Cyber Ethics: On the Use of Ethical Considerations in Hybrid Warfare
Abstract: This paper addresses the role of ethical considerations in hybrid warfare. In particular, it seeks to outline how cyber operations in the context of hybrid warfare can meet the demands of justice. However, the emerging field of cyber ethics faces several objections regarding its practical use. To the extent these objections can be avoided, ethics must avoid the grand schemes of regulation and take its cues from the strategic use of cyber capabilities. The paper will start with a brief outline of the problem of cyber ethics and situate “cyber” within the concept of hybrid threats. It examines the purposes of ethical considerations in cyber warfare, especially concerning the tension and possible convergence of ethics and strategy. Exploring the notion of justice as understood by ethics and international law, it finally discusses the uses of just war theory in cyber warfare.
Bottom-line-up-front: Cyber warfare seems to have little to do with ethics. What does it mean to take the ethical point of view in a field that is hallmarked by rapid technological development, high complexity, and uncertainty over the impact of attacks? This article argues that ethical considerations form an integral part of strategic thinking on using cyber capabilities.
Problem statement: How do norms for cyber warfare emerge from the cyber practice? How do ethics trace normative implications?
So what?: Compared to justice as understood by international law, cyber ethics provides a more flexible framework for cyber warfare. The findings may be put into practice by devising collaborations of ethicists with military practitioners and strategists. Practitioners would develop an ethical point of view in their core work. Ethicists would be included in workshops, negotiation processes, war-gaming exercises, and ultimately decision-making processes.
The Role of Ethical Considerations in the Use of Cyber Power
Cyber ethics can loosely be defined as the quest for responsible action in cyber warfare. As such, cyber ethics is not a settled science. A prevalent view in the emerging field of cyber ethics is the notion that we have a set of ethical principles ready to be applied to cyber warfare. This understanding misses two important questions. The first question is: Given that we can apply ethical principles, such as moral considerations on when and how to attack using cyber warfare – how do we do it? The problem is well known from the parallel emergence of international law for cyber warfare. The application of international law to “cyberspace” was aspirational, but it soon ran into insurmountable difficulties. The Tallinn Manual on the International Law Applicable to Cyber Warfare (2013) is the lasting document of both great hopes and eventual disappointment. The project failed in one crucial respect: it did not set out binding rules for cyber warfare. For the time being, the great cyber powers have no interest in submitting to strict legal norms because such norms do not correspond to their self-interests. It is legitimate in principle for states to follow their self-interests. The state-centered world order may seem reprehensible, but it is also a blessing in disguise: The great cyber powers have no self-interest in a full-scale “cyberwar.” However, they seek to preserve the latitude to respond to violations with limited cyber attacks.
The second important question is: Which ethics? Here the parallels to the more or less coherent body of international law end. We cannot presuppose a clear set of ethical rules and maxims derived from a continuous tradition reaching from Aristotle to Thomas Aquinas and via Hume and Kant to John Rawls and Jürgen Habermas. The ethical positions of these philosophers and the norms they propose are vastly different.
The very foundations of ethics are as controversial as applying ethics to a new policy field. The ethical tradition of Western philosophy is not a toolbox from which we can pick what we need. Inevitably we must ask which tools are suitable. In other words, ethicists disagree with one another. Their scholarly disagreements have no relevance for the practitioner for the most part. Nevertheless, they point to a deeper crisis in the foundations. Even the simplest concepts, not only the far-reaching interpretations, are deeply controversial. The eminent military ethicist George Lucas referred to this lack of a conceptual order as the “epistemological crisis” posed by cyber warfare: “There is … a kind of incipient hysteria in the accounts offered, even in the facts themselves, let alone in the interpretations of past episodes … of cyber conflict, even after the passage of months or years … An epistemological crisis … stems from the complete lack of a comprehensive conceptual foundation or adequate interpretive framework from which to gather data, determine which data count as relevant evidence, and finally assemble that data into a coherent narrative … We find ourselves utterly lacking a broad conceptual foundation and adequate interpretive framework from which to establish order out of chaos.”
We are advised not to take cyber ethics for granted. And yet, establishing order out of chaos is precisely what we need cyber ethics for, despite the prevalent objections to ethics in the field. Granted, it is not clear from the outset what it means to take the ethical point of view in a field that is characterized by rapid technological development, high complexity, and uncertainty over the impact of attacks. Furthermore, it may seem that adversaries are not as concerned by ethical considerations as Western armies and alliances. If this assessment is correct, taking the ethical point of view comes with a tactical disadvantage. Lastly, a recurrent objection by scholars and practitioners is that “cyber” is already sufficiently covered by international law. These objections are partly warranted: they reflect a common discontent with a specific style of cyber ethics – with the appeal to “values” and human autonomy, the grand schemes of cyber regulation, and the lofty hopes for eventual cyber peace. The field would certainly benefit from a more modest approach. Discussions on the ultimate foundations of ethics should largely be avoided. The following remarks seek to exemplify a common-sense perspective on ethics in cyber warfare.
Cyber ethics is necessary, at least for the reason that there are too many unexamined ethical premises in our assessment of a cyber conflict. These unexamined premises make finding adequate, workable, practical solutions difficult. Most likely, these premises are closely linked to far-reaching assumptions on the dangers, future spread, and possible containment of cyber warfare.
The Normalization of Cyber Warfare
Public attention toward cyber warfare reached its peak around 2009/2010 when the first large-scale cyber attacks (such as distributed denial-of-service attacks on Estonia and Georgia or Stuxnet) had demonstrated the future potential of cyber power in action. The scenario of a war being waged solely between computers and facilitating large-scale kinetic destruction was haunting. Cyber wars would be entirely virtual and cause great real-world damage, especially by large-scale attacks on critical infrastructures. The next great war was supposed to be a cyber war. As cybersecurity analyst Richard Stiennon summed up the prevalent assumption at the time: “Military and intelligence leaders agree that the next major war is not likely to be fought on the battleground but in cyberspace.” Cyber warfare appeared to be the next significant threat of humankind, comparable in scope and magnitude only to the nuclear bomb during the Cold War. Just like nuclear weapons, cyber weapons would be capable of wiping humanity from the face of the earth. Other catastrophic events came into play, too. Analysts and politicians used metaphors such as “Cyber Pearl Harbor” and “Cyber 9/11,” often interchangeably, to denote a catastrophe that would replicate or even exceed the destruction of previous military or terrorist surprise attacks.
Today there is no possible strategic scenario for such a stand-alone “cyberwar.” Instead, cyber attacks occur within the framework of hybrid warfare. A future major war, then, will most likely be a hybrid war. Cyber attacks will have a share, but they will not be the central or the decisive factor. They will remain below the threshold of full war or even an armed attack. Therefore they do not, for example, invoke Article 5 of the NATO treaty (even as military doctrines would allow this in theory). There may be pinpoint attacks designed to extract money, steal information, or send a message; and there are a few larger attacks that remain limited in their scope and impact. For the most part, though, there is not even an attack, but only the possibility of an attack. Cyber warfare is far more about the cognitive effect of possible war than actual warfare by cyber means.
Cyber power has been integrated into all sorts of weapons systems and the fabric of societies as a whole, and hence it does not stand out as the predominant domain of the future. “Cyber” seems to become more and more useful as a support role, such as disabling kinetic war infrastructure, stealing secrets, and spreading disinformation. It is one among various modes of conventional and irregular warfare, such as propaganda and disinformation, blocking of waterways, and kinetic attacks (which are likely to remain rare and limited in their scope). Cyber attacks may even occur without the slightest resemblance of actual warfare. As Ben Buchanan explains: “Cyber attacks have become a low-grade yet persistent part of geopolitical competition. They happen every day. Government hackers play an unending game of espionage and deception, attack and counter-attack, destabilization and retaliation. This is a new form of statecraft, more subtle than policymakers imagined, yet with impacts that are world-changing.” Cyber war largely takes place in a grey zone of war and peace, and there is no clear path to victory or defeat. It has become an integral part of peace, hence changing the very foundations of war and peace.
This normalization of cyber warfare has many ethical ramifications. Most notably, it prompts us to manage our expectations regarding regulating or abolishing cyber warfare. The ubiquity of low-key cyber operations may be a nuisance, and cyber power may pose a continuous strategic threat. However, escalation to the point of a cyber world war seems highly unlikely. Limited cyber operations can rather prevent a larger military confrontation, reduce civilian victims, and hence work toward the pacification of warfare. Abandoning cyber weapons altogether would almost inevitably facilitate a return to airstrikes and ground troops. Unless there was to be eternal peace in a universal world-state, we must live with cyber weapons, but we can seek to contain their destructive potential.
Ethics and Strategy
The strategic changes in the use of cyber operations also compel us to reassess some of our moral judgments on the prohibitive use of cyber power. Most of all, they should no longer be grounded in fear of escalation. The logic of escalation – a holdover from the nuclear arms debate – states that small cyber operations will morph into a full cyber war. However, cyber operations do not escalate in the same way that nuclear attacks were supposed to do. As Michael Fischerkeller and Richard Harknett argue, “competitive interaction in cyberspace short of armed conflict in an agreed competition, as opposed to spiraling escalation,” provides a better explanation for the current dynamic in cyber operations. The strategic consequence is that cyber operations compel us to “compete robustly short of armed conflict.” The moral difficulty with this approach is that it requires Western states and alliances to operate in the grey zone of war and peace too.
The fact that cyber attacks remain below the threshold of war points to the emergence of a valid norm: the reasonable expectation of a devastating answer if the threshold is crossed. This inconspicuous strategic finding provides the basis, however frail, for a normative order of cyberspace absent a fixed order of international law. Notably, this norm emerges from strategy and not from ethics. Cyber ethics should avoid the grand schemes of ethical reasoning and take its cues from the strategic use of cyber capabilities. Ethics needs plausible strategy.
The close link between ethics and strategy is rather obvious in general terms. Both seek to determine the ends of human action. Both demand that we subordinate the choice of our tactical means to the attainment of these ends. Furthermore, both challenge us to determine which ends are appropriate and worth pursuing. Nevertheless, strategy is also vital as a limitation of ethical reasoning. Ethical schemes are often based on implausible assumptions on the future use of cyber technology.
It should also be noted that ethical norms that emerge from strategy are not as strict as written legal norms. Norms need to be understood in a broader and softer sense. In the first place, norms are assumptions on the expectable behavior of rational actors. These assumptions are largely derived from using cyber capabilities in practice and built in the retrospective judgment of this use. To a large extent, our understanding of cyber operations has been informed by a small number of large cyber operations – such as the DDoS attacks on Estonia (2007) and Georgia (2008), the Israeli air raid on a nuclear reactor in Syria that was prepared by a cyber attack on Syrian air defense systems (2008), Stuxnet (2010) or NotPetya (2017). Apart from the technical analysis, retroactive judgment is concerned with the political and diplomatic, legal and ethical assessment. Each of the operations is a precedent that demonstrated a new type of attack, and each was instrumental for the emergence of norms for cyber warfare. Each was by design limited in its scope, and none had the potential for escalation or even reproduction.
Following how norms for cyber warfare emerge from the cyber practice points to a minimal understanding of ethics. Ethics thus understood does not create a normative framework waiting to be adopted by practitioners. Instead, it traces the normative implications in their actions, seeking to articulate the potentials for a normative limitation of cyber warfare. Nevertheless, this is only a part of the story. Cyber practitioners must be able to determine that their actions are just. Whereas they build resilient IT systems and infrastructure, ethics helps build resilience in the realm of ideas. In the ideal case, ethics would be programmed into a framework of response to foster a “culture” of resilience against the destabilizing forces of hybrid warfare.
Justice as Understood by Ethics and International Law
Cyber operations designed to remain below the threshold of war may point to a valid norm for using cyber capabilities, but that does not mean that these operations are justified. A great number of them are outrageous, and they must be stopped or disincentivized. Stopping or disincentivizing them is just, but not all means to stop or disincentivize them are just.
From here, we can easily trace some of the ethical challenges on the geopolitical level, in the concert of great cyber powers. Despite their great differences, cyber powers such as Russia, China, Iran, and North Korea have something in common: they use their cyber capabilities to challenge the Western order. Not taking chances, they largely refrain from open military confrontations. Their methods of choice include espionage, disruption, creating political instability, and state-sponsored terrorism. Western states and alliances have built great capacities to counter such operations. But they face uncertainties over the legal and moral foundations and the purpose of sustainable cyber defense. They become entangled in ethical dilemmas, which force us to rethink the very foundations of ethics.
Hybrid warfare poses a great challenge beyond the pure military threat, especially to Western nations with their propensity to public debate. Often it is not even sure that there is war, or the openly visible aspect of warfare is only a part of a larger occurrence. Choosing the appropriate military response to violations is one thing, justifying it in the public sphere another. In the eyes of the public, the response may look frighteningly similar to the initial aggression. However, Western nations and alliances need cyber capabilities to defend themselves against a certain use of cyber capabilities. Hence they use the same capabilities for different purposes. The way they use these capabilities must be strategically sound and ethically justifiable.
To stop or disincentivize hybrid warfare, one must − at least for the foreseeable future − be willing to operate in the grey zone. Nevertheless, even in the grey zone, the demands of justice must be met. The demands of justice may even be stricter precisely because the course of action is not codified by law.
The general argument for just wars even beyond the limits of international law is less controversial than meets the eye. We all have a notion of justice beyond the positive law created by lawmakers and interpreted by the courts of various national or international institutions: We speak of “just” and “unjust” laws, thereby assuming that positive laws can be unjust. This manner of speaking is common in the case of unjust regimes (such as tyrannies) or when we sense that laws cannot sufficiently account for the specific circumstances. Hence we suppose a standard of right and wrong independent of positive law and higher than positive law – a standard by which we can even judge of positive law. Such a standard is prevalent in our moral intuition. We may not share the same view on justice and injustice, but we can even talk about justice and injustice beyond positive law based on this standard.
The difference between law and justice should not be understood as a strict disjunction. Historically speaking, many elements of just war theory – starting from the general notion that war is prohibited except for self-defense – found their way into Western nations' law and also into international law. Furthermore, justice without law faces a persistent danger: taking the moral high ground and losing the ground under its feet. And yet these qualifications cannot override a sense that the scope of legalism in hybrid warfare is limited. It is difficult to argue that international law could provide a sufficient normative foundation. It is equally difficult to dispel the notion that the strict adherence to international law comes with a strategic and tactical disadvantage for Western nations and alliances: Adversaries have learned to take advantage of it without being held accountable.
The argument can be made on a more principal basis. A sense of justice beyond law is indispensable to address whether war can be just – and without this question, one cannot even argue that war can be unjust. It is not surprising that cyber warfare has facilitated a resurgence of just war theory, although not without criticism.
Uses of Just War Theory in Cyber Warfare
The general argument against just war ethics is hardly compelling. The question is how just war theory applies to cyber warfare. Merely applying it presupposes that cyber warfare is a normal war with different means and that the difference of means is negligible. This presupposition, however, is doubtful: Except for a few cases, cyber attacks even remain below the threshold of war, at least in the classical understanding of war. How can the question of just war even be posed without actual war? To do so, the first task is to retain the flexibility of just war theory. Just war theory has been understood by proponents and opponents alike as a fixed set of rules. However, its lack of clarity in many important respects becomes easily visible, especially when it comes to the application to new modes of warfare. It is more appropriate to understand just war theory as a framework of interpretation. Provided with the necessary flexibility, it helps to retain some political latitude for the use of cyber weapons, which in turn will reduce the likelihood of war.
To recapitulate: Just war theory is concerned with the ius ad bellum (right to war) and the ius in bello (right in war). It, therefore, poses two different basic questions: When is war justified? And which sort of warfare is justified? Criteria of the ius ad bellum are the legitimate authority (legitima auctoritas), legitimate cause (causa iusta), the right intention (recta intentio), the last resort (ultima ratio), and the probability of peace (iustus finis). The ius in bello is concerned with the proportionality of means (proportionalitas) and the discrimination of soldiers and civilians. Not all of these criteria can easily be applied to cyber warfare or the context of hybrid warfare. But according to the classical understanding of just war theory, all of them must be met to justify war. At this point, we sense that applying just war theory to hybrid warfare embroils us in a task of infinite interpretation. A few remarks must suffice here.
Most notoriously, if hybrid wars make war and peace indistinguishable, it seems futile to determine a right to war. Decision-makers either escalate too quickly or respond too late: the margin between overreaction and complacency is thin. At this point, we inevitably fall short of a definite answer as to the right point of action. The only possible demand is that the cause of war and the conduct in war (and even in the grey zone of war and peace) must be just. This basic ethical demand must be adapted to the specific circumstances. In other words, justice must be “mutable” to cope with ever-changing situations, as the political philosopher Leo Strauss wrote in his seminal book Natural Right and History (1953): “A decent society will not go to war except for a just cause. But what it will do during a war will depend to a certain extent on what the enemy – possibly an absolutely unscrupulous and savage enemy – forces it to do. There are no limits which can be defined in advance, there are no assignable limits to what might become just reprisals … In extreme situations the normally valid rules of natural right are justly changed, or changed in accordance with natural right; the exceptions are as just as the rules.”
Following this understanding, the task of cyber ethics is not to provide a set of universally valid rules. Rather, it indicates a procedure to determine whether the deviation from the rules is in accordance with justice.
As a general rule, the least controversial criterion is the legitimate cause. Its application, however, is rife with controversy. A legitimate cause of war is typically preceding aggression. The perennial question in the case of cyber attacks is whether the preceding aggression is sufficient to justify a counter-attack. Most likely, a cyber attack will not cause much, if any, physical damage. To use a phrase from the early days of cyberwar theory, cyber weapons are “weapons of mass disruption,” not weapons of mass destruction. Earlier theorists could not yet imagine how disruption would become a key element of hybrid warfare. Nations face an ever-greater strategic threat in the disruption of supply chains. But can ‘mere’ disruption ever meet the legal criteria of a legitimate cause? It seems that we need a thorough revaluation of key terms such as “attack,” “aggression,” and “damage” to salvage the legitimate cause.
The two criteria of ius in bello have a better footing in cyber warfare. Many technical questions, especially in international law, revolve around issues of proportionality. Thus far, it has been widely accepted that disruption will not be met with kinetic destruction. Rare exceptions with highly specific circumstances, such as the 2019 Israeli bombing of a Gaza building from which Hamas had launched a cyber attack, confirm this rule. But inevitably, hybrid warfare also challenges the rule. In the case of multi-vector attacks, it cannot be demanded that each part of the attack be answered in the same vector. The laws of proportion do not demand that the attacker choose the weapons of the opponent’s response.
The discrimination of soldiers and civilians – and hence the protection of civilians – is widely accepted at least in Western thinking on cyber warfare. But it is also being challenged by well-known phenomena such as cyber mercenaries and state-sponsored “hacktivism” carried out by concerned citizens.
The legitimate authority (legitima auctoritas), the right intention (recta intentio), and the last resort (ultima ratio) are notoriously difficult to adapt to the new context. Reflections on legitimate authority often lead to the point that the course of action is to be determined by international bodies (whereas this power was originally reserved for kings). It is for good reason that, for now, authority to wage war is reserved to sovereign states (and delegated to military alliances). As to the recta intentio, the minimal demand that wars cannot be waged for the acquisition of money still seems to stand, but the close link between cyber power and increased geopolitical competition in the 21st century calls for further interpretation of the rule. The criterion of ultima ratio is clearly modeled upon the European wars of the past, with their potential for unlimited destruction. It has therefore been met with little response in cyber ethics. As opposed to kinetic weapons, cyber power does not provide the weapons of choice for the last resort.
As to the iustus finis, a thorough revaluation bids us to manage our expectations: The prospects for a comprehensive cyber peace are slim, but the strategic calculus of cyber attacks ensures that a major cyber war is unlikely.
While cyber ethics is not a settled science, its core tenet − the quest for responsible action in cyber warfare − is already prevalent in our moral intuition. The emerging discipline of cyber ethics seeks to build on this foundation. It thereby aims to create a more comprehensive ethical framework for just action in cyberspace.
Cyber ethics cannot provide a set of definitive and universally valid rules. Instead, it helps determine whether the deviation from the rules (as specified by international law) is in accordance with justice. Nevertheless, cyber ethics also points to valid norms that emerge from the strategic use of cyber weapons. For instance, the fact that cyber attacks remain below the threshold of war points to the emergence of a valid norm: the reasonable expectation of a devastating answer if certain lines are crossed. This norm, emerging from strategy rather than from legal and ethical reasoning, has secured that a major “cyberwar” has not taken place and is increasingly unlikely to take place.
There is much further study to do on the basis and possible outcomes of cyber ethics. It is recommended that this research not be limited to the academic world alone. Collaborations of ethicists with military practitioners and strategists must be devised to bridge the gap between theory and practice. Practitioners would not merely read about cyber ethics but also seek to develop the ethical point of view in their core work. Ethicists would be included in workshops, negotiation processes, war-gaming exercises, and ultimately decision-making processes. (The expert negotiations that preceded the Tallinn Manual, for example, excluded ethicists, hence solely relying on practitioners of international law.) In this environment of cyber practitioners, ethicists are well-advised to avoid the grand schemes of ethical reasoning and take their cues from the strategic use of cyber capabilities.
Dr Philipp von Wussow is a senior researcher at Goethe University Frankfurt am Main (Germany). He led a research project on cyber ethics at the Institute for Theology and Peace (Hamburg) from 2018 to 2020. The views contained in this article are the author’s alone.
 Ethical views in this paper are formulated from a common-sense perspective. In this perspective, there is no principal difference between military and cybersecurity practitioners, ethicists, and citizens. The term “we” refers to all of them.
 While the Tallinn Manual was explicitly devised as “a non-binding document,” the rules it sought to establish by applying existing international law to cyber warfare were meant to be “binding on all States.” Tallinn Manual on the International Law Applicable to Cyber Warfare, ed. Michael N. Schmitt (Cambridge/New York: Cambridge University Press, 2013), 1, 6. Ambiguities in regard to the status of the document and the validity of legal norms are an integral part of the Tallinn Manual.
 Brian M. Mazanec, The Evolution of Cyber War. International Norms for Emerging-Technology Weapons (Lincoln: Potomac Books, 2015), 211.
 George Lucas, Ethics and Cyber Warfare. The Quest for Responsible Security in the Age of Digital Warfare (New York: Oxford University Press, 2017), x–xi.
 Richard Stiennon, Surviving Cyberwar (Plymouth: Government Institutes, 2010).
 James Andrew Lewis, “Rethinking Cybersecurity. Strategy, Mass Effect, and States,” CSIS Technology Policy Program, January 09, 2018, https://www.csis.org/analysis/rethinking-cybersecurity. Unless otherwise indicated, all links were last accessed on 23 June 2021.
 Ben Buchanan, The Hacker and the State. Cyber Attacks and the New Normal of Geopolitics (Cambridge/London: Harvard University Press, 2020), 3.
 Michael P. Fischerkeller and Richard J. Harknett, ‘Persistent Engagement, Agreed Competition, and Cyberspace Interaction Dynamics and Escalation’, The Cyber Defense Review, December 09, 2019, https://cyberdefensereview.army.mil/Portals/6/CDR-SE_S5-P3-Fischerkeller.pdf.
 Lucas, Ethics and Cyber Warfare, ix; Michael Walzer, Just and Unjust Wars. A Moral Argument with Historical Illustrations (New York: Basic Books, 2015), especially 13−16.
 See Leo Strauss, Natural Right and History (Chicago/London: The University of Chicago Press, 1953), 2.
 Strauss, Natural Right and History, 160.
 Winn Schwartau, CyberShock. Surviving Hackers, Phreakers, Identity Thieves, Internet Terrorists, and Weapons of Mass Disruption (New York: Basic Books 2001).