Cyber legalism: why it fails and what to do about it

Abstract

Abstract Western nations face a glaring punishment problem in the cyber domain. Repeatedly, other nations assail their political and economic interests. Repeatedly, Western leaders warn about the gravity of such actions. And yet repeatedly, the victims failed to punish to deter the offenders. This article examines why and how this situation arose and what to do about it. The Western approach to cyber conflict prevention emphasizes the centrality of existing international law and norms. The legal and normative framework is not adequate for this purpose, however, because it does not provide sufficient grounds to credibly respond to actions falling short of war. Consequently, the Western approach has failed spectacularly. It fails to grasp a central truth about contemporary security affairs: much of modern interstate rivalry fits neither the destructive criteria of war nor the acceptable boundaries of peaceful rivalry. Rather, it is unpeace, or mid-spectrum rivalry that is more damaging than traditional peacetime activity, but not physically violent like war. Nations use cyberspace to achieve some of the political and strategic objectives of war without firing a single gun. The lack of an effective Western response betrays not tolerance of aggression but a failure to devise a response strategy commensurate with the legal and doctrinal ambiguities of unpeace. Existing law and norms are a source of the problem, not its solution. An interim solution must be found instead in the development of new doctrine—in a consequentialist strategy that affects adversaries’ material interests to deter actions which international law and security strategy do not ordinarily recognize as deserving a strong response.