As predicted by science fiction writers, cyber warfare has become a rather real thing. The United States and Israel, some say, launched a cyber-attack on the Iranian nuclear program. North Korea, some say, launched a cyber-attack on Sony.
On the face of it, cyber-attacks seem to be a special sort of thing. While conventional attacks can be secret and hard to trace, the typical cyber-attack does not cause the sort of damage and causalities that a traditional attack causes. For example, a conventional attack aimed at the Iranian nuclear program would have most likely killed people and caused considerable damage. In contrast, the cyber-attack was narrowly focused and did not kill anyone. People often seem to “feel” that cyber-attacks are just “different” since they do not involve the sorts of things that most people think of as weapons and do not do the sort of damage that people tend to associate with military attacks. Despite this conceptual problem, it seems quite reasonable to accept that cyber-attacks can have qualities that make it reasonable to regard them as military attacks. To use the obvious analogy, criminals and soldiers both use guns, but the difference between a bank robber and a military attack lies in the agents carrying out the attack, those ordering the attack, and the goals of the attack. In the case of cyber-attacks, cyber-criminals and cyber-soldiers both use similar weapons. The distinction lies in the agents, those behind the action and the goals.
As mentioned above, some people lay the blame of the attack on Sony on North Korea. If this is true, then this would seem to have the potential of being a military action. After all, it was carried out by a state and had political goals as motivating factors. That said, it could also be argued that the attack was state-sponsored crime. After all, the target was Sony rather than a state target and the operation was more vandalism and extortion than a military strike. This can, of course, be countered by the claim that economic warfare is still warfare—North Korea was attacking an economic entity in another sovereign state (assuming North Korea was behind the attack).
President Obama took the attack seriously and seems to have accepted that North Korea was responsibility. He did fall short of calling it a military action and described it in terms of vandalism. He did, however, say that the United States would have a proportional response.
A proportional response is, as matter of general principle, the right thing to do. After all, the retaliation should be proportional to the provocation. Excessive response would be morally problematic. To use the obvious analogy, if someone shoves me in a dispute and I shoot them in the head with a twelve-gauge shotgun, then I would have acted wrongly. Naturally, there can be considerable debate about the matter of proportionality as well as the value of using a “robust” response as a deterrence (such as pulling a gun when the other person has a stick).
One problem with cyber-attacks is that they are relatively new. Because of this, states have not worked out the norms governing these interactions and there are, as of yet, no clear and specific international treaties and rules laying out the rules of cyber-warfare in a way comparable to the norms and rules of traditional war. We are now in the stages of making up the norms and rules. It should be expected that there will be some problems with this and, no doubt, some defining incidents. The attack on Sony might be one of these.
Obama’s decision to use a proportional response does seem sound and will, perhaps, serve as a starting point for the norms and rules of cyber warfare. This approach is certainly analogous to how conventional attacks are handled. This nicely fits the existing model, namely that incidents in the “physical world” between countries usually stay proportional. For example, with North Korea does something provocative with its military, the United States does not over-react, such as by firing cruise missiles into the country.
One obvious problem with cyber-attacks is working out the proportionality, especially if non-cyber responses are being considered. In such cases, the challenge would be working out what sort of conventional military response would be a proportional response to a cyber-attack. It is not uncommon for people to see cyber-attacks as somehow less “serious” and damaging than “real” world attacks. If North Korea had, for example, sent a strike team to the United States to physically grab computers and erase drives on the spot, then people would feel that something more serious had happened—though the results would have been the same. In such a case, the proportional response would almost certainly be more robust than a proportional response to a cyber-attack. Perhaps this would be justified on the grounds that a physical intrusion is a greater violation of territorial integrity than a virtual intrusion. But, this might simply be a matter of “feeling” and a result of “old-fashioned” thinking—that is, people thinking about attacks in the old way.
I think a reasonable case can be made to treat cyber-attacks as being comparable to traditional attacks and using the results as the measure of proportionality. That is, the United States’ response to the (alleged) North Korean intrusion should be treated the same way that the United States should react to a team of North Koreans physically breaking into Sony at the behest of the state. To treat cyber-attacks as somehow less serious because they are “virtual” seems, as I have been suggesting, a mistake based on outdated concepts of warfare.