When cyberattacks come from abroad, there’s special panic. We often imagine them to be the opening volleys of a cyberwar that could escalate into a kinetic war. For that reason, hacking back—or cyber-counterattacking—is presumed to be too dangerous to allow.
The legal case against hacking back is that the use of force is a power reserved only for governments, not private individuals and companies. The moral case is that it invites retaliations that can strain political and economic relationships or worse.
But this is too quick. A deeper ethical analysis reveals reasons why hacking back may not be as problematic as believed.
Consider this analogy: Imagine that state-sponsored parties—maybe explorers or military reconnaissance—from two adversarial nations cross paths in unclaimed or contested territory, such as the Arctic region. Nationalism runs high, words are said, and shots are exchanged. Some people are killed. Is this the beginning of a war?
On the face of it, this would seem to violate international laws of armed conflict. As declared by the United Nations Charter, article 2(4): “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”
And it is within the natural rights of the attacked nation to defend itself. As declared by the UN Charter, article 51: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.”
Firing back, of course, may exacerbate the conflict and draw the two nations into war, and this is a worst-case scenario that we would be right to guard against. But does hacking back really create a risk like this?
Like the Arctic, cyberspace is a borderland of sorts, too. Cyberspace is an ephemeral, unfamiliar domain that slips between a purely informational world and the physical world. If so, then it’s unclear that a cyberconflict threatens territorial integrity that requires armed defense, because the borders of cyberspace are hard to locate in the first place, even if it has clear physical roots.
If cyberspace is something like a contested frontier, then the following legal case is relevant. In the International Court of Justice case of Nicaragua vs. United States of America in 1984, the court’s judgment distinguished an armed attack from a “mere frontier incident” (para. 195).
This means that a frontier incident cannot trigger UN Charter’s article 51 to justify a counterattack and escalation. But that does not mean the victim cannot counterattack at all, only that the state can’t invoke its right to self-defense.
Personal self-defense could justify a counterattack, even if a state’s sovereignty isn’t at stake. The frontiersmen involved—the settlers, traders, explorers, or military scouts—would understandably want to defend their own lives, as well as deter future attacks, by returning fire at things that shoot at them.
Even without appealing to self-defense, it may be enough to observe that frontier incidents are an inherent risk to frontiers. Bad things happen here, and pushing back is one of those unfortunate, but reasonable and natural, responses. It would be better if frontiers were governed by law, but that’s the nature of frontiers. This lines up with the idea that “gray zones” of conflicts can exist: attacks short of war but still aggressive.
The rules and borders of the cyber frontier are still unclear, as are its governing authorities. While these are still being sorted out, we may arguably treat cyberattacks as frontier incidents, which are not necessarily escalatory. At least when they don’t harm physical things clearly within a state’s territory—such as causing equipment to fail or even explode—hacking and counter-hacking aren’t as serious as an armed attack or act of war.
In a larger discussion, the Ethics + Emerging Sciences Group at Cal Poly just published a new report where we consider other analogies for cyberattacks, such as seeing it as a public health problem, like fighting a virus outbreak. These also suggest that hacking back could be ethically and legally allowed.
Until there is clear law that forbids it, and until authorities can reliably defend our systems, hacking back may become the “new normal”, if it becomes more prevalent. It’s simply an assumed risk of living in the cyber frontier. But it’s easy to forget this risk under the comfortable blanket of Facebook likes and cat videos. Settling on new lands has never been easy, and we must never forget where we are.
This post appears courtesy of CFR.org.