A Concern in Cyber Conflict: Reconciling Deterrence by Retaliation and Preemptive Attacks
The rules of cyber conflict are unclear and potentially dangerous.
This piece is based on material I learned and wrote about in my graduate class Computers in Society.
Introduction
As cyber conflict continues to grab headlines with no de-escalation in sight, establishing strong norms around its conduct and ensuring that they are understood has become more important than ever. After all, norms matter, especially in international relations (IR). Norms serve as signals that let nations better understand the intent, values, and “red lines” of other political actors. Without them, the potential for strategic miscalculation becomes alarmingly high.
To give an example, the US has been the victim of several cyber attacks in the past few years but has responded to them largely with rhetorical and economic measures. As far as I know, it hasn’t responded to a cyber attack with a kinetic one, e.g., a bombing. This implicitly establishes a norm and informs potentially belligerent nations that if they conduct similar attacks the response will be largely the same. One can contrast this with Russian policy; at least one analyst has been quoted as saying that Russia may use nuclear weapons as a first response against a cyber attack (Arquilla 1999). When deciding whether or not to launch a cyber attack, it is crucial to understand how an enemy is likely to respond. What one side may consider just another jab in a prolonged but non-lethal sparring match may prompt another to literally go nuclear.
Norms in Cyber Conflict are Hard
If the establishment of norms is a stabilizing force, why have they not yet emerged in cyber conflict? There are two reasons. The first is that states want to maintain “strategic ambiguity” so that they are able to exercise discretion in their responses. If a country establishes a “red line” they are obliged to respond swiftly and severely if it is crossed lest they lose global credibility.1 The second, thornier reason is that the nature of cyber conflict makes it difficult to establish norms. Conventional warfare is largely regulated by Just War Theory (JWT), a field that has been studied for centuries and is generally acknowledged as the bedrock of ethics in kinetic conflict. JWT relies on creating dichotomies between permissible and impermissible actions which may be based on further divisions such as combatant vs noncombatant and offensive vs defensive capabilities. In the realm of cyber conflict, things are by nature transversal, meaning that they defy easy categorization (Taddeo 2012). Is a satellite used for GPS by many nations and that guides missiles as well as civilian ambulances a valid target (Rowe 2016)? Experts and policy makers reasonably disagree.
Generally speaking though, both researchers who want to directly analogize from JWT to the realm of cyber conflict (e.g., Randall Dipert and Michael Schmitt) and those who push for a more fundamental reconsideration of the underlying ethics (e.g., information ethicists such as Luciano Floridi and Mariarosaria Taddeo) have focused on a few common topics. Of these, I believe two are in tension in a way that has not been adequately expressed. For the rest of this post, I will first explain each of the topics and then show why their combination leaves unresolved questions.
Deterrence
During the Cold War, the term mutually assured destruction (MAD) entered the global lexicon. The idea is simple: if the Soviet Union launched a nuclear strike against the United States, the United States could launch a full nuclear strike back (and vice versa). In other words, any nuclear strike would be suicidal, ensuring that both sides were destroyed and making a nuclear conflict “unwinnable”.2 With both superpowers in the same boat, neither would be willing to make a move. Paradoxically, peace rested on each side having the ability to annihilate the other.
Deterrence theory in cyber conflict is somewhat analogous. We can think of two forms of deterrence: deterrence by defense and deterrence by retaliation. Deterrence by defense is like having a huge shield or city wall such that attack is essentially futile. On the other hand, MAD is an example of deterrence by retaliation — no matter how successful an attack is, an impending counterattack will make the aggressor regret it. As in the nuclear case, defenses in cyber conflict are bound to fail (Taddeo 2017), so deterrence by retaliation is the only viable defense. As Taddeo points out, the analogy is not exactly flawless: retaliation in cyber conflict faces issues with attribution, the ability to make credible threats, and the fact that this would be a repeated game (i.e., countries could retaliate back and forth repeatedly).
To belabor that second point briefly, deterrence by retaliation depends on adversaries believing that their enemies have the capacity to punish them; otherwise, they are likely to ignore what they believe to be an empty threat. This implies that the only effective defense states can have in the cyber realm is a powerful offense that other states are aware of.
Preventative vs. Preemptive
Another relevant distinction in JWT is preventative vs preemptive attacks. Preventative attacks are those based on an assumption that an enemy will eventually attack, without any concrete evidence of an immediate threat, and so should be destroyed before they can do so. One could argue the Third Punic War is an example of this.3 By contrast, “states can rightfully defend themselves against violence that is imminent but not actual” through preemptive attacks (Walzer 2006). The Six Day War between Israel and several Arab states in 1967 is an example of a successful preemptive attack.4 Preventative attacks, then, should be avoided and preemptive attacks are not only permissible but often preferable.
Even in kinetic warfare, it can be difficult to draw a line between “this state is shifting their defenses or conducting an exercise” and “this state is preparing to attack in the near future.” This difficulty only increases in the cyber realm, where enemy capabilities may be difficult to evaluate. Worse still, offensive cyber capabilities may built to explicitly target a system or vulnerability of a single country. A nuclear weapon will work roughly the same whether it’s headed for Washington, D.C. or Moscow; a computer virus designed to steal data from an American intelligence agency is unlikely to work on a Russian or Chinese intelligence agency. For this reason, it may not be enough to simply show that a potential threat has targeted cyber weapons as there may be no intention of using them except in retaliation.
Despite these issues, preemptive attacks have been advocated in cyber conflict (Taddeo 2014) and some have gone so far as to argue even preventative attacks should be encouraged if they meet certain criteria (Lucas 2014). Occasionally these arguments allow for more aggressive behaviour if the attacks are against purely “offensive” capabilities as states have a right to defend themselves but not to attack their enemies (Dipert 2010). In the realm of cyber conflict, I think this idea is in deep tension with deterrence by retaliation and could lead to dangerous escalation.
The Complication
The basic argument is as follows:
Because deterrence by retaliation is the only effective form of defense in cyber conflict, having offensive cyber capabilities is necessary for defense.
If preemptive and preventative strikes are encouraged, even if they target only “offensive” capabilities, they can be seen as destroying a state’s ability to defend itself.
A state who considers their defenses to have been attacked or dismantled is likely to see this as a potential act of war and respond forcefully.
If their cyber capabilities have been destroyed or disabled, the defensive state is likely to resort to a kinetic attack.
To reason by analogy, if the Soviet Union had been able to somehow disarm the American “nuclear triad” and prevent the United States from making a second strike, it seems almost certain that the US would have interpreted this as a sign Soviet nuclear weapons were on their way. There is no way this would have been seen as “insubstantial damage” that did not warrant an immediate response (Dipert 2010).
Although cyber attacks have not yet posed an existential threat in the way that nuclear weapons do, it’s not hard to imagine that cyber capabilities may be as core to a state’s defense as nuclear weapons are. There’s also the issue that a cyber attack could cause far more damage than anticipated if, for instance, it spreads in an uncontrollable way across many systems or a target is misidentified. What was meant to be the cyber equivalent of a precision airstrike could easily become a carpet bombing instead.
With the risk of immense escalation always present, this conclusion suggests that there should be a high burden of proof that an enemy is about to attack before launching a preemptive strike and a high degree of certainty that the attack itself will be narrowly concentrated against the enemy’s offensive capabilities. It’s not enough to simply claim that offensive weapons in the cyber realm are always valid targets — one has to consider their place in the target state’s larger strategy as well as how that state is likely to retaliate in future.
References
Arquilla, John. Ethics and Information Warfare in Strategic Appraisal, Zalmay M. Khalilzad and John P. White (eds.). RAND, pgs. 379–401, 1999.
Dipert, Randall R. The Ethics of Cyberwarfare. Journal of Military Ethics, Vol. 9, №4, pgs. 384–410, December 2010.
Lucas, George R. ‘Permissive Preventive Cyberwar: Restricting Cyber Conflict to Justified Military Targets’ in Luciano Floridi, and Mariarosaria Taddeo (eds) Ethics of Informational Warfare, Springer, 2014. ProQuest Ebook Central, https://ebookcentral.proquest.com/lib/oxford/detail.action?docID=1697732.
Rowe, Neil C. ‘Challenges of Civilian Distinction in Cyberwarfare’ in Mariarosaria Taddeo (ed) Ethics and Policies for Cyberwarfare: A NATO Cooperative Cyber Defense Centre of Excellence Initiative, Philosophical Studies, Vol. 124, Springer, 2016, section 3.2.4.
Taddeo, Mariarosaria. Information Warfare: A Philosophical Perspective. Philosophy & Technology, 25(1), pp 105–120, 25 March 2012, https://doi.org/10.1007/s13347-011-0040-9.
Taddeo, Mariarosaria. Just Information Warfare. Topoi, 16 April 2014, https://www.researchgate.net/publication/264083705_Just_Information_Warfare
Taddeo, Mariarosaria. The Limits of Deterrence Theory in Cyberspace. Philosophy & Technology, Vol. 31, Iss. 3, pgs. 339–355, 16 October 2017.
Walzer, Michael. Just and Unjust Wars: A Moral Argument with Historical Illustrations. 4th ed., Basic Books, 2006.
One realm where you see states attempt to back away from red lines is in genocide intervention. If an issue is labeled “ethnic cleansing” instead of “genocide” it does not necessitate the response indicated in the UN Genocide Convention. For much, much more on this, see “A Problem from Hell”: America and the Age of Genocide by Samantha Power.
There is some debate as to whether or not the Soviet Union actually believed that a nuclear conflict was unwinnable, see “Why the Soviet Union Thinks It Could Fight and Win a Nuclear War” by Richard Pipes. Either way, it seems likely that the prospect of MAD had at least some deterrent effect.
Fifty years after the Second Punic War almost ended the nascent Roman Republic, Rome prosecuted the Third Punic War with the sole intent of leveling the city of Carthage. Carthage, despite its quick economic recovery, posed no immediate threat to Rome and repeatedly tried to prevent the war from happening. This conflict would be difficult to justify under JWT, but Romans didn’t really think of morality that way. Their mindset was more vae victis (“woe to the vanquished”) — see Livy’s account of the Gallic sack of Rome for the origin of this phrase or the Melian Dialogue in Thucydides for a discussion of this justification.
In 1967, Egyptian president Nasser began to quickly mobilize troops near the Israeli border, started a partial blockade, and signed military alliances with Syria, Jordan, and Iraq. Seeing the writing on the wall, Israel launched a series of airstrikes to cripple the Egyptian and Syrian air forces. By attacking first, Israel gained a huge advantage in what was strategically a defensive war. The attack is seen as just because it was a response to a real and immediate threat to the existence of the state. See, for instance, the Encyclopedia Britannica entry for more information.