July's issue in our third annual poll of Emerging Ethical Dilemmas and Policy Issues in Science and Technology is "state-sponsored hacktivism and 'soft war,'" which earned over 8% of the total votes. Below we've provided more information about this topic to serve as a resource to students, educators, journalists, policy makers, and concerned citizens.

It's not too late to vote on our list!

State-sponsored hacktivism and "soft war"

"Soft war" is a concept used to explain rights and duties of insurgents (and even terrorists) during armed conflict.  Soft war encompasses tactics other than armed force to achieve political ends. Cyber war and hacktivism could be tools of soft war, if used in certain ways by states in inter-state conflict, as opposed to alienated individuals or groups (like "Anonymous"). 

Click here to see a lecture by the Reilly Center's resident expert, George Lucas (President, International Society for Military Ethics; Director, Consortium on Emerging Technologies, Military Operations, and National Security). Click here to view an advanced copy of the preface from Lucas' upcoming book Ethics & Cyber Warfare: Law and Order for a Lawless Frontier.

hacker

We already live in a state of low-intensity cyber conflict. But as these actions become more aggressive, damaging infrastructure, how do we fight back? Does a nation have a right to defend itself against, or retaliate for, a cyber attack, and if so, under what circumstances? What if the aggressors are non-state actors? If a group of Chinese hackers launched an attack on the US, does that give the US government the right to retaliate against the Chinese government? In a soft war, what are the conditions of self-defense? May that self-defense be preemptive? Who can be attacked in a cyber war? We’ve already seen operations that hack into corporations and steal private citizens’ data. What's to stop attackers from hacking into our personal wearable devices? Are private citizens attacked by cyberwarriors just another form of collateral damage?

Below, we've provided links to commentary from outside sources in order to give multiple dimensions to the issues. The Reilly Center itself does not support any one perspective and citations of articles should not be considered endorsements.

Is software (malware) a sophisticated cyber weapon? 

Where do we draw the line between a cyber crime and acts of war? 

At what point do we consider a "hacktivist" state-sponsored? (Anonymous, for example, is not affiliated with any political entity.)

Are the US's clandestine activities such as secret data collection and surveillance acts of war? 

In 2007, Estonia's decision to move a WWII Russian memorial status from the capital city was followed by a massive DDoS cyber attack that disrupted governement and financial institutions. The attacks came from the Russian Federation and from within Estonia. Disavowed by the Russian government as an act of vigilantism by "patriotic dissidents," Estonia considered seeking military support from NATO, which would have forced the organization to label the cyber attack equivalent to a conventional armed attack. 

Would Iran be justified in calling the 2010 cyber attack of the Natanz nuclear power facility that destroyed 984 nuclear centrifuges an act of war? (The fact that Iran was forbidden from having this equipment to begin with may complicate the discussion.)

On the 11th anniversary of the 9/11 attacks, "The Cyber Fighters of Izz ad-Din al-Qassam" claimed responsibility for lauching massive DDoS attacks on U.S. financial institutions that had complied with economic sanctions against Iran. The attack was retaliation for an American-made anti-Muslim propaganda film found on YouTube called "The Innocence of Muslims" and an effort to get the company to take it down. (This group could be affiliated with an organization called "The Cutting Sword of Justice." which earlier erased data from a Saudi Arabian oil company.)

The 2014 hack of Sony Pictures, Inc. that resulted in the private data and e-mails being stolen and (in some cases) released to the public was a public relations disaster for the company. North Korea cyber activists apparently orchestrated the hack in response to the film "The Interview," which portrayed their leader Kim Jong-un in a comically unflattering light. This involved not just cyber crimes but extortion and blackmail. Does the US have a responsibility to go after any state-sponsored "hacktivists" that launched the attack on the US-based company? 

In a case where the effects are yet to be seen, the US Office of Personnel Management was hacked twice in April and June of 2015, resulting in the theft of information gained during background checks from over 20 million people working for the US Civil Service as well as prospective Federal employees and contractors. This information included social security numbers, background information, finger prints, financial information, and private mental health data. The government has not yet ascertained how the hackers intend to use this data, nor the motives behind the attack. It seems likely that the People's Liberation Army of China orchestrated the attack. But what now? 

Special thanks to George Lucas for his help identifying issues and questions. 

George Lucas

Click here to see a lecture by the Reilly Center's resident expert, George Lucas (President, International Society for Military Ethics; Director, Consortium on Emerging Technologies, Military Operations, and National Security). Click here to view an advanced copy of the preface from Lucas' upcoming book Ethics & Cyber Warfare: Law and Order for a Lawless Frontier.