Book Review: Cyberwar: Law and Ethics for Virtual Conflicts

Cyberwar: Law and Ethics for Virtual Conflicts edited by Jens David Ohlin, Kevin Govern and Claire Finkelstein. Oxford: Oxford University Press, 2015. 277 pp, £29.99 paperback 9780198717508, £95 hardcover 9780198717492

Both the attractive and the potentially catastrophic capabilities of cyber technology for militaristic purposes have become increasingly evident. But as Cyberwar: Law and Ethics for Virtual Conflicts illustrates, policy debates around the application of existing law to cyber contexts have lagged behind the pace of technological change encompassing such operations.

Aiming to stimulate related policy development and discussions, the edited volume’s contributors deal with matters such as whether or not international humanitarian law actually applies to cyber operations (they are divided on the matter; and by the end of the book a reader could be excused for still being confused on this foundational issue); the entry of non-government actors into an arena traditionally dominated by states; and the related problem of attribution (particularly at a time when few hackers or cyber ‘militants’ are likely to don a distinguishable military uniform).

Such topics seem rather apt in light of predictions in the book that terrorists are likely to turn to cyber weapons to ‘compensate for kinetic forces they lack’. Yet one also has to ask what the true feasibility of catastrophic ‘cyberwar’ is: particularly if one considers that the same three somewhat dated events are repeatedly used for exemplary purposes in the book. These examples are the reportedly American-Israeli Stuxnet virus that targeted a nuclear plant in Iran in 2009/10; cyber ‘attacks’ on Georgian websites during the Russian-Georgian war of 2008; and cyber ‘attacks’ on Estonian organizations’ websites in 2007 following a dispute with Russia. On the other hand, the apparent lack of case studies might be a consequence of challenges typical to the cyber realm, like that of attribution and detection – both of which are also evaluated in the book.

In the first part of the volume, certain foundational questions of ‘cyberwar’ are investigated – including whether it actually amounts to war. In a chapter that questions the very title of the book, Larry May argues that ‘cyberwar’ is not sufficiently like normal incidents of armed conflict or war to justify it being subject to just war theory (JWT) and its implications for intentional killing. James Cook, in the next chapter, disagrees: arguing that JWT focuses on effects and intentions, not means. As a new means of war, cyber holds a ‘unique ethical status’, he argues, because of its defining factors like ubiquity, uncontrollability and neoreality. But because JWT only applies when agents, intentions and effects of a cyber operation can be identified, Cook concedes that it is only useful in some instances.

The rather fiddly problem of causation is the subject of the next chapter, which, as its author Jens David Ohlin notes, the law of war has thus far remained ‘blissfully ignorant’ of. He not only stresses the importance of developing an adequate account of causation for the purposes of determining the application of international humanitarian law in cyber contexts, but also recommends that such standards of cyber causation be capable of public application and adjudication.

In the second part of the book, the civil-military divide in conceptualising cyber attacks is investigated. In an important chapter in the context of concerns about terrorists’ proclivity to use cyber weapons, Stuart Macdonald provides a fascinating yet somewhat disturbing account of the UK’s terrorism laws. Using examples of precursor offenses and their potential regulatory overreach, he illustrates how the parameters of criminal law have been extended to encompass a wider range of individuals, more severe punishments, and the diminution of defendants’ procedural rights. In the next chapter Laurie Bank similarly provides a stark depiction of the ‘blurring of lines’ between relevant and applicable legal frameworks, regulatory overreach and policy confusion, and the degradation of civil liberties. She warns against the negligent or overzealous use of warfare terminology, especially where terms like ‘cyberwar’ and ‘cyber attack’ are concerned.

The growing eminence of non-state actors in cyberwar – a phenomenon that most of the contributing authors mention in their respective chapters – is the subject of Nicolò Bussolati’s chapter. It is not only difficult to attribute cyber conduct to non-state actors, but he also shows how such actors are vastly different in terms of organizational structure, motivation, relationship to the state, and size. He stresses the need for addressing regulatory challenges posed as a result of the entry of such non-state actors, while emphasizing the need for flexible responses.

Part III of the book deals with cybersecurity in the context of international humanitarian law. Duncan Hollis provides a normative critique of the ‘constraining logic’ of boundaries in cyberspace: arguing that it not only creates an incomplete regulatory response to cyber but also fails to emphasize the law’s empowering capacity. To this extent he proposes a partial solution in his interesting (if somewhat impractical) notion of the ‘Duty to Hack’, which requires states to use cyber operations in their military operations whenever they are the least harmful means available for achieving military objectives.

In his chapter, Christopher Yoo again raises doubts about the applicability of international law to particular types of cyber conflicts and argues that due to ‘the unlikely prospect of legal solutions’ for such challenges, technological self-protective measures will become increasingly popular. Noting the latent disruptive capabilities of cyber operations, he stresses the need for developing useful principles and argues that engineers should be tasked with designing more reliable methods for attributing cyber operations to relevant actors.

William Boothby investigates deception in warfare in the next chapter, including the development of laws governing deception and the potential prevalence of cyber deception methods. Applying relevant laws to cyber contexts, he argues, will be problematic due to the difficulty of attributing such actions and the identification of actual effects.

Responsibility and attribution are the themes for Part IV, and in his chapter Marco Roscini investigates evidentiary challenges as another topic thus far neglected where international law’s application to cyber realms is concerned. He investigates potential methods of proof and the relevant burden and standard of proof in relation to claims seeking remedies for damage caused by cyber operations where international disputes between states are concerned.

In the book’s final chapter, Sean Watts investigates and attempts to clarify the principle of non-intervention in low-intensity cyber operations, arguing that the increasing use of such operations between states ‘will highlight doctrinal gaps’. He points out that states have had many opportunities to clarify the principle, yet have failed to do so – risking not only their ability to peacefully co-exist with other states but also their diplomatic, political, economic, and military endeavours.

Cyberwar: Law and Ethics for Virtual Conflicts provides a useful and interesting contribution to a global policy field that is still largely unchartered. One hopes that any debates stimulated by the volume will take due cognizance of the nature of cyber realms, along with the pace of technological change, when considering the development of regulatory responses. As shown by a few of the contributing authors in the book, overzealous and hasty regulation will have detrimental consequences for legal clarity, the protection and promotion of human rights, and – it may arguably be added – the developmental potential of cyber technology.

Anri van der Spuy is an attorney and consultant at the United Nations Secretariat of the Internet Governance Forum. She recently graduated from the London School of Economics and Political Science with a MSc in Media and Communications Governance.