Drawing the Digital Line

Introduction
As many different aspects of governance, including military operations, become increasingly integrated with cyberspace, policymakers must decide how to characterize and define cyberattacks. Cyber technology is a novel aspect of warfare. Its inherent unprecedentedness and asymmetrical nature complicate the systematic characterization of cyber actions as acts of war. This ambiguity leads to inconsistencies in our responses, which in turn increases the risk of miscalculation and escalation. To address these issues, a clear definition must be developed that distinctly states what cyber warfare is and, by default, what it is not. In doing so, it simplifies, streamlines, and standardizes the process of identifying which cyberattacks are genuinely warfare. This definition must establish clear parameters and qualifications to distinguish cyber warfare from other, less extreme, cyberattacks. Where we draw this line matters. It will set a threshold for the difference in how the United States responds. The U.S. should develop a selective definition grounded in rigorous criteria that defines cyberattacks as warfare based on whether they achieve a clear set of qualifications.
Conceptual Foundation
When contemplating how cyberattacks should be defined and whether they align with warfare’s definition, it is important to understand what warfare objectively entails. There is an inherent challenge in applying an objective concept to subjective and niche experiences, as war manifests itself under a wide variety of diverse circumstances. However, a trenchant and rigid definition of warfare is essential, as it determines the threshold that distinguishes between the U.S. responding with limited statecraft or overt force. The difference between these two is consequential to both the U.S. domestically and to the greater international community. While stringent definitions come with limitations, they must be firm, as the cost of mischaracterizing a cyberattack can be either having to compensate for a lack of defenses or overstepping and causing an escalation crisis. Both outcomes are devastating, which is why a definition is needed to clearly delineate between different types of cyberattacks so that the United States can respond optimally to cyberattacks according to their severity.
Carl von Clausewitz’s foundational argument that war is a purposeful effort that pursues a political goal, involves violence, and is done between two capable actors sets the foundation for my argument. The framework this paper advocates for is focused on his broader argument that war is a purposeful and organized effort. It will be argued that the three premises of an attack being in the pursuit of a political goal, involving violence, and being between two actors capable of engaging, are the key elements through which to ground a definition of cyber warfare. Later, this paper discusses how clear definitions of cyber warfare can still permit complexity, and within this space, more of Clausewitz’s work can be integrated. Furthermore, as the nature of cyber warfare evolves, definitions can shift to more accurately depict the current state of cyber warfare. An attack must be in pursuit of a political goal, involve violence, and be between two actors capable of engaging. These would be the three core areas of criteria in which to base the definition.
John Arquilla and David Ronfeldt define cyber war as, “Conducting, and preparing to conduct, military operations according to information-related principles… It means turning the ‘balance of information and knowledge’ in one’s favor, especially if the balance of forces is not.” This aligns with Clausewitz, as non-kinetic modes of attack still have the ability to incite violence, for a political objective, and involve organized and capable actors. For example, disrupting software that controls hospitals or transportation services could result in patients dying from equipment malfunctions or travelers being severely injured in an accident. It is entirely possible for cyberattacks to have a political motive, and there have been examples of this in recent years, especially in the Russo-Ukrainian conflict, where Russia has launched a wave of DDoS and disruption attacks on Ukraine’s cyberspace.
In defining cyber warfare, there is some gray area as to whether a cyber action can be linked to incited violence if it inspired the violent actions but did not directly cause the violence itself. If a charged social media post inspires a person who viewed it to act violently, is the social media post liable, to an extent, for the violence inflicted? This uncertainty underscores the need for a definition that clearly defines accountability and when cyber actions truly incite violence and could therefore be considered warfare. Since in this example the social media post was not the direct source of violence, it would not be considered warfare, based on a Clausewitzian definition.
Potentially, one of the more difficult characteristics to meet would be that the attack occurred between two capable actors. A rogue hacker spreading malware in a civilian’s private network would not be considered warfare because the conflict would have been between two individuals. Furthermore, the problem of attribution and the anonymity that the internet allows makes it difficult to identify cybercriminals and accurately attribute their crimes to them. If this were to happen, then the attack would not qualify as warfare and would not be treated as such. However, if a state agency like the CIA sanctioned a cyberattack on another sovereign state’s cyber systems, that would indeed be warfare.
In attempting to define cyber warfare by these three metrics, it is true that cyber actors can never fully anticipate the outcome of their actions. Due to the interconnected nature of the online ecosystem, a single line of malicious programming intended for a specific target may cascade across a multitude of systems it connects with, yet was never initially intended to. If this attack was designed to target an adversary’s military network, yet also impacted civilian digital infrastructure, classifying it as definitively warfare instead of negligence becomes difficult. This unpredictability further underscores the need for definitional clarity on cyber warfare. Violence, capable actors, and political goals provide a structured lens through which cyber incidents in their totality, from their inception to their consequences, intentional or not, can be evaluated and accurately classified. Intentions may change the nature of how cyber incidents are understood, but intentions do not fundamentally change the outcome of a situation. While a cyberattack may include accidental technical mishaps, if it were carried out by political actors for the sake of a political goal and incited violence, that would be considered warfare.
In this sense, the essence of war in the digital realm can be understood and properly approached. Cyberattacks that are conducted for political purposes, incite violence, and are carried out between state actors should be recognized as warfare, just as a conventional attack that meets those requirements would be. The method of attack and form of weapons may be different, but principally speaking, if a cyberattack meets these metrics, it constitutes warfare.
Potential for Criticism
Some may argue that creating a rigid definition imposes a binary response, only allowing cyberattacks to be classified as either warfare or not. Critics may also add that cyberattacks are too multidimensional and nuanced to fit into a binary system of classification. While there are many different types of cyberattacks, such as “botnets…logic bombs…trojan horses…viruses…worms…[and] zombies”, all definitions are in and of themselves binary. They clearly state what the parameters of something are, and by default, what they are not. However, a definition being decisively clear does not preclude it from accounting for depth.
A way to understand cyber’s multifaceted nature and accurately describe it could be to create different levels or types of cyberattacks, subgroups that an attack could fall into after its initial analysis against the warfare definition. For example, espionage and sabotage are “kinds of aggression that do not rise to the level of war”. The act of spying on or sabotaging another country may lack overt violence or political motive. While they should not be ignored, simply because they are not warfare, they do not warrant the military response that warfare would. It is also important to consider that, along with the variety of cyber incidents, there can be a variety in how states decide to respond. While something may be classified as warfare, states have the autonomy to approach resolution from the perspective of soft or hard power. Something being classified as warfare doesn’t lock states into a certain response; rather, a clear cyber definition allows states to have a clear understanding of the situation at hand and optimally positions them to craft a strategic response. Using a strict definition, with a structural integrity grounded in the three key Clausewitzian principles, provides the U.S. with a clear threshold for what attacks rise to the level of war, and even if they do not, how to still take them seriously and respond appropriately.
A rigid definition provides the initial test that defines what a cyberattack is, and then allows for a more accurate categorization based on the rejection or acceptance of warfare status. The goal is to accurately assess the level of severity and intensity of a cyberattack, then respond to that attack strategically and proportionately. Military operations exist on a wide spectrum of varying levels of violence. A definition would draw a clear line on this spectrum to delineate where cyber war begins. While this threshold is critical for national security, it does not diminish the complexity of cyber warfare. Rather, there is room for incidents like espionage and sabotage to be classified as a serious threat or potential conflict that requires proportional enhanced focus. This definition allows for every act of aggression against the United States, regardless of whether they are warfare or not, to be understood, properly prioritized, and countered appropriately.
Case Study
The 2007 Estonia cyberattack is a case study that exemplifies the ambiguity of cyberattacks and why firm definitions are needed to provide strategic clarity and stability. The Estonian government decided to move a bronze statue that initially represented the defeat of the Nazis by the Soviet Union. Over time, for those native to Estonia, the statue became a hurtful reminder of Soviet oppression. The decision incited intense backlash from Russian sympathizers who felt the moving of the statue was disrespectful and an insult to how they conceptualize that historical moment. Some of these groups took action and began a wave of DDoS cyberattacks on critical Estonian infrastructure, including banks, media outlets, and government websites. DDoS attacks are distributed denial-of-service attacks that overwhelm their target and compromise its ability to operate normally. With their cyberspace paralyzed, Estonian society fell into chaos, facing the massive repercussions of digital malware, with many citizens not having access to their money, news, or government.
This attack demonstrated the vulnerability that comes with intense interconnections between the cyber and physical worlds, and how harm in one realm prompts harm in the other. While this attack undoubtedly caused a harmful disruption in the lives of innocent Estonian citizens, it does not meet the requirements for warfare. Although it was politically motivated by pro-Russian groups, responsibility for enabling this attack was never definitively attributed to Russia. Furthermore, no one died as a direct result of the cyberattack, resulting in no violence or coercive action occurring. While the Estonia case cannot be classified as warfare, it revealed the danger of the gray zone between sabotage and full-on war, and how aggression that lacks definitional clarity leaves states uncertain about how and when to respond.
The inconsistent responses from different international organizations, like the European Union (EU) and NATO, show a lack of coordination on cyber strategy, reflecting the harm that comes from the absence of a clear definition of cyber warfare. Cyberattacks look different from other previous methods of war, and this “unusual look of our forces may have less of an ‘intimidation effect’ on our future adversaries, thereby vitiating crisis and deterrence stability”. When states cannot clearly articulate what constitutes cyber warfare, their response to cyberattacks is weakened, which signals inconsistency and allows adversaries to exploit these blind spots. This also denies them the ability to establish a consistent standard of response that, over time, would show coordination, strength between allies, and credibility on the international stage. The Estonia case is an example of the urgent need for a rigid definition of cyber warfare, based on criteria to ensure that states can form unified, strategic, and coordinated responses proportional to the incident at hand.
Final Recommendations
It is of paramount importance that the United States establish a clear definition of cyber warfare that definitively states the need for a political motive, violence, and conflict between two political actors. This definition would allow the U.S. to provide a consistent framework for identifying, classifying, and responding appropriately to cyber incidents across the spectrum of conflict. It would also position the U.S. to be proactive, rather than reactive, in its foreign policy decision-making.
As cyberspace continues to evolve at a rapid rate, states are often left managing the aftermath of malware, rather than actively preventing it. Preemptive definitional clarity allows the U.S. to systematically distinguish different types of cyberattacks and respond to them in a strategic and proportional manner. Having clear protocols for managing cyberattacks, based on whether a cyberattack qualifies as warfare or not, strengthens the U.S. military’s confidence that its response will be coordinated across government agencies and highly competitive.
Ultimately, a unified definition of cyber warfare is a safeguard against miscalculation and strategic paralysis in an era where the boundaries between the digital and physical worlds are becoming increasingly blurred. A rigid definition based on strict Clausewitzian criteria provides policymakers with a clear framework for assessing a cyber incident, accurately identifying whether it is warfare or not, and then properly classifying it in a subgroup that determines how to respond proportionally. Through the metrics of political purpose, presence of violence, and capable actors, the United States can set a clear and distinct threshold that separates lesser cyberattacks from genuine acts of cyber warfare. Doing so reaffirms America’s capacity to be a great power in the cyber domain.
