This essay was published on VentureBeat on December 19, 2021.
Smart people in my industry have noted the growing role of cyberspace in inter-state conflicts and called for the development of cooperative, global regulation and governance. There are a few ethical dilemmas that this raises, including one that not much has been written about: the morality of cyberattacks.
This is a topic that I’ve purposefully avoided so far for a simple reason: morality is so removed from statecraft that any discussion linking the two is bound to be essentially theoretical. Most, if not all countries in the world have a notion of “national interest” written in their laws or constitution – a concept which Jean de Silhon, in the 17th century, defined as “a mean between that which conscience permits and affairs require.”
At its core, the idea of national interest implies that states won’t, and in fact shouldn’t behave ethically at all times: Sometimes, furthering a nation’s strategic bottom-line takes precedence. It is a polite way of saying that arms deals, murder, black ops, and overthrowing democratically elected governments might be okay as long as there’s sufficient justification. The same applies, of course, to cyberattacks.
In this world where the rules dictate that morality may be suspended whenever it is convenient, what would be the point of developing ethical arguments for a more secure Internet? This necessarily leads the conversation toward the only angle that has any chance to sway decision-makers: the pragmatic reasons why it is in their immediate interest to regulate cyber offense.
The fallacy of cyber offense
Pragmatic discussions over any issue will generally boil down to a risk/gain calculus. Many stakeholders appear to be double-dealing in the digital age, advocating for responsible behavior publicly, while at the same time developing exploits and backdoors for the purposes of offensive operations through their intelligence services or even weakening security standards worldwide. Kaspersky’s Global Research & Analysis Team (where I work) tracks over 100 advanced persistent threat (APT) actors, a significant portion of which are believed to be backed by states, due to their apparent financial means and the type of intelligence they appear to be after. If the decision to engage in offensive operations is rational, then it must mean that all these actors, at some point, have determined that they stood more to gain than to lose by doing so.
But how is this calculus achieved? Figuring out what can be gained from offensive operations is the easy part: States that engage in such behavior have precise data about the value of the intelligence they were able to collect, the edge that they could obtain in strategic fields, or even the progress they achieved through intellectual property theft. They know which systems they sabotaged and the impact it had on the targets. In other words, the gains are immediate and also easy to measure. But what about the costs of being victimized? Cyber espionage can seem painless, especially when you don’t know you’ve been attacked. Oftentimes, attackers remain undetected in victim networks for months, so one would imagine there are many cases where they are never found at all. And when they are, the information available to defenders may not indicate what actions were conducted or what data was stolen. Consequences of such breaches tend to be indirect and hard to correlate with the original incident. To make matters worse, these attacks may target systems that are outside of the government’s direct control, such as those of defense contractors, actors from the energy sector, technology firms, etc. Depending on local laws, authorities might not even be informed of incidents that are discovered, since reporting requirements are not implemented everywhere.
To summarize, here is the fallacy of cyber offense: Every state has a very clear idea of the reward it gains from conducting cyberespionage but knows very little about what cost it incurs from attacks made against itself. For this reason, the perceived risk/reward ratio is skewed toward favoring offense. Based on the data available to decision-makers, there is a clear incentive for them to foster an ecosystem where offense can prosper. It is only by recognizing that this situation does not stem from a rational analysis but instead from a lack of information that we can hope to change minds.
A valid objection is that there may not be an alternative. Ben Buchanan frames the cybersecurity problem as a traditional game-theory dilemma, where the perceived increase in competitors’ capabilities leads to a choice between defensive and offensive actions. He identifies the diplomatic process as a possible means towards a mutually beneficial equilibrium where states agree not to conduct cyberattacks against each other. But even then, a second prisoner’s dilemma emerges: What if one of the parties does not stay true to its word and chooses to betray the other one? That party would still reap all the benefits of cyber offense and might not even have to face consequences for it. On paper, game theory tells us that the rational course of action (when trust is nonexistent) is to be uncooperative.
Applying the same logic to a multi-stakeholder model, we recognize a case of the tragedy of the commons, where the pursuit of individual best outcomes is detrimental to the ecosystem as a whole. In an environment where everyone is being uncooperative, anyone who tries to cooperate gets abused. When everybody is already exploiting digital vulnerabilities, parties refusing to do so are at risk of irremediably falling behind and being attacked by all the others. In other words, the current behavior in cyberspace traps all its stakeholders in an uncooperative state, even when they know it to be contrary to their best interests in the long run.
This constitutes a strong case that unethical behavior in cyberspace is the only rational course of action. Yet contrary to the textbook “tragedy of the commons” scenario, cyberspace is not a resource that can be expended. The internet cannot be “spent” or irremediably destroyed due to bad behavior – there is always a way back. Furthermore, actors can take individual actions that make uncooperative behavior less efficient, more expensive, or even impractical – for example, improving their defense. The investments that go into purchasing malware platforms, exploits, or even whole cyber offense teams are well documented. How many blue-teamers, threat hunters, and incident responders could be hired with only a fraction of this money? Shifting resources from offense to defense not only reduces a state’s exposure to foreign cyberattacks but also ends up degrading offensive capabilities as a whole by getting vulnerabilities patched, tools burned, and so on. It follows that any state actually has the power to engage in ethical behavior that positively impacts the ecosystem as a whole. Contrary to many game-theory dilemmas, what it needs is not trust in its peers, but only trust in its own ability to perform defense effectively.
Solutions for “tragedy of the commons” situations usually involve regulation from a governing body, which becomes responsible for the establishment of practices that are fair to all parties. Such initiatives are ongoing, such as the UN OEWG and UN GGE on cyber, which aim to promote rules and norms for responsible state behavior in cyberspace. For such talks to be productive, of course, each participant needs to be convinced beforehand that regulating offense serves its self-interest. Otherwise, they may be tempted to argue in bad faith, undermine proposals, or leverage the overall process as a means to target their competitors’ capabilities.
The inevitability of cyber offense is often presented as fact, but it doesn’t have to be. What is the actual cost of living in the current, untrustworthy ecosystem? The fact that answering this question proves so difficult indicates that decisions we thought to be rational need to be reconsidered. Is there a practical way to escape the gravity field generated by the cyber-arms race? My answer would be yes: genuinely investing in better defense.
The question of whether cybersecurity is a zero-sum game would merit an article on its own. Whether it is or not, however, there’s no question that it is a game that not every state can be winning. In a way, one could suspect that a minority composed of the strongest players has purposefully engineered this ecosystem. In it, weaker actors feel like they have no other option but to participate in the arms race, yet they will forever find themselves lagging behind.
For them, and for the vast majority of the world, the only winning move may be not to play.