
From defence to offence: The ethics of private cybersecurity

Published online by Cambridge University Press:  19 May 2020

James Pattison*
Affiliation:
University of Manchester
*Corresponding author. Email: james.pattison@manchester.ac.uk

Abstract

The cyber realm is increasingly vital to national security, but much of cybersecurity is provided privately. Private firms provide a range of roles, from purely defensive operations to more controversial ones, such as active-cyber defense (ACD) and ‘hacking back’. As with the outsourcing of traditional military and security services to private military and security companies (PMSCs), the reliance on private firms raises the ethical question of to what extent the private sector should be involved in providing security services. In this article, I consider this question. I argue that a moderately restrictive approach should be adopted, which holds that private firms can justifiably launch some cybersecurity services – defensive measures – but are not permitted to perform others – offensive measures.

Type
Research Article
Copyright
Copyright © British International Studies Association 2020


References

1 Maagt, Sem De, ‘Reflective equilibrium and moral objectivity’, Inquiry, 60:5 (2017), pp. 443–65 (p. 463); Norman Daniels, ‘Reflective equilibrium’, in Edward Zalta (ed.), Stanford Encyclopaedia of Philosophy (winter 2016), available at: {plato.stanford.edu/entries/reflective-equilibrium/}; Rawls, John, A Theory of Justice (rev. edn, Oxford: Oxford University Press, 1999).

2 Rawls, A Theory of Justice.

3 All of the ethics of cybersecurity might be viewed as part of non-ideal theory, to the extent that it is concerned with potential circumstances of noncompliance (for example, cyberattacks by hackers), which prompt the need for cybersecurity in the first place. Notwithstanding, there are, in general, different degrees of ‘ideality’ – how much a non-ideal theory reflects the lack of compliance and of favourable circumstances. More idealised accounts of the ethics of private cybersecurity largely assume compliance and favourable circumstances (apart from the need for cybersecurity in the first place), whereas more non-idealised accounts focus on significant noncompliance and unfavourable circumstances. See, further, Pattison, James, ‘The case for the non-ideal morality of war: Beyond revisionism versus traditionalism in just war theory’, Political Theory, 46:2 (2018), pp. 242–68.

4 Carens, Joseph, ‘Realistic and idealistic approaches to the ethics of migration’, International Migration Review, 30:1 (1996), pp. 156–70; Wolff, Jonathan, ‘Method in philosophy and public policy: Applied philosophy versus engaged philosophy’, in Lever, Annabelle and Poama, Andrei (eds), The Routledge Handbook of Ethics and Public Policy (London: Routledge, 2018), pp. 1324.

5 Brown, Chris, ‘International Relations and international politics theory’, in Brown, Chris and Eckersley, Robyn (eds), The Oxford Handbook of International Political Theory (Oxford: Oxford University Press, 2018), pp. 4859.

6 See Allhoff, Fritz, Henschke, Adam, and Strawser, Bradley Jay (eds), Binary Bullets: The Ethics of Cyberwarfare (New York: Oxford University Press, 2016); Randall R. Dipert, ‘Distinctive ethical issues of cyberwarfare’, in Allhoff, Henschke, and Strawser (eds), Binary Bullets, pp. 56–73; Floridi, Luciano and Taddeo, Mariarosaria (eds), The Ethics of Information Warfare (Dordrecht: Springer, 2014); Patrick Lin, Fritz Allhoff, and Keith Abney, ‘Is warfare the right frame for the cyber debate?’, in Floridi and Taddeo (eds), The Ethics of Information Warfare, pp. 39–59. See also Steven Lee, ‘The ethics of cyberattack’, in Floridi and Taddeo (eds), The Ethics of Information Warfare, pp. 105–122; Sleat, Matt, ‘Just cyber war? Casus Belli, information ethics, and the human perspective’, Review of International Studies, 44:2 (2017), pp. 324–42.

7 Dipert, ‘Distinctive ethical issues of cyberwarfare’.

8 The seminal account is McMahan, Jeff, Killing in War (Oxford: Clarendon Press, 2009).

9 See, more generally, John Gardner, ‘The evil of privatisation’, Social Science Research Network (2014), available at: {//papers.ssrn.com/sol3/papers.cfm?abstract_id=2460655}; Pattison, James, The Morality of Private War: The Challenge of Private Military and Security Companies (Oxford: Oxford University Press, 2014); and Satz, Debra, ‘Some (largely) ignored problems with privatization’, in Knight, Jack and Schwartzberg, Melissa (eds), NOMOS LX: Privatization (New York: New York University Press, 2019), pp. 929.

10 It is also worth noting that the public/private distinction is used in myriad ways. It can be socially constructed by powerful actors and blur. See Weintraub, Jeff, ‘The theory and politics of the public/private distinction’, in Weintraub, Jeff and Kumar, Krisham (eds), Public and Private in Thought and Practice: Perspectives on the Grand Dichotomy (Chicago: University of Chicago Press, 1997), pp. 1–42; Owens, Patricia, ‘Distinctions, distinctions: “Public” and “private” force?’, International Affairs, 84:5 (2008), pp. 977–90; Avant, Deborah and Haufler, Virginia, ‘Public-private interactions and practices of security’, in Gheciu, Alexandra and Wohlforth, William C. (eds), The Oxford Handbook of International Security (Oxford: Oxford University Press, 2018), pp. 350–64. Indeed, it may be more judicious for work on private security to focus on commercial security actors rather than purely the public/private distinction. Notwithstanding, I will use ‘public’ and ‘private’ in this article in order to be congruent with the widespread use of these terms in the literature on cybersecurity and on PMSCs. See, further, Leander, Anna, Commercialising Security in Europe: Political Consequences for Peace Operations (New York: Routledge, 2013).

11 For instance, Eberle, Christopher J., ‘Just war and cyberwar’, Journal of Military Ethics, 21:1 (2013), pp. 5467; Lee, ‘The ethics of cyberattack’; Brian Orend, ‘Fog in the fifth dimension: The ethics of cyber-war’, in Floridi and Taddeo (eds), The Ethics of Information Warfare, pp. 3–24; Sleat, ‘Just cyber war?’.

12 For instance, Baker, Deane-Peter, Just Warriors, Inc.: The Ethics of Privatized Force (London: Continuum, 2011); Feldman, William, Privatizing War: A Moral Theory (London: Routledge, 2016); Pattison, The Morality of War.

13 Cavelty, Myriam Dunn, ‘Cyber-security and private actors’, in Abrahamsen, Rita and Leander, Anna (eds), Routledge Handbook of Private Security Studies (London: Routledge, 2015), pp. 89–99 (p. 89). I define a cyber-attack as an attempt to harm or infiltrate another computer network. Sometimes a distinction is drawn between a cyberattack (said to be undertaken for political purposes) and cybercrime (undertaken for criminal purposes). Hathaway, Oona A., Crootof, Rebecca, Levitz, Philip, Nix, Haley, Nowlan, Aileen, Perdue, William, and Spiegel, Julia, ‘The law of cyber-attack’, California Law Review, 100:4 (2012), pp. 817–85 (pp. 830–3). But this requires identifying the attacker and their goals, which can be very tricky given the notorious difficulties of attribution. It can also be misleading since attackers can have multiple and complex objectives. Also note that cyberattacks can be undertaken by both states and non-state actors and that there is not a sharp distinction between a cyberattack and cyberespionage (the latter is one form of cyberattack).

14 McMurdo, Jesse Jacob, ‘Cybersecurity firms – cyber mercenaries?’, Homeland and National Security Law Review, 4:1 (2016), pp. 35–78 (p. 67).

15 Ibid., p. 68.

16 Wyatt Hoffman and Steven Nyikos, ‘Governing Private Sector Self-Help in Cyberspace: Analogies from the Physical World’, Carnegie Endowment for International Peace, Working Paper (2018), p. 32.

17 Taddeo, Mariarosaria, ‘On the risks of relying on analogies to understand cyber conflicts’, Mind & Machines, 26 (2016), pp. 317–21.

18 Barack Obama, ‘Remarks by the President at the Cybersecurity and Consumer Protection Summit’, White House Archives (2015), available at: {obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity/summit}.

19 Christensen, Kristoffer Kjærgaard and Petersen, Karen Lund, ‘Public-private partnerships on cyber security: A practice of loyalty’, International Affairs, 93:6 (2017), pp. 1435–52 (p. 1438).

20 UK Government, National Cyber Security Strategy (2016–21), p. 10, available at: {www.gov.uk/government/uploads/system/uploads/attachment_data/file/564268/national_cyber_security_strategy.pdf}.

21 Jervis, Robert, ‘Cooperation under the security dilemma’, World Politics, 30:2 (1978), pp. 167–214 (p. 203); emphasis added.

22 Galtung, Johan, ‘Transarmament: From offensive to defensive defense’, Journal of Peace Research, 21:2 (1984), pp. 127–39 (p. 128).

23 I largely follow here the definitions provided by the Center for Cyber and Homeland Security, which offers a detailed and plausible account: ‘Into the Gray Zone: The Private Sector and Active Defense against Cyber Threats’, Project Report 2016, George Washington University.

24 Ibid., p. 9.

25 Hoffman and Nyikos, ‘Governing Private Sector Self-Help’, p. 19; Center for Cyber and Homeland Security, ‘Into the Gray Zone’, pp. 10–11. Honeypots are sometimes viewed as active, depending on the degree of interaction with the attacker and whether they actively search out malicious servers. They also sometimes contain weaponised files that cause significant disruption once exfiltrated, although they may still technically be ‘defensive’, as the attacker is the one who transfers the infected file into their own network. Schmitt, Michael (ed.), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge: Cambridge University Press, 2017), p. 174.

26 Center for Cyber and Homeland Security, ‘Into the Gray Zone’, pp. 10–12; Wyatt Hoffman and Ariel Levite, ‘Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace?’ Carnegie Endowment of International Peace (2017), p. 8.

27 Center for Cyber and Homeland Security, ‘Into the Gray Zone’, p. 12. There are differences in how the precise boundaries of ACD and hacking back are drawn in the various accounts of them. Indeed, some offensive ACD measures (for example, botnet takedowns) might be deemed to be hacking back if the intent is to disrupt. Not much turns on this definitional issue here since I will argue that both offensive ACD and hacking back should be precluded. Some use ACD rather differently; for instance, the UK uses ACD to denote purely defensive measures rather than offensive ones. See Tim Stevens, Kevin O'Brien, Richard Overill, Benedict Wilkinson, Tomass Pildegovičs, and Steve Hill, ‘UK Active Cyber Defence: A Public Good for the Private Sector’, Cyber Security Research Group, The Policy Institute, King's College London (King's College London, 2019).

28 For instance, NotPetya cost Maersk and FedEx $300 million each, with a total cost estimated at US $10 billion. Borghard, Erica D. and Lonergan, Shawn W., ‘Cyber operations as imperfect tools of escalation’, Strategic Studies Quarterly, 13:3 (2019), pp. 122–45 (pp. 132–3).

29 The notion of critical infrastructure has expanded, to include agricultural food systems, energy systems, health facilities, banking and finance, commercial and shipping services, with it being estimated that 85 per cent of the critical infrastructure in most Western states is in private hands. Bures, Oldrich and Carrapico, Helena, ‘Private security beyond private military and security companies: Exploring diversity within private-public collaborations and its consequences for security governance’, in Bures, Oldrich and Carrapico, Helena (eds), Security Privatisation: How Non-Security-Related Private Businesses Shape Security Governance (Dordrecht: Springer, 2018), pp. 1–19 (p. 4).

30 McMurdo, ‘Cybersecurity firms’, p. 42.

31 Etzioni, Amitai, ‘The private sector: A reluctant partner in cyber security’, Georgetown Journal of International Affairs, International Engagement on Cyber IV (2014), pp. 69–78 (p. 75).

32 ‘General Election 2019: “Cyber-attack” on Labour Party digital platforms’, BBC News (12 November 2012).

33 Traditional pure-play defence contractors such as ManTech, CACI, BAE systems, and Northrop Grumman have been increasing their activities to include cyber. See Maurer, Tim, Cyber Mercenaries: The State, Hackers, and Power (Cambridge: Cambridge University Press, 2018), p. 73.

34 Ibid., p. 74.

35 Ibid., pp. 18–19.

36 Sales, Nathan Alexander, ‘Privatizing cybersecurity’, UCLA Law Review, 65 (2018), pp. 620–89 (p. 635).

37 Ibid., pp. 641–2.

38 McMurdo, ‘Cybersecurity firms’, pp. 43–4.

39 Stevens et al., ‘UK Active Cyber Defence’, p. 5.

40 Eichensehr, Kristen E., ‘Public-private cybersecurity’, Texas Law Review, 95:3 (2017), pp. 467–538 (p. 496).

41 Hoffman and Levite, ‘Private Sector Cyber Defense’, p. 1.

42 Krahmann, Elke, States, Citizens and the Privatisation of Security (Cambridge: Cambridge University Press, 2010). Note here that, in large part, the article focuses mainly on the North American and European contexts of cybersecurity, although it will consider some issues for the Global South and for states in general.

43 Eichensehr, ‘Public-private cybersecurity’, p. 471; Dunn Cavelty, ‘Cyber-security and private actors’.

44 I assume here that the social contract applies to all major security threats, including those in the cybersphere.

45 Lin, Allhoff, and Abney, ‘Is warfare the right frame’, p. 50; Patrick Lin, ‘Ethics of Hacking Back: Six Arguments from Armed Conflict to Zombies’, Policy Paper on Cyber Security (2016), pp. 8, 10–11, available at: {ethics.calpoly.edu/hackingback.pdf}.

46 Rosenzweig, Paul, ‘International law and private actor active cyber defensive measures’, Stanford Journal of International Law, 50 (2014), pp. 103–18 (p. 117).

47 These are documented extensively in the literature on the ethical problems posed by PMSCs. See Pattison, The Morality of Private War, and, more generally, Knight and Schwartzberg (eds), NOMOS LX: Privatization; especially, Satz, ‘Some (largely) ignored problems’. Even if some of these effects are not apparent yet for private cybersecurity, they might still materialise. As Kristen Eichensehr argues, although the private cyber sector may have started out ‘publicised’ to the extent that it currently plays a helpful role in protecting public values, ‘the private sector is a fickle guardian of public values, and business imperatives will not always align with public values’: Eichensehr, ‘Public-private cybersecurity’, pp. 537–8.

48 Leander, Anna, ‘The market for force and public security: The destabilizing consequences of private military companies’, Journal of Peace Research, 42:5 (2005), pp. 605–22.

49 Christensen, Kristoffer Kjærgaard and Liebetrau, Tobias, ‘A new role for “the public”? Exploring cyber security controversies in the case of WannaCry’, Intelligence and National Security, 34:3 (2019), pp. 395–408 (p. 404).

50 Schia, Niels Nagelhus, ‘The cyber frontier and digital pitfalls in the Global South’, Third World Quarterly, 39:5 (2018), pp. 821–37 (p. 826).

51 Ibid., p. 829.

52 Ibid., pp. 831–2.

53 Claassen, Rutger, ‘The marketization of security services’, Public Reason, 3:2 (2011), pp. 124–45 (p. 143).

54 Camilla Turner, ‘Cyber attacks are one of the biggest threats that schools face, experts warn’, The Telegraph (17 March 2018).

55 Satz, ‘Some (largely) ignored problems’; Trebilcock, Michael J., Daniels, Ron, and Thorburn, Malcolm, ‘Government by voucher’, Boston University Law Review, 80:1 (2000), pp. 205–32 (p. 224).

56 Etzioni, ‘The private sector’.

57 Avant, Deborah and Sigelman, Lee, ‘Private security and democracy: Lessons from the US in Iraq’, Security Studies, 19:2 (2010), pp. 230–65 (p. 245); Krahmann, States, Citizens and the Privatisation of Security, p. 249; Percy, Sarah, Regulating the Private Security Industry, Adelphi Paper (New York: Routledge, 2006), p. 21.

58 Cavelty, Myriam Dunn and Wenger, Andreas, ‘Cyber security meets security politics: Complex technology, fragmented politics, and networked science’, Contemporary Security Policy, 41:1 (2020), pp. 5–32 (p. 19); Irving Lachow, ‘The private sector role in offensive cyber operations: Benefits, issues and challenges’, Social Science Research Network (2016), p. 12, available at: {http://dx.doi.org/10.2139/ssrn.2836201}; Maurer, Cyber Mercenaries, p. 80.

59 Christensen and Liebetrau, ‘A new role for “the public”?’, p. 405.

60 Ibid.

61 Leander, Anna, ‘The power to construct international security: On the significance of private military companies’, Millennium, 33:1 (2005), pp. 803–26.

62 Eichensehr, ‘Public-private cybersecurity’.

63 Christensen and Petersen, ‘Public-private partnerships’.

64 Benjamin Farrand and Helena Carrapico, ‘Blurring public and private: Cybersecurity in the age of regulatory capitalism’; Bures and Carrapico (eds), Security Privatisation, pp. 197–216.

65 Brad Smith, ‘Transcript of Keynote Address at the RSA Conference 2017: The Need for a Digital Geneva Convention’, San Francisco, 14 February 2017, p. 13.

66 On the latter point (that private cybersecurity firms construct the roles of various actors) Smith also asserts that ‘we are the world's first responders. Instead of nation-state attacks being met by responses from other nation-states, they are being met by us’: Ibid., p. 4.

67 Eichensehr, ‘Public-private cybersecurity’.

68 Ibid., p. 510. Many of the relationships are framed in terms of ‘public-private partnerships’, but how firms view this relationship is quite different to how governments do so. In short, both eschew responsibility for cybersecurity and assume that it is the responsibility of the other. Carr, Madeline, ‘Public-private partnerships in national cyber-security strategies’, International Affairs, 92:1 (2016), pp. 43–62.

69 Eichensehr, ‘Public-private cybersecurity’. On this issue for PMSCs, see Cohn, Lindsay P., ‘It wasn't in my contract: Security privatization and civilian control’, Armed Forces & Society, 37:3 (2011), pp. 381–98.

70 Stevens et al., ‘UK Active Cyber Defence’, p. 20. The undermining of democratic accountability is a deeper problem with private cybersecurity, given that it could not be redressed by a feasible system of regulation since firms can simply choose not to provide their services, thereby rendering it difficult to ensure that the dictates of the democratic polity are realised. Pattison, The Morality of Private War, pp. 205–32.

71 Ibid.; Herbert Wulf, ‘The future of the public monopoly of force’, in Alyson Bailes, Ulrich Schneckener, and Herbert Wulf, ‘Revisiting the State Monopoly on the Legitimate Use of Force’, Policy Paper No. 24 (Geneva: Geneva Centre for the Democratic Control of Armed Forces, 2007), pp. 19–26.

72 This provides a deeper reason in favour of the public defensive cybersecurity since even if there were an effective system of regulation of private cybersecurity, it could not force unwilling private actors to protect those who cannot afford protection or whose protection is too risky; public defensive cybersecurity is required for this. See, further, Pattison, The Morality of Private War.

73 Dunn Cavelty and Wenger, ‘Cyber security meets security politics’, p. 23.

74 Hoffman and Nyikos, ‘Governing Private Sector Self-Help’, p. 48.

75 Ibid., p. 49.

76 Ibid., p. 42. In addition, if not ideal, a public monopoly may also fail to tackle the problems of inequality and democratic accountability (for example, as government bodies are not properly subject to democratic control).

77 Sales, ‘Privatizing cybersecurity’, p. 681; also see Hoffman and Nyikos, ‘Governing Private Sector Self-Help’, p. 10.

78 For an in-depth analysis of the effects on privacy, see Lucas, George, Ethics and Cyber Warfare: The Quest for Responsible Security in the Age of Digital Warfare (New York: Oxford University Press, 2017).

79 Stevens et al., ‘UK Active Cyber Defence’, p. 18.

80 I leave aside whether a global public monopoly might be ideally desirable.

81 See, for instance, McMahan, Killing in War; Lazar, Seth, ‘Necessity in self-defense and war’, Philosophy & Public Affairs, 40:1 (2012), pp. 3–44; McMahan, Jeff, ‘Proportionate defense’, Journal of Transnational Law and Policy, 21 (2013–14), pp. 1–36; McMahan, Jeff, ‘Proportionality and necessity in Jus in Bello’, in Frowe, Helen and Lazar, Seth (eds), The Oxford Handbook of the Ethics of War (Oxford: Oxford University Press, 2018), pp. 418–39.

82 To be sure, if the negative effects on inequality and democratic accountability are very large, then the measure might still be impermissible under the principle of proportionality. It might, for instance, be better not to defend even one's own interests if doing so will deflect the attack onto others who are more vulnerable.

83 Private defensive cybersecurity should also, of course, still be subject to regulation nationally and internationally, and follow standards and best practice, such as the National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (April 2018).

84 Even when critical infrastructure is not at stake, there are other duties to protect individuals or groups at risk of significant harm (for example, when the violation of their privacy would lead to basic rights violations).

85 See, famously, Singer, Peter, ‘Famine, affluence, and morality’, Philosophy & Public Affairs, 1:3 (1972), pp. 229–43.

86 Etzioni, ‘The private sector’, p. 70.

87 Agrafiotis, Ioannis, Nurse, Jason R. C., Goldsmith, Michael, Creese, Sadie, and Upton, David, ‘A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate’, Journal of Cyber Security, 4:1 (2018), available at: {doi: 10.1093/cybsec/tyy006}; Etzioni, ‘The private sector’, p. 71.

88 Carr, ‘Public-private partnerships’, p. 57.

89 European Union, ‘The Directive on Security of Network and Information Systems (NIS Directive)’ (24 August 2018).

90 Those sympathetic to this view include Gandhi, Hardik, ‘Active cyber defense certainty: A digital self-defense in the modern age’, Oklahoma City University Law Review, 43 (2019), pp. 279–309; Lin, Allhoff, and Abney, ‘Is warfare the right frame’; Powell, Benjamin, ‘Is cybersecurity a public good: Evidence from the financial services industry’, Journal of Law, Economics and Policy, 1:2 (2005), pp. 497–510; and Rosenzweig, ‘International law and private actor active cyber defensive measures’. Others call for some offensive cyber operations to be permitted, for example, Hoffman and Nyikos, ‘Governing Private Sector Self-Help’, p. 56 and Center for Cyber and Homeland Security, ‘Into the Gray Zone’.

91 To be sure, if your information is not reliable, it might not be permissible to target the terrorist. Also note that it is important here that the terrorists have already begun to act upon the plan; I leave aside the controversial issue of whether individuals can be liable for merely intending a culpable act (that is, which they have not yet enacted). See Alexander, Larry and Ferzan, Kimberly Kessler, ‘Danger: The ethics of preemptive action’, Ohio State Journal of Criminal Law, 9:2 (2012), pp. 637–67.

92 See, for instance, Buchanan, Allen, ‘Justifying preventive war’, in Shue, Henry and Rodin, David (eds), Preemption: Military Action and Moral Justification (Oxford: Oxford University Press, 2007), pp. 126–42; Buchanan, Allen and Keohane, Robert O., ‘The preventive use of force: A cosmopolitan institutional proposal’, Ethics & International Affairs, 18:1 (2004), pp. 1–22; McMahan, Jeff, ‘Preventive war and the killing of the innocent’, in Rodin, David and Sorabji, Richard (eds), The Ethics of War: Shared Problems in Different Traditions (Aldershot: Ashgate, 2005), pp. 169–90. To reiterate, any response must be proportionate to the degree of liability of the attackers. It would, for all intents and purposes, not be proportionate to use lethal or significant physical force in these cases, if the sort of harm from the attacker involves only property damage.

93 Reichberg, Gregory and Syse, Henrik, ‘Humanitarian intervention: A case of offensive force?’, Security Dialogue, 33:3 (2002), pp. 309–22.

94 These problems are not unique to private cyber actors; they may also apply (to varying degrees) when states engage in offensive operations. I leave aside the issue of whether states should engage in offensive operations, which has been subject to significant attention already. See, for instance, Gandhi, ‘Active cyber defense certainty’; Lin, ‘Ethics of hacking back’; Iasiello, Emilio, ‘Hacking back: Not the right solution’, Parameters, 44:3 (2014), pp. 105–13; Orin Kerr, ‘The hackback debate’, Steptoe Cyberblog (2012), available at: {www.steptoecyberblog.com/2012/11/02/the-hackback-debate}; Brandon Valeriano and Benjamin Jensen, ‘The Myth of Cyber Offense: The Case for Restraint’, Policy Analysis, Cato Institute (15 January 2019); and Eugene Volokh, ‘The hackback debate’, Steptoe Cyberblog (2012), available at: {www.steptoecyberblog.com/2012/11/02/the-hackback-debate}.

95 Hoffman and Levite, ‘Private Sector Cyber Defense’, pp. 4–10.

96 Volokh, ‘The hackback debate’.

97 Kerr, Orin, ‘Virtual crime, virtual deterrence: A skeptical view of self-help, architecture, and civil liability’, Journal of Law, Economics, and Policy, 1:1 (2005), pp. 197–214 (pp. 204–05); Volokh, ‘The hackback debate’.

98 Rosenzweig, ‘International law and private actor active cyber defensive measures’, p. 108.

99 Nuala O'Connor, ‘Additional views of Nuala O'Connor’, in Center for Cyber and Homeland Security, ‘Into the Gray Zone’, p. 36.

100 Lin, Allhoff, and Abney, ‘Is warfare the right frame’, pp. 51–2.

101 The greater good here concerns the potential to access command and control machines and potentially compromise the attacker's home machine and identify other victims who do not yet know that they have been attacked. Stewart Baker, ‘The hackback debate’, Steptoe Cyberblog (2012), available at: {www.steptoecyberblog.com/2012/11/02/the-hackback-debate}.

102 See, for instance, McMahan, Killing in War.

103 Lazar, Seth, ‘Responsibility, risk, and killing in self-defense’, Ethics, 119:4 (2009), pp. 699–728.

104 Kerr, ‘The hackback debate’.

105 Kerr, ‘Virtual crime’; Kerr, ‘The hackback debate’.

106 Iasiello, ‘Hacking back’, p. 108.

107 Huang, Shane, ‘Proposing a self-help privilege for victims of cyber attacks’, George Washington Law Review, 82 (2014), pp. 1229–66 (pp. 1254–6).

108 McMahan, ‘Proportionality and necessity’.

109 Volokh, ‘The hackback debate’.

110 Will Cathcart, ‘Why WhatsApp is pushing back on NSO group hacking’, Washington Post (29 October 2019).

111 Maurer, Cyber Mercenaries, p. 78; Sales, ‘Privatizing cybersecurity’, p. 640.

112 Sales, ‘Privatizing cybersecurity’, p. 642.

113 Maurer, Cyber Mercenaries, p. 78.

114 Ibid., p. 79.

115 Ibid.

116 Sales, ‘Privatizing cybersecurity’, p. 655.

117 Ibid.

118 For somewhat analogous issues with PMSCs, see Deborah Avant, ‘The implications of marketized security for IR theory: The democratic peace, late state building, and the nature and frequency of conflict’, Perspectives on Politics, 4:3 (2006), pp. 507–28.

119 Lachow, ‘The private sector role’, p. 12.

120 Iasiello, ‘Hacking back’, p. 110.

121 Lin, ‘Ethics of hacking back’.

122 Ibid., p. 17.

123 Also see Borghard and Lonergan, ‘Cyber operations as imperfect tools’.

124 Maurer, Cyber Mercenaries, pp. 3–4.

125 Iasiello, ‘Hacking back’, p. 111.

126 To the extent that regulation is feasible and would address the issues raised by private offensive cybersecurity, these issues are not deeper ones, although they still are, of course, serious. (There are deeper issues with private cybersecurity in general, discussed in the first half of the article, which would apply to private offensive cybersecurity). Also note that it may be better to preclude states from engaging in offensive cyber operations, but, again, this is beyond the scope of this article.

127 Hoffman and Levite, ‘Private Sector Cyber Defense’, p. 4; Huang, ‘Proposing a self-help privilege’; Rosenzweig, ‘International law and private actor active cyber defensive measures’.

128 Hoffman and Levite, ‘Private Sector Cyber Defense’, pp. 14–15.

129 Ibid., p. 15.

130 Michael Schmitt (ed.), Tallinn Manual, p. 175. For instance, the Budapest Convention on Cybercrime does not cover important states such as Russia and Brazil and the Tallinn Manual has failed to gain widespread support from states. Mette Eilstrup-Sangiovanni, ‘Why the world needs an International Cyberwar Convention’, Philosophy & Technology, 31 (2018), pp. 379–407 (p. 388, n. 19). The Wassenaar Arrangement precludes states from exporting some offensive cyberweapons but covers only 42 states.

131 Michael Schmitt (ed.), Tallinn Manual, p. 130.

132 Eilstrup-Sangiovanni, ‘Why the world needs an International Cyberwar Convention’.

133 Ibid., p. 397. It might be worried that an ICWC would lead to authoritarian states increasing their violations of human rights domestically. However, this could be avoided if the ICWC is carefully crafted so as to focus on offensive measures. Moreover, it is unclear whether an ICWC would change existing practice where authoritarian states can already use extensive Internet controls.

134 Tim Maurer, ‘A dose of realism: The contestation and politics of cyber norms’, Hague Journal on the Rule of Law, available at: {doi: 10.1007/s40803-019-00129-8}; Eilstrup-Sangiovanni, ‘Why the world needs an International Cyberwar Convention’, p. 400.

135 Maurer, Cyber Mercenaries, p. 19.

136 Gandhi, ‘Active cyber defense certainty’, p. 300.

137 Valeriano and Jensen, ‘The myth of cyber offense’. This is notable with the Department of Defence's ‘Defend Forward’ posture, which concerns confronting threats before they reach US networks and the Director of the National Security Association Paul M. Nakasone's recent statements that the US will react robustly to cyberattacks. Taillat, Stéphane, ‘Disrupt and restraint: The evolution of cyber conflict and the implications for collective security’, Contemporary Security Policy, 40:3 (2019), pp. 368–81 (p. 375); Dina Temple-Raston, ‘How the U.S. hacked ISIS’, National Public Radio (26 September 2019), available at: {www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis}.

138 Ibid.

139 Eilstrup-Sangiovanni, ‘Why the world needs an International Cyberwar Convention’, p. 386.

140 See, for instance, Eberle, ‘Just war and cyberwar’; Lee, ‘The ethics of cyberattack’; Brian Orend, ‘Fog in the fifth dimension’.

141 The cyber realm may not raise different fundamental challenges to the central moral principles in moral and political philosophy governing war and self-defence. My point, rather, is that it raises different applied issues. See Roger Crisp, ‘Cyberwarfare: No new ethics needed’, Oxford Practical Ethics blog (19 June 2012). See, further, Pattison, James, The Alternatives to War: From Sanctions to Nonviolence (Oxford: Oxford University Press, 2018) and Pattison, James, ‘The ethics of foreign policy: A framework’, SAIS Review of International Affairs, 39:1 (2019), pp. 2135.