Challenges of Civilian Distinction in Cyberwarfare
Avoiding attacks on civilian targets during cyberwarfare is more difficult than it seems. We discuss ways in which an ostensibly military cyberattack could accidentally hit a civilian target. Civilian targets are easier to attack than military targets, and an adversary may be tempted to be careless in targeting. Dual-use targets are common in cyberspace since militaries frequently exploit civilian cyber infrastructure such as networks and common software, and hitting that infrastructure necessarily hurts civilians. Civilians can be necessary intermediate objectives to get to an adversary’s military, since direct Internet connections between militaries can be easily blocked. Cyberwarfare methods are unreliable, so cyberattacks tend to use many different methods simultaneously, increasing the risk of civilian spillover. Military cyberattacks are often seen by civilian authorities, then quickly analyzed and reported to the public; this enables criminals to quickly exploit the attack methods to harm civilians. Many attacks use automatic propagation methods which have difficulty distinguishing civilians. Finally, many cyberattacks spoof civilians, encouraging counterattacks on civilians; that is close to perfidy, which is outlawed by the laws of armed conflict. We discuss several additional problems, including the public’s underestimated dependence on digital technology, their unpreparedness for cyberwarfare, and the indirect lethal effects of cyberattacks. We conclude with proposed principles for ethical conduct of cyberwarfare to minimize unnecessary harm to civilians, and suggest designating cyberspace “safe havens”, enforcing reparations, and emphasizing cyber coercion rather than cyberwarfare.
KeywordsCyberwarfare Civilians Ethics Distinction Cyberattack Networks Dual-use Reporting Propagation Perfidy Infrastructure Product tampering
The views expressed are those of the author and do not represent the U.S. Government. This work was supported by the U.S. National Science Foundation under the Secure and Trustworthy Cyberspace program.
- Al-Qasem, I., S. Al-Qasem, and A. Al-Hammouri, 2013. Leveraging online social networks for a real-time malware alerting system. In: Proceedings of the 38th IEEE conference on local computer networks, Sydney, AU, October, 272–275.Google Scholar
- Angwin, J. 2014. Dragnet nation: A quest for privacy, security, and freedom in a world of relentless surveillance. New York: Times Books.Google Scholar
- Anonymous. 2012, July. The collateral damage of Internet censorship by DNS injection. ACM SIGCOMM Computer Communications Review, 42(3):22–27.Google Scholar
- Brenner, S., and L. Clarke. 2011. Civilians in cyberwarfare: Casualties. http://works.bepress.com/susan_brenner/3. Accessed 1 Nov 2011.
- Burnham, G., R. Lafta, S. Doocy, and L. Roberts. 2006, October 11. Mortality after the 2003 invasion of Iraq: A cross-sectional cluster sample. The Lancet, 368(9545):1421–1428.Google Scholar
- Clarke, R., and R. Knake. 2010. Cyber war: The next threat to national security and what to do about it. New York: HarperCollins.Google Scholar
- Elisan, C. 2012. Malware, rootkits, and botnets: A beginner’s guide. New York: McGraw-Hill Osborne.Google Scholar
- Flemming, D., and N. Rowe. 2015. Cyber coercion: Cyber operations short of cyberwar. In: Proceedings of the 10th international conference on cyber warfare and security, Skukuza, South Africa, March.Google Scholar
- Geers, K., D. Kindlund, N. Moran, and Rachwald. 2013. World War C: Understanding nation-state motives behind today’s advanced cyber attacks. http://www.FireEye.com. Accessed 7 Apr 2013.
- Geiss, R., and H. Lahmann. 2012, November. Cyber warfare: Applying the principle of distinction in an interconnected space. Israel Law Review 45(3):381–399.Google Scholar
- Gross, M. 2012. A declaration of cyber-war. Vanity Fair, April 2011. Retrieved May 12, 2012, from www.vanityfair.com/culture/features/2011/04/stuxnet-201104.
- Hagopian, A., A. Flaxman, T. Takaro, E. Shatari, A. Sahar, J. Rajaratnam, S. Becker, A. Levin-Rector, L. Galway, H. Al-Yasseri, J. Berq, W. Weiss, C. Murray, G. Burnham, and E. Mills. 2013, October 15. Mortality in Iraq associated with the 2003–2011 war and occupation: Findings from a national cluster sample survey by the University Collaborative Iraq Mortality Study. PLoS Medicine 10(10). http://www.plosmedicine.org/article/info%3Adoi%2F10.1371%2Fjournal.pmed.1001533. Accessed 9 Nov 2013.
- Hashim, S., A. Ramli, F. Hashim, K. Samsudin, R. Abdulla, R. Azmir, L. Barakat, A. Osamah, I. Ahmed, and M. Al_Habshi. 2013, September. Scarecrow: Scalable malware reporting, detection, and analysis. Journal of Convergence Information Technology 8(14): 9–19.Google Scholar
- International Committee of the Red Cross (ICRC). 2015. Treaties and customary law. http://www.icrc.org/en/war-and-law/treaties-customary-law. Accessed 11 Jan 2015.
- Kaplan, D. 2011, October 18. New malware appears carrying Stuxnet code. SC Magazine. http://www.scmagazine.com/new-malware-appears-carrying-stuxnet-code/article/214707. Accessed 1 Aug 2012.
- Kaurin, P. 2007. When less is more: expanding the combatant/noncombatant distinction. In Rethinking the just war tradition, ed. M. Brough., J. Lango and H. van der Linden, Chapter 6. New York: SUNY Press.Google Scholar
- Kimmel, P., and C. Stout (eds.). 2006. Collateral damage: The psychological consequences of America’s war on terrorism. Westport: Praeger.Google Scholar
- Pearce, M., S. Zeadally, and R. Hunt. 2013, February. Virtualization: Issues, security threats, and solutions. ACM Computing Surveys 45(2):17.Google Scholar
- Raymond, D., G. Conti, T. Cross, and R. Fanelli. 2013. A control measure framework to limit collateral damage and propagation of cyber weapons. In: Proceedings of fifth international conference on cyber conflict, Tallinn, Estonia.Google Scholar
- Rowe, N. 2013. Cyber perfidy. In The Routledge handbook of war and ethics, ed. F. Allhoff, N. Evans and A. Henschke, Chapter 29, 394–404. New York: Routledge.Google Scholar
- Rowe, N. 2015. Distinctive ethical challenges of cyberweapons. In The research handbook on cyber security, ed. N. Tsagourias and R. Buchan, Chapter 14, 307–325. Cheltenham: Edward Elgar Publishing.Google Scholar
- Shakarian, P., J. Shakarian, and A. Ruef. 2013. Introduction to cyber-warfare: A multidisciplinary approach. Amsterdam: Syngress.Google Scholar
- Slay, J., and M. Miller. 2008. Lessons learned from the Maroochy water breach. In: Critical infrastructure protection, ed. E. Goetz and S. Shenoi, Chapter 6. New York: Springer.Google Scholar
- TechRepublic. 2005. Flaw finders go their own way. http://www.techrepublic.com/forum/discussions/9-167221, dated January 26, 2005. Accessed 1 Aug 2012.
- USCCU (United States Cyber Consequences Unit). 2009, August. Overview by the US-CCU of the cyber campaign against Georgia in August of 2008. US-CCU special report. http://www.usccu.org. Accessed 2 Nov 2009.
- von Heinegg, W. 2012. Neutrality in cyberspace. In: Proceedings of the 4th international conference on cyber conflict, Tallinn, Estonia.Google Scholar
- War Legacies Project. 2010. Agent orange record. http://www.agentorangerecord.com. Accessed 2 Mar 2015.