And we’re not speaking here only of self-defense or retaliation. Documents released by Edward Snowden show that the United States “carried out 231 offensive cyber-operations in 2011.”
No doubt one motive behind the frequent leaking of information on U.S. cybersecurity efforts is deterrence. As recently as last year, General Keith B. Alexander, head of the National Security Agency and the United States Cyber Command, repeated the frequent warning that “a devastating attack on the critical infrastructure and population of the United States by cyber means would be correctly traced back to its source and elicit a prompt and proportionate response.”
Most international law scholars would say that an unprovoked attack would constitute an act of war. The Tallinn Manual, produced by academic experts convened by NATO, presents one of the most detailed analyses of the application of the law of armed conflict to hostilities carried out by means of cyber-attack. Existing rules should apply, they argued, whether cyber-attacks are a small part of a larger conflict (as in the Russia-Georgia confrontation in 2008) or the parties engage each other entirely by using cyberweapons.
This would mean that the principle of discrimination applies: A cyber-attack, like a kinetic attack, must never intentionally target civilians, no matter the justification. Therefore, an attack by a state actor on a private factory not producing for the military holds the same legal status whether the attackers use cruise missiles or logic bombs.
Similarly, according to the Tallinn Manual, online attacks that cannot discriminate military from civilian targets are prohibited, including the use of malware that will “inevitably, and harmfully, spread into civilian networks.” A corollary would seem to be that a cyberweapon can be considered ethical only when the side that deploys it also retains the ability to stop it.