Cyber Ethics Vex Online Warfighters
The United States wrestles with daunting guidelines to carry out warfare in the fifth domain.
A burgeoning breed of combatants fights in a convoluted new domain where no one has blazed a trail, where no history books offer lessons or guidance. These warriors sometimes use untested offensive and defensive network maneuvers to secure cyberspace, the increasingly important and congested battleground rapidly becoming the attack venue of choice.
The technology to succeed in this ongoing fight actually already exists, as does the well-trained work force, experts say. The question now hovers over what ethical guidelines the United States will employ to carry out cyber warfare—where dynamic real-world events shape the malleable rules of engagement.
“We are responsible for training technically and tactically competent leaders who are about to enter a world where they have to make decisions that have never been made before—in a very sort of cloudy and complex environment,” says Maj. Charlie Lewis, USA, chief of the Cyber Leader College at the Army Cyber Center of Excellence, Fort Gordon, Georgia. “We’re expecting a lot [from] these 23-, 24-year-olds.”
Military leaders must consider the ethics of warfare as they draft policies that will govern cyber operators’ missions in this disruptive experience of war, says Gen. Larry D. Welch, USAF (Ret.), the 12th chief of staff of the U.S. Air Force. “The cyberwarrior encounters a moral issue ... only if the legal order is seen as morally unacceptable. While that has been an issue in other domains in the past, it is, in fact, less likely in the cyber domain. Cyberwarriors simply do not face the kind of conditions that produced the My Lai massacre, for example,” Gen. Welch says of one of the most horrific incidents of U.S. violence against civilians during the Vietnam War. “They don’t operate out in an environment where [they are] responsible for the life or death of some set of warriors who operate alongside of them.”
The last time the United States faced such a massive paradigm shift that produced new warfighting doctrine was 70 years ago, following the deployment of the atomic bomb. “We’re in an analogous experience now with the advent of cyberspace,” says Col. Timothy S. Mallard, USA, the command chaplain at the Cyber Center of Excellence, who led a panel discussion on cyber ethics in August during AFCEA International’s TechNet Augusta conference. “What you have is the fifth domain of war. I want to start with the premise that the most dangerous thing we can do as a military … is to have an unconscious, unreflective practice of cyber war.”
Fundamentally, the Army’s ethical approach to cyber warfare varies little from the overall approach to all operations, offers Col. Jennifer Buckner, USA, Army Cyber School commandant. Cyberwarriors learn foundational cyber ethics, laws, policies and regulations; at least three cyber schools guide both the intelligence and cyber communities. “There are probably far more of the rules and ethics that we currently abide by … even in cyber, than some people would perhaps appreciate,” Col. Buckner says.
Still, several unanswered questions remain. What constitutes an attack? What are the rules? Would the cyber theft of a private company’s proprietary information by a nation-state be tantamount to an act of war?
“We see some very loose use of terminology that we apply to cyber that we don’t apply to other domains,” says Gen. Welch, the former president of the nonprofit Institute for Defense Analyses who now serves as a senior fellow there. “For example, what we would call espionage in other domains we call an ‘attack’ in the cyber world. What we call intelligence collection in other domains we tend to call an ‘attack’ in the cyber domain.”
An executive order issued in April, however, gave policy makers a little help with defining cyberspace missions by providing the clearest policy direction thus far for a national cyber response. The order calls for, in part, sanctions against foreigners who engage in significant malicious cyber-enabled activities. Titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” it details retaliatory steps and does not discriminate between private or nation-state actors.
Cyber assaults do not always merit a cyber-based response, Col. Buckner points out. “Much like any other incursion, it could merit a number of different responses depending upon the government interest,” she says. “Our job in the military is not to dictate or mandate a response, but rather to provide options for government leaders so if and when they decide to respond, we have the capability to do so. We offer a range of options that spans from very precise to a more overt action that gets everyone’s attention.
“We are the capacity that provides the ability to respond,” Col. Buckner states.
Many ethics discussions incorporate teachings from the just war theory, a doctrine that helps elucidate justifications of how and why wars are fought, Maj. Lewis says. “We discuss collateral damage—we discuss avoiding negative impact to the civilian population where feasible,” he shares. “It’s a complex environment. It is a much different environment than most people are typically used to, but we can still apply the exact same discussion points … in terms of difficult decisions that a cyber leader may have to make.”
Assessing collateral damage presents one of the greater difficulties. “With kinetic operations, we have a lot of practice in estimating collateral damage,” Col. Buckner says. “Sometimes, the second-, third- and fourth-order effects of actions in cyberspace we can’t predict with great certainty.”
Leaders concocting the moral standard for cyber warfare borrow too from religious doctrine, Gen. Welch offers. “There is a catechism of the Catholic Church, for example, that declares that the use of arms must not produce disorders greater than the evil to be eliminated,” he says. “The level of evil and disorder created is fairly straightforward when applied to [adversaries] dropping bombs or shooting or torturing human beings.”
It is less straightforward with cyber, where a strike could be nothing more than criminal behavior rather than a declaration of war, and boundaries are undefined. While international agreements for the so-called “traditional” combat domains of air, land and sea contain definitions of national sovereignty, in the cyber world this does not exist, Gen. Welch says. “If you enter the United States without some kind of official authorization, it’s a crime, and there’s no confusion about that. But in cyberspace, there’s mass confusion. I can wander around all over the Internet in China or Russia or any other country, and there is no concept that I have illegally entered that nation until I pass some kind of physical or conceptual boundary that is, in fact, not defined.”
Ethics discussions extend beyond the Defense Department’s perimeter to include what role, if any, the private sector should play in cyberspace operations. Although the military historically has relied on industry for help in defending the nation, such involvement in the already convoluted cyberspace proves worrisome, warned Adm. Michael Rogers, USN, director of the National Security Agency and commander of U.S. Cyber Command, at a recent industry event.
The country does not need cyber privateers, he says.
“I still believe that, in broad terms, the application of force … should be a [military response],” Adm. Rogers said during an SAP NS2 Solutions Summit in October. “I still believe that the nation-state is best posed to apply force. And I worry about what the implications are if we’re going to turn that over to the private sector.”
And vice versa. The November 2014 Sony Pictures Entertainment hack perpetrated by North Korea forced an out-of-the-ordinary military response to an otherwise criminal act. But failure to publicly acknowledge the hack and identify the aggressors risked sending mixed messages, Adm. Rogers said. He fears that nation-states or groups might “conclude this behavior must be seemingly acceptable or permissible,” or that businesses might conclude the government did not have their backs. “My concern was the private sector will say, ‘OK, if I can’t count on the government to do something, that means you’re turning this problem over to me,’” he shared.
“It’s the Wild West in some places already,” Adm. Rogers said. “You don’t need more gunslingers out on the street.”
The Sony hack and other high-profile breaches provide fodder for cyber operators in training, Col. Bucker says. “Every case, and certainly those that have been made public, allows us to further the discussion and advance the policy and terminology,” she says. “What is the correct response for a private company that normally wouldn’t merit a response by the government, yet [the breach] was publicly attributed to a nation-state? What is the appropriate response, and who carries that out?
“Every case, every example furthers the discussions on whether laws, policies and authorities are correct and how we might apply them,” Col. Buckner concludes.
The pervasiveness of cyber attacks is both a strength and a weakness of the domain, Gen. Welch offers. “Perhaps the vulnerability in the cyber domain is more worrisome because it has such a strong impact on our effectiveness in other domains.
“Is it a vulnerability that we just need to ring our hands about? No,” he adds. “We know how to protect; we know how to manage the vulnerabilities. We know how to deal with the risks. We just need to do it.”