Ethics as a “Science of Happiness” in Cyber International Relations

In honor of Global Ethics Day on October 18, Carnegie Council and New York University (NYU) held a special cyber international relations and ethics convening. The event introduced students and faculty to applying systems thinking towards examining complex technical, geopolitical, and ethical challenges that encapsulate state relations in cyberspace.

The presentation was co-led by NYU Professor Christopher Ankersen and Zhanna Malekos Smith, a former professor of systems engineering at West Point, the United States Military Academy, and a current visiting fellow at Carnegie Council. The following article is a summarization of Malekos Smith’s remarks, including additional notes from the presentation for educators to leverage in their own lesson plans.

First, let’s discuss what do we mean by ethics?

While ethics has a myriad of definitions, Italian thinkers Luca and Francesco Cavalli-Sforza described ethics arising as “the science of happiness.” This concept refers to one’s capacity to feel empathy towards the suffering of others. Shifting us away from an ego-centric perspective in looking at one’s relationships and environment, and instead taking action to help those in need. “Just as crystal takes the color of the cloth upon which it rests, [e]thics also affects our own wellbeing” writes Matthieu Ricard in his book Happiness: A Guide to Developing Life’s Most Important Skill.

According to Ricard, a Nepalese French writer and Buddhist monk, practicing putting oneself in the other’s shoes and trying to imagine what it is like to be on the receiving end of a certain act, or experience, is part of compassionate ethics building. In turn, practicing compassionate ethics building in one’s day to day life, also allows one to better understand perspectives different from our own, thus fostering empathy and, ultimately happiness.

From a political relations standpoint, compassionate ethics building also advances our understanding of allies, partners, and adversaries.

As a teaching methodology, the NYU audience was introduced to a live role-playing exercise about ethical dilemmas in cyber international relations. The exercise helped students grapple with unpacking the various perspectives of stakeholders in this community and consider the ecosystem of factors that accompany programmatic risk management in systems thinking.

Hopefully, this article may serve as a case note for educators who may wish to incorporate the following cyber mini-play and discussion questions into their own classroom as a fun and interactive learning activity with students and professionals.

With special thanks to Mr. Alvaro Jimenez Jimenez.

Teaching Case Note

Cybersecurity is oft described as a team sport. Imagine that you and a team of experts were appointed to serve on a National Cyberspace Ethics Commission. Your goal is to develop consensus on a strategic approach to promoting adherence to international norms in cyberspace and defending the United States’ national interests in cyberspace.

The following Platonic-style dialogue highlights the perspectives of five contentious stakeholders and their opinions on responsible state behavior in cyberspace. Five actors play the role of either a policy hawk, dove, member of industry, a humorous policy cynic, and the meeting moderator, typically played by the educator leading this simulation. Why a dialogue form? The ancient Greek philosopher Plato valued this form of testing arguments, acknowledging that the search for the truth can only be gained through dialogue.

After the students perform the dialogue to the class, have the students form small breakout discussion groups of five, each electing to play one character from the cast of characters above, and together work through the three discussion questions for 15 minutes. The discussion questions are listed at the end of this article. At the end of this round, bring the class back together and have one representative from each breakout group report their group’s impressions and thoughts on the questions to the class.

SCRIPT:

The Great Cyberspace Ethics Dialogue

Scene: At a top-secret government location, we join the members of National Cyberspace Ethics Commission as they sit huddled around a conference table. We see a policy hawk, a dove, the moderator, industry stakeholder, and a snarky critic. Let’s listen in now.

Moderator: Thank you all for coming. As you know, the Biden-Harris administration released the new 2023 National Cybersecurity Strategy, which focuses on how the government should partner with the private sector in ensuring best practices and responding to malicious cyber activity. I propose we first reorient ourselves to the strategies’ five pillars. Any objections?

Hawk: Unacceptable! We, as a nation, have failed to establish a clear cyber doctrine. We need a playbook! We need to set expectations—something—to signal to the world when and how the U.S. will respond to cyberattacks. Friends, we cannot afford to sit idly by as other states just write the rules of the road here!

Snark: (Very sarcastic tone) Calm down. And you’re signaling enough to the world as it is; we were told to leave our phones outside.

Hawk: ’Twas a minor oversight.

Chair: Getting back to the main issue, ladies and gentlemen, before this Ethics Commission discusses any new business, it is imperative that we first address—(cut off)

Hawk: We need to draw a “red line” in cyberspace! A red line, signaling that if any government, or non-state actor, or lone hacktivist even places one toe over this red line, we are ready for them; locked and loaded, and ready to dance!

Snark: (Very sarcastic tone) Remind me never to go dancing with you.

Hawk: This is no laughing matter! Did you know that “Defense Department systems are probed by unauthorized users roughly 250,000 times an hour—over 6 million times each day.” Unbelievable!

Dove: I think Hawk raises a valid point. We appear to be building this “policy airplane” while flying it; however, I caution against a red-line policy as it diminishes our response options.

Industry: (Sad tone) I thought there would be coffee served at this meeting.

Snark: I blame the government.

Industry: At the very least there should be those tiny chocolate chip muffins, or sliced fruit!

Snark: Freshly squeezed orange juice, perhaps?

Hawk: (Gruffly) I like waffles.

Chair: Enough!

Dove: (A little irritated) Ahem! As I was saying, once an aggressor crosses that proverbial red line, and there is no follow-up action, it becomes embarrassingly ineffectual. For instance, do you recall in 2012 when U.S. President Barack Obama said that his “red line” with Syrian President Bashar al-Assad was if chemical weapons were used, but then did not enforce this after Assad’s regime killed almost 1,500 people in a chemical-weapons attack?

Chair: Dove, thank you for that insight, but we need to take things sequentially on the agenda to formulate a cohesive cyber strategy. Not only to shape the U.S. vision for cyber operations, but also to relay to the international community how we regard international law to apply to State conduct in cyberspace. First, we need to reach a consensus on what constitutes an act of war in cyberspace. As it stands, there is no standard international legal definition of a “cyberattack,” and I imagine each of us in this room has a differing opinion as to what a cyberattack is or is not. So, let’s discuss.

Dove: I propose we adopt the definition provided in the Tallinn Manual on the International Law Applicable to Cyber Warfare. Rule 30 reads that a cyberattack is a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”

Snark: What about harm to data? Your definition seems to fall short by not expressly mentioning damage to, or destruction of systems, data and information.

Hawk: What a sorry pedantic lot are we. Listen, friends, there should be less of a preoccupation with divining some prized definition here and more focus on what bad acts in cyberspace are an act of war. Typical examples of cyber activity that amount to a “use of force” under Article 2(4) of the United Nations Charter are (1) operations that trigger a nuclear plant meltdown, (2) operations that open a dam above a populated area causing destruction, or (3) operations that disable air traffic control resulting in airplane crashes.

Chair: Sure, all those examples have some form of high-level destruction, whether it be loss of human life or catastrophic physical damage. But what about cyber activity that doesn’t amount to an armed attack but wreaks havoc in other insidious ways? Why are we focusing on just kinetic effects? Shouldn’t attacking our election systems and judicial system constitute an act of war?

Dove: I agree, there is a danger in trying to hold fast to the traditional military definition of an armed attack as having physical, kinetic effects; this misses the nuances of aggressive cyber operations. From an ethics standpoint, however, should a cyber operation that harms data or produces misinformation be treated as an armed attack? I am concerned that we are lowering the threshold of conflict for states to go to war.

Snark: Eh, I think the future face of conflict will be much more subtle: think gray zone tactics, like Russia’s information operations and interference in the 2016 U.S. election and China’s malign foreign influence campaigns in the West. We don’t need to dwell on when a punch in the face, is a punch in the face. That’s self-evident. Acts of sabotage, influence operations, espionage and economic coercion are not new developments, but the ability to propagate and amplify the effects in cyberspace is.

Hawk: Which brings me back to my point at the beginning.

Snark: You like waffles.

Hawk: No! Yes! Not now! We need a playbook of responses to cyberattacks so that our opponents know full well what type of cyber misconduct will trigger a response from us and what to expect.

Chair: Bringing the focus back here—can we all agree that a cyberattack on our protected critical infrastructure constitutes an act of war? As a reminder, under the 2001 Patriot Act, critical infrastructure includes “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security[.]”

All: Go on.

Chair: Okay, assuming we agree to that, by classifying certain systems and assets as “critical infrastructure,” we are in effect signaling to our opponents that these targets are “out-of-bounds” and, if harmed, there will be serious consequences.

Industry: What about election infrastructure?

Snark: Yes, what is to be done, comrades?

Chair: It’s already included. Recall in 2017 that former DHS Secretary Jeh Johnson determined that election infrastructure should be designated as critical infrastructure as a part of “Government Facilities.”

Dove: I see. By applying the umbrella term of protected critical infrastructure to such systems, we are in effect signaling to opponents that these systems are “off-limits.” At least this is more flexible and breathable a doctrine than drawing a red line or designing a playbook that could be obsolete after a few years based on the pace of technological innovation.

Snark: In all seriousness, I really dislike the playbook idea. It’s too rigid, and to use it as a “signal” to adversaries is ill-conceived, because it weakens the element of surprise in military cyber operations. Why advertise how we would respond?

Hawk: But a playbook imparts clarity on how we would respond to an attack.

Snark: That may be true, but it sounds like what is really needed is a fluid planning model of cyber-based operating procedures and contingency plans. Options, rather, on how we may respond. We cannot plan for every form of attack, and a playbook is way too formalistic here. Further, we should preserve our right to respond to a hostile cyber act in a time, place and manner of our choosing; flexibility is key.

Dove: Flexibility and the right blend of transparency to signal our nation’s resolve and to promote global stability. To me, fluidity should animate a state’s analysis of whether the “scale and effects” of a cyber operation rise to the level of an “armed attack” under the Law of Armed Conflict, and how the victim state determines the proper legal basis for responding with force. Furthermore, for the planning model to be pragmatic, it must account for ambiguous conflict scenarios, as when the “armed attack” threshold is not met but the cyber act still produces harmful effects. Here, an exploration of imposing non-forcible countermeasures, like economic sanctions and legal indictments, must be considered.

Industry: Maybe that could be a useful quick fix but, in the long run, I am unconvinced. We’ve seen counter actions used in 2014 when the U.S. Department of Justice issued indictments against five Chinese military hackers for engaging in cyber economic espionage against U.S. businesses. But countries are still engaging in economic espionage—stealing trade secrets and IP data. Not good.

Snark: Yea . . . I remember in 2016 and 2018 the Justice Department issued indictments against several Iranian hackers for targeting U.S. banks, as well as the Bowman Dam in New York, and for stealing intellectual property from universities. Yes, it’s a slap on the actor’s wrist for bad conduct, but if the payoff is higher than the punishment, why stop?

Industry: Stopping for a coffee break would be nice.

Snark: (Nods in agreement) Seriously.

Dove: Sounds like our planning model should be flexible, taking ethics into consideration of course, and use a layered approach to deter bad conduct.

Hawk: Then we really don’t need a “playbook” per se.

Chair: And that is the brick we shall build from. Let’s break!

END.

Copyright © 2023 by J. Zhanna Malekos Smith

Group Breakout Discussion Questions:

1. With the upcoming 2024 U.S. presidential election, what is the role of the United States government and private industry in mitigating the risks of disinformation campaigns and malign foreign influence operations?
2. How can the United States work with its allies and partners to promote cyber resiliency and adherence to international norms of responsible state behavior in cyberspace?
3. Without crossing the legal boundary line of performing in hostile activities in an intranational armed conflict, what is the ethical role’ of foreign private industry in the Russia-Ukraine conflict?

Carnegie Council for Ethics in International Affairs is an independent and nonpartisan nonprofit. The views expressed within this article are those of the author and do not necessarily reflect the position of Carnegie Council.