Dr Florian J Egloff, Dr James Shires
Cyberspace is everywhere. It is so prevalent that the concept has started to lose its functional utility – and, as the recent Facebook rebrand demonstrates, big tech companies still want to make cyber interactions even more seamless and attractive. For the majority of the world’s population with access to the internet, life offline is increasingly difficult to imagine; and for those without, this lack is increasingly understood as detrimental to their fundamental human rights.
Cybersecurity is the foundation of our online life, while cyber insecurity is its Achilles’ heel. Within this broader picture, offensive cyber operations by states are an important – but far from the only – cause of global cyber insecurity. The effects of state offensive cyber operations are wide, with harms ranging from leaked or deleted personal data to the non-functioning of critical infrastructures such as oil pipelines. Categorizing and prioritizing these harms is difficult, as scholars and policymakers struggle to draw standard distinctions between peace and war, espionage and covert action, and military and intelligence functions.
However, studies of offensive cyber operations have rarely engaged with these harms as forms of violence. When they have, violence was often conceived very simply: to break things and kill people. We think the time is ripe to refine our assessment of what violence means in a digital era. To that end, we have written two articles laying out what violence is in relation to offensive cyber operations, and how offensive cyber operations are integrated into the violent tools of statecraft. Together, these articles offer a new perspective on the harms of offensive cyber operations, and one which we hope helps sidestep or solve the longstanding controversies above. In this blog post, we give you an overview of the results.
First, let’s take a step back, as the disciplinary evolution of political science and international relations has an important lesson for the study of offensive cyber operations. In reaction to what was seen as an overly statist focus on systemic or strategic issues (such as nuclear stability) during the Cold War, the subfield of political violence sought to reorient these disciplines towards the study of violent acts committed for political purposes, whether by states at war, by armed groups and other non-state actors in civil wars, or in situations of unrest and revolution. Their conceptual rationale was that these are all part of a single continuum of organized violence, and so studying them together makes good theoretical sense. Their normative rationale was that the moral aim of studying war and conflict is to prevent or ameliorate its devastating impacts, and so a focus on violence (rather than, for example, stability) directs attention to the problems we need to solve most urgently.
Issues of political violence may seem starkly removed from the study of offensive cyber operations, because the current consensus is that cyber operations are almost always non-violent. It is very difficult to use cyber means to cause death and destruction in the manner of missiles, machetes, or machine guns. The most impactful cyber operations to date have caused extensive disruption with significant economic losses, but in each case systems recovered shortly afterward – albeit with intense effort – and no one died. This lack of violence is even seen as the unique promise of offensive cyber operations, as states and other actors, such as financially-motivated cyber criminals, can achieve their goals in a more “civilized” way. Ransomware holds data hostage, rather than kidnapping real people. Offensive cyber operations could thus almost be seen as the “better angels of our digital nature”.
However, we think this reading relies on too narrow a definition of violence. The field of political violence is itself split between a narrow “minimalist” concept of violence referring to physical harm (often operationalized crudely as numbers of deaths), and a broader view of violence including psychological and community harms. This broader view of violence is gaining ground in international law, as scholars recognize the psychological and societal impacts of war and conflict, as well as in diverse policy arenas from cyber-bullying to intimate partner violence. The study of offensive cyber operations can also benefit from this broader view – which we term “harm to areas of human value” including bodily, affective, and community aspects.
This has clear consequences for the kinds of operations we study. While highly-targeted cyber-espionage campaigns such as SUNBURST make global headlines, and might well have strategic national security consequences (e.g. by transferring state secrets or commercial intellectual property), these are not the most violent consequences of offensive cyber capabilities. Instead, repressive use of surveillance operations, or the sabotage of critical infrastructure, could be much more devastating. Focusing on violence shifts us away from the disputed strategic impact of cyber-espionage towards more destructive operations. Conceptually, it means we should no longer privilege sophisticated state actors over cybercrime gangs or intimate partner surveillance; and normatively we should prioritize reducing harm over measuring shifts in the international balance of power.
In this expanded definition, when do cyber operations stop being violent? In terms of harm, there is no lower bound, and so context-specific assessments of severity are crucial. But our expanded definition includes criteria of intentionality – violence must be deliberate – and proximity – violence must be causally significant. Offensive cyber operations complicate both criteria. Many cyber operations have consequences far beyond those originally intended, due to the interconnectedness of digital networks, and at the same time they are far less causally proximate than kinetic weapons, as they manipulate information systems that are embedded in complex ways across state borders. Overall, the less deliberate and the less proximate the cyber component, the less violent the operation.
One might respond that this is all a bit abstract. Cyber operations don’t take place in a vacuum, and the important thing is not only the (lack of) violence of cyber operations, but also the violent consequences of their alternatives. The issue is relative, not absolute. We strongly endorse this view, and so in a separate article we put forward three logics of integration of cyber capabilities into violent state structures. These logics – substitution, support, and complement – weigh the benefits of using offensive cyber capabilities (OCCs) against an adversary instead of, as part of, and in addition to other means of violence, respectively.
Table 1. (Source)
The Three Logics of Integration and Their Effect on Violence
| | Substitution | Support | Complement |
|---|---|---|---|
| Summary | OCCs replace other means of achieving a particular end | OCCs are combined with other means to help achieve that end | OCCs achieve an end not available by other means |
| Effect on violence (narrow definition) | Less violent | Less violent | Irrelevant |
| | OCCs achieve the same end without or with less physical harm | OCCs are more precisely targeted, concerns of indirect effects limit use | Complementary effects of OCCs are not physically damaging so not violent |
| Effect on violence (broad definition) | Unclear | Unclear | More violent |
| | Affective/community harms could outweigh physical damage depending on context | Affective harms occur even with better targeting; shift in, not decreased, repression | Affective/community harms caused by OCCs increase levels of violence overall |
What does this table show? Where many might think that replacing a conventional means of violence with a cyber operation leads to less violence, we argue that this is not necessarily so. Rather, it is an empirical question, one of the scale and scope of harm (including non-bodily harm). The same can be said for supporting operations.
The most striking change is, however, in the area of complementary operations, i.e. offensive cyber capabilities that produce genuinely new forms of causing harm, for example digital repression or logical (but disabling) attacks against civilian data. Such complementary uses of OCCs are automatically nonviolent in a narrow definition, because they have not – so far – caused bodily harm or death. In a broader understanding, these operations increase overall levels of violence.
For example, with regard to interstate violence, the notorious NotPetya operation is violent, though the exact intent of the attackers matters for the judgment of its severity. Regarding repression, the complementary use of OCCs to create an environment of pervasive censorship and fear, as in Xinjiang, also implies increased violence on an expanded definition. When particular groups are targeted by censorship technologies, there are effects on affective life (individual identities, including gender and ethnic identifications) and communal areas of value (social relationships and, at the larger scale, national identities).
Worryingly, it is precisely these new forms of harm that are hardest to capture with a policy apparatus built for a non-digital era. Concerns around escalation as a result of offensive cyber operations should be reoriented toward violent escalation, recognizing that some uses of OCCs could be strategically escalatory – e.g. SUNBURST – but without an accompanying increase in violence.
Policy responses to cyber operations should also be calibrated based on their logics of integration: supportive and substitutive uses are more likely to be amenable to existing frameworks, while complementary uses present a far more novel policy challenge. Acknowledging complementary uses of OCCs and understanding their violent effects gives defenders a better grasp of the complexity of defending against adversarial actions across a mostly civilian cyberspace.
Where next? In the articles above, we mainly consider positive cases of integration where cyber capabilities were used instead of/as part of/as well as other means. Future research should also consider negative cases where actors decided not to use cyber operations, instead staying with more conventional tactics. In these articles, we also set aside the bureaucratic politics of cyber operations – questions around institutional manoeuvring, domestic dynamics, departmental hierarchies, and individual personalities – which are of course a crucial component of decisions about when and where to deploy these capabilities.
Ultimately, understanding cyber operations as a form of political violence helps us prioritize research and policy efforts to counter the harms they cause. The most violent uses of OCCs may not be state-sponsored cyber-espionage or sabotage, but authoritarian practices of digital globalised repression, the indirect consequences of disrupted critical infrastructures, and digitally-enabled interpersonal coercion.
Florian J. Egloff is a Senior Researcher in Cybersecurity at the Center for Security Studies (CSS) at ETH Zurich. He is the author of the forthcoming book Semi-State Actors in Cybersecurity (Oxford University Press, 2022).
James Shires is an Assistant Professor in Cybersecurity Governance at the Institute of Security and Global Affairs, University of Leiden. He is the author of The Politics of Cybersecurity in the Middle East (Hurst/Oxford University Press 2021).