This House would consider a large scale cyber attack an act of war

The world has developed along with the new digital medium. Lots of crucial business and government services have moved online. While the military modernised in relation to digital developments, a definition of an act of war has not caught up with it yet. It is now being suggested that the digital domain is the new realm of warfare for the 21^st century. States have already been using cyber attacks in hostilities and as acts of aggression against each other. For instance, USA and Israel have released a virus Stuxnet that sabotaged parts of Iran's nuclear programme in 2010, followed by retaliatory cyber attacks by Iran on USA [7]. In the 1998 war over Kosovo the USA successfully hacked Serbia's air defence systems, which left Serbia vulnerable to air attacks [8] [9]. Cyber attacks are thus attacks that can be perpetrated by states against other states in an effort to weaken the other state, the same way armed attacks are used. Given these realities large scale cyber attacks should be considered acts of war. 

An important thing about recognising something as an act of war is that it allows countries to retaliate. This includes military retaliation that causes human casualties, and political and economic sanctions, which impose suffering on the civilian population. The crucial difference between armed conflicts and cyber conflicts, is that in cyber attacks people, military or civilians, do not actually get killed. However, if we recognise cyber attacks as acts of war, this would allow an attacked state to retaliate with force resulting in human casualties. There is no way one could equate disruption in computer services to that of loss of human lives, therefore recognising cyber attacks as acts of war would be disproportional and unjust. Serbia's example that included human casualties following a cyber attack is not relevant as the cyber attack was as a part of a larger military attack. 

Large scale cyber attacks can result in substantial harms to the state equivalent to those of an armed attack. Many states are dependent on flawless functioning of government and financial services online, and attacking them would cause mass disruption. For example, massive cyber attacks can cause serious disruption to economy by targeting financial, banking and commercial services; they can target government websites and steal confidential information that would compromise country's security, as was the case with USA in 2007 [10]; they could target power grids and shut down infrastructure on a massive scale across the country. All these instances cause disruption and leave the targeted country vulnerable with the government unable to operate successfully. This way, for instance, a large scale cyber attack from Russia on Georgia 2008 caused massive disruption to government, banking services, and communication within and outside of the country [11]. For these reasons USA's Pentagon decided to consider a cyber attack that 'produces the death, damage, destruction or high-level disruption that a traditional military attack would cause' an act of war [12]. Given the damage of possible attacks to the state, large-scale cyber attacks should be considered an act of war. 

Cyber attacks might be disruptive, but they do not result in destruction, violence, injury and death the same way traditional armed aggressions do. For the majority of businesses and citizens, disruptions to online baking might be very inconvenient, but they are in no way equal to actual bombings and deaths. Targeted power grids, if they result in power outages, is mostly a discomfort in contrast to actual killings and atrocities that happen during wars. Plus, the infrastructure that really matters in a conflict, such as nuclear plants or military weaponry, cannot be hacked as they are not connected to the internet [13] [14]. Developed countries might be very used to amenities and comfort of online services and computers, however, a definition of armed conflicts as acts of war is much more universal because everywhere a human life is more important than any form of comfort. This is why people have a right to life and not a right to internet. 

Currently international law on how a state can respond to cyber attacks by another state is lacking: it only covers cyber attacks during armed conflicts or those are tantamount to an armed conflict [15]. An attacked state thus has no legitimate means to respond to cyber attacks. This leaves them no option of self-defence, which is an important element in international law. Moreover, without international law regulating cyber warfare between states, there is no actual illegitimacy for cyber attacks. Despite their far-reaching and grave consequences, cyber attacks by other states do not feature heavily in the news. Few people actually know about cyber attacks between USA and Iran, which would be an unimaginable situation should these states resorted to military attacks. This apparent lack of condemnation and attention in the wider society to cyber attacks further decreases ability of the state to defend themselves or even call out an aggressor publically as there is little to fear from global opinion for such actions

While a modification to international law is needed in terms of acknowledging the gravity of cyber attacks, it does not mean that these should be considered acts of war. There are many things that states do that other states do not like and even find harmful, but these things are not considered to be equal with acts of war. Instead they are things that states need to reach agreements over to control. War is the last possible resort in such cases, there are other less drastic options such as sanctions to encourage the hostile state to desist.[27]

Moreover, it is not true that cyber attacks are not condemned enough. The reason that countries generally do not engage in cyber attacks openly is because of fear of international condemnation [16]. 

The world has developed along with the new digital medium. Lots of crucial business and government services have moved online. While the military modernised in relation to digital developments, a definition of an act of war has not caught up with it yet. It is now being suggested that the digital domain is the new realm of warfare for the 21^st century. States have already been using cyber attacks in hostilities and as acts of aggression against each other. For instance, USA and Israel have released a virus Stuxnet that sabotaged parts of Iran's nuclear programme in 2010, followed by retaliatory cyber attacks by Iran on USA [7]. In the 1998 war over Kosovo the USA successfully hacked Serbia's air defence systems, which left Serbia vulnerable to air attacks [8] [9]. Cyber attacks are thus attacks that can be perpetrated by states against other states in an effort to weaken the other state, the same way armed attacks are used. Given these realities large scale cyber attacks should be considered acts of war. 

An important thing about recognising something as an act of war is that it allows countries to retaliate. This includes military retaliation that causes human casualties, and political and economic sanctions, which impose suffering on the civilian population. The crucial difference between armed conflicts and cyber conflicts, is that in cyber attacks people, military or civilians, do not actually get killed. However, if we recognise cyber attacks as acts of war, this would allow an attacked state to retaliate with force resulting in human casualties. There is no way one could equate disruption in computer services to that of loss of human lives, therefore recognising cyber attacks as acts of war would be disproportional and unjust. Serbia's example that included human casualties following a cyber attack is not relevant as the cyber attack was as a part of a larger military attack. 

Large scale cyber attacks can result in substantial harms to the state equivalent to those of an armed attack. Many states are dependent on flawless functioning of government and financial services online, and attacking them would cause mass disruption. For example, massive cyber attacks can cause serious disruption to economy by targeting financial, banking and commercial services; they can target government websites and steal confidential information that would compromise country's security, as was the case with USA in 2007 [10]; they could target power grids and shut down infrastructure on a massive scale across the country. All these instances cause disruption and leave the targeted country vulnerable with the government unable to operate successfully. This way, for instance, a large scale cyber attack from Russia on Georgia 2008 caused massive disruption to government, banking services, and communication within and outside of the country [11]. For these reasons USA's Pentagon decided to consider a cyber attack that 'produces the death, damage, destruction or high-level disruption that a traditional military attack would cause' an act of war [12]. Given the damage of possible attacks to the state, large-scale cyber attacks should be considered an act of war. 

Cyber attacks might be disruptive, but they do not result in destruction, violence, injury and death the same way traditional armed aggressions do. For the majority of businesses and citizens, disruptions to online baking might be very inconvenient, but they are in no way equal to actual bombings and deaths. Targeted power grids, if they result in power outages, is mostly a discomfort in contrast to actual killings and atrocities that happen during wars. Plus, the infrastructure that really matters in a conflict, such as nuclear plants or military weaponry, cannot be hacked as they are not connected to the internet [13] [14]. Developed countries might be very used to amenities and comfort of online services and computers, however, a definition of armed conflicts as acts of war is much more universal because everywhere a human life is more important than any form of comfort. This is why people have a right to life and not a right to internet. 

Currently international law on how a state can respond to cyber attacks by another state is lacking: it only covers cyber attacks during armed conflicts or those are tantamount to an armed conflict [15]. An attacked state thus has no legitimate means to respond to cyber attacks. This leaves them no option of self-defence, which is an important element in international law. Moreover, without international law regulating cyber warfare between states, there is no actual illegitimacy for cyber attacks. Despite their far-reaching and grave consequences, cyber attacks by other states do not feature heavily in the news. Few people actually know about cyber attacks between USA and Iran, which would be an unimaginable situation should these states resorted to military attacks. This apparent lack of condemnation and attention in the wider society to cyber attacks further decreases ability of the state to defend themselves or even call out an aggressor publically as there is little to fear from global opinion for such actions

While a modification to international law is needed in terms of acknowledging the gravity of cyber attacks, it does not mean that these should be considered acts of war. There are many things that states do that other states do not like and even find harmful, but these things are not considered to be equal with acts of war. Instead they are things that states need to reach agreements over to control. War is the last possible resort in such cases, there are other less drastic options such as sanctions to encourage the hostile state to desist.[27]

Moreover, it is not true that cyber attacks are not condemned enough. The reason that countries generally do not engage in cyber attacks openly is because of fear of international condemnation [16]. 

Cyber attacks are often carried out by non-state actors, such as cyberterrorists or hacktivists (social activists who hack), without any involvement of the actual state. For instance, in 2007 a massive cyber attack launched on Estonia was blamed on Russia due to the then on-going tensions between these two states [17]. However, the attacks on Estonia were generated from all over the world; and even those from Russia could not have been linked to the Russian authorities, who denied involvement. Similarly, a huge wave of cyber attacks dubbed GhostNet that compromised computers in 103 countries in 2009 was blamed on China, not the least for hacking computers of Tibetan authorities. However, it could not be conclusively proven that this was an attack perpetrated by the Chinese authorities [18]. Any retaliation against a state for a cyber attack can never be certain to be against the right target – the state should not be blamed for the actions of its individual citizens.  

In case of non-state actors attack, many practitioners in international law agree that the state can still retaliate in self-defence if another state is 'unwilling or unable to take effective action' to deal with attacks coming from within their territory [19]. This applies to traditional warfare, but the same way it can apply to cyberwarfare. If a country is not doing anything, or not doing enough, in order to ensure cyber security and persecute cyber attackers, then the attacked country has a right to take measures against cyber attackers. 

Cyber attacks are very difficult to trace as cyber attackers hide their digital tracks [20]. Cyber attackers also often launch attacks from poorly protected computers in other countries, which in no way implicates that the state was responsible for attacks – for instance, roughly 10% of spam comes from computers in China, but that is not Chinese spam [21]. The situation is different with traditional warfare, where there is evidence of weapons used, uniforms spotted, and reports of witnesses on site. Of course, we can expect states to lie about launching cyber attacks, thus China and the USA trade accusations about responsibility for cyber attacks, but there is no good way to test the truth. All of this means that an act of war would be judged based on incomplete and misleading information about another state’s involvement, threatening international peace and resulting in the loss of human life for no good reason. 

It is unlikely that states would freely attack other states when there is unclear evidence as to who the perpetrator was. In any country that is going to engage in military action regardless of the reason there is intense public debate this would apply all the more if the reason was novel (for instance, those on interfering against Syria's Assad's regime), so we can expect public scrutiny to apply to cyberwarfare as well.

Furthermore, there are also cases when cyber attacks can be traced to a particular country hostile country or even particular group within the country. This can happen when the country or groups within it themselves admit to the attack, as the Syrian Electronic Army, sympathetic to Assad's regime, cyber attacking USA in 2013 [22]. Or through intensive investigation. Tools to track cyber attacks are also constantly being perfected. For example, IPv6 (the latest version of the internet protocol) is the most effective at decreasing anonymity of cyber attackers [23]. So there are scenarios when cyber attackers are known and can be tracked, and the states have a right to treat them as acts of war. 

Armed acts of aggression are a good method of judging if an action is an act of war because they result in actual destruction, violence and loss of human life. Cyber attacks, on the other hand, do not and thus there is no objective way to tell what scale of a cyber attack is enough to constitute an act of war. While Pentagon claims a cyber attack that is equivalent of damage caused by traditional warfare as a standard, how is it supposed to be applied if pretty much all of the cyber attacks have been bloodless [24]? For instance, stealing large amounts of confidential data from a country is a large scale cyber attack, and could have an immense economic impact, but it is bloodless and so how much damage does there need to be before it can be a casus belli? It is very difficult to measure the impact of even a very evident and intense cyber attack, as NATO found out when assessing a cyber attack on Georgia in 2008 [25]. While the Pentagon might have a nice theoretical framework, in reality there are too many unanswered (and possible impossible to answer) questions. This can lead to abuse of justifications for war and unnecessary violence. 

A definition of aggression in traditional warfare is the act that threatens sovereignty, territorial integrity or political independence of another state [26] – a definition which is expected to be used with cyber attacks too. It is highly unlikely to see a small scale cyber attack corresponding to this definition. For instance, taking down a media web page (as the Syrian Electronic Army did) does not threaten political independence of another state in a way that taking down all the government websites, and thus rendering the state incapable of functioning, does. Recognising that a cyber attack can be an act of war, does not mean that any cyber attack, will be considered such. In practice this same ambiguity is inherent in war – a country might consider it a casus belli if another’s military chases terrorists onto its territory but this would be similarly ambiguous if there were no casualties and it was not a direct attack.