How “New” is the Threat of Cyber Attack?
Jennifer Welsh considers NATO’s decision against a cyber attack on Libya.
NATO’s recent military campaign in Libya is the subject of intense scrutiny from all corners. Did the alliance overstep its mandate? Were civilian lives sacrificed, rather than protected, in order to secure regime change? Is it possible to protect civilians from the air at all?
One aspect of the campaign, which has received relatively little attention, may in fact turn out to have long-lasting effects. In the very first days of NATO’s air strikes, officials in the Obama administration engaged in intense debate over whether to disrupt and disable the Libyan air-defence system through a cyber attack. While the precise details have not been made public, it appears that the attack would have involved an attempt to sever military communication links to prevent early warning radar in Libya from gathering information about NATO war planes, and relaying that data back to missile batteries with the capacity to bring down the aircraft.
Several reasons have been cited for the eventual decision not to proceed with a cyber attack (and to use conventional missiles and drones instead). One prominent theory is that members of the administration were concerned about a lack of legal authority to engage in such an act, without Congressional approval. But equally plausible is the argument (reported in the New York Times) that engaging in a cyber attack would have set a precedent for other countries, such as Russia and China, to do so in the future. If true, this suggests that the capacity to engage in cyber attacks is seen as a key advantage in the coming struggles of the 21st century – and one that should be kept secret from one’s rivals. As one U.S. official is reported to have said, “These cybercapabilities are still like the Ferrari that you keep in the garage and only take out for the big race, not just for a run around town.”
Yet, we know that the Ferrari has made it out on a couple of occasions – most notably in 2010 when a Stuxnet computer worm wiped out part of Iran’s nuclear centrifuges (delaying its ability to produce nuclear fuel), and in 2007 when Estonia was subjected to a “distributed denial of service” attack (effectively shutting down all internet-based services in this highly internet-reliant society).
In both of these cases, it has been difficult to attribute the attack to any one actor in particular (though the U.S. and Israel are the suspected perpetrators of the first, and Russia the suspected mastermind behind the second). This “attribution problem” has been noted by both scholars and policy-makers, and seems to be one of the key challenges confronting attempts to conceive of any legal constraints on cyber attacks. In one of the few attempts to analyse the moral issues raised by cyber attacks, philosopher Randall Diepert has argued that “cyber conflict” is so different and so novel that it cannot possibly be regulated by our existing ethical and legal frameworks.
But is this true? Do we need to start from scratch when thinking about how to limit cyber attacks? We were also told after 9/11 that terrorism was “completely different” from any other threat that we had ever faced, and that “new rules” were needed. And so we got rendition and Guantanamo Bay.
While not wanting to minimize the novelty or seriousness of the threat, it’s worth asking how our current legal and moral prohibitions on the use of force (contained in the UN Charter’s Article 2.4 and the broader notions of “just cause”, “proportionality”, and “last resort”) might serve as a starting point for thinking about how to contain and limit this new practice. So, as George Lucas (Distinguished Chair in Ethics at the U.S. Naval Academy) has recently argued, we can begin to distinguish between permissible from impermissible forms of cyber conflict – based on whether they are aimed at justified military targets. Under this logic, Stuxnet might be deemed a legitimate act, while the widespread attack on Estonia’s civilian infrastructure would not.
Adopting this perspective, we might also question the view – sometimes expressed – that cyber attacks are to be welcomed rather than feared. Because they do not use traditional military means, they are less destructive, and therefore constitute a kind of ‘lesser evil’ to bombs and bullets. Fewer (if any) soldiers’ lives are lost, and so-called collateral damage from inaccurate missiles is avoided. On this reading, then, the Obama administration acted immorally when it opted to use a conventional weapon, rather than a cyber attack, to take out Qaddafi’s air defences.
However, if we contemplate not the means, but the effects of cyber attacks, it’s not obvious that they are more “humane”. Estonia experienced a widespread and indiscriminate attack on civilian institutions; had the attack lasted much longer, the damage done to those institutions could have been profound (with the potential for loss of civilian life). To put it another way, cyber attacks do not render old ethical questions meaningless; rather, they challenge us to think about what “harm” means in the context of cyberspace.
Following the 2007 attack, Estonian officials requested NATO to consider invoking Article V of its treaty (which treats an attack on one member of the alliance an attack on all). At the time, this suggestion was swiftly rejected, on the grounds that a clear military attack had not occurred.
NATO’s confusion, and non-response, is unlikely to work when (and not if) such an attack occurs again. As long as societies become increasingly dependent on networked technologies, and as long as some of those societies are preparing ways to coerce one another in cyberspace, the question of how to minimize the harm caused by cyber attacks will remain a pressing one.
Photo courtesy of Reuters.