Binary Bullets: The Ethics of Cyberwarfare

Placeholder book cover

Fritz Allhoff, Adam Henschke, and Bradley Jay Strawser (eds.), Binary Bullets: The Ethics of Cyberwarfare, Oxford University Press, 2016, 296pp.

Reviewed by Saba Bazargan-Forward, University of California, San Diego


When we engage in cyberwarfare we use computing communications technology to gain unauthorized access to an adversary's computer networks for the purposes of exfiltration, disruption, or deception, in furtherance of imposing our political will upon that adversary (or to otherwise prevent them from imposing their political will upon us). This volume provides much-needed and timely ethical and legal analysis of cyberwarfare (including whether it counts as a form of warfare at all). It does so in an admirably interdisciplinary way; the contributors include not only philosophers, but military ethicists, legal theorists, political theorists, psychologists, and scientists. All the contributors have some background in thinking about this issue; several are pioneers in the field.

Because the issue of cyberwarfare is so new, and because the theorists make their points largely without the use of recherché examples (not a single trolley case is to be found here) they largely discuss the same cases -- i.e., the half-dozen or so instances of cyberwarfare that have occurred over the past dozen or so years. An advantage is that though the essays are independent and self-standing with few or no references to each other, they cohere quite well since they share not just a general topic but specific case-studies as well. A disadvantage, though, is that there is an unfortunate tendency for each author to reintroduce these case-studies in each essay; it would have been less tiresome for the reader if the editors has introduced the case-studies in the intro or in an appendix to which each contributor could then refer the reader.

The book has four parts. The first addresses the ethical and legal framework emerging from the advent of cyberwarfare. The second connects issues of cyberwarfare to issues in the just war tradition. Part three examine the roles of various agents who participate in cyberwarfare. And part four addresses the specific issues of privacy and deception as they pertain to cyberwarfare.

In what follows I will briefly summarize each article in the volume, reserving some select criticism for two of them.

George R. Lucas Jr.'s 'Emerging Norms of Cyberwarfare' provides an overview of the legal landscape pertaining to cyberwarfare, and argues that new moral and legal norms have begun to emerge. He specifies four such emerging norms. 1) Cyberattacks ought never to deliberately target civilians, civilian objects, or civilian infrastructure. 2) Collateral damage of cyberattacks should be kept at a minimum while inflicting only as much damage as is commensurate with the threat represented by the target itself. 3) A cyberattack is morally or legally equivalent to the use of armed force whenever it inflicts a harm or damage equivalent to what a conventional attack would cause. 4) When choosing between methods of force against a military target, the method capable of neutralizing the target with the least collateral damage is always preferable whenever feasible.

Michael N. Schmitt and Liis Vihul's 'The Emergence of International Legal Norms for Cyberconflict' tracks the historical development of legal norms pertaining to cyberwar and discuss their regulatory impact. In addition to serving as a useful reference and primer to international law on cyberwarfare, the essay also details the various impediments we face in translating emerging norms governing cyberwarfare into treaties and customary law. This includes the difficulty of verifying compliance with their terms and in effectively enforcing them.

Randall R. Dipert's 'Distinctive Ethical Issues of Cyberwarfare' argues that cyberwarfare -- a domain in which we have yet to develop concepts necessary to fully comprehend the activity within that domain -- is morally distinctive from more traditional forms of warfare. One of the key differences, he suggests, is that cyberattacks typically do not cause death or widespread destruction. When the intentional or foreseeable effect of cyberwarfare does indeed rise to the level and kind of harm typically seen in traditional forms of warfare, only then is there reason to think that traditional international law and ethics -- including just war theory -- applies. But more fundamentally, there is an important ontological difference, Dipert maintains, between cyberwarfare and traditional warfare that makes cyberattacks per se a fundamentally different category of attack (presuming that they do not cause deaths, injuries, or 'permanent destruction'). Specifically, Dipert says that malware is a type of software and that "software is of the nature of an idea or thought, but we do not generally consider ideas to be, literally weapons" (62). But it seems to me we can use this analogy to demonstrate the respect in which malware is indeed a weapon. If malware is like an idea, then forcibly implanting unwanted malware in a system -- especially damaging malware -- can be likened to brainwashing by forcibly implanting an idea or belief in someone's head. And brainwashing (covertly or not) as a procedure is surely an attack upon its victim. If ideas and beliefs can be weaponized by the means in which they are forcibly implanted, then it seems that malware can be as well. This cavil aside, Dipert nonetheless maintains that the differences in effect and in kind and between cyberwarfare and traditional warfare are ethically significant.

Eminent thinkers have maintained that we cannot conceptualize cyberwar as a species of war. David Whetham's 'Cyber Chevauchées: Cyberwar Can Happen' disagrees. To make his argument he compares cyberwarfare to the strategic role that chevauchées played in medieval warfare. Chevauchées were mounted soldiers who would plunder and pillage wantonly in enemy territory. This undermined the enemy's political legitimacy by demonstrating that they were unable to protect their own people, which, it was thought, pressured the enemy to sue for peace. Whetham argues that some cyberattacks play functional roles similar to chevauchées, which suggests that they can be conceptualized within a broader notion of war, contrary to what others have argued.

Ryan Jenkins's 'Cyberwarfare as Ideal War' argues that there is a significant potential upside to cyberwarfare. He point out, like Dipert, that it generally causes less collateral damage than conventional warfare. Whereas kinetic warfare ineluctably threatens noncombatants, Jenkins argues that cyberwarfare could, at least in principle, be more discriminatory and proportionate; in that respect cyberwarfare is morally preferable. But if Jenkins is correct, it suggests that the number of permissible cyberwars will be far greater than the number of permissible conventional wars, precisely because they more easily satisfy the constraints of proportionality and necessity. This itself is not necessarily a bad thing; but if for each cyberwar there is a risk that the victim will respond with conventional attacks, we might see a greater number of kinetic wars in the long run if maximally discriminate and proportionate cyberwars are countenanced in the way Jenkins suggests.

Brian Orend's 'Postcyber: Dealing with the Aftermath of Cyberattacks' applies his well-developed account of jus post bellum to cyberwarfare by arguing for associative rights and obligations following cyberattacks. Specifically, he argues that jus post bellum should emphasize: a) public accountability, b) discrimination and noncombatant immunity in postwar measures, c) reversal of cybertheft, if possible, d) punishment of cybercriminals, e) 'disarming' cybercriminals, f) compensation and targeted sanctions, and g) rehabilitative aid, including restoration of cyber facilities.

Matthew Beard's 'Beyond Tallinn: The Code of the Cyberwarrior?' argues that we have neglected to seriously discuss the morality of cyberwarriors: those who implement cyberattacks. Beard uses the martial virtues as a framework for discussing how we should think about the conduct of cyberwarriors. He does so partly by a) investigating how recent international agreements include explicitly and implicitly codes of conduct for cyberoperations, and b) arguing that the traditional warrior code is ill-suited to the cyberdomain. The positive code that Beard develops is framed around what he argues are the three functions of a cyberwarrior: espionage, sabotage, and assassination. With respect to the third role, Beard argues that intentional killing via cyberattacks should never be permitted. But against this, we might think that if we restrict such conduct then adversaries will repair to conventional means of killing which might have greater collateral damage; perfidious cyber-killing might be preferable (notwithstanding the thesis of Heather M. Roff's contribution below).

Daphna Canetti, Michael L. Gross, and Israel Waismel-Manor's 'Immune from Cyberfire? The Psychological and Physiological Effects of Cyberwarfare' presents their empirical studies of the kinds of psychological harms that cyberattacks cause; the results are interesting. In evaluating the psychological effects of cyberterrorism by drawing from laboratory-simulated cyberattacks, they concluding that cyberterrorism causes significant anxiety and substantially influences rational political thinking, to the extent that cyberterrorism violates the principle of noncombatant immunity even when it does not cause physical harm.

I have, however, some reservations about this view. Part of the revisionist project in work on the morality of war over the past fifteen years has been to argue that civilians can indeed bear some moral responsibility for the unjust wars their governments wage. There are various grounds for this responsibility. The most familiar and oft-cited grounds are causally contributory: civilians in developed and developing countries pay taxes funding their military, and through their everyday activities they maintain the economic and civil infrastructure necessary for their state to wage war. Less often cited are normative grounds for civilian responsibility. Civilians benefit from the protection that their armed services afford. But a moral hazard of this benefit is that the institution might go 'off the rails' by waging an unjust war. In such a case, costs are imposed on third parties -- i.e., on other countries. If the civilian beneficiaries can reduce those costs by absorbing some of them, then they should do so since it is unfair to shift the costs of a protective service to those who do not enjoy that protection.[1] But regardless of what the grounds of responsibility are for civilians, they generally do not rise to the level at which civilians can be intentionally killed or maimed. What harms, then, (short of bodily harms) can be intentionally imposed on civilians of a country waging an unjust war, where imposing such measures is necessary to save lives? The authors discuss in detail the sort of anxiety and distress that cyberattacks targeting civilians can cause; it seems to me that these are precisely the sort of sub-lethal harms to which civilians in a country waging an unjust war might be morally liable to suffer if necessary to prevent their military from killing unjustly. Under these sorts of circumstances targeting civilians with cyberattacks would be morally permissible. Of course, enshrining such a legal permission in the law would lead to the illicit over-application of such a permission. For this reason, the authors might be correct in arguing that cyberattacks targeting civilians should be illegal -- but not because, as the authors suggest, that targeting civilians is always or usually immoral.

David Danks and Joseph H. Danks's 'Beyond Machines: Humans in Cyberoperations, Espionage, and Conflict' investigates the cognitive constraints, biases, and heuristics of human agents across a range of roles pertaining to cyberwarfare, namely, those who: a) develop, b) target, c) defend, and d) witness the aftermath of, cyberaction. In accordance with Beard, Canetti, Gross, and Waismel-Manor, Danks and Danks argue that any conceptual or ethical evaluation of cyberwarfare will be incomplete absent an account of the psychological biases -- be they cultural or innate -- of the human actors involved in the aforementioned roles. They argue, in effect, that the epistemic difficulties endemic to conventional warfare (the fog of war) are magnified in cases of cyberwarfare.

The just war tradition distinguishes between licit deception (e.g., ambush) and illicit perfidy (e.g., feigning protected status).  Heather M. Roff's 'Cyber Perfidy, Ruse, and Deception' develops this distinction and applies it to various types of cyberoperations. She argues that though cyberoperations are by their nature deceptive, they are permissible so long as they do not operate by establishing a 'confidence nexus' in furtherance of killing, injuring, or capturing an adversary. This is a case in which the cyber-aggressor feigns the credentials of a civilian in order to deceive the adversary into believing that she has been accorded a moral or legal protection; the cyber-aggressor then exploits this false sense of security to kill, injure, or capture the adversary.

This essay is an outstanding contribution to the volume, but it ignores an important distinction between two kinds of perfidy. Part of what explains the constraint against perfidy in conventional warfare is that it protects civilians and others with similarly protected status (such as wounded soldiers, POWs, and surrendering soldiers). If we legally allow perfidy there will be an incentive to feign protected status in order to gain a tactical advantage over an adversary. This, in turn, will have a corrosive effect on the legally protected status of those genuinely entitled to that status as combatants begin targeting protected individuals under the belief that they might be combatants feigning protected status. There is, then, in addition to the wrongfulness of perfidy per se, a powerful prudential reason to disallow perfidy. But this prudential reason is absent in cases of cyberattacks. It is true that such attacks by their very nature feign civilian credentials; but there is no obvious analogue of a preemptive cyberattack against civilians mistakenly believed to be engaged in cyberwarfare. Cyber-perfidy does not incentivize attacking civilians in the way that conventional perfidy does. Hence cyberattacks -- even those resulting in bodily harm -- do not threaten to undermine obeisance to the convention of civilian immunity in the way that illicit perfidy in the context of conventional war does. Roff does not address this important disanalogy between the two kinds of perfidy. Properly addressed, the disanalogy suggests the following conclusion: cyberwarfare necessarily involves perfidy but it is not morally as bad as the illicit perfidy in conventional warfare since the latter but not the former undermines civilians' immunity.

Seumas Miller's 'Cyberattacks and "Dirty Hands": Cyberwar, Cybercrime, or Covert Political Action?' distinguishes in detail between cyberwar, cyberterrorism, cybercrime, cyberespionage, and what he calls 'covert political cyberaction' -- a species of covert political action. He argues that a plurality of inter-state cyberattacks are best understood not as acts of war or as criminal acts, but as a species of covert political action. He gives a preliminary ethical analysis of covert political cyberaction by arguing that it is understood as a species of 'dirty hands' action -- conduct that infringes a right in order to avert a sufficiently worse state of affairs. Note though that if Roff is right (in the previous article) that certain kinds of cyberattacks necessarily involve perfidy, it might be harder than Miller suggests to justify covert political cyberattacks. He also argues, though, that a retrospective and prospect form of the principle of reciprocity -- which permits one party to commit a verboten act if an adversary has committed it -- can be a justifying principle for covert political cyberattacks despite the fact that the principle is not justifying in its application to conventional warfare. The result is that there can be moral justifications for covert political cyberattacks other than that of self- or other-defense.

Michael Skerker's 'Moral Concerns with Cyberespionage: Automated Keyword Searches and Data Mining' investigates the morality of two types of national security electronic surveillance programs (both of which Edward Snowden revealed) -- those which analyze the 'metadata' of communication activity, and those which analyze 'keyword searches'. Skerker develops a standard for balancing coercive government action against respect for autonomy of inhabitants; he argues that it is possible for both types of national security operations to meet that standard. However, he argues that moral consistency requires that if we permit our government to conduct such operations against foreign targets, then it means we have no basis for complaint should those adversaries engage in similar operations against us. This suggests that to the extent we are concerned with infringements of privacy, we should adopt a conservative attitude toward intelligence collection by countenancing only the information-gathering tactics abroad that we use domestically.

In summary, this volume is philosophically rich, empirically informative, and eminently relevant; it is a must-read for anyone interested in the topic of cyberwarfare or war in general.

[1] Jeff McMahan argues for a version of this view in: Killing in War, Oxford: Clarendon Press, 2009, p. 215. See also Tadros, Victor 'Orwell's Battle with Brittain: Vicarious Liability for Unjust Aggression', Philosophy and Public Affairs 42 (2014), 42-77.