State-Sponsored Hacktivism and the Advent of “Soft War”
Not so long ago, cyber “activism” (on the Internet, at least) was limited to pranks, practical jokes, and random acts of vandalism. Pranksters attached software “viruses” to emails that, when mistakenly opened, quickly spread through your organization’s internal network, posting goofy messages and perhaps even erasing data on your hard drive. Cybervandals posted offensive messages or unwanted photos, or otherwise defaced your organization’s website for no apparent reason. About the only crimes committed in those early days were trespassing (technically, by “invading” your private company network or your computer itself) and destruction of property. Apart from mean-spiritedness or a perverted sense of humor, however, about the only reasons given for such malicious activities were a collective grousing by disaffected programmers and computer “geeks” about the monopolistic practices, and mediocre software distributed by Microsoft Corporation.
Malicious behavior in the cyberdomain, however, quickly evolved into a variety of more serious and sinister activities. On the one hand, it was not long before sophisticated individuals and criminal gangs exploited the very same software vulnerabilities as pranksters, but did so in order to steal your bank deposits, credit card numbers, or even your personal identity. On the other hand, cyber “activism” itself likewise evolved into ever more sophisticated acts of political sabotage: defacing or even temporarily shutting down government or commercial websites with so-called “DDoS” attacks (distributed denial of service), dispatching software “worms” that traveled from computer to computer, penetrating each machine’s firewall and virus protection software in order to gain control over the PC’s or laptops themselves, transforming each into a “zombie.” These individual machines were then remotely networked with others into a massive “botnet” controlled by political dissidents or criminal organizations, who, in turn, used them to launch DDoS attacks on banks and financial institutions and divert their funds to secret accounts.
“Hacktivism” is a term that came into somewhat indiscriminate use to classify all these distinctive and diverse acts of malevolence and mischief in the cyberdomain, ranging from straightforward crime and vandalism, to many forms of political protest carried out on the internet. Technically, the “hacktivist” is one who engages in vandalism and even in criminal activities in pursuit of political goals or objectives, rather than simply for personal satisfaction or financial gain. Well known individuals (like Julian Assange of WikiLeaks) and loosely-organized groups like Anonymous, LulzSec, and Cyberwarriors for Freedom resort to internet malevolence to publicize their concerns, or otherwise further their political aims. These concerns range from personal privacy, liberty, and freedom of expression to opposition to political regimes like Syria or Egypt.
In February 2014, Dr. Mariarosaria Taddeo of the University of Warwick, president of the International Association for Computing and Philosophy, organized an international workshop, sponsored by the UNESCO Committee on Cyber Security, in order to examine the ethical dimensions of hacktivism, as well as the challenges posed by the exponential increase in this form of cybermalevolence1. During those discussions, I described three distinct ways of being a hacktivist, symbolized in turn by the activities of WikiLeaks, the behavior of individual agents in the cyberdomain (like former NSA contractor Edward Snowden), and groups like Anonymous.
The three concerns I cited as motivations for each were, in the same order: transparency, whistle-blowing, and vigilantism. WikiLeaks purports, for example to provide greater transparency regarding the otherwise covert activities of government and large corporate organizations. The actions of whistle-blowers (like U.S. Army Private Bradley (Chelsea) Manning, and NSA Contractor Edward Snowden) aimed specifically to expose what each individual took to be grave acts of wrong-doing or injustice on the part of the U.S. government or military (in these specific cases). The internet vigilante group Anonymous, by contrast, is a bit harder to pin down, since the loosely organized federation’s individual members espouse a wide variety of disparate causes. The organization’s behavior in response to each chosen cause, however, clearly involves taking the law (or, in its absence, morality) into the group’s hands unilaterally. That is, based upon their shared judgments regarding immoral or illegal behavior by individuals, organizations, or governments to whom the group objects, the group launches attacks against selected targets ranging from the Syrian government of Bashir al Assad (for engaging in massive human rights violations), to organizations and individuals who might be engaged in perfectly legitimate security and defense operations to which members of Anonymous nevertheless object.
This is vigilantism. And, as its name suggests, the members of Anonymous cannot easily be traced or held accountable for their actions. As in all instances of conventional vigilantism, the vigilante’s judgment as to what or who constitutes a moral offense is deeply subjective, and often wildly inconsistent or otherwise open to serious question. Importantly, in all cases involving transparency, whistle-blowing and vigilantism, the burden of proof is on those who deliberately violate fiduciary duties and contractual (legal) agreements into which they may have entered, or who disobey or flout the law itself, in order to expose or protest against activities they deem to be even more egregious than their own actions. This comparative judgment on the part of the protestor or whistle-blower is technically known as “the Principle of Proportionality.” It demands of them that the degree of harm brought about through their own actions be demonstrably less than the harm already done by others to which they seek to call attention, or bring to a stop. The problem is that this comparative judgment is notoriously difficult to make. Vigilantes often exaggerate or misrepresent the harm against which they protest, and seriously underestimate the effects of their own activities on public welfare.
Otherwise, the remaining difficulty with such actions is that there is no independent or adversarial review of these decisions. According to what is likewise termed the “Principle of Publicity” or the “Principle of Legitimate Authority”, the final authority to evaluate the legitimacy of the protestor’s or dissident’s actions rest not with that individual, but with the wider general public, in whose collective interest the individual purports to act. So, in all these cases, it must be possible in principle to bring the individual dissident’s actions and intentions before an impartial “Court of Public Opinion” for independent review. The last criterion is the one most frequently ignored, and most often failed by both vigilantes and would-be whistle-blowers. They are prone to suffer from an abundance of self-righteousness.
The Advent of State-Sponsored Internet Activism
Having established this context for the discussion of cyberhacktivism generally, what now are we to make of its most recent evolution: namely, the rise of state-sponsored or government “hacktivism?” Nations and governments are entering the cyberfray alongside private groups, either attempting to combat or shut down other hacktivists and stifle dissent within their own borders, or instead, to pursue political objectives against other states that were traditionally resolved through diplomacy, economic sanctions, and finally, a resort to kinetic force. Many states at present appear to be resorting to massive cyberattacks instead. Such nations are thought to include pro-government groups or organizations in China (e.g., Shanghai Unit 61384 of the People’s Liberation Army), the Russian Federation, and especially North Korea. The “Russian Business Network”, a branch of organized crime in the Russian Federation, is believed to have cooperated with the government in launching a preemptive cyberattack on government organizations and military sites in the Republic of Georgia in 2008, prior to a conventional Russian military incursion into the breakaway Georgian province of Ossetia. The U.S. recently indicted five members of the Shanghai unit 61384 by name, for having been responsible for massive thefts of patents and trade secrets from U.S.-based aerospace and defense industries. The indictments were not expected to result in actual arrest and prosecution, but were intended instead to send a message to the Chinese government that its disavowal or denial of state accountability for these crimes under international law was no longer plausible.
One of the most interesting new developments is the work of Cyber Fighters of Izz ad-Din al-Qassam, an organization that takes its name from a prominent early 20th-century Muslim cleric and anti-colonialist. In 2012, on the anniversary of the 9/11 terrorist attacks in the U.S., this group allegedly carried out a massive DDoS attack on U.S. financial institutions. The attack was described in a Twitter post by the group as having been launched in retaliation for the continued presence on YouTube of the American-made film, “The Innocence of Muslims,” which portrays Islam and the prophet Mohammed in a very scandalous and unflattering light. The group vowed to continue the attacks until the offending film itself was removed from the Internet.
Two things stood out regarding the resulting, very serious disruptions of American financial institutions. First, despite its claim of independence, the group’s attack was not indiscriminate. The institutions targeted were primarily those that had complied with the terms of the ongoing U.S. economic sanctions against Iran. In particular, the group’s demand that a film be censored on account of its political or religious content seemed hollow: their leaders had to know that this was a demand that was beyond the power of a democratic government anywhere to grant.
The second oddity was that the anonymous Twitter site from which this group issued its September 2012 proclamation turned out to be the same account from which messages had flowed a few weeks earlier (allegedly from another vigilante group entirely) in the aftermath of a massive cyberattack on the internal computer network of ARAMCO, the Saudi Arabian oil giant. Those attacks, on 15 August 2012, allegedly carried out by an organization calling itself the Cutting Sword of Justice, erased data on all affected computer drives, and inserted in their place the image of a burning American flag. U.S. security officials seemed quite certain that the first of these attacks was an act of retaliation by Iranian agents in response to the damage done to their own nuclear and oil infrastructure by Stuxnet and Flame, respectively, both weapons attributed to (but never acknowledged by) the U.S. and Israeli governments.
Suppose all these allegations and counter allegations are true: in particular, suppose that the two attacks in close sequence in 2012 (and others since) were not carried out by distinct and independent organizations, but instead represent the coordinated actions of a state government (Iran), retaliating for similar attacks upon its cyberinfrastructure by other states (Israel and the U.S.). Add to these the known and ongoing, state-sponsored, malevolent cyberactivities of the People’s Liberation Army in China, the “Russian Business Network”, and North Korean operatives. The conclusion is that states, as well as individuals and dissident groups, are now directly and deeply involved in hostile activities that increasingly transcend the boundaries of traditional espionage, covert action, and the “dirty tricks” of the past. Rather, this ongoing, high-stakes, but low-intensity conflict carried out by states against one another has evolved into what several colleagues (e.g., Michal L. Gross, of the University of Haifa) are coming to call “soft war.”
Cyberhacktivism and "Soft War"
By analogy with the concept of “soft power,” “soft war” is a mode of warfare or conflict that is intentionally non-kinetic: i.e., it does not entail the use of conventional weapons, or the destruction that accompanies conventional armed attacks. But it is still a very grave matter. Real damage is done, and real harm is inflicted, although rarely (save in the case of Stuxnet) does this involve physical harm to physical objects. Rather, the conflict results in loss of information, loss of access to information processing, and an inability to carry out essential activities (such as banking, mining, medical care, trade, and commerce) that rely largely upon information processing.
Unlike the highly-publicized concept of a “cyberwar,” however, the weapons and tactics of “soft war” are not limited to the cyberdomain. They can involve state use of the media, including cyber social media as well as conventional media, for purposes of propaganda, confusion, obfuscation, and disinformation. Soft war could involve the use of non-lethal (or “less-lethal”) weapons in conventional attacks. For terrorist “pseudo-state” groups like Hamas, it could involve using civilian volunteers as “human shields” to deter conventional attacks on physical infrastructure or military installations by adversaries, one among a range of non-violent tactics termed “lawfare,” using the law itself (in this instance, the Law of Armed Conflict) to thwart an adversary.
The evolution of cyberconflict itself toward the “soft war” model of hacktivism, specifically, is quite different than the full-scale, effects-based equivalent of cyber “warfare” predicted by many pundits (such as Richard Clarke) during the last decade. The much-touted “cyber Armageddon,” or “cyber Pearl Harbor” was to be a massive disruption and destruction of conventional systems, like air traffic control and electrical grids, resulting in widespread death and destruction on parallel with a massive conventional war. But state-sponsored vigilantism and hacktivism appear to signal something quite distinct from this familiar, but often highly exaggerated and implausible scenario. This state-sponsored conflict is virtual, not physical; non-violent, rather than kinetic; but nevertheless quite destructive and malevolent in other respects, equally capable of causing massive social upheaval, or bringing about a “death by 1,000 cuts” through pilfering of industrial and state secrets, or by interference in trade, commerce, finance, medical care, and transportation.
And, just as with increased reliance on the exercise of “soft power” (diplomacy, sanctions, media relations and the like), the advent of “soft war” has distinct advantages for those nations that engage in it. Essentially, this kind of warfare substitutes cleverness and ingenuity for brute strength. It is less costly to wage, less destructive of property, of lives, and of national treasure (as well as international prestige). Yet it is quite capable of achieving the same political goals, when properly utilized, as “hard” kinetic war, as well as capable of undermining or fending off an adversary that relies solely upon “hard” war tactics. It is, in short, the equivalent of bringing Asian martial arts that rely on balance, timing, and tactical sophistication to bear upon an enormous, powerful, but wholly conventional bully. The martial arts expert can hold his or her own, and even prevail, even though smaller, lighter, and perhaps less physically strong than the bully.
This comparison is apt, since “soft war” is directly attributable to two Chinese military strategists, reflecting on the future of military conflict in the aftermath of the lopsided victory of U.S.-led coalition forces in the 1991 Gulf War against the conventional forces of Iraqi President Saddam Hussein. In a landmark essay in 1999 entitled “Unrestricted Warfare,” two senior colonels in the People’s Liberation Army, Qiao Liang and Wang Xiangsui, argued that the U.S. had become an international bully, physically too strong and too reliant on extensive war-fighting technology to resist by conventional means. Instead, they proposed, new forms of conflict needed to be devised, more indebted to subtleness and cleverness than to brute force, in the spirit of Sun-Tzu, in order to effectively oppose the brute physical power of the American “hegemon.”
There is no explicit regime under international law that specifically governs this kind of conflict. Ought there to be? Or is it sufficient to rely on state interests, and the norms emergent from accepted state practice, to serve as a guide for when, and for how, to engage in “soft war?” Ought the same or similar guidelines applicable to kinetic war also guide entry into and conduct during this “soft” mode of warfare as well? Or ought it to remain, as its original formulators speculated, “unrestricted” or “without bounds?”
Might we not reasonably require, for example, that states only engage in such conflict when presented with irreconcilable differences sufficiently grave to justify conventional use of force (as, admittedly, happened on both sides of the Iran/U.S.-Israel dispute over Iran’s nuclear weapons program)? And, as that example suggests, ought we to demand or reasonably expect that, when faced with the alternative of resorting to “soft” or kinetic warfare to resolve such disputes, that (consistent with a “Principle of Last Resort”), not only should all viable and reasonable alternatives short of war be attempted, but that the “soft war” alternative should always be chosen in lieu of the conventional resort to the use of kinetic force? Perhaps most importantly, might we demand, or reasonably expect, that nations engaging in such conflict with one another should do their utmost to avoid deliberate targeting of purely civilian, non-combatant individuals and their property, as is legally required in conventional war? Or, as in the example of using volunteer civilians as human shields, should attacks on financial institutions or civil infrastructure that merely involve a denial of access or service be subject to a more tolerant regime in which the combatant-noncombatant distinction is less viable, and perhaps less significant?
“Soft War“ and “Soft Law“
These are the questions waiting to be addressed and clarified in the wake of the advent of “soft war” generally, and specifically in the aftermath of the increased resort by state-sponsored agents to the kinds of tactics once limited to dissident individuals or non-state groups. While the lion’s share of such normative work has occurred within the context of existing international law (most notably, the Tallinn Manual of 2012), I myself have begun to believe that the legal framework will simply not suffice to provide reliable guidance in this new domain of conflict. There are a number of reasons for this skepticism.
Contributors to the Tallinn Manual, for example, including some of the most eminent legal minds in the world today, brilliantly attempted to interpret and extrapolate existing international law (the regimes pertaining to armed conflict and humanitarian treatment of war’s victims, and those pertaining to criminal activity in particular) so as to bring existing legislation to bear upon conflict in the cyberdomain. But as I have described above, “soft war” is not “war,” strictly speaking. Neither is it crime (although it sometimes involves the commission of otherwise-criminal actions by state agents). Finally, “soft war” includes, but is not limited to the cyberdomain. “Media war” is not “war,” and it is also not limited to cyberconflict. Use of non-lethal weapons, or tactics of “lawfare” (including human shields) not only occur outside the cyberdomain (and so are obviously not addressed in the Tallinn Manual), but (in the latter instance) are also designed precisely to frustrate the bright-line statutes of existing international law, turning the letter of the law against its underlying regulatory purpose.
Even in the cyberdomain alone, “soft war” tactics there are more akin to espionage than to war or crime, and are not explicitly addressed in international law, nor are state parties to existing legal arrangements eager to see such matters addressed there. In fact, this is the chief obstacle to pursuing normative guidance through the medium of law: those who are party to the law, and whose consent would be required to extend or amend it, are deeply opposed in principle to any further intrusion upon their respective interests and activities through treaty or additional legislation. Insofar as international law rests fundamentally upon what states themselves do, or tolerate being done, this opposition to further legislation (the one issue in the cyberdomain on which the U.S., Russia, and China seem to agree) seems a formidable obstacle to pursing governance and guidance through legal means. [The recent and spectacular failure of the Tallinn Manual to achieve widespread international acceptance or anything resembling U.N. endorsement beyond its NATO-country constituents provides an instructive case in point.]
This is not as unpromising as it might seem, however, when one recognizes the historical fact that the principle bodies of international law pertaining to conflict of any sort largely codify, after the fact, norms of certain kinds of practice that emerge from public reflection by the practitioners themselves upon the better and worse features of that practice, and upon the ends or goals ultimately served by these practices. Law and regulations give the appearance of being stipulative, and are thought to be imposed externally, often upon unwilling subjects or agents. Best practices, by contrast, emerge from the shared practices of the interested parties, and reflect their shared experience and shared objectives.
International law, seen in this light, is more properly understood as grounded in common accord, consensus, and voluntary compliance. Its inherently cosmopolitan character (often overlooked by politically-appointed “Committees of Eminent Persons,” eager to impose their terms of behavior on others) instead reflects Immanuel Kant’s conception of standards of regulative order that moral agents themselves have both formulated and voluntarily imposed upon themselves, in order to guide and regulate their shared pursuits. Their compliance with principles that they themselves have formulated is thus more feasible and readily attainable.
This is a somewhat prolix manner of expressing a doctrine known in international relations as “emergent norms.” This concept is encountered more broadly in moral philosophy as a kind of “trial and error,” experiential groping toward order and equilibrium, a process that Aristotle (its main theorist) described generally as the methodology of the “imperfect” sciences. The great contemporary moral philosopher, Alasdair MacIntyre, is chiefly credited with having resurrected this methodology in the modern era, from whence we can discern it already at work in the cyberdomain, as well as in the field of military robotics [as I have demonstrated extensively elsewhere in my formal publications on these topics.] Legal scholars, for their part, have dubbed this sort of informal and voluntary regulatory institution (as occurs in the Codes of Conduct of professional organizations, or the deliberations and recommendations of practitioners in the aftermath of a profound moral crisis) as constituting “soft law”.
What is required at the moment, it seems to me, is a coherent and discernable body of “soft law” for “soft war.” That is, the relevant stakeholders in the community of practice – in this case, frankly, adversaries engaged in the kind of low-intensity conflict that I have described under the heading of “soft war” – to formulate and publicize the principles that they have evolved to govern their practice. In earlier eras, like the Cold War, for example, espionage agents from adversarial nations evolved a sophisticated set of norms to govern their interaction and competition, designed largely to minimize unnecessary destruction, loss of lives in their respective clandestine services, mutual treatment of adversaries in captivity and prisoner exchanges, and other tactics designed to reduce the risk of accidental or unnecessary escalation of conflict (especially conflict that might cross the threshold of kinetic war in the nuclear era). All of these informal normative arrangements intended to facilitate, rather than inhibit, the principle aim or goal of espionage itself: reliable knowledge of the intentions and capabilities of the adversary. In the nature of things, there were no “councils” or “summit meetings,” and no published or publicized “codes of conduct.” Rather, these norms of prudent governance and guidance came to be “understood” and largely accepted (and complied with) by the members of this interesting community of practice.
What the broad outlines of the content of this “soft law” for “soft war” might be are already outlined above, utilizing somewhat more familiar “just war” terminology, which serves well for this purpose. Adversaries and stakeholders pursuing “soft war” have an interest, for example, in seeing that it does not accidentally “go kinetic,” or involve needless and unnecessary “collateral damage” to vital civilian infrastructure, especially of the sort that might lead to widespread physical destruction and loss of life. They share a common interest in proportionate response, and the dictates of military necessity, of the kind exhibited in the conflicts (allegedly) between the cyberwarriors of Iran, the U.S., and Israel described above. And adversaries like the U.S., China, and the Russian Federation, still locked into a preliminary mode of “unrestricted” or limitless warfare, need to consult more directly and frankly than has been possible to date on where common interests lie in imposing boundaries and regulative order on their “soft” conflicts, before the incessant damage being done on an ongoing basis to all parties to these conflicts forces an escalation into something far more serious and irreparable.
On a positive note, this increased resort to “soft war” tactics, including cyberconflict, holds promise that the very real conflicts and disagreements that have often led nations to make war upon one another may themselves evolve into a mode of authentic opposition and conflict resolution that nonetheless ends up resulting in dramatically reduced bodily harm and loss of life, while doing less damage – and more easily reversible or repairable damage – to the property of adversaries and innocents than was heretofore conceivable in conventional conflict.
George R. Lucas, Jr. recently retired as Distinguished Chair of Ethics at the U.S. Naval Academy (Annapolis, MD) and is also Professor Emeritus of Ethics & Public Policy at the U.S. Naval Postgraduate School (Monterey CA). Currently, he is visiting guest professor at the Reilly Center for Science, Technology and Values at Notre Dame University (South Bend, IN). His most recent book is “Military Ethics: What Everyone Needs to Know” (Oxford University Press, 2015), and he is the editor of the “Routledge Handbook of Military Ethics” (2015). He is President of the “International Society for Military Ethics” (ISME), and newly-appointed director of the multi-institutional “Consortium on Emerging Technologies, Military Operations, and National Security” (CETMONS).