On Cyber War | The Cove

Introduction

In Jebel Sahaba, Sudan, lie the remains of 40 individuals thought to be some of war’s earliest victims (Crevecoeur et al. 2021, pp. 11-13). Their bodies, pockmarked with lesions, broken bones, and other ailments exist as the pages on which a savage story of early warfare can be read (Crevecoeur et al. 2021, pp. 1-13). In the last 13,000 years, warfare has evolved significantly from what our ancestors experienced. The domains of land, sea, air, and space are now all home to military competition amongst advanced industrial nations. However, in the modern information age, these domains of conflict have not garnered as much attention as one other – cyber. A product of our increasingly networked and interconnected world, the cyber domain encapsulates both physical infrastructure (hardware) and logic systems (software) (Joint Publication 3-12 Cyberspace Operations 2018, pp. 22-24). The cyber domain’s vast scope, critical importance to modern life, and apparent vulnerability has prompted alarm amongst national security leaders. In June 2012, Leon Panetta, then US Secretary of Defense, stated that cyber risks represent ‘the potential for another Pearl Harbour’ (Eun 2016, p. 343). Panetta was not a voice in the wilderness, his fear of a nation-wide crippling cyber-attack was shared by much of Washington’s national security establishment (Eun 2016, p. 343). However, beyond the threatening idea of cyber war, scarce grounds exist for the threat’s credibility. Stuxnet’s deployment in 2010 remains the only confirmed example of a cyber-attack causing physical damage, an important point (Lindsay 2013, pp. 365-404). Therefore, practical questions arise regarding what constitutes cyber war, and if it is a distinct possibility. This piece will first examine what constitutes war to then enable an analysis of whether cyber war is currently occurring and if not, whether it could occur in the future. Cyber war is a term which has been wielded imprecisely since its inception, not subject to thorough examination and scrutiny. By properly defining the term, we can begin to take steps to avert a possible cyber war in the future.

War

To ascertain whether cyber war will occur one must first define war itself, a perniciously difficult task. In attempting to do so, Prussian General Carl von Clausewitz’s Vom Kriege or On War stands as a pivotal work. His reduction and articulation of war’s essential characteristics underpins much of contemporary thinking about war – ‘friction’ in war is just one of many terms he developed (Clausewitz 1984, p. 47). At its core, war and individual acts of war, fulfil three criteria. First, violence is integral (Rid 2012, p. 7). Without it, the word and the act lose their essence. Someone ‘going to war’ with your boss on your behalf to request a pay raise is not going to war. Just as the government ‘going to war’ with COVID-19 is not actually doing so. Violence, physical violence specifically, ‘die physische Gewalt’ as Clausewitz describes it, is therefore essential to defining war (Clausewitz 1984, pp. 191-192). Second, war is instrumental, it is an action or set of actions in furtherance of a larger end (Clausewitz 1984, p. 29). Violence is unfortunately commonplace throughout the world, but one would not describe an isolated street stabbing or other isolated violent acts as acts of war. War is waged in order to ‘compel the enemy to do our will’, it requires that the violence be in service of a desired end state (Clausewitz 1984, p. 27). Finally, war is political as Clausewitz’s famous quote ‘war is a mere continuation of politics by other means’ lays plain (Clausewitz 1984, p. 44). Simply put, the violence is attributed and in furtherance of an end which has been articulated by a political entity. For example, Ukraine seeks the restoration of its international borders, and its army is openly waging war to achieve this desired political end state. Altogether, the Clausewitz definition of war and acts of war serves as a useful foundation, although it will benefit from a consideration of how modern wars commence.

By examining just cause, a central pillar of the globally significant Just War Theory, one can understand how modern wars commence. For the purposes of this piece, just cause will remain the sole focus as it is arguably the single most influential criterion in states going to war, often forming their casus belli. As one might expect, just causes for war exist at a high bar, including acting against crimes against humanity or responding to armed aggression. Crimes against humanity – genocide, ethnic cleansing, and indiscriminate killings – give states just cause to initiate a war for humanitarian purposes (Dipert 2010, p. 384-410). Conversely, armed aggression gives states just cause to engage in war to defend themselves. However, armed aggression is a rather nebulous term. As Brian Orend describes ‘the gold standard […] is a kinetic physical attack’ (Orend 2013, p. 176). Pearl Harbour, where Japanese uniformed military actors engaged in a kinetic physical attack against US uniformed military actors and assets on US sovereign territory, is one such gold standard example (Oakley 2019, p. 2). However, history is replete with less clear examples. For example, what if an attack is unattributable, if the attack is not against persons. Further complicating this matter, Michael Walzer’s seminal work on Just War Theory, Just and Unjust Wars, largely fails to clarify this question, leaving the UN Charter as the most authoritative document (2006, pp. 50-53). It has a prohibition against ‘use of force against territorial integrity’, in effect establishing a three-limb test for what constitutes armed aggression (The UN Charter 1945). Armed aggression must include use of force, violation of territorial integrity, and knowledge of the responsible state. Therefore, having examined just cause, a further series of considerations made by states before commencing war are clear.

Employing Clausewitz’s definition of war and our understanding of just cause together, yields a framework for how war occurs. This is demonstrated by way of the following hypothetical conventional example. Blueland’s capital, specifically its parliament and other key government buildings, are struck by mass airstrikes, causing numerous fatalities and significant damage, coordinated by Redland’s military, who later publicly announce they have taken their first action to de-nazify their regional neighbour. Before retaliating, Blueland is intent on establishing it has grounds to do so. Blueland assesses it is the victim of armed aggression, necessitating the three-limb test. First, Clausewitz’s definition for acts of war will be used to assess use of force. The airstrikes were an inherently violent act, destroying people and property, instrumentally orchestrated in furtherance of a state’s political end, the attempted de-nazification of Blueland’s political leadership. This was an act of war, satisfying the test for use of force. Second, Blueland’s territorial integrity was violated. Enemy aircraft flew unauthorised through Blueland’s airspace. Finally, Redland is attributable as the perpetrator of the attacks, it has publicly claimed responsibility. Having established just cause, Blueland responds in turn with comparable strikes on Redland’s capital as their army invades, the war has commenced in earnest. This example demonstrates both the process by which a conventional war might arise and the nature of that war as defined by a series of tests. Furthermore, one can readily conceptualise acts of war on land, sea, air, and space which would fulfil the process. Overall, this framework exists as a useful heuristic to now assess whether cyber war will occur.

Cyber War?

To now assess whether cyber war will occur, the material differences between the cyber domain and cyber actions and conventional domains and conventional actions must be understood. First and foremost, the cyber domain is unique in that it is man-made and non-physical (Sleat 2017, p. 6). Cyberspace exists in a liminal state, both ‘dependent on the physical domains of air, land, [sea], and space’ for its continued existence and able to render physical effects in each of these domains (Joint Publication 3-12 Cyberspace Operations 2018, p. 7). This reflects the bi-directional relationship between physical infrastructure being necessary to run logic systems and logic systems being able to affect physical infrastructure (Joint Publication 3-12 Cyberspace Operations 2018, pp. 22-24). As a result, the entirety of the world’s networked infrastructure is conceived of as cyberspace. Uniquely, USCYBERCOM notes there is ‘no stateless maneuver space’ – such as international waters or airspace – reflecting the fact all cyberspace is tied to states, either directly or indirectly by way of private entities (Joint Publication 3-12 Cyberspace Operations 2018, p. 11). Naturally, given the domain, cyber actions are themselves unique for several reasons. First, unlike conventional actions – such as ground invasions, aerial strikes, or naval blockades – a cyber action does not need to involve the territorial violation of another state by ‘soldiers or even by physical objects’ (Dipert 2010, p. 397). The cyber action can then achieve an effect with greatly varying degrees of lethality, but importantly may register no physical damage whatsoever to person or property (Dipert 2010, p. 385). DDos attacks and intrusive malware monitoring exist as clear examples (Janczewski & Colarik 2008, pp. 1-565). Attribution of these actions once detected can then be notoriously difficult (Dipert 2010, p. 385). A cyber action originating from an IP address in a state does not confer culpability like a missile flight path being traced back to its origin. This is due to the fact that given the cyber domain is accessible to any networked system, any networked system may represent a ‘weapon’ in the hands of a capable individual, group or state (Dipert 2010, p. 385). On the whole, the cyber domain and cyber actions are clearly materially different from the conventional domain and conventional actions in key ways, posing challenges for our framework on war.

Assessing cyber actions against our framework on war reveals key challenges in determining whether a cyber war will occur. Immediately, problems are apparent. Just causes for war include crimes against humanity and armed aggression. Given it is not conceivable that cyber actions could constitute crimes against humanity, armed aggression is the only viable option. This creates the new problem of whether cyber actions can satisfy use of force – a distinctly physical quality. Importantly, Clausewitz’s definition demands the action be inherently violent, instrumental, and political in order to qualify. While cyber actions could conceivably be said to be instrumental and in service of political goals, could they be inherently violent? This is the key point on which much rests. Cyber actions such as downing of financial, government, and other systems could occur and not cause any physical damage to person or property. Is this violence? Defining violence’s parameters will be explored in greater detail shortly. However, ambiguity regarding cyber actions’ relationship with violence is not the only problem. Assuming a cyber action constitutes use of force, it must also violate territorial integrity. Yet we know that cyber actions, even hypothetically devastating ones, could occur without any territorial violation akin to that of an invading Army or sortieing aircraft. To be satisfied, one would need to reconceptualise territorial violation on the basis of damage wrought, physical or cyber. Finally, the attribution problem remains. Assuming the first two hurdles are cleared, the act must still be attributable as ‘history does not know acts of war without eventual attribution’ (Rid 2012, p. 8). This is a ‘wicked’ problem and would render all potential cyber acts of war as cyber acts of sabotage, unless the initiating state claimed responsibility. On balance, Cyber War remains plausible although it requires an examination of whether cyber actions may be deemed as violent.

To determine whether cyber actions are violent requires an exploration of violence’s relationship with lethality. As many scholars are prone to doing, violence and lethality are often conflated. Rid stated ‘a real act of war is always potentially or actually lethal’ and Arendt’s writings dictate that force implies violence, which in turn implies lethality (Rid 2012, p. 7; Arendt 1973, pp. 111-113). Violence is closely conceptually tied to lethal violative actions against humans, but it is not completely tied. As the Oxford English Dictionary defines, aligning too with a common appreciation, violence is ‘force intended to hurt, damage, or kill’ (Oxford English Dictionary 2000). The key word being ‘damage’ that implies violence can exist independent of people, it can be directed against objects (Stone 2013, pp. 104-105). This opens the possibility for non-lethal violent acts of war. Indeed, one can conceive of an example of a bombing campaign or targeted strike against unmanned infrastructure as a non-lethal violent act of war. What remains clear is that lethal or not, a violent act of war must be manifest in the physical domain. A cyber action affecting a logic system in the cyber domain is not a violent act. A cyber action resulting in the malfunction and subsequent explosion of a power plant is a violent act. This is important as a cyber action cannot be directly violent against people like firing a bullet from a gun. This is because cyber actions are inherently ‘parasitic’, they rely on the latent violent potential of the physical infrastructure they affect (Rid 2013, p. 13). For example, a nuclear plant with thousands of employees has a higher latent violent potential for cyber actions than an isolated, unmanned solar farm. Therefore, while a cyber action can be directly violent against physical infrastructure, it is always going to be indirectly violent to biological people (Dipert 2010, p. 397-398). Therefore, by establishing violence as inclusive of non-lethal acts wreaking damage against physical objects, it is conceivable that cyber actions could satisfy the use of force.

Given that cyber actions could constitute uses of force, a cyber war exists as a distinct possibility. Using our framework, a cyber war could occur in the following hypothetical example. Blueland’s national electricity grid is struck by a devastating cyber action, resulting in the grid being downed and multiple power plants malfunctioning and sustaining physical damage. Redland publicly claims credit, showering praise on their Army’s Cyber Warfare division’s efforts in service of the government’s aims to cripple their regional neighbour’s economic self-sufficiency. Naturally, this scenario raises the questions of whether cyber actions could affect such physical damage and whether a state actor would ever claim responsibility, mitigating the attribution problem. However, this is beside the point. The central point is that it could occur, regardless of how unlikely. This scenario would satisfy use of force, with its attendant Clausewitzean tests, and attribution. It would also likely satisfy violation of territorial integrity, a conclusion supported by arising state practice. For example, Australia’s Department of Foreign Affairs and Trade’s Application of International Law to State Conduct in Cyberspace, finds cyber actions constitute violations of territorial integrity if they affect ‘matters that a state is permitted by the principle of state sovereignty to decide freely. Such matters include a state’s economic political and social systems’ (2017, p. 4). One can reasonably include a nation’s electricity grid within such a definition. Importantly, with this understanding, the most prominent known past cyber actions – Stuxnet, the Israeli Air Force’s downing of Syrian Defence systems, DDoS against Estonia – do not constitute acts of war as they fail to be substantially violative of territorial integrity (Finlay 2018, pp. 357-377). For all the rhetoric of cyber war, the world is yet to experience one. Overall, it is clear that a cyber war has yet to occur, but there is nothing preventing one from occurring in the future.

The Future

As technological development both continues and accelerates, cyber war of the future will likely be far more lethal than currently imagined. Presently, scholarship on cyber war is hobbled by a strict conception of humanity as a distinctly biological and physically oriented species. However, this is not likely to remain the case forever and one can already see the burgeoning future in its infancy with technologies such as Neuralink and the Metaverse (Anninos 2019, pp. 542-558; Mystakidis 2022, pp. 486-497; Pisarchik et al. 2019, p. 1). Should these technologies and their more developed progeny be adopted on a mass scale, humanity will shift to being a biologically hybrid or wholly synthetic species that exists predominantly in the cyber domain. Naturally, such a future allows for the possibility of a far more lethal cyber war. If a person’s conscious mind, completely or partially, exists in the cyber domain, then cyber actions against individuals could become indistinguishable in effect from shooting someone. Similarly, if the Metaverse evolves to encompass digital infrastructure, such that persons spend large portions of their time inhabiting these virtual spaces for leisure or work, then its destruction by cyber actions could become indistinguishable in effect from a café or office building being bombed. Counter-intuitively, if this future of great technological change eventuates our framework on war will maintain its utility as cyber war will align with conventional war far more closely with regard to effect. Altogether, as humanity becomes ever more closely intertwined with the cyber domain and cyber war exists as a far more lethal possibility, our framework on war will maintain its utility.

Conclusion

War is one of humanity’s oldest vices. From our earliest ancestors to the modern day, war has changed greatly in its nature to encompass the domains of land, sea, air, space, and now cyber. Coinciding with its advent, there was a great fear amongst national security leaders that the cyber domain would be the next great domain of warfare. However, despite cyber warfare being a term wielded with increasing frequency, it faced little scrutiny. The question remained unanswered as to whether cyber war had ever occurred or would ever occur in the future. By developing a coherent framework on war to assess both acts of war and war’s commencement, the possibility of cyber war was examined comprehensively. It is clear that despite the cyber domain and cyber actions unique differences, cyber war could occur in the future. This determination rests on a conclusion that violence can indeed be non-lethal and that cyber actions could wreak physical damage. Furthermore, it would require the cyber action to be on such a scale as to violate territorial integrity under emerging state practice with the responsible actor also claiming responsibility. While not a likely set of circumstances, it remains a distinctly possible set of circumstances. Crucially, as technology evolves, having an ever-greater impact on the human species, potentially forever altering our species, cyber war as a truly lethal possibility only continues to grow. It is for this reason that cyberwarfare should not be allowed to become a buzzword encapsulating any and all cyber actions. As with all war, the prospect of cyber war is harrowing, and we should appreciate it fully so we can best act to prevent it.

Comments

Submitted by: amstan77

06/08/2024

To preface my response I skim read it, so somethings may be taken out of context or make ill sense. But I agree, cyber warfare or a cyber war could absolutely occur. I may even go as far as to say it can fit the bill as 'a crime against humanity'. Which can be roughly defined as "a widespread or systematic attack against a civillian population". If a cyber attack was to occur that crippled infrastructure that a civillian population depends on, then widespread suffering and possibly death could occur, as a result fits the bill as a crime against humanity.

All in all, well written and I agree.

Art & Science of Thinking

Art & Science of War

Leadership, Ethics & Society

STEM

Organisation, People & Projects

Officers

NCO/WO

Other ranks

Written

Video

Audio

Mixed media

Announcement

AAC

All Corps

Cbt Arms

Cbt Spt

Health

Log

Pers Spt

CoveTalk | Small Aircraft, Sizable Threats: SUAS - The Threats They Pose and How to Counter Them

Responding to the Chief's Challenge: Reflecting On the Nature and Character of War

CoveTalk | Small Aircraft, Sizable Threats: SUAS - The Threats They Pose and How to Counter Them

The Cove Community Podcast