Ethics and Cyber Warfare: The Quest for Responsible Security in the Age of Digital Warfare by George Lucas

Ethics and Cyber Warfare: The Quest for Responsible Security in the Age of Digital Warfare, George Lucas (New York: Oxford University Press, 2016), 208 pp., $36.95 cloth.

In Book II of Plato’s Republic, Adeimantus and Glaucon bemoan the state of humanity that requires us to consent to an externally imposed political order. Would that more people realized, Adeimantus laments, that by being unjust we are “living on intimate terms with the worst thing possible.” While this might seem anachronistic in a discussion on cyber warfare, let there be no doubt: George Lucas’s Ethics and Cyber Warfare is a contribution to the ongoing quest to structure a community around a public conception of the Good, in order that we might prove ourselves worthy of self-governance. It is a reminder of the disorienting effects of emerging technologies that this question has arisen once again in the context of cyberspace, and it is a testament to Lucas’s insight that his book advances this age-old project. At turns optimistic, regretful, and fiercely critical of previous debates, the book contributes much-needed scaffolding for these discussions.

Lucas’s book can be broken into several discrete projects. The first is to introduce and defend a new category of analysis: state-sponsored hacktivism. The range of malicious behaviors in cyberspace defies our traditional categories. Wading into this “epistemological crisis” can seem, in Mikhail Lermontov’s words, like fighting a battle at night with a phantom. Lest we think that these questions are merely academic, recall that Estonia, in the throes of the 2007 distributed denial-of-service (DDoS) attack that crippled its communications and banking systems, considered requesting military assistance from NATO, which would have required the judgment that this cyberattack was the equivalent of a conventional attack (p. 116).

The case of Stuxnet remains the most promising candidate for bona fide cyber warfare—that is, cyber operations with physical effects equivalent to those of conventional armed attacks. But short of this standard, which cyber actions should command our attention? The recent and deeply unsettling revelations of Russian meddling in the 2016 U.S. presidential election push the boundaries of our categories. Lucas’s category of state-sponsored hacktivism includes cyberattacks “explicitly intended . . . to impose the cyber aggressor’s political will upon its adversaries through nonpolitical means” (p. 9, emphasis in the original). This is, for Lucas, the new face of conflict in cyberspace, which lies “just under the threshold of full attribution and response,” and which makes this type of action all the more difficult to appraise and counter (p. 127).

A second project of Lucas’s book is to identify emerging norms in cyberspace and defend their normative force. Just as any group would chafe under the yoke of a legal regime imposed on them from above, any attempt at top-down legislation risks coming off as stipulative cultural hegemony. Our hope instead lies with the crystallization of emerging norms formed through a genuine process of reflection by practitioners. Governing cyberspace has proven no different. Witness, for example, the 2013 Tallinn Manual, which was an effort by legal scholars, convened by NATO, to apply existing international law to cyberspace. Its reception and influence have been mostly disappointing, however. The central problem with the Manual was that it “did not ‘emerge’ from any such authentic process,” but rather was deaf to the goals, values, and concerns of those it purported to govern, especially those besides NATO and its ideological allies (p. 76). Bottom-up norms, by contrast, arise out of “reflection on better and worse reasons for engaging in otherwise-proscribed behavior” by the relevant community of practitioners, namely, cyber warriors (p. 46, emphasis mine). And the good news is that the major powers in cyberspace—including Russia and China—are, in fact, “stumbling, blindly and inadvertently, toward a consensus about what behavior is permissible during a cyber conflict” (p. 118). Lucas outlines these norms, which are isomorphic to already broadly accepted moral norms of jus in bello conduct.

But the extent to which this consensus is superficial seems an open question. While parties may agree on the major premise, the minor premises remain the focus of intense controversy. What is initially promising agreement over, say, the principle of proportionality turns out to be illusory if we cannot agree on which particular instances of violence really are proportionate—and we have seen this disagreement play out in cyberspace.

The third project, taken up in the book’s final chapters, is a qualified defense of the National Security Agency’s surveillance infrastructure—which aims to track “any device, anywhere, all the time” (p. 11, n. 1)—as a tool of preventive war. Such an infrastructure is emblematic of “the new norm of responsible state behavior” (p. 160), criticizable according to Lucas only for having been shrouded by the pathological secrecy characteristic of the intelligence community (p. 142). Lucas suggests a list of constraints on surveillance, resembling, once again, a rough just war framework (p. 154). Though he acknowledges the evidence primarily missing from these debates—and necessary before the public could give meaningful consent—is whether the programs have been effective (p. 165, n. 2). Lucas finally laments that Snowden’s misguided whistleblowing betrays a broader ignorance among rank-and-file cyber warriors, and his book ends with a call for the development of a code of ethics for the profession, a project already helmed by some promising theorists.

Much of Lucas’s defense of the surveillance state depends on a rejection of calls for true anonymity in cyberspace, which he regards as fatal to efforts to attribute and interdict malicious action therein. Lucas treats this widespread concern with palpable disdain, saying “there is no legally justified or morally legitimate activity pursued anonymously that could not just as well be pursued with full transparency and disclosure in public” (p. 135, emphasis in original). I find this worrying. We have known at least since the 1975–1976 Church Committee that centralized retention of data can be an attractive nuisance. (The same lesson was reinforced recently by Operation Choke Point, a 2013 initiative asking banks to report “high-risk” transactions, such as payday lending, gambling, escort services, and gun purchases, to the Department of Justice. Operation Choke Point resulted in frozen bank accounts for many people who had done nothing wrong, and showed once again that a powerful surveillance apparatus in the hands of political actors will inevitably be bent toward controversial political ends.) Lucas places his faith in “rigorous adversarial review” and oversight of the NSA’s surveillance apparatus (p. 138). However, this faith seems untenable in light of the fact that the U.S. Foreign Intelligence Surveillance Court has rejected less than one-tenth of 1 percent of the surveillance requests brought before it, according to the Wall Street Journal (June 9, 2013).

While I appreciate the urgency of the threat and the wickedness of the problem of policing cyberspace, I remain uncomfortable in the knowledge that my communications, transactions, and movements are accessible through a system carved, ultimately, from the crooked timber of humanity. But I will happily admit that these disagreements do little to detract from my appreciation of the book and its contributions. I suspect that my worries could be neutralized while still retaining some form of government surveillance.

It is a hope as old as philosophy that we might outgrow our need for externally imposed order, that we might master our pleonectic and destructive impulses, and that we might collectively prove to be, in Adeimantus’s words, “our own best guardians.” Lucas laments in his preface that any account of cyber conflict quickly becomes outmoded (p. ix). This may be true of books that attempt to provide a snapshot of current events, and there is a respect in which Lucas’s work is already behind the times since our conversations have become consumed—for the moment—by Russian cyber intrigue. But other books are successful as foundations upon which later works can build. Ethics and Cyber Warfare manages to be both. Accessible, lucid, and brimming with insight, members of the academic, military, and intelligence communities would do well to read it carefully.

—Ryan Jenkins

Ryan Jenkins is assistant professor of philosophy and senior fellow at the Ethics + Emerging Sciences Group at California Polytechnic State University in San Luis Obispo. He studies the ethics of emerging technologies, including cyber war, driverless cars, and autonomous weapons.