The Need to Regulate Cyber Warfare

In a recent Foreign Policy article, Stewart Baker argues that attempts to restrict “cyber warfare” using legal regulations are not only doomed to fail, but will leave the West “crippled.” That is, America will be open to a debilitating large scale cyber attack to which it will have no response.

I share a concern about the effects of cyber attacks, but fundamentally disagree with Baker’s thesis. Limits on war do not, as Baker maintains, always fail, nor is cyber war likely to take the form he fears. In fact, I think Baker’s combination of crude strategic thinking and scare-mongering represents the worst side of the current cyber warfare debate.  

Baker is angry that U.S. law-makers, as well as partners in Europe, are currently attempting to formulate some basic “rules of engagement” for conduct in cyberspace. Like Geneva before it, Western ministers are calling for a code of restraint for the undeniably powerful new weapons — such as botnets and Stuxnet — which have been invented in the past decade.

Baker’s thesis can be broken down into three simple parts. Firstly, cyber-weapons are one of the biggest dangers we face and could be used to shut down the majority of the Western world. Secondly, like airpower before it, computer warfare will naturally escalate to its most extreme — making attempts to regulate it foolish and unlikely to succeed. Finally, without large-scale aggressive counter-measures in cyberspace, the U.S. and its allies are leaving themselves with no response to this threat.

I first question the doomsday scenario Baker paints. The tools of information warfare have indeed grown more sophisticated, but research and experts are starting to question the “Apocalypse Now” vision of cyberspace.

But even if we presume cyber weapons could end up dealing out some pretty nasty blows, Baker’s historical comparison to the development of mass airpower is not really accurate. Attempts to regulate the use of bombing on civilians via law may have failed in WWII, but since then, no nation has flattened a city with bombers. In fact, even one stray Western missile makes headlines in modern wars. I would argue this proves the effectiveness of legal restraints in the long-term, rather than undermines it.

Even more fundamentally, Baker’s argument is built on poor strategic thinking. Take for instance the oft-cited fact that most cyber attacks are “untraceable,” making us more vulnerable.

This may hold true for an isolated nihilist or terrorist group. But, as Dr. David Betz has convincingly argued, for states, coercive force has no value if the target does not know who is coercing them. Attackers cannot change political behavior or force surrender anonymously, so they cannot fight wars that way.

Given this logic, states need to be able to “signal” that a cyber attack originated from them. As Jason Healey from the Atlantic Council of the United States has explained, this quickly draws cyber warfare into well-known paradigms. “We don’t necessarily care who is pressing the enter key — we need to know which head of state the president can call to put a stop to an attack."

In other words, the “normal” toolkit of diplomatic pressures, economic sanctions, and even military force will come into play. America doesn't necessarily need massive “cyber retaliation” capabilities to deter cyber attacks.

This is not to say cyber attacks are not a serious concern, but the aggressive “don’t tie our own hands” scaremongering from the U.S. military is disingenuous. War is messy and often brutally unfair, and there is no reason to believe cyberspace will not be militarized in time. But attempts to regulate wartime behavior are noble and designed to reduce the suffering caused by war.

This should be applauded, not attacked as weakness.

Photo Credit: Wikimedia Commons