Back in 2012, I was pleased to receive an invitation to a conference that Jens, Kevin Govern, and Claire Finkelstein were hosting on the law and ethics of cyberwar. It was a great conversation; so great, in fact, that Jens and his colleagues were inspired to use it as the launching pad for this volume — Cyberwar: Law and Ethics for Virtual Conflicts. They asked me to write a chapter on an idea I’d had been thinking about since my first foray into the cyber arena back in 2007 — whether and when IHL (international humanitarian law, or the law of armed conflict for those of you trained in the United States) might involve a duty to hack? The basic idea was straightforward — if a cyber-operation could achieve a military objective (say disabling a power grid or a war-supporting factory’s operations) without killing anyone or causing any lasting damage to the facility, shouldn’t IHL require States to employ it in lieu of kinetic operations that might cause civilian casualties or property damage?
Looking at the law today, the answer to this question is (largely) a negative one. Certainly, IHL contains a requirement for States to take precautionary measures (see Additional Protocol I, Art. 57) such as (i) choosing a means and method of warfare that minimizes ‘incidental loss of civilian life, injury to civilians, and damage to civilian objects’ and (ii) selecting military objectives ‘expected to cause the least danger to civilian lives and to civilian objects’ in cases where ‘a choice is possible between several military objectives for obtaining a similar military advantage.’ And these requirements could require a cyber-operation over a kinetic one in specific cases akin to the arguments for using available precision weaponry. But, there’s nothing in IHL that has ever said States have to use a particular type of weapon first, as my duty to hack might suggest.
More importantly, some cyber-operations might not even fall within IHL’s current ambit. Although there’s continuing debate, the majority view is that IHL’s principles of precaution, discrimination, and proportionality only apply in cases of an “attack.” IHL does not prohibit targeting or even harming civilians or civilian objects in a cyber-operation so long as the effects are not analogous to those previously crossing the attack threshold (i.e., those with violent consequences involving injury, death, destruction or damage). The scope of IHL’s precautions are similarly qualified; where a cyber operation does not qualify as an attack (i.e., it doesn’t physically damage anything), it does not need to be among the range of options military planners are required to consider in deciding what and how to attack. IHL thus appears to authorize attacks – kinetic or otherwise – that cause physical damage and loss or injury of human life so long as they compare favorably to potential losses from other types of ‘attacks’ even if the same objective could be achieved without any attack at all. That result may be incongruous with the humanity values that motivate much of IHL, but it represents the law as it stands today.
My chapter, therefore, undertakes a normative argument for a Duty to Hack, recognizing that the idea is clearly lex ferenda. I argue that IHL should require states to use cyber-operations in their military operations when they are expected to be the least harmful means available for achieving military objectives. This duty departs from the current law in two key respects. First, it would remove the “attack” threshold for precautionary measures since the novel and wide-ranging capacities of cyber-operations unsettle the idea that only attacks can achieve military objectives. A cyber-operation may be able to achieve a military objective (e.g., shutting down a factory for some desired period of time) without causing any physical harm. Rather than leave such cyber-operations outside the requirements of precaution because they do not meet the definition of an ‘attack’, a Duty to Hack would require that they be part of any choice in means, methods and objectives. A cyber-operation that can achieve a particular military objective without an attack should be required in lieu of any ‘attack’ on that same objective by other means or methods, whether cyber, kinetic, or non-kinetic in nature. In other words, so long as the military objective is achievable (and nothing in my idea would require hacking if it can’t achieve lawful military objectives), the Duty to Hack requires employing cyber-operations generating no physical harm over those means and methods of warfare that, by definition, must generate some physical harm (similarly, it would prioritize cases involving some harm in comparison to means and methods that would generate more harm).
Second, the Duty to Hack would addresses all forms of physical harm from cyber-operations, not just those of a civilian character. Existing IHL – distinction, proportionality, and precautions – only require efforts to avoid, limit, or minimize civilian harm. Absent the harmful civilian impacts protected by these and other IHL rules, militaries are free to employ destructive and lethal force against military objects and belligerents. This approach furthers military necessity – complete submission of the enemy as soon as possible – and made sense where military objectives were usually military in character and dual-use objects qualified as military objects only on occasion. But, as is well known, information communication technologies are regularly dual-use (that is, they are used by both civilian and military actors). I question whether this default treatment of dual-use objects as military objects should continue where all these cyber-related dual-use objects may be attacked (and damaged or destroyed) without regard to any questions of distinction, proportionality or precautions vis-à-vis the objects themselves. Of course, one solution would be to require more careful segregation of military objects in cases where they are situated within or among civilian objects. My Duty to Hack, however, takes a different, and simpler, approach. It would require using cyber-operations that cause the least harm to achieve a military objective in military operations. For example, assuming disruption of Iran’s nuclear processing plant was a lawful military objective, the prospect of deploying Stuxnet to achieve that objective would take priority over doing so by an airstrike if that airstrike – even a precise one – would foreseeably involve greater risks of injury, death, damage or destruction than spinning centrifuges out of control periodically.
Ultimately, my Duty to Hack idea is designed to preserve the principles of distinction and proportionality; IHL would continue to prohibit direct attacks on civilians and their objects by cyber-operations or otherwise, just as any military operation that does constitute an attack must not generate excessive civilian harm. Nor would my Duty to Hack override the requirement to comply with the principles of discrimination and avoidance of unnecessary suffering when it comes to developing or deploying cyber-operations.
My chapter offers a longer examination of the Duty to Hack concept than space permits here (including a discussion of how it differs from the “duty to capture” concept that has caused much controversy in IHL circles). I explore the trade offs involved in adopting it (including the potential for it to incentivize greater military cyber surveillance to solidify the reliability of various cyber capabilities). In doing this analysis, however, I was struck by the larger challenges of using analogies to carve out the existing lines of IHL in cyberspace (not to mention the contours of any new lines that I propose). As a result, I ended up framing my chapter around a larger, introductory analysis of the role of boundaries in legal discourse over cyberspace.
Readers may be familiar with debates over whether cyberspace is subject to physical, territorial boundaries, most notable in on-going debates about which governance models best serve cyberspace (the traditional sovereign territorial model, a multistakeholder model where cyberspace is a res communis, or some sort of hybrid approach). But, I notice similar sorts of conceptual boundary disputes in questions over what rules of international law apply in cyberspace, with much of the existing analyses resting on analogies to pre-existing regulatory regimes. I find this “law-by-analogy” approach problematic, particularly when it comes to IHL and rules on the use of force. My chapter explains the problems such line-drawing poses in terms of their (i) accuracy, (ii) effectiveness and (iii) completeness. Law-by-analogy works well where analogies hold (i.e., defining a use of force in cyberspace where the effects of a cyber operation analogize to the effects of prior activities treated as uses of force in the past; or, defining a non-use of force where the effects analogize to activities not treated as uses of force in the past). But analogies break down where the technology includes previously-unseen capacities, which have no prior analogues. In such cases, default presumptions may simply regard the behavoir as automatically prohibited or permitted in ways that create tensions with the law’s underlying nature and purpose. For example, I find it problematic that cyber-operations do not qualify as attacks simply because they do not involve violent consequence even if they can achieve the very same military objective as an attack. My Duty to Hack idea serves as a response to such difficulties by thinking more carefully about the rules for cyber operations and the values they serve when there are no analogues to earlier operations defined as attacks.
In the end, I had two overarching goals for this chapter. First, I wanted to highlight the role of boundaries in governing cyberspace, and problematize the reasoning it generates as a result, particularly when done under the heading of law-by-analogy. Second, I offer a critique of how existing boundaries operate with respect to contrasting cyber operations with other forms of attack, leading me to call for IHL to include a Duty to Hack. Although such a duty would not come without costs, I believe it would more accurately and effectively account for IHL’s fundamental principles and cyberspace’s unique attributes than existing efforts to foist legal boundaries upon State cyber-operations by analogy. It could, moreover, offer a necessary first step to resolving the larger theoretical and functional challenges currently associated with law’s boundaries in cyberspace.
Interested in more? You could always buy the book.