Cyber Defense Review

Economic Ethics: A Case for Applying the Ethics of Sanctions to Cyber Conflict

By James Loving | March 21, 2016

Introduction

            Technology has revolutionized warfare. Every major advance, from automatic weapons to modern airpower, has instigated ethical debate: How do we ethically employ strategic bombing campaigns? Are weapons of mass destruction ever ethically justified? Similarly, the growth of computer technology has created a series of ethical challenges related to cyber conflict. Scholars have sought to answer these questions with the body of ethics traditional to armed conflict, just war theory. Yet, cyber conflict is critically different from traditional armed conflict in practice; these differences mean that two tenets of just war theory, distinction and proportionality, are not easily applied. This article argues for the application of a tangential body of ethics, the ethics of economic sanctions. Sanctions face many of the same difficulties in employment as cyber attacks, and thus their ethical standards apply far more readily than those of traditional armed conflict.

Defining Cyber Conflict

            Cyber conflict has its own unique lexicon, so I will briefly explain the necessary terms. A cyber attack is an intentional and negative impact on a computer system or network with a political goal.1 However, various organizations within the US Government, including the Departments of Defense (DoD) and Homeland Security (DHS), have defined cyber attack in differing ways—notably, eschewing a requirement for political intent.2,3 This difference is likely due to the difficulties in attributing motivation prior to legal or military reaction. Defining cyber attack by intent separates it from the related concept of cyber crime, which lacks a political motivation; cyber attacks are not simply crimes dramatized on the international stage. This distinction is critical to understanding the ethical dilemma presented by cyber attacks. Cyber crime, which lacks the political intent, must be addressed by a different body of ethics; it is simply traditional criminal ideas executed through non-traditional means. While neither classification is necessarily government action, state sponsorship typically implies a political action. Thus, industrial espionage by one company against another is a simple cyber crime; espionage by a government agency would be a cyber attack.

Some frameworks propose an additional category, cyber espionage, or computer network exploitation (CNE) in DoD terminology.4 However, separating offensive activities into attack and espionage, while perhaps useful for certain purposes, presents a false dichotomy. Both categories have negative consequences. On a broad scale, the effects to the information system are overshadowed by the impact to users and their information. Dividing these two actions artificially imposes a border based on a nuance that matters little to the underlying ethics, as both classifications result in systems or information being harmed. Moreover, modern bureaucratic policy has shifted towards this mindset: The recent US Army Field Manual on Cyber Electronic Activities, FM 3-38, abandons this separation in favor of “offensive cyberspace operations.”5 While this namespace is still in flux, this ethical discussion will rely on the wider definition of cyber attack that includes acts of espionage, including certain levels of industrial espionage.

Applying Just War Theory to Cyber Attack

            Scholars have recently sought to map the traditional ethics of war, Just War Theory, onto cyber conflict. This theory, as discussed by its author Michael Walzer, allows for ethical war to be distinguished from senseless violence through the adherence to moral principles. Broadly, these principles are divided into two categories: jus ad bellum, which addresses the justification for war, and jus in bello, which concerns conduct during war. For war to be ethically right, the inciting nation must have a just cause, such as self-defense or humanitarian intervention; the act must be proportional to the threat or harm, a utilitarian argument that the damages of the war must be less than the damages of keeping the peace; the actors must have a right intention, that they intend to achieve the just cause; the war must be conducted under legitimate authority—war is the realm of governments and international coalitions, not individuals, corporations, or other groups lacking legitimate political authority; and the war must have a reasonable chance of success and be an act of last resort, after all diplomatic options have been exhausted.6

Jus in bello mandates similar requirements. Military action must aim for distinction—only legitimate military objectives are targeted, and non-combatants are not; non-combatants may be harmed collaterally, but they must not be directly targeted for harm. The action must be proportional; harm must not be excessive in proportion to the gained military advantage. This principle is separate from the jus ad bellum principle of proportionality. Attacks must be necessary for the conclusion of war, and not simply to impose harms such as an act of retribution. Attacks must not be carried out by means that are evil in themselves, malum in se, such as mass rape. Finally, prisoners of war must be respected and treated humanely. Despite their similarities, jus in bello and jus ad bellum are independent standards; a war can be fought in adherence to one but not the other.7

While scholars have applied this framework to cyber conflict,8,9,10 it does not apply cleanly.11 Ethical standards for conflict exist to formalize the difference between acts that would be judged just from those that would not. Under the jus in bello and jus ad bellum standards, cyber attacks cannot be judged as ethical. Yet, there are situations where cyber attacks should be considered ethical, primarily as an act in lieu of outright armed conflict. Beyond such a naive judgment, such a standard would uphold the morality underlying just war theory, to minimize unnecessary harm. However, under the traditional principles of the law of war, cyber attacks fail two standards: proportionality and distinction.12

Cyber attacks are rarely narrowly tailored to their intended target, and such tailoring is technologically difficult. This results in a problem shared with weapons of mass destruction, an intermingling of the jus in bello principles of distinction and proportionality. Ethics demand that civilian harm be minimized, but when a computer virus can quickly spread beyond the targeted system, such harms may quickly overwhelm the harms avoided through the attack. This would violate the jus in bello principle of proportionality, thus making the entire attack unethical.13 Unfortunately, the scant history of cyber conflict has shown little capability for the secure distinction of targets. Sophisticated attacks have attempted, with limited success, to limit their impact, but often find themselves spreading. The Stuxnet worm, famed for its sophistication and bombasted as a potential US or Israeli cyber attack on the Iranian nuclear sector, quickly spread beyond that target: As of February, 2013, less than 60% of infections were on Iranian machines, of which only a minority were associated with nuclear enrichment.14 While Stuxnet was  sophisticated enough to do little damage to these tangential systems, they were still exposed to malicious software which could have effected significant damage, as seen on the eventual target. Considering a more dynamic situation, i.e., outside the capabilities of what is presumed to be a systematic, multi-year, and highly-funded campaign15, this event still raises concerns of the feasibility of narrow distinction.

The jus in bello principle of distinction further complicates an ethical standard for cyber conflict for two other reasons. First, cyber attacks are notoriously hard to properly attribute. Thus, it can be exceedingly difficult to distinguish the actual actors involved. This difficulty may also apply to distinguishing leadership elements,16 a subordinate principle that has been codified into the Geneva Conventions.17 Second, cyber capability is not exclusively the domain of uniformed personnel, and states have and will continue to recruit or incite non-government actors, including contractors, to effect cyber attacks on their behalf. This conflict intertwines with the jus ad bellum principle of legitimate authority: Are these sub-state experts legitimate actors for the purposes of a cyber attack? Conventional ethics hold that the only legitimate actors are states and interstate coalitions, including the United Nations. The traditional law of war has little to draw on, and modern legal standards typically firmly classify contractors, even in armed

capacities, as civilians (albeit sometimes subject to additional regulations).18 Cyber conflict may adopt this approach, but it will be an imperfect solution; an individual cyber contractor can have far greater capability for effecting cyber harm than a traditional contractor.

Alternative Ethical Standard: Economic Sanctions

            The ethics of cyber conflict are not neatly addressed by the ethics of war, because the nature of cyber conflict is critically different from the nature of traditional war. Cyber conflict more closely resembles an economic sanction, defined for this purpose as the “politically motivated withdrawal of customary trade or financial relations from a state, organization, or individual.”19 While the specific mechanism is overtly different, more subtle differences separate sanctions from war. Both strategies can be used to cause political change through three mechanisms: direct harm, making the enemy hurt so badly it quits; indirect harm, such as damaging their international reputation; or through the denial of resources, such as the bombing of a factory (in war) or a targeted arms embargo (in a sanction scheme).

Yet, a cyber attack is closer to an economic sanction. Both fail to rise to the direct lethal consequences of armed conflict. Until that capability has been unfortunately demonstrated, cyber attacks should be judged with a less stringent ethical standard, perhaps if only to prevent an actor from escalating to war in their place. Moreover, economic sanctions have an established difficulty addressing the jus in bello principle of distinction. While some ethicists judge economic sanctions as totally unethical, 20 the more important test is comparing them to their chief alternative, war. As economic sanctions generally cause less harm than a similar level of armed conflict, they may be held to a lower standard.21 Economic sanctions should be more easily justified to encourage their usage in place of more harmful war. Following this logic, cyber attacks should only be held to the ethical standards of war when they raise to equivalence to war; until then, they should be held to a lower standard, reflective of the lower harm.       Scholars of economic sanctions proposed a modification to the traditional tenets of the law of war: remove the principle of distinction and add two new principles. First, a commitment to and prospects for a political solution: the imposed sanctions must be an “alternative to war, not… another form of war.”22 Second, a humanitarian proviso that protects basic human rights to prevent the worst harms from befalling the civilian populace.23 This reformed framework is somewhat imperfect for judging cyber conflict. While cyber attacks may be an alternative to war, they are also a likely complement: As shown in the 2008 Russo-Georgian War, cyber conflict is likely to become an indelible part of war.24 Yet, the addition of cyber operations to war does not preclude a political solution any more than the first uses of military airpower; they are points on the same spectrum, from pure diplomacy to total war—diplomacy “by other means.”25

The second addition, the humanitarian proviso, readily measures the ethics of a cyber conflict. The overall goal of any ethical framework for conflict should be the minimization of undue suffering. Under the traditional principle of distinction, an attack is unethical if it targets civilians. Yet, cyber conflict may require such targeting. The humanitarian proviso aims to prevent the worst harms from affecting targeted civilians. Critically, this reflects a difference standard of measurement, with the humanitarian proviso reflecting a more effects-based judgment than the principle of distinction. Civilian computer systems, such as intermediary systems used to attack air-gapped systems, may be targeted, but they must be protected from grave harm. Given the naive judgment that a Stuxnet-like attack—which targeted intermediary systems to attack air-gapped systems26—should be ethical as it minimizes harm relative to a military alternative, but is unethical under just war theory for targeting non-combatants, this modified framework allows for more accurate evaluation of cyber conflict.

Conclusion

            Economic sanctions present a metaphor that suggests an ethical benchmark far more applicable to cyber conflict than the popular standard, the law of war. While the law of war has been successfully applied to many revolutions in warfighting, the nature of cyber conflict presents challenges to the jus in bello principle of distinction among others. This would judge as unethical nearly every known instance of cyber attacks, including the most sophisticated examples. Yet, next to war, cyber attack appears humane. It should be judged by a more tolerant ethical standard, and economic sanctions face many identical challenges in their implementation. By substituting the proposed humanitarian proviso and commitment to a political solution, cyber attacks can be ethically judged more accurately than under the traditional law of war.

 

Notes

  1. Adapted from a framework presented by Oona A. Hathaway et al., “The Law of Cyber-Attack,” (California Law Review, 2012) http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2134932.
  2. “Joint Publication 1-02: Department of Defense Dictionary of Military and Associated Terms” (US Department of Defense, November 8, 2010).
  3. “Cyber Glossary,” US Department of Homeland Security National Initiative for Cybersecurity Careers and Studies, accessed January 7, 2016, https://niccs.us-cert.gov/glossary.
  4. “Joint Publication 1-02: Department of Defense Dictionary of Military and Associated Terms.”
  5. “FM 3-38: Cyber Electromagnetic Activities” (US Department of the Army, February 2014).
  6. Michael Walzer, Just and Unjust Wars: A Moral Argument with Historical Illustrations (New York, NY: Basic Books, 2006).
  7. Ibid.
  8. Matthew Beard, “Cyberwar and Just War Theory,” Journal of Applied Ethics & Philosophy 5 (2013).
  9. James Cook, “‘Cyberation’ and Just War Doctrine: A Response to Randall Dipert,” Journal of Military Ethics 9, no. 4 (December 2010), 411–23.
  10. Joel A. Yates, “Cyber Warfare: An Evolution in Warfare Not Just War Theory” (Master’s Thesis, Marine Corps Command and Staff College, 2013).
  11. Just War Theory’s poor fit for cyber conflict has led to some to suggest eschewing the moral theory altogether. For a more in-depth discussion, see Randall R. Dipert, “The Ethics of Cyberwarfare,” Journal of Military Ethics 9, no. 4 (December 2010): 384–410.
  12. Michael N. Schmitt, “Cyber Operations and the Jus in Bello: Key Issues,” Int’l L. Stud. Ser. US Naval War Col. 87 (2011), 89.
  13. For a more in-depth discussion, see Schmitt, “Cyber Operations and the Jus in Bello.”
  14. “W32.Stuxnet,” Symantec, accessed January 7, 2016, https://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99.
  15. David Kushner, “The Real Story of Stuxnet,” IEEE Spectrumhttp://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet (accessed January 7, 2016).
  16. Vijay M. Padmanabhan, “Cyber Warriors and the Jus in Bello,” Int’l L. Stud. Ser. US Naval War Col. 89 (2013), i.
  17. “Geneva Convention Relative to the Treatment of Prisoners of War,” Office of the United Nations High Commissioner for Human Rightshttp://www.ohchr.org/EN/ProfessionalInterest/Pages/TreatmentOfPrisonersOfWar.aspx (accessed January 7, 2016).
  18. Marc Lindemann, “Civilian Contractors under Military Law,” Parameters 37, no. 3 (2007), 83.
  19. Gary Clyde Hufbauer, Jeffrey J. Schott, and Kimberly Ann Elliott, Economic Sanctions Reconsidered (Washington, DC: Peterson Institute for International Economics, 2007).
  20. Charles A. Rarick and Martine Duchatelet, “An Ethical Assessment of the Use of Economic Sanctions as a Tool of Foreign Policy,” Economic Affairs 28, no. 2 (2008), 48–52.
  21. Drew Christiansen and Gerald F. Powers, “Economic Sanctions and Just War Doctrine,” in Economic Sanctions: Panacea or Peacebuilding in a Post-Cold War World?, ed. David Cortright and George A. Lopez (Oxford, United Kingdom: Westview Press, 1995).
  22. Ibid, 114.
  23. Ibid.
  24. “The Russo-Georgian War 2008: The Role of Cyber Attacks in the Conflict” (Armed Forces Communications and Electronics Association, May 24, 2012), https://www.afcea.org/committees/cyber/documents/TheRusso-GeorgianWar2008.pdf.
  25. Carl von Clausewitz, On War.
  26. Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” Wired. http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ (accessed January 19, 2016).


US Army Comments Policy
If you wish to comment, use the text box below. Army reserves the right to modify this policy at any time.

This is a moderated forum. That means all comments will be reviewed before posting. In addition, we expect that participants will treat each other, as well as our agency and our employees, with respect. We will not post comments that contain abusive or vulgar language, spam, hate speech, personal attacks, violate EEO policy, are offensive to other or similar content. We will not post comments that are spam, are clearly "off topic", promote services or products, infringe copyright protected material, or contain any links that don't contribute to the discussion. Comments that make unsupported accusations will also not be posted. The Army and the Army alone will make a determination as to which comments will be posted. Any references to commercial entities, products, services, or other non-governmental organizations or individuals that remain on the site are provided solely for the information of individuals using this page. These references are not intended to reflect the opinion of the Army, DoD, the United States, or its officers or employees concerning the significance, priority, or importance to be given the referenced entity, product, service, or organization. Such references are not an official or personal endorsement of any product, person, or service, and may not be quoted or reproduced for the purpose of stating or implying Army endorsement or approval of any product, person, or service.

Any comments that report criminal activity including: suicidal behaviour or sexual assault will be reported to appropriate authorities including OSI. This forum is not:

  • This forum is not to be used to report criminal activity. If you have information for law enforcement, please contact OSI or your local police agency.
  • Do not submit unsolicited proposals, or other business ideas or inquiries to this forum. This site is not to be used for contracting or commercial business.
  • This forum may not be used for the submission of any claim, demand, informal or formal complaint, or any other form of legal and/or administrative notice or process, or for the exhaustion of any legal and/or administrative remedy.

Army does not guarantee or warrant that any information posted by individuals on this forum is correct, and disclaims any liability for any loss or damage resulting from reliance on any such information. Army may not be able to verify, does not warrant or guarantee, and assumes no liability for anything posted on this website by any other person. Army does not endorse, support or otherwise promote any private or commercial entity or the information, products or services contained on those websites that may be reached through links on our website.

Members of the media are asked to send questions to the public affairs through their normal channels and to refrain from submitting questions here as comments. Reporter questions will not be posted. We recognize that the Web is a 24/7 medium, and your comments are welcome at any time. However, given the need to manage federal resources, moderating and posting of comments will occur during regular business hours Monday through Friday. Comments submitted after hours or on weekends will be read and posted as early as possible; in most cases, this means the next business day.

For the benefit of robust discussion, we ask that comments remain "on-topic." This means that comments will be posted only as it relates to the topic that is being discussed within the blog post. The views expressed on the site by non-federal commentators do not necessarily reflect the official views of the Army or the Federal Government.

To protect your own privacy and the privacy of others, please do not include personally identifiable information, such as name, Social Security number, DoD ID number, OSI Case number, phone numbers or email addresses in the body of your comment. If you do voluntarily include personally identifiable information in your comment, such as your name, that comment may or may not be posted on the page. If your comment is posted, your name will not be redacted or removed. In no circumstances will comments be posted that contain Social Security numbers, DoD ID numbers, OSI case numbers, addresses, email address or phone numbers. The default for the posting of comments is "anonymous", but if you opt not to, any information, including your login name, may be displayed on our site.

Thank you for taking the time to read this comment policy. We encourage your participation in our discussion and look forward to an active exchange of ideas.