Military, political, technical, and education approach: information warfare is a multi-factor domain. But what about ethics? If we consider information warfare as part of the general war, instead of as a separate entity, we have to go deeper into this dimension.
From the dawn of the recorded history of conflict, attempts have been made to craft an ethical approach to war, following two main paths: a set of guidelines regarding the conditions for war (jus ad bellum), defined in the Charter of the United Nations, and the conduct of war (jus in bello), defined by the Geneva Convention and all its addendum, consisting in a set of rules by which combatants, should they adhere to them, might fight during a war in a just manner.
But is it possible to establish humanitarian norms and red lines applicable to the use of force in cyberspace? It’s time to review these ethical concepts in the information warfare age, as new forms of conflict are emerging to test existing understanding of “just wars”.
According to the information scientist Gurpreet Dhillon, Professor and Head of Information Systems & Supply Chain Management at the Bryan School of Business and Economics, University of North Carolina, Greensboro, «information warfare makes war more thinkable. This seems inescapable—and quite troubling. Yet it does not require that waging information warfare be either destructive or unjust. On the contrary, ethical notions of just warfighting will likely continue to provide a useful guide to behavior well into the information age». Similarly, could it be possible to create an international cyber armament control regime? Could cyber peace treaties be the answer after all? Our future holds the answers to these questions about ethics. While we embrace superior technologies such as artificial intelligence and distributed ledger technologies (DLT), perhaps ethical embrace will help us find the necessary means to combat the cyber threats we face today.
Despite the different specific approaches carried out by the EU and the US, there is some convergence. First of all, the need to strengthen our governance and response-mechanisms at the institutional level.
But laws and regulations alone aren’t enough: awareness about the threat, the game at play, and the price at stake, both among the general public and at the top institutional level, is the first line of defense. These tools can’t protect countries from cyber advanced persistent threats, but they are an easy and relatively inexpensive measure in a proactive approach instead of spending an enormous amount of money and time dealing with emergencies. Explaining in innovative and participative ways to the general public, the dangers of manipulated information can constitute an efficient cultural barrier against fake news. Our societies develop a healthy skepticism as they learn to manage, interpret, and evaluate large volumes of non-intermediated information. In other words, awareness can help reduce the “echo-chamber effect” of social media, boosting another critical element of a more in-depth defense against informational threats: the coherence with our society’s core values. As stated by Fabio Rugge, a diplomat currently working as Head of the Office in charge of NATO and Security and Politico-Military Issues, «Information warfare represents an attack to an unavoidable vulnerability of open democracies, but this does not mean we shall question or negotiate our commitment to transparency, openness and the rule of law. While we must confront foreign information warfare head-on, and we must increase transparency in political funding to avoid foreign meddling in our democratic processes, we must also, at the same time, avoid a witch-hunt against whoever is ideologically aligned with Moscow’s stances: such a course of action would ultimately erode the legitimacy of our democratic institutions, with the effect of dissipating precisely what we wanted to preserve». Disinformation works best precisely where there is a lack of trust.
There have been large scale takedowns of APTs and CIBs are the most recent one being Facebook’s removal of coordinated inauthentic behavior (CIB) from China. What we truly need is a public-private threat intelligence sharing and mitigation effort to combat these emerging threats. While these threat mitigation mechanisms and campaigns are ongoing, we must prepare to protect the integrity of our elections and elections around the world to respond to Cyber Political Engineering type attacks that combine all forms of network-based malicious cyber activities, spear phishing, information warfare, cyber espionage and mass manipulation of public opinion by timing such attack to influence significant events such as Presidential Elections. Elections hacking or any other form of cyber political engineering has to be treated like a massive scale cybersecurity incident. Stakeholders worldwide have to follow newly-created tools like the cybersecurity campaign playbook by Harvard plus similar recommendations made by ENISA, the EU cybersecurity agency.
While a fear-based offensive cyber policy, as proposed by the Trump administration may not be the silver bullet, it certainly seems to make sense in the short term, as seen most recently in June, when a secret cyberattack against Iran wiped out a critical database used by Iran’s paramilitary arm to plot attacks against oil tankers and degraded Teheran’s ability to covertly target shipping traffic in the Persian Gulf, at least temporarily, according to senior American officials. Not only did it neutralize the immediate threat and send a message to Iran, but also showed effective use of cyber strikes to avoid a full-fledged war as a response mechanism.