Paul Pillar

Acts of War in the Computer Age

The Wall Street Journal reports that the Department of Defense will soon release unclassified portions of its first ever “cyber strategy.” One aspect of the new document highlighted in the Journal's story is that computer sabotage by another country against the United States might be considered an act of war and grounds for responding with military force. In fact, the Pentagon hopes the strategy document will serve as a warning in this regard. As one military official put it, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

The strategy reportedly does not address a couple of major issues that such talk raises. One is how much certainty the United States could be expected to have about the origin of a cyber attack, and how much it should have before retaliating forcefully. Another is how serious electronic sabotage would have to be to qualify as an act of war warranting retaliation. On the latter question, an answer the Journal says is “gaining momentum at the Pentagon” is that the defining threshold should be one of “equivalence”: whether the sabotage causes death, damage, destruction, or disruption comparable to what a traditional military attack might cause.

If the Pentagon is so far withholding judgment on these questions, that is a good thing. Except perhaps for an assessment about the likelihood of determining responsibility for a cyber attack, the questions go beyond the Pentagon's responsibilities. The military is responsible for being ready to respond forcefully against foreign adversaries when political authorities order a response; it is not the military's job to determine when a response should be made, whether it is electronic sabotage that is involved or something else. Determining the grounds for striking back at someone with military force is as much a job for political leaders, for foreign policy strategists, for moral philosophers who expound about just and unjust wars, and for those of us in the public who elect the political leaders.

This is not the place to attempt to construct a philosophy of what is right and wrong in responding to electronic sabotage—only to point out some directions the questions could take. The equivalence idea is attractive; perhaps after further deliberation it might provide the basis for a politically and morally sound strategy. But it can be challenged from multiple directions—that it is either too inclusive or not inclusive enough—and it might not offer as clear a line as first appears. If non-military (or as the military itself would say, non-kinetic) actions that result in death, damage, destruction, or disruption are to be considered acts of war as much as firing guns or dropping bombs, then why stop with electronic sabotage? Other actions, such as blockades and other forms of economic warfare, or perhaps even environmentally damaging actions, can have such effects as well. Some such actions (especially blockades) have been used in the past as rationales for resort to military force.  Do we believe such resorts to force were justified?  (How about Japan's response to an oil embargo in 1941?)      

Perhaps going beyond kinetic actions that clearly constitute military force loosens unacceptably the concept of an act of war and gives up one of the clearest defining lines that can be used to separate war from non-war. Shooting guns or dropping bombs really is different in some important ways, especially in the direct effects involving human suffering, from other types of hostile actions. And societies have traditionally reacted differently to the use of guns and bombs, reactions that are not necessarily artifacts of pre-computer age technology.

Whatever formula is proposed for incorporating computer sabotage into principles of war and peace, the proposed principles naturally will be assessed against real cases and real policy problems. The case that this discussion immediately brings to mind is the famous Stuxnet virus, which reportedly caused major damage to Iran's uranium enrichment program and by most speculation was probably the work of Israel and/or the United States. According to the “equivalence” idea, introduction of this virus was an act of war.

Here is where the philosophical, semantic, and legal issues of what constitutes an act of war get mixed up with issues of what constitutes prudent policy in any one case. And it is easy to be of two minds about how to handle a case like Iran. Insofar as Stuxnet constituted an alternative to a military attack on Iran—the consequences of which would be disastrous for the United States—or at least bought substantial time to set back the possibility of such an attack, then it was a good idea. But if one accepts the equivalence idea, then Stuxnet was a wrongful act of war. It was wrong because it was not a response to any act of war by Iran. And it was wrong because the program it was intended to disable is one that Iran has a right to have (and even the feared diversion—a nuclear weapons program—is one that Israel, the United States, and seven other countries presume to have themselves). To the extent the equivalence principle applies to Iran, Tehran would have the right to respond to the electronic sabotage, if it chose to do so, with military force.

Just as war is too important to be left to the generals, defining acts of war is too complicated to be left to them.