An area of particular concern for nations in the modern age is cyber warfare. Both individuals and states have the capability to conduct cyber espionage to steal government and business secrets, to disrupt online access for banking, government and private business, and even to cause physical damage in the real world using cyber weapons. The United States and many other nations have already identified cyber war as the next frontier for both offensive and defensive strikes, and given this undertaking, several difficult questions emerge. Can a cyber-attack, which occurs in the digital environment, warrant a kinetic military response? If so, what is the threshold where a state becomes authorized to defend itself militarily? Do the laws of armed conflict apply in the cyber realm? Do international laws apply to cyber warfare? These questions are difficult because the answers aren’t explicitly addressed within existing ethical paradigms, nor has international law been able to develop clear and concise guidance.
It is these questions that George Lucas, a noted military ethicist who currently specializes in cybersecurity and cyberwarfare, tackles in his latest book, Ethics and Cyber Warfare: The Quest for Responsible Security in the Age of Digital Warfare. Key to his argument is that Just War Theory and ethics in general are more than capable of analyzing this new phenomenon in order to establish guidelines. In addition, he shows that international law does have the means to address some of the questions that emerge when considering cyberwarfare. Ultimately, he breaks down cyberwarfare into two separate categories: effects-based, which causes physical effects comparable to kinetic weapons, and state-sponsored hacktivism, which is focused more on political effects. This distinction is important in that effects-based cyberwarfare constitutes a clear act of war, whereas state-sponsored hacktivism is more difficult to evaluate.
Despite the difficulty in evaluating hacktivism, he states that normative policy is emerging to address its use. These norms are based on principles that cyber-attacks should not be directed at civilians or civil infrastructure but should be directed at military targets. These attacks should minimize collateral damage and be proportional to the threat, and cyber-attacks are equivalent to armed force when they inflict physical damage equal to a conventional attack. Thus, the majority of what has been termed cyberwarfare fails to meet criteria for use of force at all. The two well-known cases are the use of Stuxnet to destroy Iranian nuclear centrifuges, and the Israeli use of a cyber-attack to jam Syrian missile defense in order to bomb nuclear facilities.
Lucas adopts an easy-to-follow structure for framing the ethical issues in cyberwarfare, the common misconceptions of ethics within this realm, and the methodology that ethics might use to determine best practices. He likewise uses historical case studies to illustrate ethical concepts and drive home his points, focusing on four key cases: Stuxnet, Israel’s 2007 cyber-attack against Syrian missile defense, the hacktivist cyber-attack on Estonian websites in 2007, and Russia’s cyber-attack in Ossetia in 2008. To analyze these cases, he uses the Aristotelian method presented in Posterior Analytics to establish the emergent norms in cyberwarfare, analyzing which practices are better or worse based on operational effectiveness. Using this technique, Lucas highlights that one is able to get past the naturalistic fallacy of developing what ought to be done in cyberwar from what is done.
Lucas points out that the “classical social-contract portrait of international anarchy in interstate relations [is] in full force in the cyber domain” (p. 110) but that there is evidence that the “emergence of norms of responsible state behavior” will likely drive states to the bargaining table. Furthermore, he uses the Just War tradition and the concepts of jus ad bellum and jus in bello to present jus in silico, highlighting that “nearly all principles of just war moral discourse that guide decisions and actions in conventional and irregular conflict would find their counterpart or analogue in the cyber domain” (p. 103).
Beyond the conceptual discussion of ethics in cyberwarfare, the author also applies ethics directly to the current U.S. domestic big data collection exposed by Edward Snowden. Here he gives a very even-measured analysis, determining that the key issue with the U.S. government collection program is that it was not presented to and consented to by the American public. In exploring this issue, he presents the marked difference between a right to privacy and a right to anonymity, with the former holding more weight than the latter. The key components that make anonymity unnecessary are the fact that there is currently due process and adversarial review of material before individual anonymity is lost through government big data collection. The key caveat Lucas presents with regard to anonymity is a situation where the government does not have due process or adversarial review and targets the dissenting population. In that type of environment, individuals then have a right to anonymity. However, anonymity is ultimately the opposite of transparency.
The real area of strength in the book is Lucas’s ability to simultaneously defeat a ‘folk morality’ mindset and outline the ways that ethics contribute to addressing the moral considerations of cyberwarfare. Folk morality, which is rooted in self-interest and moral relativism, is convincingly defeated through contemporary examples of professions that adopted moral norms that have since seen universal adherence. Lucas uses the medical profession to illustrate this concept by highlighting that physicians “generated ethical codes composed of widely held normative moral principles that rest on something more morally substantive than mere risk management or the concentration of their self-interests” (p. 95). This is a key element to the whole discussion of ethics in cyberwar because the cyber realm currently functions in anarchy. Were there no examples of small groups, or otherwise, coming together to outline rules for ‘the common Good,’ then there would be little reason to expect states who are driven by self-interest to self-restrain their cyber activities. Yet, Lucas demonstrates that it is not only possible, but also in states’ self-interest to implement ethics in cyberwarfare.
The point of weakness with the book is that the author stops short of outlining a clear code of ethics, despite making a strong case that one should exist. While he does demonstrate how elements of Just War Theory are applicable, specifically that the majority of cyberwar activities are justifiable as preventative war in the face of an imminent threat and that there are emerging norms of behavior, he leaves the articulation of a code of ethics to the cyber-warriors and the states that employ them. Given the pervasiveness of what he terms ‘folk morality’ in the very individuals he suggests should develop the code, it seemed shortsighted to not offer a framework rooted in real ethics/morality for those engaged in cyberwarfare to build off of.
Overall, the book is an excellent source for exploring the ethics of cyberwar and certainly provides food for thought regarding the different types of cyber-attacks and their implications. The reader is left with a firm understanding that ethics certainly do apply to this new frontier of conflict and how one should advocate for ethics integration. Despite the inherently technical nature of the cyber realm, the author presents his arguments and material in a way that both a technical expert and a lay individual can follow. Beyond being an important text for those engaged in cyberwar defense and planning, it is worth the read for anyone who is concerned about internet privacy and anonymity.
William Ryan is a recent graduate of the MA in International Affairs program at the Frederick S. Pardee School of Global Studies at Boston University. He also has a BA in History from the University of Kansas and an MPA from Webster University. He is a U.S. Army Foreign Area Officer specializing in South Asia and has previously served in multiple positions focused on countering violent extremism in the Afghanistan/Pakistan (AF/PAK) region. His research focuses on U.S. relations with Central and South Asian states.