Simone Petrella, chief cyberstrategy officer of CyberVista, speaks during a panel discussion on “Cyber Attacks and Just War Theory” at the National Press Club on May 22. From left: Fr. Bryan Hehir, moderator Tom Gallagher, Petrella and retired U.S. Marine Corps. Brig. Gen. David G. Reis (Religion News Service/Adelle M. Banks)
Russian meddling in the U.S. election and the global ransomware "WannaCry" attack were the context as three experts discussed just war theory and its application — if it has one — to cyber warfare. The conversation was wide-ranging, touching on just cause, deterrence, intentionality, and the difficulty of accurately determining who really initiated a cyber attack.
The panel discussion, held May 22 before a small crowd at the National Press Club and streamed live on Facebook, was moderated by Tom Gallagher, CEO of Religion News Foundation and CEO/publisher of Religion News Service, which sponsored the event.
At the heart of the conversation was the question of whether cyber attacks constitute acts of aggression as traditionally defined. Gallagher opened by reminding those gathered that 17 intelligence agencies have confirmed Russian electoral interference, and some U.S. officials are responding with language more often associated with declarations of war. Sen. John McCain (R-AZ) did call it "an act of war." Former Vice President Dick Cheney said that "in some quarters, that would be considered an act of war." "A hostile act by a foreign power" was how former Secretary of State and National Security Advisor Condoleeza Rice described it.
Fr. Bryan Hehir, the Parker Gilbert Montgomery Professor of the Practice of Religion and Public Life at the Harvard Kennedy School, responded with a brief history of just war theory, from St. Augustine to the nuclear age to the present. Essentially, it argues that some uses of force are morally justified; the framework for judging the moral use of war hangs on that premise.
"Just War Theory exists to justify and limit use of force. It's both sides," said Hehir. "It is still cultivated today. It looks like a moral theory that maintains continuity over time, but it adapts itself to multiple political settings."
At the dawn of the nuclear age, strategists and moralists had to rethink the use of force, which places one "at the edge of the moral universe," Hehir said, adding that, "some think cyber is another boundary."
He was joined on the stage by Simone Petrella, chief cyber strategy officer at CyberVista, a cybersecurity training and workforce development company, and by retired Marine Corps Brig. Gen. David G. Reist, program manager of Knowledge Management Inc., an IT solutions company that works with the Defense Department, among other clients.
Petrella defined a cyberattack as any unauthorized access that causes a system to be "disrupted, degraded, denied or destroyed." She, too, cited Russian meddling in the 2016 election but then asked, "How is it an armed attack? Is it physical disruption that it potentially causes? Economic disruption?"
And what about the hacker's motivation? That matters in just war theory. The election hack was clearly more than the actions of a "script kitty" — which she defined as someone who tinkers around and causes small-scale trouble for fun — but was it a "hacktivist," with an ideological agenda? Or a criminal enterprise, in it for the money?
The problem with attribution is that it's very difficult to know with certainty, even if you track down a particular server in a particular country, that a particular group is responsible for an attack, or that the host country had knowledge of what was being done within its borders.
"Nation states can cause significant physical and economic damage," said Petrella. "They can use all of those other actors to mask their own attribution. When is a cyber attack armed? What is the scope of duration, what is the actual intensity, what are they going after?"
But even then, does a cyber attack ever justify using force? If it takes out a power grid, causing patients in a nearby hospital to die, does that justify force? And what level of certitude about the perpetrator of the cyber attack is necessary before you respond?
"I think that threshold is going to get less and less in the future. We're coming closer to the center and farther from the edge," said Reist, referencing Hehir's earlier comment about use of force existing at the edge of the moral universe.
"The fundamental idea is you can never use force unless someone else has violated a moral, political rule of such significance that just force is the only way to correct it," said Hehir, recalling that he had once mused that the science teams at Harvard and MIT could have been considered combatants during World War II. The remark drew a laugh from the crowd.
The issue of deterrence raised as many questions as it answered. While, during the nuclear age, transparency was key — when everyone knows you have an arsenal and mutual destruction is assured, nobody declares war — that doesn't work for cyber crime. Once an existing system's vulnerabilities have been exposed and exploited, the jig is up.
All agreed that the nation's laws concerning detection and deterrence of criminal cyber activity — which are largely based on analog law — need to be updated.
"The cat's already out of the bag, and we're chasing it now. That's a hard thing we're going to have to get in front of," said Reist. "It's going to take rigorous dialogue. This is only the start. We've got a tough road in front of us as a nation and a world."
Throughout the conversation, Behir brought it back to the moral and spiritual. "We ought not to concede that the world is going to become more violent before we have exhausted all tools to keep it from becoming more violent," he reflected. "The first task is the political task. I think this is the way the Holy Father tries to deal with every case. Has there been any dialogue, any attempt at resolving through dialogue?"
[Julie Bourbon writes for NCR from Washington, D.C.]