AFIT alum Maj Benjamin Ramsey (PhD Computer Science, 2014 & M.S. Electrical Engineering, 2009) wrote an article titled “An Ethical Decision-Making Tool for Offensive Cyberspace Operations” published in the Air & Space Power Journal, Volume 32 Issue 3, Fall 2018. The full article can be read on pages 62-71 here. An excerpt of the article is below.
Disclaimer: The views and opinions expressed or implied in the Journal are those of the authors and should not be construed as carrying the official sanction of the Department of Defense, Air Force, Air Education and Training Command, Air University, or other agencies or departments of the US government. This article may be reproduced in whole or in part without permission. If it is reproduced, the Air and Space Power Journal requests a courtesy line.
Although international cyberspace espionage has been around for decades, offensive cyberspace operations (OCO) designed to create wartime effects are relatively nascent. The USAF added cyberspace as a domain in which it would “fly, fight, and win” to its mission statement in 2005, but the development of a sizable military OCO force in the US did not begin in earnest until the establishment of US Cyber Command (USCYBERCOM) in 2010. Meanwhile, only a few international examples of successful OCO integration into military operations have yet been made public. For example, OCO suppressed Syrian air defenses during the 2007 Israeli air strikes and coordinated OCO bolstered the 2008 Russian invasion of Georgia.1 As USCYBERCOM reaches full operational capability, it is imperative that it conduct OCO, not only in accordance with international law, but also in an ethically responsible manner.
The most comprehensive study to date on the applicability of international law to cyberspace conflict is the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, in which 19 legal experts under the direction of Professor Michael Schmitt derived 154 black-letter rules from existing law.2 The legal experts reached a consensus on 108 of these rules, including some straightforward applications of the Law of Armed Conflict (LOAC) to civilian protections. Legal opinions were divided on the remaining 46 rules, 9 of which had significant aspects relevant to OCO but also eluded a majority opinion. This article recommends an ethical decision-making tool for OCO and uses those contentious nine legal rules from the Tallinn Manual 2.0 as example cases to consider ethical and sustainable norms in cyberspace.
Ethical and Legal Norms for Offensive Cyberspace Operations
The first ethical analysis of OCO by a moral philosopher was by philosophy professor Dr. Randall Dipert in 2010.3 In his work, Dipert articulated three of the most challenging aspects of OCO: operations can be nonattributable, defenses are expensive and failure-prone, and there are no rare or exotic components in OCO weapons that could inhibit their proliferation. Dipert also argued that existing international law and Just War Theory do not straightforwardly apply to OCO. Militaries can dramatically weaken opponent forces using OCO without necessarily causing death or permanent property damage, and thus circumvent the casus belli of traditional Just War Theory. Most importantly, Dipert predicted a long period to come of “low-level, multilateral cyberwarfare, a Cyber Cold War, as a game-theoretic equilibrium is sought.”4
Dr. Brian Mazanec, a defense and strategic studies professor, came to a similarly bleak conclusion in his rebuttal to optimism about international cooperation and order in cyberspace: “norm evolution theory for emerging-technology weapons leads one to conclude that constraining forms for cyberwarfare. . . may never successfully emerge.”5 The principal actors for OCO include the US, China, and Russia, none of which consider the emergence of constraining norms that would curtail sovereign options to be in their self-interest.6
Russia and the US appear to be trending toward a consensus that OCO: (1) should never deliberately harm civilians and civilian infrastructure, (2) should be directed at legitimate military targets with the aim of minimizing collateral damage, (3) are equivalent to kinetic attacks of equal harm, and (4) is constrained by the principle of economy of force.7 Unsurprisingly, these rules also appear in the Tallinn Manual 2.0 with substantial legal expert consensus.
Perhaps no legal area concerning OCO is more contested than that of jus ad bellum (right to war), or what OCO actions could trigger armed conflict. While China and the US have officially agreed to “pursue efforts to further identify and promote appropriate norms of state behavior in cyberspace,” a significant divide exists between the Chinese and US positions on OCO use of force.8 For example, the Chinese position is a strict positivist reading of the United Nations (UN) Charter’s prohibition on the use of force, and in March 2017 the first official Chinese cyber strategy called on all states to avoid cyberspace militarization.9 Conversely, the US position is that the “inherent right of self-defense potentially applies against any illegal use of force” (emphasis added).10 The perspective of the Tallinn Manual 2.0 falls between the Chinese and US extremes concerning the use of force; the Tallinn Manual 2.0 reflects the position in the 1986 International Court of Justice case of Nicaragua v. United States that there is a difference between “use of force” as used in Article 2(4) of the UN Charter and “armed attack” that justifies self-defense under Article 51.11 China, thus, rejects the Tallinn Manual 2.0 perspective as too permissive, and the US rejects the same perspective as too restrictive.
A compelling solution to the challenge of normalizing international OCO without imposing stipulations is to follow the successful example of how the 2009 Montreux Document on Pertinent International Legal Obligations and Good Practices for States Related to Operations of Private Military and Security Companies during Armed Conflict addressed private security companies.12 The Montreux Document underscored best practices that developed from the failure of existing laws and regulations rather than assert policies and restrictions on state operations. Events such as the 2007 Nisour Square incident in Baghdad, when US military contractors killed 17 civilians while escorting an embassy convoy, fostered international resolve to clarify “what the role for [private military and security companies] in armed conflicts is and should be.”13 The first half of the Montreux Document outlined pertinent legal obligations, and the second half outlined good practices for states to follow that were not legally binding. The Montreux Document stated early on that it was not the final word on the matter, but that this was also never the intention.14 Cyberspace is a domain different from all others in that the US is no longer the single dominant state for force projection; the multipolar nature of power and influence in cyberspace means that norms can only emerge from the shared objectives of all principal actors involved.
Read the remainder of the article here.