![Sample our Humanities journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5939/TOC-Subject-Sample-2021-Humanities.jpg"})
Abstract
While most normative evaluations of military cyber-operations have emerged from the legal community, this article assesses the legitimacy of such operations from a philosophical-ethical perspective. After reviewing the relationship between rights forfeiture and the jus ad bellum and jus in bello criteria of the just war tradition, it applies these criteria to several aspects of cyber-operations, including responses to cyber-activities, the use of cyber-capabilities affecting combatants and civilians, and the use of these capabilities by contractors. Finally, it briefly addresses the legitimacy of limiting rights to privacy and anonymity in service of preventing cyber-harm.
Notes
1. Among the outstanding legal thinkers on these issues are Michael Schmitt, Walter Gary Sharp, Sr., Charles Dunlap, Eric Jensen, and Sean Watts.
2. This article is the fruit of a 2011–12 research project conducted at the United States Naval Academy's Stockdale Center for Ethical Leadership by Center staff and the following fellows: Randall Dipert, State University of New York at Buffalo; Chris Eberle, US Naval Academy; Panayotis Yannakogeorgos, Air Force Research Institute; and Bradley Strawser, Naval Postgraduate School. Participating Naval Academy faculty and staff were: Michael Skerker; Major Kyle Phillips, USMC; and CMDR Michael Rak, USN. Additionally, the Center collaborated on this research with representatives from the US Cyber Command, National Security Agency, National Intelligence Council, Central Intelligence Agency, and Verizon.
3. For purposes of this paper, the ad bellum criteria are legitimate authority, just cause, right intention, last resort, reasonable chance of success, and proportionality; the in bello criteria are discrimination, military necessity, and civilian due care.
4. Contrary to the compelling thought of Perry (Citation2007), dignity alone renders these preconditions inviolable – not-to-be-violated; no other quality, such as ‘inviolability,’ is necessary.
5. The rich and sophisticated literature on forfeiture includes Wellman (Citation2012), Goldman (Citation1979), Simmons (Citation1991, Citation1992), Morris (Citation1991), Lippke (Citation2001), and Boonin (Citation2008).
6. The classic formulation of this compromise is from Aquinas:
By sinning man departs from the order of reason, and consequently falls away from the dignity of his manhood … and falls into the slavish state of the beasts, by being disposed of according as he is useful to others … Hence, although it be evil in itself to kill a man so long as he preserve his dignity, yet it may be good to kill a man who has sinned, even as it is to kill a beast. For a bad man is worse than a beast, and is more harmful, as the Philosopher says. (Aquinas Citation1948: Summa, II-II, q. 64, a. 2)
See also Ross (Citation1955: 60–61).
7. While one could add other harmful acts such as rape, maiming, and enslavement, this article will focus on life and life-supporting property for the sake of simplicity. ‘National interest’ is an often-cited but obviously insufficient standard.
8. This paper assumes that intentionality includes both a malevolent goal, and knowledge that these capabilities could achieve this goal. I am not certain whether invincible ignorance about capabilities’ effects would result in forfeiture and liability, but tentatively assert that it would not. Therefore, a cyber-attacker who caused casus belli-level harm, but neither sought nor could have foreseen it, would not incur liability – although a lethal response might be excusable. Assumed, of course, is due diligence in ascertaining the possible effects of a new technology.
9. An alternative way of construing ‘unjustified’ vis-à-vis unintentional aggressors is to deem them ‘not liable’ to lethal force. This latter formulation predominates in the outstanding work of Rodin (Citation2003) and McMahan (Citation2009).
10. While Rodin (Citation2003: 40–43) argues that necessity is a constituent aspect of liability, I recommend that the latter be associated with the act itself, not its context. In other words, a potential murderer has forfeited their right to life, and circumstances independent of their act then dictate how one may respond to this liability to harm. In either construal, necessity is a moral requirement. Catholic doctrine of capital punishment has recently integrated this notion of necessity. See John Paul II (Citation1995).
11. Implied in this formulation are two assertions: ad bellum, reasonable chance of success and proportionality constraints do not apply when only aggressors will be affected; and when civilians are involved, reasonable chance of success is also normative in bello. Note that there are two effects of the unintentionality of this collateral damage: from a virtue ethics perspective, the actor is not adversely affected internally; and relatedly, the actor is not liable to harm.
12. Legal analyses of just cause in the cyber-domain have focused on defining an ‘armed attack,’ to which UN Charter Article 51 allows self-defensive responses. Death/injury/destruction/damage-causing ‘uses of force’ of sufficient – using Pictet's taxonomy – ‘scope, intensity, or duration’ are armed attacks. In order to transcend debates over ‘sufficient’ effects (assuming parties can agree on the validity of an ‘effects-based’ approach, rather than ‘instrument-based’ or ‘strict-liability’ approaches), this article will prescind from this legal framework. For a helpful discussion on these legal tools, see Carr (Citation2010: 45–75).
13. The level of this theft-based harm is disputed, in part because companies are reticent to report it. A 2011 British Cabinet Office report estimated cybercrime's cost at 1.8% of gross domestic product (GDP), while a subsequent Ministry of Defence study asserted a lower level that was mostly comprised of security measures. See Business and Cyber-security, A Spook Speaks, The Economist, 30 June 2012.
14. I am indebted to Randall Dipert for identifying this issue. See also Dipert (Citation2010).
15. Malware creating ‘back doors’ would also fall under this analysis.
16. Dipert (Citation2013) rightly notes that the ‘sum or compound attribution method’ would not merely employ technical means. However, non-technical components of this method are likely to be inconclusive (i.e., using electronic and human intelligence sources to verify an attacker's identity) or are morally irrelevant (i.e., inferring from means and motive).
17. I am obviously calling into question the legitimacy of punishing for retributive and utilitarian (i.e., deterrence and public order) purposes, and would argue that public safety and reform should be the guiding purposes.
18. Internal attacks on military facilities via flash drives would be exempt from this critique – unless these facilities were connected to the Internet.
19. This limitation also often applies to kinetic weapons.
20. See, e.g., UN General Assembly (Citation1980).
21. For an extended exploration of this logic, see Strawser (Citation2010: 342–368).
22. Boost-phase ballistic missile defense systems may intercept missiles that are still over a launching state's territory.
23. See UN General Assembly (Citation1977), especially articles 51 and 52, and also articles 35 and 55–57. For an excellent legal perspective on this issue, see Schmitt (Citation2011), especially pp. 114–123. My ethical analysis supports the more restrictive conclusions of Knut Dörmann (Citation2004).
24. See Melzer (Citation2009), especially pp. 70–71.
25. Greatly simplified, US Code Titles 10 and 50 govern military and intelligence activities, respectively.
26. For seminal analyses of the nature and foundations of a right to privacy, see Thomson (Citation1975), Scanlon (Citation1975), Rachels (Citation1975), and McCloskey (Citation1980). See also Alfino and Mayes (Citation2003) and Skerker (Citation2010).
