Cyber Defense Review

Economic Ethics: A Case for Applying the Ethics of Sanctions to Cyber Conflict

By James Loving | March 21, 2016

Introduction

            Technology has revolutionized warfare. Every major advance, from automatic weapons to modern airpower, has instigated ethical debate: How do we ethically employ strategic bombing campaigns? Are weapons of mass destruction ever ethically justified? Similarly, the growth of computer technology has created a series of ethical challenges related to cyber conflict. Scholars have sought to answer these questions with the body of ethics traditional to armed conflict, just war theory. Yet, cyber conflict is critically different from traditional armed conflict in practice; these differences mean that two tenets of just war theory, distinction and proportionality, are not easily applied. This article argues for the application of a tangential body of ethics, the ethics of economic sanctions. Sanctions face many of the same difficulties in employment as cyber attacks, and thus their ethical standards apply far more readily than those of traditional armed conflict.

Defining Cyber Conflict

            Cyber conflict has its own unique lexicon, so I will briefly explain the necessary terms. A cyber attack is an intentional and negative impact on a computer system or network with a political goal.1 However, various organizations within the US Government, including the Departments of Defense (DoD) and Homeland Security (DHS), have defined cyber attack in differing ways—notably, eschewing a requirement for political intent.2,3 This difference is likely due to the difficulties in attributing motivation prior to legal or military reaction. Defining cyber attack by intent separates it from the related concept of cyber crime, which lacks a political motivation; cyber attacks are not simply crimes dramatized on the international stage. This distinction is critical to understanding the ethical dilemma presented by cyber attacks. Cyber crime, which lacks the political intent, must be addressed by a different body of ethics; it is simply traditional criminal ideas executed through non-traditional means. While neither classification is necessarily government action, state sponsorship typically implies a political action. Thus, industrial espionage by one company against another is a simple cyber crime; espionage by a government agency would be a cyber attack.

Some frameworks propose an additional category, cyber espionage, or computer network exploitation (CNE) in DoD terminology.4 However, separating offensive activities into attack and espionage, while perhaps useful for certain purposes, presents a false dichotomy. Both categories have negative consequences. On a broad scale, the effects to the information system are overshadowed by the impact to users and their information. Dividing these two actions artificially imposes a border based on a nuance that matters little to the underlying ethics, as both classifications result in systems or information being harmed. Moreover, modern bureaucratic policy has shifted towards this mindset: The recent US Army Field Manual on Cyber Electronic Activities, FM 3-38, abandons this separation in favor of “offensive cyberspace operations.”5 While this namespace is still in flux, this ethical discussion will rely on the wider definition of cyber attack that includes acts of espionage, including certain levels of industrial espionage.

Applying Just War Theory to Cyber Attack

            Scholars have recently sought to map the traditional ethics of war, Just War Theory, onto cyber conflict. This theory, as discussed by its author Michael Walzer, allows for ethical war to be distinguished from senseless violence through the adherence to moral principles. Broadly, these principles are divided into two categories: jus ad bellum, which addresses the justification for war, and jus in bello, which concerns conduct during war. For war to be ethically right, the inciting nation must have a just cause, such as self-defense or humanitarian intervention; the act must be proportional to the threat or harm, a utilitarian argument that the damages of the war must be less than the damages of keeping the peace; the actors must have a right intention, that they intend to achieve the just cause; the war must be conducted under legitimate authority—war is the realm of governments and international coalitions, not individuals, corporations, or other groups lacking legitimate political authority; and the war must have a reasonable chance of success and be an act of last resort, after all diplomatic options have been exhausted.6

Jus in bello mandates similar requirements. Military action must aim for distinction—only legitimate military objectives are targeted, and non-combatants are not; non-combatants may be harmed collaterally, but they must not be directly targeted for harm. The action must be proportional; harm must not be excessive in proportion to the gained military advantage. This principle is separate from the jus ad bellum principle of proportionality. Attacks must be necessary for the conclusion of war, and not simply to impose harms such as an act of retribution. Attacks must not be carried out by means that are evil in themselves, malum in se, such as mass rape. Finally, prisoners of war must be respected and treated humanely. Despite their similarities, jus in bello and jus ad bellum are independent standards; a war can be fought in adherence to one but not the other.7

While scholars have applied this framework to cyber conflict,8,9,10 it does not apply cleanly.11 Ethical standards for conflict exist to formalize the difference between acts that would be judged just from those that would not. Under the jus in bello and jus ad bellum standards, cyber attacks cannot be judged as ethical. Yet, there are situations where cyber attacks should be considered ethical, primarily as an act in lieu of outright armed conflict. Beyond such a naive judgment, such a standard would uphold the morality underlying just war theory, to minimize unnecessary harm. However, under the traditional principles of the law of war, cyber attacks fail two standards: proportionality and distinction.12

Cyber attacks are rarely narrowly tailored to their intended target, and such tailoring is technologically difficult. This results in a problem shared with weapons of mass destruction, an intermingling of the jus in bello principles of distinction and proportionality. Ethics demand that civilian harm be minimized, but when a computer virus can quickly spread beyond the targeted system, such harms may quickly overwhelm the harms avoided through the attack. This would violate the jus in bello principle of proportionality, thus making the entire attack unethical.13 Unfortunately, the scant history of cyber conflict has shown little capability for the secure distinction of targets. Sophisticated attacks have attempted, with limited success, to limit their impact, but often find themselves spreading. The Stuxnet worm, famed for its sophistication and bombasted as a potential US or Israeli cyber attack on the Iranian nuclear sector, quickly spread beyond that target: As of February, 2013, less than 60% of infections were on Iranian machines, of which only a minority were associated with nuclear enrichment.14 While Stuxnet was  sophisticated enough to do little damage to these tangential systems, they were still exposed to malicious software which could have effected significant damage, as seen on the eventual target. Considering a more dynamic situation, i.e., outside the capabilities of what is presumed to be a systematic, multi-year, and highly-funded campaign15, this event still raises concerns of the feasibility of narrow distinction.

The jus in bello principle of distinction further complicates an ethical standard for cyber conflict for two other reasons. First, cyber attacks are notoriously hard to properly attribute. Thus, it can be exceedingly difficult to distinguish the actual actors involved. This difficulty may also apply to distinguishing leadership elements,16 a subordinate principle that has been codified into the Geneva Conventions.17 Second, cyber capability is not exclusively the domain of uniformed personnel, and states have and will continue to recruit or incite non-government actors, including contractors, to effect cyber attacks on their behalf. This conflict intertwines with the jus ad bellum principle of legitimate authority: Are these sub-state experts legitimate actors for the purposes of a cyber attack? Conventional ethics hold that the only legitimate actors are states and interstate coalitions, including the United Nations. The traditional law of war has little to draw on, and modern legal standards typically firmly classify contractors, even in armed

capacities, as civilians (albeit sometimes subject to additional regulations).18 Cyber conflict may adopt this approach, but it will be an imperfect solution; an individual cyber contractor can have far greater capability for effecting cyber harm than a traditional contractor.

Alternative Ethical Standard: Economic Sanctions

            The ethics of cyber conflict are not neatly addressed by the ethics of war, because the nature of cyber conflict is critically different from the nature of traditional war. Cyber conflict more closely resembles an economic sanction, defined for this purpose as the “politically motivated withdrawal of customary trade or financial relations from a state, organization, or individual.”19 While the specific mechanism is overtly different, more subtle differences separate sanctions from war. Both strategies can be used to cause political change through three mechanisms: direct harm, making the enemy hurt so badly it quits; indirect harm, such as damaging their international reputation; or through the denial of resources, such as the bombing of a factory (in war) or a targeted arms embargo (in a sanction scheme).

Yet, a cyber attack is closer to an economic sanction. Both fail to rise to the direct lethal consequences of armed conflict. Until that capability has been unfortunately demonstrated, cyber attacks should be judged with a less stringent ethical standard, perhaps if only to prevent an actor from escalating to war in their place. Moreover, economic sanctions have an established difficulty addressing the jus in bello principle of distinction. While some ethicists judge economic sanctions as totally unethical, 20 the more important test is comparing them to their chief alternative, war. As economic sanctions generally cause less harm than a similar level of armed conflict, they may be held to a lower standard.21 Economic sanctions should be more easily justified to encourage their usage in place of more harmful war. Following this logic, cyber attacks should only be held to the ethical standards of war when they raise to equivalence to war; until then, they should be held to a lower standard, reflective of the lower harm.       Scholars of economic sanctions proposed a modification to the traditional tenets of the law of war: remove the principle of distinction and add two new principles. First, a commitment to and prospects for a political solution: the imposed sanctions must be an “alternative to war, not… another form of war.”22 Second, a humanitarian proviso that protects basic human rights to prevent the worst harms from befalling the civilian populace.23 This reformed framework is somewhat imperfect for judging cyber conflict. While cyber attacks may be an alternative to war, they are also a likely complement: As shown in the 2008 Russo-Georgian War, cyber conflict is likely to become an indelible part of war.24 Yet, the addition of cyber operations to war does not preclude a political solution any more than the first uses of military airpower; they are points on the same spectrum, from pure diplomacy to total war—diplomacy “by other means.”25

The second addition, the humanitarian proviso, readily measures the ethics of a cyber conflict. The overall goal of any ethical framework for conflict should be the minimization of undue suffering. Under the traditional principle of distinction, an attack is unethical if it targets civilians. Yet, cyber conflict may require such targeting. The humanitarian proviso aims to prevent the worst harms from affecting targeted civilians. Critically, this reflects a difference standard of measurement, with the humanitarian proviso reflecting a more effects-based judgment than the principle of distinction. Civilian computer systems, such as intermediary systems used to attack air-gapped systems, may be targeted, but they must be protected from grave harm. Given the naive judgment that a Stuxnet-like attack—which targeted intermediary systems to attack air-gapped systems26—should be ethical as it minimizes harm relative to a military alternative, but is unethical under just war theory for targeting non-combatants, this modified framework allows for more accurate evaluation of cyber conflict.

Conclusion

            Economic sanctions present a metaphor that suggests an ethical benchmark far more applicable to cyber conflict than the popular standard, the law of war. While the law of war has been successfully applied to many revolutions in warfighting, the nature of cyber conflict presents challenges to the jus in bello principle of distinction among others. This would judge as unethical nearly every known instance of cyber attacks, including the most sophisticated examples. Yet, next to war, cyber attack appears humane. It should be judged by a more tolerant ethical standard, and economic sanctions face many identical challenges in their implementation. By substituting the proposed humanitarian proviso and commitment to a political solution, cyber attacks can be ethically judged more accurately than under the traditional law of war.

 

Notes

  1. Adapted from a framework presented by Oona A. Hathaway et al., “The Law of Cyber-Attack,” (California Law Review, 2012) http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2134932.
  2. “Joint Publication 1-02: Department of Defense Dictionary of Military and Associated Terms” (US Department of Defense, November 8, 2010).
  3. “Cyber Glossary,” US Department of Homeland Security National Initiative for Cybersecurity Careers and Studies, accessed January 7, 2016, https://niccs.us-cert.gov/glossary.
  4. “Joint Publication 1-02: Department of Defense Dictionary of Military and Associated Terms.”
  5. “FM 3-38: Cyber Electromagnetic Activities” (US Department of the Army, February 2014).
  6. Michael Walzer, Just and Unjust Wars: A Moral Argument with Historical Illustrations (New York, NY: Basic Books, 2006).
  7. Ibid.
  8. Matthew Beard, “Cyberwar and Just War Theory,” Journal of Applied Ethics & Philosophy 5 (2013).
  9. James Cook, “‘Cyberation’ and Just War Doctrine: A Response to Randall Dipert,” Journal of Military Ethics 9, no. 4 (December 2010), 411–23.
  10. Joel A. Yates, “Cyber Warfare: An Evolution in Warfare Not Just War Theory” (Master’s Thesis, Marine Corps Command and Staff College, 2013).
  11. Just War Theory’s poor fit for cyber conflict has led to some to suggest eschewing the moral theory altogether. For a more in-depth discussion, see Randall R. Dipert, “The Ethics of Cyberwarfare,” Journal of Military Ethics 9, no. 4 (December 2010): 384–410.
  12. Michael N. Schmitt, “Cyber Operations and the Jus in Bello: Key Issues,” Int’l L. Stud. Ser. US Naval War Col. 87 (2011), 89.
  13. For a more in-depth discussion, see Schmitt, “Cyber Operations and the Jus in Bello.”
  14. “W32.Stuxnet,” Symantec, accessed January 7, 2016, https://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99.
  15. David Kushner, “The Real Story of Stuxnet,” IEEE Spectrumhttp://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet (accessed January 7, 2016).
  16. Vijay M. Padmanabhan, “Cyber Warriors and the Jus in Bello,” Int’l L. Stud. Ser. US Naval War Col. 89 (2013), i.
  17. “Geneva Convention Relative to the Treatment of Prisoners of War,” Office of the United Nations High Commissioner for Human Rightshttp://www.ohchr.org/EN/ProfessionalInterest/Pages/TreatmentOfPrisonersOfWar.aspx (accessed January 7, 2016).
  18. Marc Lindemann, “Civilian Contractors under Military Law,” Parameters 37, no. 3 (2007), 83.
  19. Gary Clyde Hufbauer, Jeffrey J. Schott, and Kimberly Ann Elliott, Economic Sanctions Reconsidered (Washington, DC: Peterson Institute for International Economics, 2007).
  20. Charles A. Rarick and Martine Duchatelet, “An Ethical Assessment of the Use of Economic Sanctions as a Tool of Foreign Policy,” Economic Affairs 28, no. 2 (2008), 48–52.
  21. Drew Christiansen and Gerald F. Powers, “Economic Sanctions and Just War Doctrine,” in Economic Sanctions: Panacea or Peacebuilding in a Post-Cold War World?, ed. David Cortright and George A. Lopez (Oxford, United Kingdom: Westview Press, 1995).
  22. Ibid, 114.
  23. Ibid.
  24. “The Russo-Georgian War 2008: The Role of Cyber Attacks in the Conflict” (Armed Forces Communications and Electronics Association, May 24, 2012), https://www.afcea.org/committees/cyber/documents/TheRusso-GeorgianWar2008.pdf.
  25. Carl von Clausewitz, On War.
  26. Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” Wired. http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ (accessed January 19, 2016).