How to Think About Cyber Conflicts Involving Non-state Actors

  • Research Article
  • Philosophy & Technology

Abstract

A great deal of attention has been paid in recent years to the legality of the actions of states and state agents in international and non-international cyber conflicts. Less attention has been paid to ethical considerations in these situations, and very little has been written regarding the ethics of the participation of non-state actors in such conflicts. In this article, I analyze different categories of non-state participation in cyber operations and undertake to show under what conditions such actions, though illegal, might be morally defensible.

Notes

  1. This is despite the fact that Lieberman and Palin, it seems, did nothing to facilitate the government’s pursuit of Assange and WikiLeaks beyond speaking out in favor of it in the press.

  2. For Russian attacks on Georgia, see International Group of Experts 2013. For Russian attacks on Ukraine, see Clayton 2014. Neither of these attacks seems to have caused widespread disruption. However, an earlier attack on Estonia in 2007 did. The international status of this attack, however, is a complicated question, addressed below.

  3. See, for example, Aristotle 1999 or Dewey 1989.

  4. See, for example, Saxon 2013, National Research Council 2009, Tsagourias 2012, Schmitt 2012, O’Connell 2012, and Lülf 2013.

  5. Philpott characterizes the state simply as the modern form of polity that exercises sovereignty. It is Locke who emphasizes the state’s role in the preservation of property rights, an issue that will become important in the following. Sartwell begins with something like the definition that I lay out here, but adds the notion of legitimately exercising these powers. Sartwell goes on to challenge this definition, arguing that any definition of the state is problematic. In any case the question of legitimacy of state sovereignty is beyond the scope of this article, and these contributions provide, in my view, a reasonable working definition.

  6. See, for example, Setianto 2007.

  7. In the context of conflict classification in international law, whether cyber or kinetic, actions undertaken by the armed forces of that state are actions of the state (Schmitt 2012). Additionally, “cyber attacks conducted by other organs of a State, such as intelligence or law enforcement agencies, also qualify” (Ibid.). Private individuals may be considered state organs if they act “within the framework of, or in connection with, armed forces, or in collusion with State authorities” (Ibid.). Finally, attacks carried out by an entity that is not an organ of the state but that the state nevertheless authorizes to act on its behalf also qualify as de facto actions of an organ of the state (Ibid.). Those not meeting any of these conditions are non-state actors, though the situation can sometimes be complicated. In 2007, for example, in the context of a controversy about the location of a military cemetery, Russian hacktivists, acting apparently of their own accord, severely crippled banking and governmental systems of Estonia. Another complicated case is the 2013 attacks on the infrastructure of Israel including the Carmel Tunnels and Haifa’s water supply by the Syrian Electronic Army, a group of hackers who support Syrian President Bashar al-Assad (Sobelman 2013). In these cases, since they were not acting at the behest of or under the control of the state, these hacktivists would likely be considered non-state actors, though the degree to which the state tolerates, sanctions, and/or endorses this activity could tend to increase the likelihood of their actions being attributed to states (Ibid.). However, as we shall see, the willingness of an actor to be accountable to state control is a necessary condition for their actions properly being attributed to a state or a state organ.

  8. This provision is, however, controversial, as Schmitt points out. A number of states including the USA refused to become party to AP 1 due, in part, to this provision (Schmitt 2012).

  9. Granted, force or violence might not be the insurgent’s preferred method of overthrowing state power; however, by the time that an insurgency becomes an insurgency—literally an uprising—insurgents likely have realized that force may be the only means to accomplish this goal; hence, they forcefully rise up.

  10. Whether any particular cyber attack qualifies as an armed attack for the purposes of international law is a complicated question depending on a number of factors. For instance, violent attacks are those that harm persons, achieve military objectives, or destroy property. Mere disruption without effects on military targets is not generally considered to rise to the level of being an armed attack, though this point is still controversial. The question of whether the attack is violent or armed is more of a legal issue than a moral one. The moral issue depends rather on the coercive nature of cyber attacks. This point is explored in detail below.

  11. Lessig (2006), in the first chapter of Code: version 2.0, “Code Is Law,” describes the notion of cyberspace as beyond law that was popular among hackers and others in the early 1990s. While never precisely lawless, in what follows, I argue that particular technical features of the Internet continue to militate against an effective police presence in such a way that might in some cases justify extra-legal measures for self- and community protection.

  12. Lessig (2006) provides a host of examples of this, though specifically, one might think about the case of Napster and other various attempts to legitimate piracy of software and other kinds of intellectual property that have been overtaken by passage of and enforcement of the Digital Millennium Copyright Act.

  13. Anonymous is an extremely complicated and evolving case involving a divergent set of actors operating in a variety of contexts with a plurality of motivations and a loose set of ethical commitments. Gabriella Coleman and Stefania Milan have provided accounts of the history of Anonymous and analyses of the “group’s” ethical commitments. At least some of the cases have involved situations of vigilante-style justice where various individuals and/or groups acting under the name of Anonymous have sought to enforce social norms, protect the weak, and/or punish those they view as culpable. Many actions taken by these individuals and/or groups are also undertaken strictly for “the lulz,” slang for amusement. See, for example, Coleman and Golub 2008, Coleman 2011, Coleman 2013, and Milan 2012.

  14. This issue becomes relevant in the context of notions of civil disobedience as direct action rather than merely a form of political speech, discussed below.

  15. Crispin Sartwell defines coercion as depriving someone of their ideal choice conditions (Sartwell 2008). The primary distinction between vigilantism and civil disobedience, I will argue below, is that whereas the former uses coercion in taking direct action, the latter employs disruption.

  16. This is probably a matter of degree in terms of the amount of harm inflicted by disruptive operations. A corporation might stand to lose quite a bit of money if its operations were significantly disrupted for an extended period of time, in which case such disruption would rise to the level of coercive force.

  17. Dumsday has in mind actions of organized groups, such as the Guardian Angels who have taken it upon themselves to guard the subway system in New York City. He also has in mind a campaign of violence (or coercion) organized by a single individual.

  18. It should also be noted that some kinds of actions still require coordination involving the virtual equivalent of a “fire order” so that the attack proceeds with its desired immediacy. DDoS attacks, while prepared for independently and without coordination by installing software such as LOIC, still require something like a single command to commence.

  19. Though the issue of what counts as “the community” or which community counts is relevant here, particularly in the context of cyberspace.

  20. The name of the group Anonymous, though, stems from the name attributed to non-attributed posters on the 4chan message board rather than some broad interest in anonymity while engaging in cyber action (Stryker 2011). Even so, the name is apropos.

  21. These young men could not actively resist racial segregation because they weren’t subject to it. Nor could they do much (directly) against war policy in Southeast Asia or resist not being included in university decisions since one can’t very well resist non-inclusion, at least not directly.

  22. This isn’t to say that speech isn’t often an important factor or even the main event in civil disobedience. A great tradition of non-violent resistance that includes such transformational figures as Mahatma Gandhi and Martin Luther King is based on the idea of civil disobedience as speech, specifically the making manifest of societal injustice through non-violent resistance. To what extent such a model of civil disobedience applies in cyberspace is an interesting question particularly since this mode of speech seems to necessitate a fully embodied engagement with those in power: very often, activists have made injustice manifest by allowing or refusing it to be inscribed on their physical bodies. See Gandhi 2010 and King 2010.

  23. There is a very large debate and literature on the relationship between digital rights, communications rights, and online freedoms and human rights, a debate so large and involved that it falls beyond the scope of this paper. For a sampling of recent discussion, see Godwin 2003, MacKinnon 2012, Ziccardi 2013, and Jørgensen 2014.

  24. Although not addressing just-war theory specifically, William Gay points to this consideration as the basis for ethics in international relations in both Kant, outlined in “Perpetual Peace,” and Hegel, developed in Philosophy of Right and Philosophy of History. See Gay 2006.

  25. This provision is controversial. It could be argued that when a regime is engaged in crimes against humanity one is permitted (and probably obliged) to resist those crimes, perhaps using coercive force to do so, even if one’s probability of success against the regime is neither likely nor guaranteed. During World War II, Allied victory over the Nazi regime was not guaranteed and at various points did not seem likely. Nonetheless, the employment of coercive force against this regime by members of the resistance and individuals would have to be considered legitimate and even praiseworthy in spite of a seemingly low probability of success.

  26. One reviewer raises a very interesting question about benevolent treatment of (captured) digital identities. Could these be conceived in terms of rules regarding treatment of prisoners of war in conventional conflicts? The case is interesting because it points to questions regarding personhood in the digital age and what constitutes harm to one’s person, among other issues. Alternatively, one could consider benevolent quarantine for captured hardware or software systems. Given the dual-use nature of such systems and the amount of human intelligence involved in their construction, it might make sense to suggest that such systems though removed from the “battlefield” be returned to their owners unharmed after termination of hostilities. Unfortunately, an adequate consideration of these questions is beyond the scope of this paper. The questions raised nonetheless present a fascinating area for future research.

  27. One might well ask, in cases 1 and 4, “‘good’ from whose point of view?” Dumsday seems to assume a univocal point of view and gives examples: prohibition “of theft and murder and drug running and all the rest” (58). But this leaves aside the real possibility that the goodness of a law is not always obvious and might well depend on one’s perspective. Dumsday posits a democracy, in which citizens presumably have some say in what laws are enacted and therefore some legal recourse when laws are defective (59). Even so, the question of the goodness of laws and for whom they count as good is a non-trivial matter. At a minimum, we might consider the case where the laws are considered to be good by potential vigilantes. While one might argue that a vigilante would never contemplate action in case 4 under such a definition, it is possible to imagine this occurring out of, say, an excessive enthusiasm for or desire to participate directly in law enforcement or the meting out of “justice.” In any event, case 1 remains non-trivial even under such a minimal definition of “good laws.”

  28. See O’Connell 2012.

  29. For an interesting take on the moral status of non-responsible threats, see Hannah 2012.

  30. Bedau distinguishes between direct action and direct resistance. The former case is a special case of the latter wherein the protestor uses her own body “as the lever with which to pry loose the government’s policy” (Bedau 1961, p. 657). I do not follow this usage here and use the term “direct action” as the more general case.

References

  • Additional Protocol I (1977). Protocol additional to the Geneva Conventions of 12 August 1949, and relating to the protection of victims of international armed conflicts (8 June 1977, entered into force 7 December 1978) 1125 UNTS 3 (AP I).

  • Anonymous (2010). Anonymous—Operation Payback—WikiLeaks ACTA Laws Message. YouTube. URL= http://www.youtube.com/watch?v=ub4bPZy376Y.

  • Aristotle. (1999). In I. Terrence (Ed.), Nicomachean ethics (2nd ed.). Indianapolis: Hackett Publishing.

  • Bedau, H. A. (1961). On civil disobedience. The Journal of Philosophy, 58(21), 653–665.

  • Brooks, D. (2014). The republic of fear. The New York Times, (p. A27). New York Edition.

  • Buchan, R. (2012). Cyber attacks: unlawful uses of force or prohibited interventions? Journal of Conflict and Security Law, 17, 212–227.

  • Clayton, M. (2014). Massive cyberattacks slam official sites in Russia, Ukraine. The Christian Science Monitor. March 18, 2014. URL= http://www.csmonitor.com/World/Security-Watch/Cyber-Conflict-Monitor/2014/0318/Massive-cyberattacks-slam-official-sites-in-Russia-Ukraine.

  • Coleman, G. (2011). Hacker politics and publics. Public Culture, 23(3), 511–516.

  • Coleman, G. (2013). Anonymous in context: the politics and power behind the mask. Internet governance papers, paper no. 3. Waterloo: The Centre for International Governance Innovation.

  • Coleman, E. G., & Golub, A. (2008). Hacker practices: moral genres and the cultural articulation of liberalism. Anthropological Theory, 8(3), 255–277.

  • Dewey, J. (1989). Ethics. In B. Jo Ann (Ed.), John Dewey the later works, 1925–1953, volume 7: 1932. Carbondale: Southern Illinois University Press.

  • Dinstein, Y. (2012). The principle of distinction and cyber war in international armed conflicts. Journal of Conflict and Security Law, 17(2), 261–277.

  • Dumsday, T. (2009). On cheering Charles Bronson: the ethics of vigilantism. The Southern Journal of Philosophy, XLVII, 49–67.

  • Gandhi, M. (2010). Freedom’s battle being a comprehensive collection of writings and speeches on the present situation. N.p.: Kessinger Publishing.

  • Gay, W. (2006). Spiritual and political dimensions of nonviolence and peace (Value Inquiry Book Series, Volume 182), especially Chapter 12, “A normative framework for addressing peace and related global issues,” (pp. 181–194). New York: Rodopi.

  • Godwin, M. (2003). Cyber rights: defending free speech in the digital age. Cambridge: MIT Press.

  • Green, S. (1994). Vigilantism and the common good. Contemporary Philosophy, 16(4), 17–22.

  • Hannah, J. (2012). The moral status of nonresponsible threats. Journal of Applied Philosophy, 1(29), 19–32.

  • International Group of Experts. (2013). In S. Michael (Ed.), Tallinn manual on the international law applicable to cyber warfare DRAFT. Cambridge: Cambridge University Press.

  • Jørgensen, R. F. (2014). Participation in the Internet era. In A. Tina & L. S. Østergaard (Eds.), Reclaiming the public sphere: communication, power, and social change (pp. 161–166). Basingstoke: Palgrave MacMillan.

  • King, M. L., Jr. (2010). I have a dream: writings and speeches that changed the world (pp. 83–101). New York: HarperOne.

  • Lessig, L. (2006). Code: version 2.0. New York: Basic Books.

  • Locke, J. (1980). In T. P. Peardon (Ed.), The second treatise of government. Indianapolis: Hackett.

  • Lootsteen, Y. (2000). The concept of belligerency in international law. Military Law Review 166.

  • Lülf, C. (2013). Modern technologies and targeting under international humanitarian law. IFHV Working Paper 3(3). URL= http://www.ruhr-uni-bochum.de/ifhv/documents/workingpapers/wp3_3.pdf

  • MacKinnon, R. (2012). The consent of the networked: the worldwide struggle for internet freedom. New York: Basic Books.

  • Milan, S. (2012). The guardians of the Internet? Politics and ethics of cyberactivists (and of their observers). In Inter-Asia roundtable 2012: methodological issues in cyber activism research (pp. 167–191). Singapore: Asia Research Institute.

  • National Research Council. (2009). In W. A. Owens, K. W. Dam, & H. S. Lin (Eds.), Technology, policy, law, and ethics regarding U.S. acquisition and use of cyberattack capabilities. Washington: The National Academies Press.

  • O’Connell, M. E. (2012). Cyber security without cyber war. Journal of Conflict and Security Law, 17, 187–209.

  • Orend, B. (2008). War. In E. N. Zalta (Ed.), The Stanford encyclopedia of philosophy (Fall 2008 Edition). URL = <http://plato.stanford.edu/archives/fall2008/entries/war/>.

  • Pappas, G. F. (2008). John Dewey’s ethics: democracy as experience. Bloomington: Indiana University Press.

  • Philpott, D. (2010). Sovereignty. In E. N. Zalta (Ed.), The Stanford encyclopedia of philosophy (Summer 2010 Edition). URL = <http://plato.stanford.edu/archives/sum2010/entries/sovereignty/>.

  • Rodriguez, S. (2014). Refrigerator among things hacked in Internet of things cyber attack. Los Angeles Times, URL= http://articles.latimes.com/print/2014/jan/16/business/la-fi-tn-refrigerator-hacked-internet-of-things-cyber-attack-20140116.

  • Sartwell, C. (2008). Against the state: an introduction to anarchist political theory. Albany: State University of New York Press.

  • Saxon, D. (Ed.). (2013). International humanitarian law and the changing technology of war. Leiden and Boston: Martinus Nijhoff Publishers.

  • Schmitt, M. (2012). Classification of cyber conflict. Journal of Conflict and Security Law, 17(2), 245–260.

  • Setianto, B. (2007). Somewhere in between: conceptualizing civil society. The International Journal of Not-for-Profit Law 10(1).

  • Sobelman, B. (2013). Israel beset by flurry of reported cyber attacks. Los Angeles Times.

  • Stryker, C. (2011). Epic win for Anonymous: how 4chan’s army conquered the Web. New York: Overlook.

  • Swaine, J. (2010). WikiLeaks ‘Revenge Attacks’ target Mastercard (sic.) and Visa. Telegraph, URL= http://www.telegraph.co.uk/news/worldnews/wikileaks/8190421/WikiLeaks-revenge-attacks-target-Mastercard-and-Visa.html.

  • Tsagourias, N. (2012). Cyber attacks, self-defence and the problem of attribution. Journal of Conflict & Security Law, 17(2), 229–244.

  • Turns, D. (2013). Cyber war and the concept of ‘attack’ in international humanitarian law. In S. Dan (Ed.), International humanitarian law and the changing technology of war (pp. 209–228). Leiden: Martinus Nijhoff.

  • Welchman, J. (2001). Is ecosabotage civil disobedience? Philosophy and Geography, 4(1), 97–107.

  • Woodward, C. (2003). Estonia, where being wired is a human right. The Christian Science Monitor, URL= http://www.csmonitor.com/2003/0701/p07s01-woeu.html.

  • Ziccardi, G. (2013). Resistance, liberation technology and human rights in the digital age. Dordrecht: Springer.

Acknowledgments

I want to sincerely thank the two anonymous reviewers for their comments on an earlier version of this paper through which it has been substantially improved. Any errors and omissions that remain are, of course, my own.

Author information

Correspondence to Phillip McReynolds.

About this article

Cite this article

McReynolds, P. How to Think About Cyber Conflicts Involving Non-state Actors. Philos. Technol. 28, 427–448 (2015). https://doi.org/10.1007/s13347-015-0187-x

  • DOI: https://doi.org/10.1007/s13347-015-0187-x
