of three, one leaking canoe and an air fleet of second-hand microlights.
When engaging with enemies in times of war, a graphic display of military might is what we usually expect. Nation States may feel reassured that the sheer scale and sophistication of their armed forces will be enough to deter any potential threat, as would-be attackers are put off by the mere prospect of forceful retaliation. But what if decisive action can be implemented without invoking the arms and armament of conventional forces, without firing a single bullet, but by simply pressing ‘enter’?
It is precisely such action that is promised by cyber warfare, where the hostile use of software could be aimed at a State’s critical infrastructure – for example hospitals, energy and transport networks, financial markets – with devastating and immediate effect. The tools of cyber warfare may be acquired with relative ease and speed by new belligerents who were hitherto considered unthreatening by virtue of their lack of conventional forces. Belligerents may not even be States but unaffiliated hackers driven by a common ideology (whether this be political, religious or economic) who can quickly form, strike and disperse, using the anonymity of cyberspace to hide their tracks.
Increasingly, States are taking the threat of cyber warfare seriously. Several significant military powers have now publically declared their policy on cyber warfare, and the topic has dominated diplomatic exchanges at the highest level. Perhaps the most poignant acknowledgement of cyber warfare as a serious subject comes from its inclusion as a topic of importance in the 2011 Report of the International Red Cross on International Humanitarian Law and the challenges of contemporary armed conflicts.
The growing recognition of cyber warfare as a topic of legal concern in particular is of great importance, particularly for international law. On a basic understanding, international law is the body of law that governs the international relations between States. Amongst other things, it sets out a framework for the legally permissible use of force. International Humanitarian Law (also known as the Law of Armed Conflict) is the part of international law which tries to ensure that if there is armed conflict, it is conducted in as humane and restrained a manner as possible.
Determining how legal rules apply to cyber warfare is obviously important. States will want to know whether cyber offensives will engage the rules of international law on the use of force and what they can legally do in response. If a cyber war is unavoidable, then States will also want to know what rules apply to the actual conduct of such war, for example in determining what targets are permissible, how rules on neutrality apply, and what kinds of cyber weapons are permissible.
However, there is a lack of clarity as to how international law will apply to cyber warfare. International law is an historic construct, having evolved over time and being heavily influenced by traditional concepts of kinetic warfare between Nation States. As cyber warfare is so new, it is not specifically addressed in any treaties. It is difficult enough to get agreement on international matters at the best of times, especially when it comes to conflicts, and such difficulty is likely to apply to cyber warfare. In light of this considerable uncertainty, a recent report for Security Lancaster outlines an agenda for future legal research on cyber warfare, an agenda that prompts a reconsideration of the usefulness of international law as the prime framework for analysis. For example, international law focuses heavily on States, but are future cyber-attacks likely to come from States themselves? How should cyber hostilities that are initiated by federated or balkanised hacker groups with no clear State affiliation be legally categorised? Would we be better off starting to construct a legal framework from scratch as opposed to one that centres on outdated concepts that do not reflect the military realities on the ground?
It should be acknowledged that not all share the view that cyber warfare is a significant or worrying prospect. Its detractors point out that there are no human casualties on the cyber battlefield to date, and no hostile cyber incident has as yet been treated as an act of war or openly admitted to by a State. But arguably, the current lack of physical casualties or attribution ought not to deter us from taking cyber warfare seriously, and start thinking about an acceptable - and perhaps more importantly, workable - legal framework for the resort to and conduct of cyber hostilities. We would do well to recall that another world leader, Winston Churchill, was widely derided at the time for forecasting the onset of World War II, and should remember that if the lessons of history are not learned, they are inclined to be repeated. If World War III promises to be digital, we may as well be as prepared as we can be.
What do you think? Share your comments with us below.
Dr Bela Chatterjee teaches on our Law LLB Hons programme.
The opinions expressed by our bloggers and those providing comments are personal, and may not necessarily reflect the opinions of Lancaster University. Responsibility for the accuracy of any of the information contained within blog posts belongs to the blogger.