https://orcid.org/0000-0002-8774-6889
![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
ABSTRACT
Which harms and benefits should be viewed as relevant when considering whether to launch cyber-measures? In this article, we consider this question, which matters because it is central to determining whether cyber-measures should be launched. Several just war theorists hold a version of what we call the ‘Restrictive View’, according to which there are restrictions on the sorts of harms and benefits that should be included in proportionality assessments about the justifiability of going to war (whether cyber or kinetic). We discuss two such views – the Just Cause Restrictive View and Rights-based Restrictive View – and find both wanting. By contrast, we defend what we call the ‘Permissive View’. This holds that all potential goods and bads should be included in proportionality decisions about cyber-measures, even those that appear to be trivial, and where the various harms and benefits are given different weights, according to their agent-relative and agent-neutral features. We argue further that accepting the Permissive View has broader implications for the ethical frameworks governing cyberwar, both in terms of whether cyberattack provide just cause for coercive responses, including kinetic warfare and cyber-responses, and whether cyber-measures should be governed by just war theory or a new theory for cyber-operations.
Acknowledgments
We would like to thank the reviewers for their helpful comments, as well as the audience of the Norwegian Practical Philosophy Network Workshop and the 11th edition of the Braga Meetings. Fredrik D. Hjorthen would like to thank the Research Council of Norway for their financial support (grant number 288654).
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes
1 To be sure, Rid argues that the effects of both attacks were ‘rather small’.
2 Russia denied the attack, but the Norwegian Police Security Service (PST) attributed it to the GRU-linked cyber-actor APT28, or Fancy Bear (PST Citation2020).
3 The attack was mitigated before the effects materialized.
4 These are discussed below.
5 For instance, Simpson (Citation2014, 141–54) argues that cyberattacks should be understood in terms of harm to property (and this provides just cause) and Finlay (Citation2018) argues that the notion of violence is a helpful way of capturing cyberwar.
6 Cyberwar may sometimes meet the first requirement but will not meet the second.
7 See, for instance, Horton (Citation2018).
8 To be sure, our account differs subtly in that McMahan views proportionality as comparing the measure to doing nothing, whereas we view it as comparing to not launching it. In this way, we can use proportionality to assess further actions (e.g. a cyberattack) when we are already doing something (such as military action). For an in-depth account of proportionality in war and the relevant counterfactuals, see Tomlin (Citation2021, 42–3).
9 We largely follow here the typology offered by the Center for Cyber & Homeland Security (CCHS Citation2016). The boundaries of Active Cyber Defence (ACD) and hacking back vary between accounts, with, for instance, the UK seeing ACD as purely defensive (Stevens et al. Citation2019).
10 Honeypots can be also be active if they, for instance, actively search out malicious servers. See Schmitt (Citation2017, 174).
11 Some might object that purely defensive cyber-measures such as the use of antivirus software do not raise questions about proportionality, given that no one is likely to be harmed (and no justification needed). While we agree that proportionality may not matter equally across all cyber-measures, we still argue that it is relevant. One reason why proportionality also matters for ostensibly harmless measures is that they involve opportunity costs. Assuming that opportunity costs matter for proportionality, at least when they represent a duty violation (Oberman Citation2019; Pattison Citation2020b), and that no state is currently in perfect compliance with their duties, proportionality assessments seem relevant. Another reason is that defensive cyber-measures may still lead to some harms, even if unintended, such as the deflection of attacks onto those who are more vulnerable and potentially the least well off (Pattison Citation2020a).
12 It might be replied that there should be a different ethics for offensive operations than for defensive operations. We do not preclude this but note reason for caution: offensive and defensive cyber-operations often blur, with operations sometimes having a mix of both elements.
13 Also, see McMahan and McKim (Citation1993) and Rodin (Citation2011). Kamm (Citation2011) endorses a different set of restrictions on the goods to be included. See Hurka (Citation2014) and McMahan (Citation2014). McMahan has shifted his view and now holds that ‘non – just-cause goods’, i.e., peripheral benefits, can be relevant for wide proportionality (which concerns the proportionality of those not liable), but still, as far as we understand, views only just cause goods as relevant to narrow proportionality (which concerns the proportionality of those liable) (McMahan Citation2014, Citation2018a).
14 He largely restates this account in Hurka (Citation2008; 2014Hurka Citation2014,), using the terminology of ‘independent’ and ‘conditional’ just causes.
15 In his 2010 chapter and 2014 article, Hurka very tentatively adds to the list of relevant goods. Peripheral benefits that result from achievement of the just cause are included, but not if they result from the means to achieving the just cause. For instance, economic benefits are relevant when they accrue from the achievement of a just peace at the end of the war and the stabilization of the region, but not when they result from the war economy during the war. Given the tentativeness with which he adds this suggestion (he states ‘I am by no means sure this view is correct’) we leave this aside here (2010Hurka Citation2010, Citation2014; McMahan Citation2018a, Citation2018a, 425).
16 Hurka’s account has been adopted by some of those working on issues related to cyber-conflict, such as Bellaby (Citation2016) and fields related to cyber, such as surveillance, e.g., Macnish (Citation2015).
17 For a useful typology of the harms that might result from cyber-measures, see Agrafiotis et al., (McMahan Citation2018b).
18 One could distinguish between direct and indirect benefits, but this seems less appropriate, given that Hurka is concerned with the just aims of an operation. It unclear to us how these could be indirect.
19 The fear of cybercrime is highlighted in Home Office (Citation2018).
20 It might be worth noting that while borders and networks may often coincide, this is not necessarily the case.
21 See, further, Eberle (Citation2016).
22 Indeed, it might be thought that there could be a version of the Just Cause Restrictive View that holds that there are different proportionality assessments for harmful and non-harmful measures, with peripheral benefits being included only with non-harmful measures. But, again, this would need to explain why we should assess harmful and nonharmful measures by a different standard.
23 A similar point could be made in terms of what McMahan, (Citation2018b) calls ‘narrow’ and ‘wide’ proportionality, which concern harms to liable and non-liable people respectively: peripheral benefits can still be relevant for wide proportionality judgments, especially in marginal cases, even if less weight than in narrow proportionality judgements.
24 There may be other potential defences of the Just Cause Restrictive View, applied from Brock’s (Citation2003) partial repudiation of peripheral benefits in medical ethics, such the notion that there should be ‘separate spheres’, or concerns over fairness and treating people as a means. These are considered – and repudiated – by Lippert-Rasmussen and Lauridsen (Citation2010) and Persad and du Toit (Citation2020), so we do not consider them.
25 We presume here that one can harm without transgressing rights, although, admittedly, this might depend on one’s understanding of harm. For our purposes, we presume that it makes sense to talk about harming someone who is liable to the harm because they lack the right to the protection (e.g., they are not the rightful owner of the goods in question).
26 On national partiality, see e.g., McMahan and McKim (Citation1993, 516).
27 For the view that the right to internet access is a basic right, see Reglitz (Citation2020).
28 Nickel (Citation2019) provides an excellent overview.
29 It might be objected here that because the measure would seemingly do no harm there is no need to consider proportionality. But even though there might not be any direct harms resulting from the measure, there can be indirect harms (for example if there are opportunity costs to the measure) and also unintended harms. See also footnote 11.
30 Someone might claim that the Permissive View implies that economic or aesthetic benefits through cyber measures can be commensurate with the harms of war, but these are not commensurable without adopting a problematic quantitative comparison. Note, however, that we do not hold that these things need to be strictly commensurable. To explicate, we can distinguish between strong and moderate forms of incommensurability. On strong incommensurability, it is strictly impossible to weigh values. They cannot be compared, and all-things-considered judgements are extremely problematic. By contrast, on moderate incommensurability values may be incommensurable, yet possible to weigh. Although it is impossible to plot them against a single value, such as utility, to provide a clear cardinal ranking, it is possible to provide a sense of their relative importance. Moderate incommensurability accepts value pluralism and the fact that values can still be weighed, for example through the method of reflective equilibrium. This view on incommensurability is also in line with much of Just War Theory and, more generally, the morality of self-defence, which attempts to offer determinate judgements that weigh various instrumental and non-instrumental considerations.
31 This means that our account must rely on a background theory of distributive justice. Such an account could take different forms, but for the present purposes a useful point of departure is John Broome’s account, whereby ‘fairness is concerned only with how well each person’s claim is satisfied compared with how well other people’s are satisfied’, and where fairness requires that ‘claims should be satisfied in proportion to their strength’ (Citation1990, 95).
32 Also see Pattison (Citation2020b).
33 This is a central theme of recent work on priority-setting in global health – Norheim, Emanuel, and Millum (Citation2020) – featuring many of the leading bioethicists. Also see Du Toit and Millum (Citation2016), Lippert-Rasmussen and Lauridsen (Citation2010) (replying to Brock Citation2003), and Sharp and Millum (Citation2018).
34 We are not even fully convinced that this is necessary for just cause since they could be a just cause to respond to cases where there is no wrongful action, such as natural disasters where the state lacks the capacity to address the situation, but leave this open here.
35 This goes further than Dipert, who argues that the ‘widely accepted “high” barrier for just cause – namely armed invasion by an enemy with an intention to use lethal force – does not seem to apply to many forms of cyberwarfare’ (2016, 66).
36 Here, McMahan uses the terminology of ‘basic, first-order principles of the morality of war’ rather than ‘deep morality’.
37 For instance, Fabre (Citation2012, 6) sees her account as ‘[u]nearthing first-best principles’.
38 Relatedly, the non-ideal approach to proportionality provides a response to another objection, namely that calculating all the potential goods and harms would be too time consuming and demanding.
39 See, further, Pattison (Citation2019).