Challenges of civilian distinction in cyberwarfare

Abstract

Avoiding attacks on civilian targets during cyberwarfare is more difficult than it seems. We discuss ways in which an ostensibly military cyberattack could accidentally hit a civilian target. Civilian targets are easier to attack than military targets, and an adversary may be tempted to be careless in targeting. Dual-use targets are common in cyberspace since militaries frequently exploit civilian cyber infrastructure such as networks and common software, and hitting that infrastructure necessarily hurts civilians. Civilians can be necessary intermediate objectives to get to an adversary's military, since direct Internet connections between militaries can be easily blocked. Cyberwarfare methods are unreliable, so cyberattacks tend to use many different methods simultaneously, increasing the risk of civilian spillover. Military cyberattacks are often seen by civilian authorities, then quickly analyzed and reported to the public; this enables criminals to quickly exploit the attack methods to harm civilians. Many attacks use automatic propagation methods which have difficulty distinguishing civilians. Finally, many cyberattacks spoof civilians, encouraging counterattacks on civilians; that is close to perfidy, which is outlawed by the laws of armed conflict. We discuss several additional problems, including the public's underestimated dependence on digital technology, their unpreparedness for cyberwarfare, and the indirect lethal effects of cyberattacks. We conclude with proposed principles for ethical conduct of cyberwarfare to minimize unnecessary harm to civilians, and suggest designating cyberspace "safe havens", enforcing reparations, and emphasizing cyber coercion rather than cyberwarfare.