Bloodless Cyber Invasion and the Right to National Self-Defense

(1)

I

Bloodless Cyber Invasion and the Right to National Self-Defense

Master’s Thesis

Department of Political Science

UNIVERSITY OF OSLO

Lea Kristina Petronella Bjørgul Spring 2021

Word count: 23 221

(2)

II

(3)

III

Abstract

In conventional warfare, its accepted that if a state finds itself under attack, it’s entitled to respond – either with defensive force, or with a counterattack. But its less clear how countries should respond to cyberattacks. Despite this uncertainty, several governments have indicated that they under certain circumstances are willing to use traditional military force to retaliate against cyberattacks. The current consensus within just war theory and international law is that states may only respond to cyberattacks with military force when they intentionally and directly product significant death and physical destruction. I claim that this conclusion is implausible because cyberattacks which do not produce significant physical effects have the potential to to create similar political outcomes as traditional military attacks. Most importantly, they have the potential to seriously undermine the sovereignty and right to political self-determination of the citizens of the targeted state.

Consequently, this thesis investigates the following question: Under which conditions could a conventional attack be morally justified by an enemy “bloodless” cyberattack?

With traditional just war theory as my main theoretical starting point, I approach this question by focusing on the jus ad bellum criteria of just cause and proportionality and conduct a normative analysis using the method of reflective equilibrium. I argue that a conventional attack could be morally justified by an enemy bloodless cyberattack when the conditions laid out in this thesis are met, provided that the cyberattack in question has been attributed to a specific state actor and the remaining jus ad bellum criteria are fulfilled.

(4)

IV

Acknowledgements

There are many people whom I owe my sincerest gratitude. The process of writing and completing this master thesis has been very challenging. Starting off with “COVID fatigue”, and not having access to a proper workspace at the University of Oslo, nor at NUPI, are important reasons for this. However, due to the help and support of the following group of people, I was able to push through and complete this thesis.

First, I want to thank Andreas Brekke Carlsson for confirming that my research question was an interesting one and worth going forward with. Second, I am extremely grateful for the guidance provided by my supervisor at the University of Oslo, Professor Raino Malnes. You have been more than generous with your time, advice, and with your ability make me stay on track. Third, The Norwegian Institute of International Affairs (NUPI), and the members of the Centre for Digitalization and Cyber Security Studies have provided me with useful insight during the past semester. I am also grateful to Ole Jacob Sending and my fellow graduate research assistants who provided me with useful comments at our master seminars.

Finally, this thesis would not have been completed and handed in within the original deadline this semester without the emotional support from my partner, Sturla, and my parents. You pushed me to continue my work when I needed it the most.

Any mistakes or misperceptions are my own only.

Lea Kristina Petronella Bjørgul, Oslo, June 21, 2021

(5)

V

1.0 Introduction

“Cyber-related risks are a global threat of bloodless war….”

– Prime Minister of India, Narendra Modi (Narendra Modi, 2015)

This statement by India’s prime minister reflects the core of the questions which will be explored in this thesis. If we agree that there can be such a thing as a bloodless cyberwar, what should the moral principles governing it look like? In conventional warfare, its accepted that if a state finds itself under attack, it’s entitled to respond – either with defensive force, or with a counterattack. But its less clear how countries should respond to cyberattacks (Finlay, 2021).

Despite this uncertainty, several governments have indicated that they under certain circumstances are willing to use kinetic force to retaliate against cyberattacks. The UK’s 2021 Strategic Defense Review confirmed the creation of a “National Cyber Force” tasked with developing effective offensive responses to cyberattacks, which could even include responding to them with nuclear weapons (ibid), and the United States has previously adopted the principle that retaliation against cyberattacks may take the form not only of cyber-counter-attacks, but also attack by conventional military means (Alexander, 2011). However, it is far from obvious that responding to cyberattacks by use of conventional physical means would be a morally permissible response. Consequently, careful ethical consideration should take place before we finally decide upon appropriate responses to cyberattacks.

A well-established ethical framework designed to consider the permissibility of waging war is the just war framework. Within just war theory, the act of aggression¹ has long been understood as the use of physical or violent means to achieve a political objective. However, this definition of aggression has the implication that no cyberattack would justify a military response because cyberattacks do not appear to use physical or violent means - they only involve the manipulation of computer code. To many, this seems like an implausible implication due to the potentially grave consequences of cyberattacks. As a result, it has been suggested that the nonphysical or

1 The main type of action that can potentially serve as Just Cause for an immediate and unilateral military response (i.e. trigger the right to national self-defense). Other situation which later have been more or less accepted as justifying a military response are connected to the right to protect (R2P) and preemptive war. These situations will not be discussed in this thesis.

(7)

2

nonviolent nature of cyberattacks is irrelevant as long they produce significant physical effects.² This is also the current consensus within the legal community (Schmitt et al., 2013, pp. 48-49).

In other words, contemporary legal and philosophical scholarship appears to have settled on a definition of “force” that applies the existing laws of war to actions within the cyber domain only when these actions are likely to result in conventional physical harm (Petkis, 2016, p.

1431).

However, this solution implies that it is morally (and legally) impermissible to respond with physical force to cyberattacks which do not cause significant physical effects (henceforth referred to as “bloodless” cyberattacks), but which nonetheless cause serious violations to a state’s sovereignty and right to political self-determination. An illustrative example is that of direct foreign election meddling: State A could potentially hack voting machines during a democratic election in state B, change x number of votes, and consequently change the election results. This would not be defined as an act of aggression according to the current consensus within JWT and international law, and state B would not be justified in responding to this incident with physical force. In my opinion, something seems off about this outcome. This disconnect, between the current legal and philosophical consensus on the one hand, and my (and possibly others) contradicting moral intuition on the other, is the motivation behind the following research question:

Under which conditions could a conventional attack be morally justified by an enemy “bloodless” cyberattack?

In other words, this thesis aims to investigate whether (or which) cyberattacks which do not cause significant physical effects, could justify a response using armed kinetic force.

To explore this question, the ethical framework of JWT serves as a useful starting point, as its purpose is to ensure that war is morally justifiable. This is done through the consideration of a series of criteria referred to as jus ad bellum, which must be met for war to be morally permissible. This thesis will focus on two of these criteria; just cause and proportionality. With this focus, the following two research questions have been derived:

2 See for example Cook, James. (2010). “Cyberation” and just war doctrine: A response to Dipert’, The Journal of Military Ethics Vol 9(4), pp. 411–423; Roscini, Marco. (2010). World wide warfare - “jus ad bellum” and the use of cyber force. Max PlanckYearbook of United Nations Law Vol 14, pp. 85–130; Silver, Daniel. (2002).

Computer network attack as a use of force under Article 2(4) of the United Nations Charter. International Law Studies Vol 76, pp. 73–97; Eberle, Christopher. (2013). Just war and cyberwar. The Journal of Military Ethics Vol. 12(1), pp. 54–67.

(8)

3

1) Can a bloodless cyberattack constitute just cause, and thus trigger the right to national self-defense?

2) Should a traditional military response be considered a proportional response to a bloodless cyberattack (and if so, under which conditions)?

These are normative questions. Consequently, I will use the most established method with normative political science, which John Rawls refers to as reflective equilibrium, to approach these questions. Answering the two questions posed above will only provide a partial answer to the main research question. This is because the remaining ad bellum criteria (which are not discussed in this thesis) also need to be met for a violent response to be an all-things-considered justified response to a bloodless cyberattack. Thus, this thesis’ aim is to come one step closer to a possible answer to this question.

The thesis has the following structure: Chapter 2 will provide some background on the concept of cyberwar, summarize previous research on this field, and explain the importance of the knowledge gap this thesis aims to fill. In chapter 3, I will describe the methodological approach, reflective equilibrium. In chapter 4, I will present and explain some key terms and concepts used throughout this thesis, as well as describe the main elements of just war theory, which serves as the main theoretical starting point of my investigation. Chapters 5 and 6 will address the questions of just cause and proportionality, respectively. Chapter 7 summarizes the key findings of the normative investigation, discusses their implications and contribution to the broader literature on the ethics of cyber warfare, as well as present suggestions for further research.

(9)

4

2.0 Background

For many years after its introduction in the early 1990s, the cyberwar concept was given little attention. However, because of the sharp increase in the use of cyberattacks both in and outside regular conflict, global awareness of cyberwar has risen sharply during the last decade (Arquilla, 2013, p. 80). A target in cyberspace is arguably more attractive than targets in the physical domains due to the low costs, together with the fact that the state carrying out the attack does not have to deal with deploying troops into enemy territory, nor consider the political risk of casualties. Furthermore, cyberweapons can be used to attack more or less anonymously at a distance while still causing much mayhem on targets ranging from banks to media to military organizations or democratic institutions. A natural consequence of these advantages is that cyberweapons would be an excellent choice for an unprovoked surprise strike, and we now see that nations and governments are increasingly pursuing political objectives against other states that were traditionally resolved through diplomacy, economic sanctions, and finally a resort to kinetic force, through massive cyberattacks instead (Lin, Rowe & Allhoff, 2012).

Given how cyber systems can be weaponized, it seems natural that ethicists should build

“cyberwar” into existing just war theory. But not everyone agrees. Matt Sleat (2017, p. 324) identifies three lines of thought within this debate. The first group of academics is referred to as “Sceptics.”³ In short, they doubt whether the cyber domain raises new ethical questions and prefer to categorize cyberattacks as actions which fall below the threshold of war, such as espionage etc., and thus question whether cyberwar is even possible. “Radicals,” meanwhile, believe cyberwar requires a wholesale rethink, and are building an entirely new theory of “just information war.”⁴ The underlying assumption upon which radicals’ build their claim is that cyberattacks are fundamentally different from physical force. After all, while conventional military force targets human bodies and their built environment, cyberattacks mainly harm data and virtual objects. Lastly, we have a group of academics we can refer to as “Moderates.” They accept that cyberwar creates some interesting novel moral, philosophical, and legal questions,

3 See for example Crisp, Roger. (2012, June 19). Cyberwarfare: No New Ethics Needed. Practical Ethics.

http://blog.practicalethics.ox.ac.uk/2012/06/cyberwarfare-no-new-ethics-needed/ ; Gartzke, Eric. (2013). The myth of cyberwar: Bringing war in cyberspace back down to Earth. International Security, Vol 38(2). pp. 41-73;

Rid, Thomas. (2012) Cyber War Will Not Take Place. Journal of Strategic Studies, Vol 35 (1). pp. 5-32.

4See for example Taddeo, Mariarosaria. (2016). Just Information Warfare.Topoi, Vol 35). pp. 213-224

(10)

5

but believe that just war theory contains resources that can be expanded or amended in order to capture the ethical issues that the innovation of cyberwarfare has generated⁵ (ibid. pp. 25-26).

According to this last group of academics, the main moral questions regarding cyber warfare divide themselves in the following way (Dipert, 2010, p. 392):

1) Is a cyberattack morally justified in response to an enemy conventional attack?

2) Is a cyberattack morally justified in response to an enemy cyberattack?

3) Is a conventional attack morally justified by an enemy cyberattack?

4) Is a cyberattack morally justified in cases where the enemy has launched neither a cyber- nor a conventional attack? (With United Nations sanction, preemptively, preventively or for some other reason).

5) Once a war (cyber- or conventional) has begun, what kinds of cyberattacks are morally justified?

As Dipert (2010, pp. 392-393) points out, of the five questions, (1) and (2) would seem to be the easiest questions, subject to the restraints that might be posed by the issues in question number (5). A cyberattack by nation A on B would seem prima facie to justify morally a retaliatory cyberattack by B on A, at least one that is proportionate to A’s first strike. Likewise, a cyberattack in response to a conventional attack would seem to be at first sight justified, again subject to the issues raised in question number (5). Although there might be other jus ad bellum criteria that need to be considered, such as Proportionality, Likelihood of Success and Necessity, there do not seem to be any issues in questions (1) and (2) that are particular to cyberwarfare. Cases (3) and (4) are the most challenging cases.

As mentioned in the introduction, the starting point for this thesis is case number (3). Whether a conventional attack can be morally justified by an enemy cyberattack is a central question within cyber policy which has not been sufficiently dealt with by the existing literature. The research that has been conducted so far consists of both legal and philosophical debate⁶ and is

5 See especially Lucas, George. (2017). Ethics and Cyberwarfare: The Quest for Responsible Security in the Age of Digital Warfare. Oxford University Press.

6 See for example: Dipert, Randall R. (2010). The Ethics of Cyberwarfare. Journal of Military Ethics. Vol 9(4), pp. 384-410; Lucas, George. (2010). Postmodern War. Journal of Military Ethics. Vol 9(4), pp. 289-298; Smith, Patrick Taylor. (2018). Cyberattacks as Casus Belli: A Sovereignty-Based Account. Journal of Applied

Philosophy. Vol 35(2), pp. 222-241; Lucas, George R. (2013). Ethics and Cyber Conflict: A Response to JME 12:1. Journal of Military Ethics. Vol 13(1), pp. 20-31; Cook, Colonel James. (2010). Cybernation and Just War Doctrine: A Response to Randall Dipert. Journal of Military Ethics. Vol 9 (4), pp.411-423; Cook, James L.

(2015). Is There Anything Morally Special about Cyberwar? In Ohlin, Jens D., Govern, Kevin & Finkelstein, Claire (Ed.), Cyber War: Law and Ethics for Virtual Conflicts. Oxford University Press.

(11)

6

closely related to the right to national self-defense.⁷ In the following, I will briefly summarize the findings and conclusions of the research conducted thus far, and thereafter explain the knowledge gap this thesis aims to fill.

Within the philosophical literature (often synonymous with the Just War Tradition), the act of aggression⁸ has long been understood as the use of physical or violent means to achieve a political objective. Consequently, it has been argued that the just war tradition cannot accommodate cyberwar because cyberattacks do not appear to use physical or violent means as they only involve the manipulation of computer code (ref. the group referred to as “radicals”

above). However, given the potential consequences of cyberattacks, it seems implausible to suggest that no state can ever use military force to protect itself from them. As an attempt to solve this problem, some JW theorists (moderates) have argued that the nonphysical or nonviolent nature of cyberattacks is irrelevant as long they produce significant physical effects⁹(Smith, 2018, p. 222), and we have seen that cyber operations can indeed sometimes lead to physical harm, e.g. in connection to Stuxnet.¹⁰

This conclusion was also reached by the authors of the Tallinn Manual.¹¹ These legal experts argued that a cyber operation that causes significant damage, destruction, injury (to objects or individuals), or death, qualify as severe enough to be regarded as an act of aggression, in accordance with current international law (and thus trigger the right to self-defense) (Schmitt, et al., 2013, pp. 91-93).

To summarize, the nonphysical and nonviolent, but yet dangerous nature of cyberattacks has led to the argument that we need to reconceive the fundamental basis for evaluating when a state action represents a casus belli. As a result, a new consensus within the legal and

7 I.e. article 51 of the UN Charter which is explicitly referred to in NATO’s article 5

8 The only type of action that can potentially serve as Just Cause for an immediate and unilateral military response (i.e. national self-defense).

9 See for example Silver, Daniel. (2002). Computer network attack as a use of force under Article 2(4) of the United Nations Charter. International Law Studies. Vol 76, pp. 73-97; Schmitt, Michael. (1999). Computer network attack and the use of force in international law: Thoughts on a normative framework. Columbia Journal of Transnational Law, Vol 37. pp. 885-937; Hoisington, Matthew. (2009). Cyberwarfare and the use of force giving rise to the right of self-defense. Boston College International and Comparative Law Review. Vol 32(2).

Pp. 439-454.

10 Stuxnet (a software-worm) is widely believed to have been designed by hackers working for the U.S. and Israeli governments. It was used to disrupt Iran’s nuclear enrichment ICT (information and communication technology) infrastructure in the context of a joint US and Israeli operation (Olympic Games) established to disrupt Iran’s nuclear program (Fruhlinger, 2017).

11 The Tallinn Manual represents an attempt by a group of nineteen international experts to produce a non- binding document applying existing law to cyber warfare. See Schmitt, Michael N et al. (2013). Tallinn Manual on the international law applicable to cyber warfare. Cambridge University Press.

(12)

7

philosophical literature argues that the nonphysical or nonviolent nature of cyberattacks is irrelevant if they produce significant physical effects. The view is that a state is justified in using military force to defend itself unilaterally from attacks that produce significant death and destruction (Smith, 2018, p. 223). According to this view then, the answer to this thesis’ main question of whether a conventional attack is ever morally justified by an enemy cyberattack, is yes, if the cyberattack produces significant physical effects.

Now, over to the knowledge gap this thesis aims to fill. The theoretical consensus described above does not solve the moral issues connected to what will be referred to as “bloodless cyberattacks.” Simply put, the term “bloodless” refers to the kinds of cyberattacks which do not produce significant physical effects. But if they do not lead to significant physical consequences, should we have any issues with these types of attacks? To answer this, let us consider some recent attacks and developments.

In November 2014 North Korean operatives carried out an attack on Sony pictures over the pending release of the movie “The Interview” (Peterson, 2014). From the outside, the incident almost seemed funny. However, in reality, important principles were at stake (such as freedom of expression, violations of personal privacy and interference in the internal affairs of the United States). The impact on individual and corporate behavior in a sovereign land might not seem so funny if the circumstances were different.

In recent years we have also witnessed advanced attempts made by state actors to influence democratic elections through cyber influence operations, with the goal of affecting or changing election results. Attempts at indirect influence (such as the Russian social media campaign against the United States in 2016), as well as the possibility for direct foreign electoral influence through the hacking of voting machines, have illustrated that states now (or in the near future) might be able to achieve political goals (in this case regime change), through the cyber domain which previously typically needed the use of traditional military means.

Despite being non-violent and non-physical, the examples above illustrate that even “bloodless”

cyberattacks have the potential to create similar political outcomes as traditional military attacks. Considering their non-harmful consequences, what seems wrong about them? My intuition is that seem morally wrong because they have the potential to undermine the sovereignty and political self-determination of the citizens of the targeted state. The fact that cyberattacks can create such consequences, without crossing the threshold of aggression (as the term is currently understood in international law), highlights the cleverness and ambiguous

(13)

8

character of cyber weapons. The increased development and use of this new class of weapons has opened a debate about what modern war is, what kind of events should reasonably trigger a war., and thus how the term “aggression” should be understood. Furthermore, the fact that states can achieve some of the same political goals (e.g. undermine the political self- determination of the citizens of the targeted state) through bloodless cyberattacks as with traditional military means, further challenges the theoretical consensus about aggression defined as “significant physical effects.” In other words, the examples above demonstrate that cyberwarfare represent a significant challenge to our moral and legal understanding of war, and that there is a need for more in-depth discussions regarding when and how this new type of warfare should be used and regulated.

This thesis’ focus is on the question of whether a conventional attack can be morally justified by an enemy cyberattack, and more specifically, whether a bloodless cyberattack can trigger the right to self-defense and justify a kinetic response. The first part of the analysis in this thesis (chapter 5) will explore the most fundamental element of this question, namely whether a bloodless cyberattack can be considered just cause (i.e. be defined as an act of aggression), and thus generate a right to national self-defense. As indicated above, this question requires a new perspective on the term “aggression.” Is there a different theoretical approach that could be more fruitful when determining which types of cyberattacks that should generate casus belli?

One alternative that has been presented is a sovereignty-based approach (henceforth The Sovereignty View).

In short, The Sovereignty View argues that some actions — those which we should understand as ‘aggressive’ that potentially justify unilateral military actions in defense — are those that attempt to completely bypass or overwhelm the political deliberations of the target state and forcibly generate a particular political result (Smith, 2018, p. 223). It is important to note however, that such act would only generate a prima facie right to unilaterally respond with military force. In addition to Just Cause, the other ad bellum criteria would have to be met for the attacked state to be justified in responding to the cyberattack with a conventional attack.

Most importantly, any reasonable account of the justifiability of waging war ought to take account of proportionality. The second part of the thesis will therefore focus on the ad bellum criteria of proportionality

A particularly interesting and difficult moral problem arises when discussing proportionality in

“bloodless” cases. The question becomes whether an attack which does cause physical harm

(14)

9

can be proportional to a cyberattack which “only” violates a population’s right to political self- determination. There is a large literature discussing this dilemma in connection to conventional warfare (the bloodless invasion literature), but to my knowledge, no one has previously applied these arguments and considerations to the cyber domain.

This thesis will thus approach the main research question of under which conditions a conventional attack could be morally justified by an enemy bloodless cyberattack by focusing on the ad bellum criteria of just cause and proportionality. However, it is important to point out that the remaining ad bellum criteria (which will be further described in chapter 4) also need to be met to answer when a violent response could be an all-things-considered justified response to a bloodless cyberattack. Consequently, my investigation represents an attempt to get one step closer to answering this question.

(15)

10

3.0 Methodology

In this thesis I will use the most established method with normative political science, which John Rawls refers to as reflective equilibrium (Rawls 1999, pp. 18-19).¹² In this section I will first briefly describe the method of reflective equilibrium, before spending some extra time on a few central concepts within this methodology, namely intuitions and thought experiments.

Finally, I will describe four minimum requirements for good practice of this method.

3.1 Reflective equilibrium

In short, the reflective equilibrium approach consists in working back and forth among our considered judgments (or “intuitions”) about particular instances or cases, the principles or rules that we believe govern them, and the theoretical considerations (background theory) that we believe bear on accepting these considered judgments, principles, or rules, revising any of these elements wherever necessary in order to achieve an acceptable coherence among them. When we do arrive at an acceptable coherence among these elements, the method has succeeded, and we have achieved reflective equilibrium (Pettit, 2012, p. 20). With the term coherence I mean that one’s aim should be that the principles and intuitions have a meaningful relation to each other and consist as part of a coherent whole (Hansen 2016, p. 71). As part of the ideal of coherence, there is a demand for consistency. That something is consistent means that it is not a contradiction (Petersen 2016, p. 131). A useful example to illustrate this method is the point mentioned in the introduction of this thesis:

One of the guiding principles of just war theory has stipulated that aggression, understood as the use of physical or violent means to achieve a political objective, generates the right to self- defense (i.e. the right to respond to an attack with kinetic force). However, this leads to the implication that no cyberattacks can ever justify a kinetic response, as cyberattacks do not appear to use physical or violent means - they only involve the manipulation of computer code.

This implication intuitively seems wrong. As an attempt to solve this problem, some JW theorists have argued that the nonphysical or nonviolent nature of cyberattacks is irrelevant as long they produce significant physical effects. In other words, there was not a perfect overlap between the general principles we considered to be plausible and the intuitions we experienced

12 See also: Daniels, Norman. (1979). Wide Reflective Equilibrium and Theory Acceptance in Ethics. The Journal of Philosophy Vol 76 (5), pp. 256-282 and Daniels, N. (2018). Reflective Equilibrium. In E. N. Zalta (Ed.), The Stanford Encyclopedia of Philosophy.

(16)

11

when we thought about the implications of these principles. Consequently, adjustments were made to the principles of JWT.

3.2 Intuitions

What exactly is a moral intuition? It’s important to note that there is no well-established agreement among philosophers with regards to an exact definition of “intuition”¹³. As I will understand the term, a moral intuition is a moral judgement¹⁴ – typically about a particular problem, a particular act, or a particular agent, though possibly also about a moral rule or principle – that is not the result of inferential reasoning (McMahan, 2013, pp. 104-105). If I consider the act of killing an innocent bystander, I judge immediately that this would be wrong.

I do not need to consider my other beliefs to arrive at this judgement.

Despite some disagreement among philosophers with regard to an exact definition, it can be argued that they seem to agree on a set of criteria an intuition should satisfy to be called a

“considered judgment”. Klemens Kappel presents four features in his chapter of the book Metode i normative poitisk teori from 2016. Firstly, the criteria of spontaneity alluded to above.

The intuition that a certain action is morally right or wrong is arrived at in a spontaneous manner and is not the result of inferential reasoning or derived from a general ethical theory. Secondly, the intuition is not a moral judgement if it is affected by factors such as self-interest, tiredness, or other similar conditions. Third, the person who has the intuition needs to be aware of the empirical circumstances relevant to the case. And last, but not least, the intuition must be stable over time (Kappel 2016, pp. 229-247).

3.3 Thought experiments

How do moral intuitions come into existence? Intuitions appear as immediate mental reactions to thought experiments. As its name indicates, a thought experiment is an experiment in thinking. Brown (2007) describes thought experiments as “devices of the imagination used to investigate the nature of things.” Others characterize them as “picturesque arguments” (Norton, 1996, p. 334), or as mental procedures used to reveal something about the relationship between

13 Some philosophers also reject the idea that moral intuitions have epistemic authority. Peter Singer, for example, has suggested that we should assume that “all the particular moral judgements we intuitively make are likely to derive from discarded religious systems, from warped views of sex and bodily functions, or from customs necessary for the survival of the group in social and economic circumstances that now lie in the distant past.” On this assumption, he notes, “it would be best to forget all about our particular moral judgements”

(Singer 1974, p. 516 in McMahan, 2013, p. 106).

14 Broadly, there are two different approaches to moral intuitions. One could trust one’s immediate moral intuitions, or we can set a slightly higher threshold and only have faith in considered judgements (Malnes og Midgaard 2017, pp. 191-192; Nagel 1991, pp. 69-70). I will seek the latter in this thesis.

(17)

12

different variables (Sorensen, 1992, p. 186, 205). In the words of (Gendler, 1998, p. 398): “To draw a conclusion on the basis of a thought experiment is to make a judgement about what would happen if the particular state of affairs described in some imaginary scenario were actually to obtain. One might then use that judgment in developing a more general theory, just as one might use the result of an actual experiment.”

Brownlee and Stemplowska (2016, p. 6), consequently describes the conception of thought experiments in normative theory as “a multi-step process that involves (1) the mental visualization of some specific scenario for the purpose of (2) answering a further, more general, and at least partly mental-state-independent question about reality.”

Thought experiments thus offer a potentially powerful investigative and analytical tool in philosophy, that can help us to build or reject arguments (ibid., p. 1). With regard to the first, they can contribute to demonstrating the consistency or coherence of a set of principles or concepts, highlight congruities and similarities between different claims, reveal the scope of the application of a given principle, and bring forth intuitions not previously considered. They can destroy arguments through revealing a conflation of concepts or principles or highlight the counterintuitive implications of an argument (ibid). In short then, a thought experiment is the tool we use to bring about moral intuitions to investigate the validity of a theory or principle governing certain actions.¹⁵

Within just war theory, there are some disagreements regarding the question of what kinds of cases we should use to test our intuitions and our principles when thinking about the ethics of war. We can either start by thinking about actual wars and realistic wartime scenarios, paying attention to international affairs and military history. Or we can construct hypothetical cases to isolate variables and test their impact on our intuitions¹⁶ (Lazar, 2020, chapter 2.3.; Brownlee and Stemplowska, 2016, pp. 4-5). In this thesis my aim is to make use of thought experiments which are close to reality. However, due to the early stages of the use and development of

15 “Famous” examples of thought experiments in political philosophy: Philippa Foot’s/Judith Jarvis Thomson’s Trolley problem, G.A. Cohen’s Camping Trip (used as a starting point to challenge the idea that socialism is infeasible and counter-intuitive, and to consider whether societies are relevantly distinct from camping trips, or whether societies that cultivate the mechanisms to harness human generosity could be governed by socialist principles), and John Rawls’s Original Position (used to offer support for a liberal-egalitarian conception of justice (Brownlee and Stemplowska, 2016 pp. 2-3).

16 Some early revisionists relied heavily on highly artificial cases (e.g., McMahan 1994; Rodin 2002). They were criticized for this by traditionalists, who generally use more empirically-informed examples (Walzer 2006).

(Lazar, 2020, chapter 2.3).

(18)

13

cyberwar as a concept and our limited experience with cyberwar, some hypotheticals are required, in my opinion.

3.4 Four minimum requirements for good practice

Thomas Søbik Petersen suggests four minimum requirements which in his opinion are fundamental tools to develop political theory, and which ensures a satisfying practice of the method of reflective equilibrium. These will serve as the guiding principles of this investigation.

First, the criteria for evidence. This criterion simply implies that one should not make a claim without being able to support it to a satisfying degree. Second, the demand for precise definitions. With precise definitions the author makes sure that the reader understands what he/she is writing. The third criterion Petersen mentions is “empirical objectivity.” Because normative theory often needs to consider empirical claims, it is important to do this in an objective manner. And, lastly, the criterion of consistency, which simply means that one should avoid contradictions (Petersen, 2016, pp. 131-144).

(19)

14

4.0 Theory and definitions

This chapter will first present and explain some key terms and concepts used in this thesis. I will also attempt to clarify the how some of the terms used in the following chapters are defined and understood within the legal literature, to avoid any misunderstandings. This will hopefully ease further reading and clarify any uncertainties. Thereafter I will briefly describe the main elements of just war theory, which serves as the main theoretical starting point of the thesis’

investigation.

4.1. Definitions

War

A useful starting point to understand what we mean by cyber warfare, is to define the concept of war. One of the most influential understandings of this term stems from Prussian military general and strategist Carl von Clausewitz who defined war as “an act of violence intended to compel our opponent to fulfill our will.” (von Clausewitz, 1968, p. 101). In other words, according to Clausewitz, war is something organized and violent, and done for some second- order purpose. States do not go to war simply to commit violence, but to impose their will upon other states.

Cyberspace

As with the concept of war, various definitions of cyberspace or the cyber domain, have been put forward. One of them was presented in the 2014 report on cybersecurity by the National Academies in the United States, which provided the following rough definition: “Cyberspace consists of artifacts based on or dependent on computing and communications technology; the information that these artifacts use, store, handle, or process; and the interconnections among these various element….” (Clark, Berson & Lin, 2014, pp. 8-9).

Cyber warfare

Merging the two definitions above (of war and cyberspace) together, cyber warfare can be understood as “an act of violence conducted by, or targeted at, information communication technologies intended to compel our opponent to fulfill our will.”

Sovereignty and the right to political Self-determination

Sovereignty has long been established as a fundamental principle of the international legal order. Ruys and Verhoeven (2005, p. 310), for example, stress that state sovereignty “is and remains one of the basic pillars of international law and order and should not lightly be

(20)

15

violated.” The term “sovereignty” has had different meanings across history, but its core meaning remains the same: supreme authority within a territory (Philpott, 2020). Sovereignty is composed of several rights that states and their citizens possess that makes it possible to maintain a political community capable of self-determination (Smith, 2018, p. 227). Political self-determination typically refers to “the process though which political communities govern themselves by autonomously choosing how to act” (Renzo, 2018, p. 713). Smith (2018, p. 227) argues that two rights are especially important to maintain collective, political self- determination. The most obvious is the right to territorial integrity. And, second, political autonomy, defined as individuals and their collectives right to deliberate and implement policies as they see fit. In short, political self-determination can be defined as the people’s right to direct their own affairs within their own territory (ibid).¹⁷

Aggression versus Use of force versus Armed attack and the right to national self-defense The prohibition against threatening with, or use force against the sovereignty of other states, as stated by Article 2(4) of the UN Charter:

All Members shall refrain in their international relations from the threat or use of force against the territorial sovereignty or political independence of any state, or in any other matter inconsistent with the Purposes of the United Nations (Charter of the United Nations, 1945, § 2(4)).

There is no official definition of, or criteria for, “threat of use of force” or “use of force.”

(Schmitt et al., 2013, p. 47). The main exception to the prohibition of force is the “inherent right of individual of collective self-defense” against an “armed attack” recognised by Article 51 of the Charter as well as customary international law of self-defense. Both branches of the law seem to agree that what triggers the right to self-defense is an “armed attack” (ÖyküIrmakkesen, 2014, p. 6). This raises the question of what the difference is between “use of force” and “armed attack.”

Although no definition of what constitutes an armed attack is provided in the Charter, it has been accepted that an armed attack is a use of force, defined as such by its gravity and its effects

17 For examples of more robust discussions about political self-determination, see for example: Altman, Andrew

& Wellman, Christopher. (2009). A Liberal Theory of International Justice. Oxford University Press. Chapter 2;

Rawls, John. (1999). A Law of Peoples. Harvard University Press; and Walzer, Michael. (1985). The rights of political communities. In C. Beitz (ed.) International Ethics. Princeton University Press.

(21)

16

rather than by the instruments used. The IJC has stated that an armed attack is the “most grave form of the use of force.” In other words, not all types of use of force triggers the right to self- defense, only the gravest forms, which falls under the definition of “armed attack.” One could therefore say that there is a “force gap” between articles 2 and 51 of the Charter and that not every use of force can be replied by an exercise of the right to self-defense (ibid., pp. 5-6;

Schmitt et al., 2013, pp. 48-49).

Another similar term which is often used in the context of discussing the right to self-defense is “aggression,” which is used in Article 39 of the UN Charter. The term is further defined in the General Assembly Resolution on the Definition of Aggression; “aggression is the use of armed force by a State against the sovereignty, territorial integrity or political independence of another state, or in any other manner inconsistent with the Charter of the United Nations, as set out in this definition.” This definition is similar to Article 2(4) which prohibits the threat or use of force. However, it does not include the word “threat.” Consequently, it seems like an act of actual use of armed force is required for the action to be defined as aggression. Today, it is accepted by most that an armed attack necessarily constitutes aggression (ibid. pp. 4-5).

In short, according to international law, a threat or use of armed attack triggers the right to self- defense (Article 51), while other threats or uses of force (those which fall below the threshold of “armed attack,” do not. Furthermore, for an act to be defined as “aggression,” an actual use of force is required.

The terms defined above are legal terms. Within the philosophy literature, the terms “just cause”

and “casus belli” are used interchangeably to refer to acts of aggression or unfriendly acts which can potentially justify a unilateral military response by the victim state (“casus belli”, 2021).

In this thesis, the terms aggression, use of force, armed attack, just case and casus belli will be used interchangeably, and will refer to acts which should generate a prima facie right to respond with kinetic force (i.e. trigger a constrained right to self-defense).

I would like to make a small digression here.

Legal principles often serve as points of departure for my investigation of the morality of the use of force. At several junctures in the discussion, I will call attention to the current contents if international law pertaining to the use of force by states. However, I keep questions about morality and questions about legality apart. This being said it is clear that law and morality are related to each other. We often think of the law as representing right and wrong, morally

(22)

17

speaking. However, morality might not always be translatable into law, for example owing to consequentialist considerations. The latter point is important with respect to the subject matter of this thesis. Behind the prohibition of force articulated in article 2(4) of the UN Charter, and the high threshold for triggering its exception in article 51, lies a purpose of limiting the extent of international armed conflict (and the harms which follow) as much as possible the conclusions of this thesis may be invoked as an argument for lowering this threshold. Still, I do not take an explicit stand on the question of whether or not these conclusions provide a conclusive case for revision of the relevant parts of current international law.

4.2 Just war theory

Some academics reject the idea that war can ever be “moral,” while for others, no plausible moral theory can justify the horrors of war. The first group are sometimes referred to as realists, and the second as pacifists. The task of just war theory is to strike a balance between the two:

to justify some wars, but also to limit them (Lazar, 2020). In other words, just war theorists combine a moral aversion and skepticism towards war with the acceptance that war may (in certain situations) not be the worst option. The purpose of JWT then, is to ensure that the war in question can be morally justified. This is done through the consideration of a series of criteria, all of which must be met for war to be considered just. The criteria of the just war tradition thus act as an aid in determining whether resorting to arms is morally permissible (ibid).

The criteria are split into two groups:” right to go to war” (jus ad bellum) and “right conduct in war” (jus in bello). This thesis focuses on jus ad bellum. The ad bellum criteria are just cause, competent authority, right intention, probability of success, last resort, and proportionality (Mosley). Because this thesis focus is just cause and proportionality, these criteria will be described in greater detail in chapters 5 and 6.

Having a just cause is the first and arguably the most important condition of jus ad bellum.

Most theorists are of the opinion that initiating acts of aggression is unjust and gives a group a right to defend itself. However, without a clear definition of the term “aggression,” this proscription is quite open-ended (Mosley; Lazar 2020). As previously mentioned, the current consensus is that “aggression” can be defined as acts which cause significant physical effects and may justly be resisted.

The second ad bellum criteria is that resorting to war should always be the “last resort”

(necessary). This criterion implies that all other possible solutions must have been attempted (or seriously considered), before declaring war. In other words, going to war must be compared

(23)

18

to other available means to deal with the enemy. In short, the reasoning behind this requirement is what Clausewitz referred to as the “fog” of war. Larger conflicts often get out of control, and the danger of escalation and the resulting physical damage, as well as economic and social consequences have led to the natural recommendation that war should not be lightly accepted (Mosley; Lazar 2020).

The third criteria, proper authority, seems to be mostly resolved, and not very controversial¹⁸, as least in its ideal form. The proper authority to declare war obviously resides in the sovereign power of the state (ibid). In this thesis, as it will assume that all the ad bellum criteria are fulfilled, and only will explore just cause and proportionality, we will assume that all states possess the characteristic of this ideal (just) type of authority. Without going into too much detail, problems which could arise without this assumption is connected to the fact that all governments are of course not considered “just.” The notion of proper authority therefore normally requires thinking about what is meant by sovereignty, what is meant by the state, and what is the proper relationship between a people and its government (ibid).

Right intention is also less problematic (theoretically). The core of the concept is that a state choosing to initiate war should do so for the cause of justice, and not for other reasons, such as for example national self-interest (e.g. to gain strategic economic or political benefits). This implies that a state cannot justly initiate a war if reasons of national interest are paramount or overwhelm the pretext for fighting aggression¹⁹ (ibid).

The next principle is that of reasonable success. It is a necessary condition for waging just war but it is insufficient by itself. Provided that the victim state has a just cause and right intention, there must be a reasonable probability of success. The principle is consequentialist in that the costs and benefits of a campaign must be calculated (ibid).

The final guide of jus ad bellum is he principle of proportionality (ibid). Because this principle is a central part of the further analysis in this thesis, it will be further defined and explored in chapter 6.

18 Although some have expressed skepticism towards why the traditional notion of legitimate authority plays a role in determining the justness of war. See for example: Frowe & Lazar. The Just War Framework.

Forthcoming in Lazar and Frowe (eds). Exford Handbook of Ethics of War. New York OUP, p. 8:

https://helenfrowe.weebly.com/uploads/8/1/6/0/8160867/frowethe_just_war_frameworkoxhandbook.pdf

19 “Right intention” of course causes many philosophical problems, but these will not be discussed here.

(24)

19

5.0 Just cause

This chapter will address the following question: Can a bloodless cyberattack constitute just cause, and thus trigger the right to national self-defense? Before embarking on this question, I will briefly account for the relationship between just cause and the right to national self-defense as it is understood in the just war tradition.

5.1 Just cause and the right to national self-defense

A casus belli or just cause (occasion for war) is, as previously mentioned, an act or event that provokes or is used to justify war (Robinson & Davidson, 2001, p. 219). Traditional just war theory recognizes two kinds of justification for war: national defense (of one’s own state or of an ally) and humanitarian intervention.²⁰ This thesis’ focus is only on the first. The act which is considered to trigger the right to national self-defense, and thus seen as a just cause, is the act of aggression, which has long been understood as the use of physical or violent means to achieve a political objective (Lin, Rowe and Allhoff, 2012; Smith, 2018, p. 222). As mentioned in both the introduction and background chapters of this thesis, it has been suggested to amend this definition to aggression being acts which cause significant physical effects - due to (among other things) the implausible implications for cyber warfare. However, this adjustment still leads to the implication that most cyberattacks do not constitute just cause because they usually do not generate such consequences. In the following I will describe and discuss an alternative framework referred to as “The Sovereignty View,” which I consider to be a compelling (possible) justification for why some bloodless cyberattacks should constitute just cause. Then, I will briefly look at some implications of this framework our question and for the cyber domain.

5.2 A justification for the right to national self-defense in bloodless cases: the sovereignty-based approach

Before we embark on the details of The Sovereignty View, it can be useful to place it within the larger literature on the ethics of cyber warfare, which was briefly described in chapter 2. As mentioned, there can be identified different lines of thought regarding whether the introduction of cyber weapons raise new ethical questions, and if so, how they should be approached (ref.

sceptics, radicals and moderates). The Sovereignty View can be placed in the camp of the moderates, who are of the opinion that the new ethical questions that arise with cyber warfare

20 In recent years, the argument for a right to act in self-defense to pre-empt and anticipated attack has gained support in the West (in addition to aggressive acts already conducted and the principle of R2P/humanitarian intervention). This thesis will not explore this argument in relation to cyberattacks.

(25)

20

can be solved within the JWT framework. However, The Sovereignty View should be considered a further revision of the JW framework than the effects-based approached discussed in chapter 2.

In the following I will describe and discuss The Sovereignty View, which was first presented by Patrick Smith in his article “Cyberattacks as Casus Belli: A Sovereignty-Based Account”

from 2018. In short, Smith argues that “legitimate”²¹ states have a constrained right to unilaterally respond with military force to unfriendly actions that bypass or overwhelm the political deliberations of the target state in order to force a change in behavior contrary to the determinations of the people of the target state” (Smith, 2018, p. 222). Which arguments and considerations lie behind this conclusion?

The starting point for Smith is his critique of the theoretical consensus previously described (that attacks which causes significant physical harm are those which should be considered an act of aggression). Smith particularly highlights two issues with this view.

First, by arguing that only death and physical destruction are relevant, the current consensus implies that territorial faits accomplis²² and overwhelming invasions do not constitute casus belli. In the case of a territorial fait accompli, an enemy state will cross the border of another and occupy its territory before it is able to resist or respond. Consequently, the invaded country has no right to unilaterally respond in self-defense because the invading state did not cause any damage. Similarly, if an enemy state attacks another by overwhelming force, and the victim state consequently decides not to resist, either because it is too intimidated to do so or because it decides that it would likely lose a confrontation, the invaded country is not subject to armed attack according to the current consensus. One may attempt to answer this challenge by including violations of territorial sovereignty as another element of the consequences that give rise to a right to unilateral defense, but as Smith points out, it is hard to see how even relatively trivial acts of espionage, surveillance or economic cyberwarfare fail to violate the sovereignty of the target state in at least some minimal ways (ibid., pp. 224-225).

Second, Smith argues that the current theoretical consensus is implausibly inflationary regarding the types of political actions that give rise to a unilateral right to self-defense. His

21 Legitimate in the moral sense (Smith considers sovereignty to be a right that is gained through the state’s treatment of its citizens. One implication of this vies is that there would be a difference in the number of casus belli between legitimate and non-legitimate states. In this thesis however, legitimacy is understood as in article 1 of the Montevideo convention. (Montevideo convention, 1933, Article 1).

22 Territorial faits accomplis are about imposing gains at the expense of an adversary without getting into a larger war. They are not conquests of states via war, but limited land grabs based on the bet that the opponent won't risk a larger fight for the territory (Kofman, 2020).

(26)

21

broad point is that by arguing that rights to self-defense are generated by a specific set of consequences (physical), then the principled difference between economic pressure and cruise missiles, disappears. One possible answer to this challenge is to argue that the attack must directly produce death and destruction. As a response to this Smith argues that it is unclear why directness matters morally, despite the fact that actions that rely on relatively long causal chains often have less certain consequences than those predicated on short ones (ibid., pp. 225-226).

To summarize, Smith’s critique of the current consensus within JWT and international law is that by focusing on the harmful consequences of acts of war, they do not have good arguments for what the difference is between a traditional kinetic attack (such as a missile attack) and other political tools (such as economic sanctions) because they have the ability to cause the same harmful consequences. Furthermore, he claims that the implications of the current consensus are implausible because there clearly are alternative ways that an attack or invasion can undermine the legitimate interests of a polity beyond causing physical damage (as illustrated by the examples of territorial faits accomplis and overwhelming invasions).

In conclusion, if we choose to only focus on the significance of the physical effects of an attack, we include too many other things potentially as equivalents to conventional, armed, kinetic attack and hence, potentially as just cause for defensive armed force (such as economic sanctions).

As an attempt to solve the problems outlined above, Smith presents what he calls “The Sovereignty View.” As the name implies, this view is based on the Sovereignty principle.

Today, the norms of sovereignty are enshrined in the Charter of the United Nations whose articles 2(4) prohibits attacks on “political independence and territorial integrity” (Philpott, 2020). As mentioned in chapter 4, and as reflected in Article 2(4) of the Charter, sovereignty is constituted of a bundle of rights that states and their citizens possess that makes it possible to maintain a political community capable of self-determination (Smith, 2018, p. 227), whereby the two most essential rights that are fundamental to collective political self-determination is political autonomy and territorial integrity. Political autonomy is understood as individuals and their collectives’ right to deliberate upon and implement policies as they see fit, and territorial integrity as the right to control over territory (ibid).

The Sovereignty View is based on the rights to self-determination held by individuals and, derivatively, collectives (rather than focusing on characterizing a set of sufficiently serious consequences). According to The Sovereignty View, casus belli are generated when one state violates the political autonomy (the right to deliberate upon and implement policies as they see

(27)

22

fit) and/or the territorial integrity of the target state. Consequently, The Sovereignty View suggests that any action that violates the political self-determination rights of the political community gives rise to casus belli, and that a cyberattack is a casus belli when it is an imposition of will upon a community in order to generate specific, politically relevant result²³ (ibid., p. 229). It is important to note that it is not the case that any infringement on any person’s ability to self-determine in any spere generate casus belli. The rights we are interested in are those to political self-determination. As Smith points out, it might be possible to undermine a states’ cultural or economic position in ways that do not undermine anyone’s ability to engage – or engage adequately – in the political process that determine policy (ibid., p. 227).

Smith points to one potential problem with this argument: many minor and intuitively peaceful cyberattacks seem to violate the sovereignty of the target state. His solution to this problem is twofold. First, he points out that not all constraints on the political autonomy of a political community are equal. The key difference, he argues, is whether the unfriendly strategic action aims to achieve its political objective through or in spite of the deliberations of the target state.

As Smith puts it: “some unfriendly actions impose costs on the target state with the hope that the state will change its policy (such as economic sanctions); other actions attempts to force a change in policy despite resistance” (ibid., p. 228). Smith argues that only the latter - impositions of will - generate qualified rights to a unilateral military response in self-defense.

Second, even though one implication of the SW framework is that many trivial cyberattacks violate the sovereignty of the target state, and thus generate casus belli, many of them will also be “stopped” by the proportionality constraint (they only generate a prima facie right to self- defense) (ibid).

To sum up, The Sovereignty View suggests that an unfriendly strategic action generates a unilateral right to use military force in self-defense under two distinct circumstances:

23 This argument is (amongst other things) based on Smith’s argument that an action by state A which only puts pressure on state B to change its policy still treats its citizens as agents, while an action that forces a change in policy (despite the deliberations of the target state), treats the target as an object whose agency or judgement is irrelevant. According to this view, will imposition thus represent a particularly egregious violation of an agent’s right to self-determination (Smith, 2018, p. 230).

(28)

23

1) The unfriendly state may impose a set of costs that are sufficiently burdensome and sufficiently well-targeted that they undermine²⁴ the very ability of the targeted state to engage in political self-determination (ibid., p. 231).²⁵

2) The unfriendly state may impose its will upon the targeted political community.

This second casus belli have two features: firstly, it must be disposed/designed to overwhelm, bypass, or override resistance by the target state in order to achieve a particular objective and secondly, that objective must be of a relatively political character (ibid).

A few concepts within these two circumstances needs further evaluation and clarification. First, the concept of resistance. Smith argues that only minimal resistance is needed for this criterion to be fulfilled (ibid., p. 234). It seems that this is because resistance is a clear indication of whether the attack can be characterized as an imposition of will, rather than an imposition of costs. If I try to resist a certain act from being executed by someone else, this implies that I do not want that person do whatever he/she is attempting to do – it is being done against my will.

Examples of making resistance within the cyber domain could be to have passwords, firewalls, consulting with people responsible for IT security at your workplace etc. An implication of this is that hostile actions that give way immediately in the face of resistance are not impositions of will. If I withdraw when I am faced with any resistance whatsoever, then it is implausible that I am attempting to impose my will (ibid., p. 232).

Second, what exactly is meant by “the objective must be of a relatively political character?” or in other words, what gives an objective the characteristic of being of a political character?

According to Smith, “the cyberattack must be aimed at a relevantly political interest that is part of the self-determination of the target community“ (ibid., p. 231). What gives the objective a political character then, is the fact that it undermines, changes, or violates political or legal rights which are themselves outcomes of the political deliberations that constitute collective political self-determination (ibid). One consequence of this argument is that the explicit objective with the attack does not have to be to undermine or violate such rights in order for the attack to constitute casus belli. The goal of the aggressor could for example be economic or cultural on its surface (e.g. to gain an economic advantage by harming American companies)

24 To erode the base or foundation of OR lessen the effectiveness, power, or ability of, especially gradually or insidiously.

25 This implies that for example economic sanctions could become casus belli – if sufficiently burdensome and well-targeted.

Bloodless Cyber Invasion and the Right to National Self-Defense