When Bots Become Bombs

I rarely edit a post after it's been published, but a friend sent me a (second) white paper that simply had to be included.  Substantial additions, and few revisions, have occurred as a result.


Jus ad bellum is a set of criteria that are consulted before engaging in war, defining whether entering into the war is permissible and legal. Ideally, it is also serves as the moral framework a country adheres to before engaging in kinetic warfare.  As with most moral and legal frameworks, the United Nations loosely captured it within the United Nations Charter, Article 2(4).  That article reads:

All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations.

This is fairly cut and dry when we're talking about defending oneself against an invading army, but what about cyber attacks? There is almost certainly a cyber attack that would theoretically trigger a violation of the UN Charter, enabling a victim to declare a war in retaliation, but defining that attack before it happens is incredibly difficult.  The 2014 Sony Hack surely doesn't count; but what about Russian interference in the 2016 election? What about allegations of cyber activity in power grids?

Understanding where these lines exist, both internationally and internally, is incredibly important. This isn't an academic exercise in trying to figure out the legal nuances of stealing data or influencing opinions:  This is a means to avoid, or justify, war.  Nations are going to hack other nations, and people are going to hack other people; cyber attacks are a low cost/low risk way to achieve dramatic results. What isn't so well understood, as the Hoover Institute points out, not all is how a nation's perception of being hacked evolves overtime.

Adding to this complexity, mutual defense treaties (like NATO) have extended their right to collective self-defense to defense of cyberspace, and other nations/alliances (like China) have been studiously quiet on the issue. While the Chinese government has made efforts to “identify and promote appropriate norms of state behavior in cyberspace,” it has generally shied away from openly discussing its views on how the international law governing the use of force between states should apply to cyber conduct. On the surface, they've done so to avoid over militarizing the domain, but more likely than not their actions are motivated to counter a perceived U.S. threat to their sovereignty.

While the US has publicly declared that “cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law,” China has avoided releasing similar proclamations. While this sounds potentially dramatic, it's worth remembering that neither the U.S. nor China have publicly stated how this would transition would occur. After all, it's obvious that the Russian interference in the 2016 election didn't cross the line since we're not at war, and past history can provide us a guide for determining how China might react to a similar attack against their political institutions.

The Hoover Institute assesses China is likely to defer to the UN Security Council in deciding to use force, except in the instances of self-defense, but self-defense and "the use of force" are loosely defined throughout Chinese history. For example: We could assume that China would not invade North Korea for hacking one of its banks, but how would they react to a politically motivated hack by a Chinese expat residing in Taiwan?  Would they use military force, or would they conduct cyberwarfare, trade warfare, or some other asymmetrical means to retaliate against the small island country?  

If they did use military force, would they even consider it an act of war? Historical reference shows that China has had a very flexible definition of what it considers "use of force;" for example, it's intervention in the Korean War didn't make the cut as being anything beyond self-defense of Chinese sovereignty. It's unlikely that this view has changed in recent generations, as Chinese scholars have asserted that the scope of Article 2’s prohibition of force should extend beyond merely allowing the use of force against “territorial integrity and political independence," and should include a broader protection of a state’s sovereignty, to include economic and cyber traffic lanes.

Additionally Chinese writings have expressed skepticism in U.S. led efforts to establish cyberwarfare norms, describing them as attempts to “spur the international community into drawing up rules for cyberwarfare in order to put a cloak of legality on its ‘preemptive strike’ strategy in cyberwarfare” and “find a legal basis to justify NATO’s control over cyberspace.” Chinese fears that previous U.S. preemptive strikes in the Middle East have embolden America to declare U.S. cyber operations legal under international law when it suits their national interests, and illegal when it suits Chinese interests. This can be seen unfolding in real time based on U.S. responses to the continued, and blatant, psychological warfare coming out of Russia since the 2016 election (1, 2, 3, 4).

While this has led to economic and political warfare between the U.S. and Russia, it doesn't appear to have bled into outright conflict.  Clearly, the U.S. and Russia have not agreed on acceptable behaviors in cyberspace, and as we've seemed to weather the crisis of the 2016 election without setting foreign affairs back decades, it's less likely that China will fear its disagreements with the U.S. as likely to spark a war. Every day that seperates us from the 2016 election is a day that is less likely that the next World War will be caused by a cyber action, and more likely that these sovereignty-questioning cyber attacks will simply become part of the norm.

Life under this new spectrum is certainly more complicated, and it brings warfare uncomfortably close to the lives of average people. This realization isn't without its benefits, but until a "cyber 9/11" happens, it's unlikely that we will fully appreciate the potential destructive power of cyberwarfare and begin bringing clarity, and unity, to an ambigious realm.  Unfortunately, that prediction is based in as much hope as it is evidence, and hope is not a strategy. There will never be a "Cyber Non-Proliferation Treaty," and we cannot rely solely on barriers to entry to keep people from pursuing the ability to shape world orders.  Nor can we live in a world with plausible deniability and ambiguous redlines forever. Eventually, the line will be clear, and will have been crossed.  

We are quick to rally behind our second amendment rights to "protect ourselves" while simultaneously content to outsource our digital security to inept organizations like Equifax, the Office of Personnel Management, Target, Sonic, Whole Foods, and countless others. It only makes sense, Cyberspace is not a natural phenomenon, and it's impacts can be harder to fully grasp. To the untrained, or unobservant, it can be difficult to see personal freedoms slowly etched away by overzealous security policies and laws, or ineffective protection from theft of funds, identity, or access.

In his essay, Imposing and Evading Cyber Borders, Alessandro Guarino lays out two arguments about cyberspace: It's impossible to protect one's sovereign rights within it, or one's sovereign rights must be jealously guarded.  The argument he makes isn't purely academic, either: Countries have already be dramatically affected by the Internet, from Occupy Wallstreet to the Arab Spring. This unchecked control of information, both to adversaries (like the U.S.) and political dissidents, is what drives a lot of Chinese literature on the subject.  The development of the "Great Firewall of China," the colloquium used to describe Beijing's strict control over access to non-State Approved Internet websites, falls directly in line with China's view that state sovereignty in cyberspace must be jealously guarded. In direct opposition to Chinese philosophy, most U.S. firms, and certainly U.S. governance, supports the idea that one's sovereign rights (be it a state, or an individual) are difficult or impossible to protect.

The U.S. has entire business models built on this lasseiz faire attitude towards cyberspace, but its attitude has also enabled the rise of a cyber criminal's paradise:  A domain that's hard to control, where few people act beyond platitudes and mild outrage when cyber attacks occur, and even fewer dare to dream of an alternative.  Not unexpectedly, China views this permissive environment as dangerous to its tightly controlled national narrative and ruling party. 

Propelled by the revelations of Edward Snowden, the "Balkanization" of the Internet is occurring at an increasing rate, with the two major super powers, the U.S. and China, at odds on the fundamental philosophy on how it should occur.  With such a fundamental difference in governance, the Internet is becoming more crowded, more regulated, and more difficult to understand.  Simply put, we no longer fully understand who is responsible for deterring and apprehending which cyber criminals, and we don't know what acts of cyber espionage will be perceived as an act of war.  For all the bluster of progressives like Elizabeth Warren and Bernie Sanders, little can be done by the U.S. government to prevent cyber attacks like Equifax from occurring when music majors are placed in critical IT security roles.  The lasseiz faire attitude to cyberspace governance can work to our advantage, but it must not be coupled with a lazy attitude towards IT security.

If we are willing to accept the risks of a loosely controlled Internet, we must be willing to accept personal responsibility for protecting ourselves within it.  A world where anyone can own a gun, but few understand two-factor authentication, is a world where the U.S. falls behind its competitors in innovation, security, and geopolitical power.  It's a world where U.S. primacy is a myth, and its sovereignty is in peril.

What can you do to protect your sovereignty? The simple advice is always the best:  Make sure your passwords don't suck, and don't fall for common scams.  The infographic below has a few basic steps you can take while the world figures its legalities and doctrine out.  Despite what the news would have you believe, the world (and warfare) is getting exponentially safer, but it's also becoming a lot smaller.  The likelihood of you dying from a Russian or Chinese act of war is smaller than in any point in history, but that doesn't mean that you aren't an unwilling participant in global politics. Even if you don't find yourself in the cyber-enabled geopolitical struggles of the ruling elites, you'll still likely find yourself targeted by cyber criminals. How you respond matters.