Author: Seumas Miller
Relatively recent high profile cyber-attacks and/or acts of cyber-espionage include the following: the denial of service cyber-attack on Estonian banks, media and government web sites in 2007 perpetrated (it is presumed) by Russia; the Stuxnet malware attack—in which the software worm, Stuxnet, was used to disrupt Iran’s nuclear enrichment ICT (information and communication technology) infrastructure in the context of a joint US and Israeli operation (Olympic Games) established to disrupt Iran’s nuclear program; Operation Orchard—the Israeli bombing of a Syrian nuclear facility after they had penetrated of Syrian computer networks and ‘turned off’ Syrian air defence systems; Mandiant—the US computer-security firm which has documented ongoing Chinese cyber-theft and disruption of the websites and other ICT infrastructure of US corporations and government agencies; WannaCry – ransom-ware attacks on the UK National Health Scheme possibly emanating from North Korea.
Whereas cyber-attacks by terrorists have not thus far been common—due, presumably, to the lack of relevant technical expertise in the context of sophisticated state-based cyber-defence systems and a preference for high impact kinetic attacks, such as beheadings, suicide bombings, IEDs, car bombs, lethal shootings—recent international terrorist attacks, nevertheless, have relied heavily on ICT. For terrorist attacks are a lethal means of terrorizing members of some social or political group to achieve the terrorists’ political purpose. Accordingly, terrorism relies on the violence receiving a high degree of publicity; a degree of publicity necessary to engender widespread fear in the target political or social group.
Take the 9/11 attacks on the Twin Towers in New York. These were not cyber-attacks. However, qua terrorist attacks, the Twin Towers attacks were a huge success. They were a huge success from the terrorists’ perspective, not only because they killed almost 3000 people, destroyed an iconic building and disrupted, for example, global financial flows, but because they received an extraordinarily high level of publicity. Consider, for example, the endless repetition by global media outlets of the images and video footage of the hijacked planes crashing into the Twin Towers buildings.
Crucially, for our purposes here, much of the disruption, and certainly the extraordinary level of global visibility, was only enabled by ICT based, densely interconnected, international media networks, global financial systems and so on. The so-called Islamic State of Iraq of Syria (ISIS) has relied heavily on social media. It has not only created its own high quality production media text, images and video footage and communicated this propaganda globally it has also utilized social media for targeted recruitment purposes. Accordingly, in discussing cyber-attacks we should distinguish, but also keep in mind, non-cyber-attacks which, nevertheless, rely in very important ways on ICT.
Moreover, given the vulnerabilities attendant upon the emerging Internet of Things (IOT) and the setbacks to ISIS and AQ in respect of their attempts to establish their modern-day caliphate, it seems only a matter of time before jihadist terrorists embark on a sustained campaign of cyber-attacks in an attempt to wreak havoc on critical infrastructure.
A key problem in relation to cyber-attacks by nation-states on other nation-states and, therefore, in relation to the attempt to characterize them as quite literally acts of cyberwar is the so-called problem of attribution. Unlike most attacks in conventional wars or, for that matter, conventional crimes of assault or theft there is a major epistemic problem in cyber-security: the problem of reliably attributing responsibility and, conversely, the credibility of denial of responsibility on the part of culpable aggressors. Because harmful cyber-activity is difficult to distinguish from benign cyber-activity, and because actors in the cyber-world are densely interconnected by indirect pathways, it is often extremely difficult to pinpoint the source of a cyber-attack, or even to know that an attack rather than, say, a malfunction has taken place.
Moreover, the attribution problem is not simply a technical issue; it is not simply a matter of, so to speak, technical computer forensics. As with the determining of culpability for crimes in general, or ascribing responsibility for covert acts of aggression in wartime, there is a complex mix of rational and evidential considerations in play. These include: (i) elements of the framework of rationality, such as motive, ability and opportunity; (ii) physical evidence, for example as a basis for computer forensics; (iii) testimony. There is also the question of weighing the different kinds of evidence in play and the internal coherence of the overall narrative attributing responsibility to this or that actor.
However, a key problem in the case of cyber-attacks emanating from foreign nation-states, as opposed to from within a domestic jurisdiction, is the problem of access. It is not possible, for example, for the US to send a team of investigators, replete with computer forensics specialists, to China to the People’s Liberation Army building from which Mandiant claims cyber-attacks have emanated for the purpose of interviewing relevant personnel, removing the computers for forensic scrutiny and so on. China can both deny responsibility for the crimes in question and (on grounds of national sovereignty) deny access to investigators; yet without access to such evidence, criminal responsibility may be extremely difficult to prove and, as a consequence, denial of criminal responsibility may well be credible.
At any rate, the existence of the ‘problem’ of attribution and, as a consequence, the credibility of denial makes cyber-attacks an extremely useful tactic for nation-states seeking to avoid outright war but, nevertheless, engaged in the age-old strategy of covert political operations against other nation-states they regard as enemies but with whom they are not actually at war. Historically, the tactics deployed in covert political operations have included assassination of the political leaders of such ‘enemy’ states, the financing of coup d’etats and other insurrectionary movements, and destabilizing ‘enemy’ states by spreading disinformation and propaganda, deploying agent provocateurs and so on.
As we saw above, by contrast with nation-states, terrorist groups may well want to take credit for their attacks and maximize public awareness of these attacks and their responsibility for them. Accordingly, paradoxically, in the case of terrorism the attribution problem may well be a problem for the aggressors rather than the victims of the attack. However, this point should not be over-stated, given that culpable cyber-aggressors can deliberately furnish evidence of their culpability.
In the light of the above discussion, I suggest that many, if not most, cyber-attacks by state actors against other state actors, especially cyber-attacks by nuclear powers against other nuclear powers or their allies, can typically be appropriately regarded, not as acts of war, but rather as covert political operations—specifically, covert political cyber-attacks—which stop short of war. I suggest that many of the cyber-attacks emanating from China against the US (Mandiant) and emanating from the US against, for example, Iran (Stuxnet), or from Russia against Estonia and other European states, can be so regarded.
This is, as we have seen, not to say that there are not cyber-attacks which are, in fact, acts of war, for example Operation Orchard; I am not denying the possibility of what would be quite literally cyberwar. Nor am I settling the difficult questions broached above concerning the threshold settings for war. Moreover, there are many cyber-attacks which are neither acts of war nor plausibly characterized as covert political operations. For in some cases cyber-attacks have no political or military purpose and are neither conducted by nation-states (or their security agencies or proxies thereof) nor directed at nation-states (or at individuals or organizations qua members of a nation-state). For example, many cyber-attacks are simply crimes directed at corporations and carried out by criminals or criminal organizations for financial gain. Moreover, as already stated, cyber-attacks perpetrated by terrorist groups while politically motivated may well not be covert operations. Whether or not such terrorist cyber- attacks constitute acts of war is doubly problematic, given the controversies surrounding the classification of even kinetic attacks by terrorist groups as acts of war.
The actions that constitute the core of covert political actions are multifarious. As already mentioned, they include assassination, support for coups d’etat, sabotage, theft, spreading of disinformation, use of agents provocateurs, espionage, and so on. Aside from their political motivation they have another thing in common; they are harmful actions normally regarded as immoral. Moreover, as stated above, covert political action and, therefore, covert political cyber-action are typically illegal, either in terms of international or domestic law (or both).
In short, covert political actions and, therefore, covert political cyber-actions, are morally justified, if at all, by the greater good that they serve—specifically, the greater good that consists of the realization of their motivating political purposes. Naturally, the political purposes served by covert political actions do not necessarily morally justify these actions and, indeed, in many cases the political purposes themselves are not morally acceptable, for example covert operations conducted to further the political interests of the Soviet Union under Stalin or covert operations, such as terrorist financing or arms procurement, conducted by jihadist terrorist groups in the service of establishing a totalitarian theocracy of the kind advocated by ISIS.
However, the most appropriate moral category, or general description in the philosophical tradition, under which to file most covert political actions and, therefore, many, if not most, covert political cyber-actions is, I suggest, that of so-called dirty hands. Covert political action is typically a paradigm of dirty hands; doing what is wrong in order to achieve some (allegedly) greater good.
Here is it important to distinguish dirty hands actions from lawful and morally justifiable but, nevertheless, harmful actions. Presumably, the lethal and other harmful actions of soldiers in wartime, in so far as they comply with just war theory (both the jus ad bellum and the jus in bello) are not instances of dirty hands actions. Nor are the harmful actions of police officers, (e.g. the use of coercive force to effect an arrest), instances of dirty hands in so far as they comply with legally enshrined moral principles.
If this is correct then covert political action and, therefore, covert political cyber-action poses particular challenges, both for the law enforcement model of such actions and for just war theory. On the one hand, covert political cyber-action is (more or less) by definition action short of war; its whole raison d’etre is typically to harm an ‘enemy’ state without triggering war and, especially, in the case of nuclear powers, to avoid triggering nuclear war. So the application of just war theory is, at least for the most part, inappropriate; it largely misses its mark.
On the other hand, covert political cyber-action is (more or less) by definition unlawful. Accordingly, there is a strong moral presumption against its use. Yet, for reasons elaborated below, it does seem morally justified on some occasions and in some areas, for example cyber-espionage. So the application of the law enforcement model leaves the problem largely untouched; the problem being the apparent moral justifiability of many instances of covert political action and, therefore, of covert political cyber-action, notwithstanding their unlawfulness. An important exception to this is covert cyber-action performed by terrorist groups and certainly by jihadist terrorist groups; such action is, presumably, both unlawful and morally unjustified.
Although admittedly the distinction is not clear-cut let us, nevertheless, distinguish between two species of covert political cyber-action, namely, covert political cyber-attacks and cyber-espionage. As mentioned above, cyber-attacks do not include purely defensive measures such as firewalls and password protection. Again, as mentioned above, cyber-attacks, if successful, are harmful (directly or indirectly) in one or more of the following ways: (i) physical or psychological harm to human beings per se; (ii) physical destruction; (iii) cyber-harm, for example data destruction; (iv) institutional harm.
As already stated, covert political cyber-attacks are, in the paradigm cases, covert unlawful, harmful actions short of war undertaken by one nation-state against another nation-state (or non-state political actor) for political purposes.
Since such actions are typically unlawful an immediate response might be as follows: (i) one’s own government ought not authorize covert political cyber-attacks and one’s own security agencies ought to cease to carry out such attacks; (ii) foreign governments who authorize covert political cyber-attacks and their security agencies who carry them out ought to be investigated and, if appropriate, prosecuted and punished in accordance with (presumably) international law. In short the law enforcement model ought to be relied on to deal with this problem.
Unfortunately, in the case of covert political cyber-actions this law enforcement approach is not practicable, given the attribution problem and the current state of the international criminal justice system. This is not to say that it is not worth striving to bring into existence a more effective international criminal justice system in respect of cyber-attacks in general and covert political cyber-attacks in particular; quite the contrary, as in fact I suggest below. However, to reiterate, it is to say that full-blown application of the law enforcement model to covert political cyber-actions is not practicable at this stage in the development of the international order.
So the question to be addressed is: Can our own covert political cyber-attacks be morally justified in an overall context in which other nation-states are routinely engaging in such attacks on us and on one another? In short, can covert political cyber-attacks be morally justified in what is in effect a state of nature – a cyber-state of nature (if this is not a contradiction in terms)?
The existence of this cyber-state of nature notwithstanding, covert political cyber-attacks do need to be morally justified; I am not advocating a so-called ‘realist’ view of the international order. In particular, they need to be justified, at least in the first instance, by recourse to some morally weighty political purpose. For example, it was not morally justifiable for Russia to launch a covert cyber-attack on, say, Estonia’s ICT infrastructure merely because it judged it to be in its political interest to do so. On the other hand, if the US finds itself under frequent and ongoing covert cyber-attack from, say, North Korea, and these attacks threaten to destroy or seriously disrupt key US ICT infrastructure, then the US may well be morally justified on self-defense grounds in responding in kind.
So, on the one hand, we confront a cyber-state of nature and, on the other, we are not absolved from the need to provide moral justifications for our own covert political cyber-attacks. I suggest that a number of familiar moral principles remain in play albeit in a somewhat different form. The principles in question exist in both the criminal law (and are, therefore, in part constitutive of the law enforcement model) and in just war theory, albeit in somewhat different forms. First, there is the principle of self-defense, for example defense of a national infrastructure asset. Second, there is the principle of necessity; a cyber-attack might be morally justified if diplomatic means, for example, have been or would be ineffective. Third, there is the principle of proportionality; the US might not be entitled, for example, to destroy China’s ICT infrastructure if China has only been engaged in disruption of US infrastructure. Fourth, there is the principle of discrimination; it is prohibited to intentionally harm innocent third parties. However, as is typically the case in states of nature, there is another moral principle in play, namely, the principle of reciprocity. Roughly speaking, if you harm me then I am entitled to harm you, at least by way of providing a deterrence to any future harm to me that you might be contemplating. I note that the principle of reciprocity is not normally taken to be constitutive of just war theory nor is it typically invoked by proponents of the law enforcement model. However, it is a well-established principle, or set of related principles, applicable in various moral contexts.
 The material in this paper is derived from Seumas Miller “Cyber-attacks and ‘Dirty Hands’: Cyberwar, Cyber-Crimes or Covert Political Action?’ in (eds.) F. Allfhoff, A Henschke and B J. Strawser, Binary Bullets: The Ethics of Cyberwarfare ( Oxford: Oxford University Press, 2016) pp. 228-250.
 Seumas Miller Terrorism and Counter-terrorism: Ethics and Liberal Democracy (Blackwell, 2009) Chapters 4 and 5.
 For further discussion see Miller “Cyber Attacks and ‘Dirty Hands’” op. cit.