Defining cyberwarfare...in hopes of preventing it - Daniel Garrie

Wars are a tragic part of our history and will almost certainly be a tragic part of our future. Since the establishment of the United Nations, wars of aggression have been outlawed, and multilateral conventions refer to armed conflict instead of war. But the wars of the future won't be like the wars of our past. Alongside traditional warfare, our future will include cyberwarfare, remotely fighting our enemies through the use of a new class of weapons, including computer viruses and programs to alter the enemy's ability to operate.

And not only is cyberwarfare not covered by existing legal frameworks, but the question of what exactly constitutes cyberwarfare is still highly debated. So, how can we deal with cyberwarfare if we can't even agree on what it means? One way forward is to envision situations where new international laws may be needed. Imagine a new kind of assassin, one that could perpetrate a crime without firing a single shot or even being in the same country. For example, an individual working for the government uses a wireless device to send a signal to another foreign leader's pacemaker. This device directs the pacemaker to malfunction, ultimately resulting in the foreign leader's death.

Would this cyber assassination constitute an act of war? As a second example, imagine an allied group of nations cooperatively infiltrating the computer systems of an enemy nation's nuclear warship. This attack results in a nuclear-powered aircraft carrier almost melting down, which was stopped just short of killing thousands of soldiers and civilians. As a defensive measure, the enemy country responds by unleashing a defensive cyberattack that results in the allied nations' power grids going down. Hospitals can no longer treat patients, entire regions without heat or clean water, all ultimately causing tens of thousands of civilian deaths.

The origin of the power failure was the counterattack, but the fragile infrastructure, feeble cybersecurity, and the antiquated state of the power grid all contributed to the deaths of the civilians. Could the country fight back? Who would they fight? And would their retaliation be considered an act of war? Do they constitute war crimes against humanity? Who is to be held responsible? The computer programmers who wrote the code? The military project manager who oversaw the creation of the code? The commander who hit the button, setting off the event? The hardware engineer who created the computers, knowing that they were intended to enable an attack?

Because war has been with us for so long, we have laws to deal with figuring out who should be held accountable for their actions in combat. These legal frameworks aim to contain and prevent atrocities from being more atrocious. Commandeering civilian planes and using them as weapons, dropping atomic bombs, the use of gas chambers or poisonous gas in conflict, all of these actions, if committed, constitute acts of war and war crimes under customary international law and the Hague conventions.

Again, the current legal framework stays silent on hypothetical questions and countless others because there are no easy answers, and there are only two ways to make progress on these questions: peace or new laws. So, what hypothetical but plausible scenarios can you imagine falling under the burgeoning definition of cyberwarfare, and how might you design an international legal framework to deter these activities?