Is warfare the right frame for the cyber debate?

Nation-states are struggling to formulate cyberpolicy, especially against foreign-based intrusions and attacks on domestic computer systems. These incidents are often framed in the context of cyberwarfare, which naturally implies that military organizations should respond to these incidents. This chapter will discuss why cyberwarfare is ethically difficult and why, until responsible cyberpolicy is developed, we may plausibly reframe the problem not as warfare but as private defense, i.e., self-defense by private parties, especially commercial companies, as distinct from a nation-state’s right to self-defense. The distinction between private defense and national defense is relevant, since victims of cyberattacks have been primarily industry targets and not so much government targets, at least with respect to measurable harm. And we focus on foreign-based cyberattacks since, unlike domestic-based attacks that are usually considered to be mere crimes and therefore a matter for domestic law enforcement, foreign-based attacks tend to raise special alarms and panic about more sinister motives. More than a mere criminal act, a foreign cyberattack is often perceived as an aggression so serious that it may plausibly count as an act of war, or casus belli, and so we are quick to invoke national security. But insofar as the state is currently not protecting industry from such cyberattacks—in part because it is difficult to arrive at a sound cyberpolicy—we should consider interim solutions outside the military framework.