Answer questions in paragraphs

209© The Author(s) 2017 E.D. Jacob (ed.), Rethinking Security in the Twenty-First Century, DOI 10.1057/978-1-137-52542-0_15

CHAPTER 15

INTRODUCTION This chapter concerns itself with the question “what duties does a state have to defend its citizens from cyber-attack?” Such a challenge is not novel in itself; arguably, the state’s fi rst duty is to provide protection and security for its citizens, 1 and that “cyber” is a new domain of state respon- sibility should not be cause for great controversy. The cyber-domain does, however, pose a novel context for what those duties are and how they ought to be discharged. This chapter looks at three related phenomena of state duty and how they play out in the cyber-domain. They are, can a cyber -attack meaningfully be said to be an armed attack justifying military response from the defender; what forms of cyber -response are permitted; and what services and resources should a state provide to its citizens to protect against cyber -attack?

This chapter is normative in its discussion—its concern is with what a state ought to do, and the theoretical framework that underpins discus- sion is largely taken from just war theory. Just war theory, understood as a moral theory that is complementary to but distinct from a legal theory, generally takes the position that a war and actions in war can only be

Duties to Defend: Ethical Challenges of Cyber-Defense

Adam   Henschke

A. Henschke ( ) National Security College , The Australian National University , Canberra , ACT , Australia

considered just if certain criteria can be met. 2 The fi rst set of these criteria are collectively referred to as the jus ad bellum criteria and are concerned with the justifi catory conditions necessary to be met in order for a decision to go to war to be considered just. They are generally considered to be the following: just cause, that there is a justifying cause for a state 3 to use organized violence; legitimate authority, that the person making the deci- sion to go to war is in fact the legitimate person to authorize such a deci- sion; right intention, that the decision to go to war is, in fact, that stated as the just cause; proportionality, the expected outcomes of war are better than the expected outcomes of not going to war; probability of success, that the aim of war has some reasonable probability or possibility of being met; last resort, that as many alternate options to war as is reasonable have been tried.

The second set of criteria are collectively referred to as the jus in bello criteria and are concerned with the limits of what those fi ghting a war can do in the theater of war. They are generally considered to be discrimi- nation, that only legitimate people can be knowingly targeted for lethal force; and proportionality, the desired outcomes of a given military action outweigh the harms of that action.

Given that these criteria are somewhat well established (though not without controversy), we need to ask if an explicit discussion of the state’s duties to defend is needed for cyber-events. This question is prompted by two key facts of the cyber-domain. First, events that occur in the cyber- domain are not physical. Second, the international community is some- what naïve or untested with cyber-events. On the fi rst point, Thomas Rid sums up the problem nicely; he states that war—by defi nition—must be violent, and as cyber-attacks and the like occur in the cyber-domain, they are—by defi nition—not violent. Thus, a cyber-attack cannot meaningfully be thought of as an act of war. 4 Following Rid’s reasoning, an attempt to apply just war criteria to cyber-attacks is wrong-footed from the start. So we have one key challenge: can a cyber-attack count as an act of war? And, given that the impacts of a cyber-attack are limited to the cyber-domain, should a cyber-attack be limited by the just war criterion of discrimination?

The second point is that we have limited direct experience with the impacts of full-scale cyber-attacks. This naivety has implications for the expected outcomes of the use of cyber-attacks. Furthermore, such naivety can bias people to believe that the risks of a cyber-attack are negligible. Richard A. Clarke and Robert Knake consider that we ought to be antici- pating and preparing for a “cyber Pearl Harbor,” that the use of offensive

210 A. HENSCHKE

cyber-weapons could cause devastation and shock on a catastrophic scale. 5 Given our limited direct experience with events in the cyber-domain, we may not know the full scale of a cyber-weapons impact in advance, thus challenging our estimations of proportionality and pointing to a potential shortfall in civil defense.

So at one end of the spectrum, we fi nd a position like that of Rid where “cyber-war will not happen” and at the other end is a position like that of Clarke, where we are simply waiting for a catastrophic cyber-attack. With such a range of expectations, the conceptual challenges around cyber are great. Given that the cyber-domain is one of the emerging areas of security for the present and future, such conceptual challenges need to be met by those concerned with the duties of a state to secure the cyber-domain.

To help illustrate this set of problems, consider this scenario: a defender state, call it “Defenseland,” is experiencing a series of organized, persis- tent, and sustained cyber-attacks. Moreover, Defenseland is highly cer- tain that the origin of these attacks is from a country called “Attackland.” Finally, Defenseland is highly certain the government of Attackland is behind the attacks. As yet, however, there is no kinetic element to the attacks: that is, the attacks are only being conducted in the cyber-domain. Moreover, for this scenario, no kinetic attacks are imminent. To be clear— at this stage and for the foreseeable future, Defenseland is only dealing with cyber-attacks.

What duties does Defenseland have in this scenario? If we take seriously the idea that a state has a duty to provide minimum conditions of security to its citizens, as key to its existence such duties are necessary (though not suffi cient) when facing cyber-attack. With this in mind, there are at least three ways of looking at Defenseland’s duties.

AN ISSUE OF JUST CAUSE The fi rst and arguably most pressing question is whether Defenseland would be justifi ed in responding militarily to the cyber-attacks. Given that there is high certainty that the attacks can be attributed to Attackland’s military, is there suffi cient moral justifi cation for Defenseland to launch a defensive military campaign against Attackland? Just war theory holds that a state needs a just cause in order for a military response to be justi- fi ed; otherwise, they themselves become an aggressor state. “Traditionally, just cause referred to a wrong that a state had committed, which initially

DUTIES TO DEFEND: ETHICAL CHALLENGES OF CYBER-DEFENSE 211

legitimated war as a response … [such as] unprovoked attacks on a State, either one’s own State or another State.” 6

The problem is that, if the attacks are limited to the cyber-domain and there is no “real” damage, it is not immediately clear if cyber-attacks qualify as just cause. And without just cause, any military response by Defenseland will itself be an act of aggression. The intuition underpinning this is that though Attackland are undoubtedly doing something against Defenseland, a cyber-attack is by defi nition going to be confi ned to the cyber-domain and thus not an act of war. “[M]ost cyber attacks are not violent and cannot sensibly be understood as a form of violent action. And those cyber attacks that do have the potential of force, actual or real- ized, are bound to be violent only indirectly .” 7 For Rid, if a cyber act is to have some impact on the physical realm, it is dependent on the physical realm, much like a parasite is dependent on a host: “Code doesn’t have its own force or energy. Instead, any cyber attack…has to utilize the force or energy that is embedded in the targeted system or created by it. Code, quite simply, doesn’t come with its own explosive charge. Code-caused destruction is therefore parasitic on the target .” 8 And without some actual attack, following just war reasoning, Defenseland would be in the wrong to engage militarily with Attackland.

Contrasting this view, however, is the idea that the means of attack do not matter—what is morally important are the impacts. If a cyber- attack causes harmful impacts, even indirectly, and those harmful impacts are signifi cant, then the fact that the attack was conducted through the cyber-domain should be irrelevant. Consider this analogy—if someone steals $100 from me, either by picking my pocket or by hacking my bank account—what matters is that $100 was stolen from me. The means are largely irrelevant. So too with cyber-attacks: if death and/or destruction occur as a result of a cyber-attack or from a missile—what matters is the amount of death and destruction, not whether it was done via cyber- means or with a missile.

A group of international legal experts sought to answer questions about the legal status of cyber-warfare, and drafted the Tallinn Manual on the International Law Applicable to Cyber Warfare , hereafter the “Tallinn Manual.” The Tallinn Manual expressly used functional equivalence as the basis for its reasoning. Rule 11, for example, states that a “cyber opera- tion constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.” 9 The point here is about equivalence and impact. That is, if there are two attacks, a

212 A. HENSCHKE

cyber-attack that causes X effects, and a non-cyber operation that causes Y effects, and X and Y are equivalent, then we ought to treat them equally. Moreover, if Y effects would count as an armed attack justifying a mili- tary response, given the equivalence between X and Y, then consistency demands that X would count as an attack justifying a military response.

Further to this, the Tallinn Manual’s Rule 13 states: “A State that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defense. Whether a cyber operation constitutes an armed attack depends on the scale and effects.” 10 Again, if the consequences of a cyber-attack are the same as an attack by traditional kinetic weapons, then a cyber-attack could plausibly be considered an act of war. Reasoning in this way, contra Rid, cyber-war is essentially the same as traditional war, but it is simply carried out by non-traditional means.

The harder question is what counts as a suffi cient impact to be con- sidered an armed attack. But note that this is not a problem particular to cyber-war—armed attack is a vague and contestable concept. The over- all point is that, following the reasoning of functional equivalence, if the impacts on Defenseland of Attackland’s cyber-attacks were to cause impacts that amounted to armed attack, whatever that would be , then Defenseland has a suffi cient condition of just cause, and assuming the other just war criteria are met, could thus potentially use military force on Defenseland.

A cyber-attack can theoretically count as a just cause. The question thus becomes whether a cyber-attack could conceivably cause impacts rising above a threshold of armed attack. Clarke states that cyber-warriors can “take over a network…steal all of its information or send out instructions that move money, spill oil, vent gas, blow up generators, derail trains, crash airplanes, send a platoon into ambush or cause a missile to detonate in the wrong place.” 11 Clearly some of these scenarios would be equivalent to an armed attack. However, the likelihood of such events occurring is very low. The brief conclusion here is that Defenseland could plausibly claim that Attackland’s cyber-operations are cause for war, though the chances of this occurring are unlikely.

A DUTY TO ATTACK Consider now that the scenario between Defenseland and Attackland has progressed. Attackland have claimed responsibility for the cyber-attacks on Defenseland, but have kept their attacks limited to the cyber-realm. Defenseland is now considering its responses and seriously considers a

DUTIES TO DEFEND: ETHICAL CHALLENGES OF CYBER-DEFENSE 213

full-scale military response to Attackland’s aggression. However, some in Defenseland’s military point to the jus ad bellum “last resort” criterion, to suggest that Defenseland should consider cyber-responses as a fi rst option. Their argument is that such a cyber-response is more measured, less vio- lent and easier to control than a full-scale military attack.

Part of this rationale is similar to the non-violence position advocated by Rid: a cyber-attack might plausibly be considered a violent act; how- ever, the majority of cyber-weapons still have their impacts largely limited to the cyber-realm. Moreover, given that Attackland are still only targeting Defenseland in the cyber-realm, responding in kind is permitted to use countermeasures. The Tallinn Manual refers to countermeasures under Rule 9, “A State injured by an internationally wrongful act may resort to proportionate countermeasures, including cyber countermeasures, against the responsible State.” 12 They describe countermeasures as

necessary and proportionate actions that a ‘victim-State’ takes in response to a violation of international law by an ‘offending State’. The acts compris- ing the countermeasures would be unlawful were it not for the offending State’s conduct. Such countermeasures must be intended to induce compli- ance with international law by the offending State. For example, suppose State B launches a cyber operation against an electrical generating facility at a dam in State A in order to coerce A into increasing the fl ow of water into a river running through the two States. State A may lawfully respond with proportionate countermeasures, such as cyber operations against State B’s irrigation control system. 13

So, perhaps those within Defenseland’s military offer sound counsel—they are afforded the opportunity to respond in self-defense against Attackland in kind, while limiting the harms of their own response.

However, it is not as simple as this as Defenseland has two sorts of duties that should affect the choices they make here. To paraphrase Brian Orend, even if Defenseland has resorted to war justly, they may be pros- ecuting that war in an unjustifi ed manner. 14 Basically, Defenseland’s duties extend beyond the duty to their citizens—they have a moral duty to take care with potential harms infl icted on any civilians. Moreover, they also have a set of duties to prevent attacks against their own citizens.

Defenseland have a set of stringent duties to the citizens of a target country, covered largely by the jus in bello just war criteria: they have a duty to discriminate between legitimate and illegitimate targets, and they

214 A. HENSCHKE

have a duty to ensure that their weapons are proportionate to the aims that they are seeking to achieve.

On the fi rst jus in bello criteria, that of discrimination, a military will run afoul of it if it should intentionally target non-threats. Defenseland’s soldiers, even their cyber-warriors “must exert every reasonable effort to discriminate between legitimate and illegitimate targets. How are [Defenseland’s] soldiers to know which is which? A legitimate target in wartime is anyone or anything engaged in deliberate harming .” 15 That is, only those who pose legitimate military threats to Defenseland can be targeted by Defenseland, such as Attackland’s military. Regarding citizens, “[i]f they do not participate, then they retain their immunity from such attack, and if they are nonetheless attacked, then this would signal a basis for a charge of war crimes.” 16 In short, Attackland’s civilians are not legiti- mate targets for Defenseland.

This duty to adhere to distinction can be further broken down into two sub-criteria: knowing who to hit, call this the intelligence sub-criteria, and being able to hit them, the precision sub-criteria. On the intelligence sub- criteria, an attacking force must know who are legitimate targets and who are illegitimate targets, and be able to tell the difference between them. That is, they must be able to keep the categories distinct. For instance, Defenseland would have to be able to reliably tell if a target is an active member of Attackland’s military or a civilian. On the precision sub-criteria, an attacking force must not only know who is a legitimate target, but they must be able to accurately hit them. It is no good, for example, to simply know that the Attackland cyber-General is in a civilian building, if they cannot reliably and precisely hit the General and the General only. If the ordinance is too large, such as blowing up the whole building, it would cause collateral damage to civilians around the General. Though this might be primarily considered an issue of proportionality (an issue discussed below), the precision of the attack is also a key moral element here. For instance, if the weapon simply hits any person within a given range of the general, then this would fail precision while still being pro- portional. As such, jus in bello distinction requires knowledge of the target and capacity to actually hit that target.

This causes special problems for cyber-weapons as a great deal of cyber- infrastructure is dual use. That is, it is used for both civilian and military purposes: cyber-infrastructure is primarily developed, maintained, oper- ated, and used by civilians.

DUTIES TO DEFEND: ETHICAL CHALLENGES OF CYBER-DEFENSE 215

This dual-use fact of cyber-infrastructure poses a problem for the Defenseland, as it may be very hard for them to know who is a legitimate target, much less to keep their cyber-attacks limited to such targets—the intelligence and precision sub-criteria here become quite demanding. The Tallinn Manual responds to this challenge, fi rst with Rule 39, “An object used for both civilian and military purposes—including computers, com- puter networks, and cyber infrastructure—is a military objective.” 17 Thus, if an object is used by both Attackland’s military and civilians, it might be considered a legitimate military target. However, Rule 50 states that “[a] cyber attack that treats as a single target a number of clearly discrete cyber military objectives in cyber infrastructure primarily used for civilian pur- poses is prohibited if to do so would harm protected persons or objects.” 18 This means that Defenseland can’t attack civilian infrastructure if the mili- tary objective is made clearly distinct. Further, Rule 52, Constant Care, states that “[d]uring hostilities involving cyber operations, constant care shall be taken to spare the civilian population, individual civilians, and civilian objects.” 19 Thus, Defenseland has to take a great deal of care in ensuring that they have relevant intelligence and can hit the legitimate targets with precision .

The second jus in bello criteria is proportionality, where the desired out- comes of the military action must outweigh the harms of that action. In this, if Defenseland take due care and target only legitimate targets, then the cyber-attacks must not be disproportional to the tactical aims. “What is involved here is the proportionality of means rather than ends. Economy or restraint is the basic imperative, and combatants are required to employ only as much force as is necessary to achieved legitimate military objec- tives and is proportionate to the importance of those targets.” 20 That is, the cyber-attack can’t produce harms greater than the immediate tactical aims of the attack.

However, with cyber-weapons there is a complication to proportional- ity: most cyber-weapons cannot be tested “in the wild.” That is, many cyber-weapons rely on coding weaknesses or exploits, and once they are exploited, it is only a matter of time until the attack has been recognized, and cyber-forensics have understood the weakness and attempted to cre- ate patches for the weakness. As such, many cyber-weapons do not get tested in the conditions in which they will be used, meaning that the actual impacts of a cyber-weapon will not be known prior to its use. Thus, it is hard to know in advance if a cyber-weapon will actually be proportional to the tactical aim when actually used.

216 A. HENSCHKE

Finally, bearing in mind countermeasures and building from both the problems of discrimination and proportionality, there is a risk of escala- tion. 21 That is, if Defenseland responds to Attackland, it can be hard to predict what Attackland’s perception will be, and how they will respond. Perhaps they don’t see Defenseland’s response as equivalent to the ini- tial cyber-attack, and so launch their own counter-response. Or perhaps Attackland don’t believe that Defenseland is properly respecting civil- ian use of cyber-infrastructure. Or, perhaps Defenseland’s cyber-attack impacts many more targets than Defenseland had anticipated. In all three conditions, Attackland now feels aggrieved and decides to respond with traditional military weapons, directly putting Defenseland’s citizens at risk of physical harm.

We now have a situation of escalation. The issue here is that Defenseland has put its citizens at the risk of becoming embroiled in a full kinetic war. The role that cyber-weapons have played is that they were seen as options of fi rst resort, an easy and less-violent way of responding to Attackland’s attacks. However, the reality is that Defenseland has now entered into a war that might have profound physical impacts on its citizens.

DUTIES TO PROVIDE CYBER-DEFENSE The fi nal area where Defenseland might have specifi c duties are to do with a duty to provide cyber-defense for its citizens. That is, does Defenseland have a specifi c set of moral responsibilities to defend its citizens? An oft- repeated line is that “The fi rst duty of the Government is to afford pro- tection to its citizens.” 22 In this sense, then Defenseland’s primary duty is defensive, and cyber would likely be included in this. But how is this duty to be discharged? The fi rst and most obvious way is self-defensive attack— as discussed above. Second, however, is the provision of cyber-defenses against attack.

In addition to self-defensive attacks, Defenseland (or any state) would need to have suffi cient cyber-capability to fend off attacks. This is largely exemplifi ed by CERTs—Computer Emergency Response/Readiness Teams. A recent RAND report on cyber-security stated that “over the last fi ve years the emphasis has changed from a focus on transnational, terrorist threat actors to a framing of cyber-security in terms of defense and increasingly offensive capabilities against cybercriminals, state actors and their proxies.” 23 The US CERT, for example, describes its mission as “US-CERT accepts, triages, and collaboratively responds to incidents;

DUTIES TO DEFEND: ETHICAL CHALLENGES OF CYBER-DEFENSE 217

provides technical assistance to information system operators; and dissem- inates timely notifi cations regarding current and potential security threats and vulnerabilities.” 24 Many other countries and companies have their own CERTs and, as mentioned, given the dual-use nature of much cyber- infrastructure, integration and cooperation between state and non-state cyber-actors are fundamental to a successful cyber-defense.

That said, if we take seriously the idea that a state’s fi rst duty is to afford protection to its citizens from attack, perhaps there is an additional responsibility for a state. Rather than simply limiting its duties to defend to responses to attack, perhaps they have a duty to prepare their citizens against attack. Consider, for example, the role of civil defense in the UK in the period between World War One and World War Two. Following World War One, the UK government initiated the Air Raid Precautions Organisation (ARP) which initially looked at seven main topics—warning, prevention of damage, maintenance of vital services, repair of damage, movement of the seat of government, legislative powers required, and departmental responsibility for all action recommended, and later added “education of the general public to realisation of the signifi cance of air attack.” 25 As the threat of Germany escalated the ARP’s role expanded, to include provision of 30–40 million gas masks for at risk population centers, 26 pumps to prevent the spread of fi res from German bombing and the development and supply of the “Anderson”: an air raid shelter for households. 27 The importance of civil defense increased in 1939 with the UK White Paper on Defense, that “advanced recognition of civil defense as a ‘fourth arm’  ” of national defense. 28 Sir John Anderson, who over- saw the ARP, was challenged by opposition government members who “believed it was one of the government’s fi rst duties to furnish protec- tion by ‘deep shelters’ of some kind for the public in the principal danger zones.” 29 The point here is that leading up to engagement with Germany in World War Two, the government of the UK and its citizens increasingly saw civil defense, especially the protection of civilians against attack, as an increasingly fundamental obligation to preparations in the likely war against Germany. Underpinning this was the principle of a government’s duty to afford protection to its citizens.

This duty to provide protection is deeply relevant to issues of cyber- security in a similar way to the provision of defenses against air attack in the UK leading up to World War Two. If a state’s citizens are vulnerable to attack, the state is in dereliction of duty to its citizens. Given the deeply integrated nature of cyber-infrastructure, there an increased risk of citizens

218 A. HENSCHKE

to the impacts of cyber-attack. Insofar as a state does indeed have a duty to protect its people from attack, then it would follow that a state such as Defenseland has a duty to provide some protections against cyber-attacks.

How would such a duty to protect be discharged? On this I can offer only general claims, but it would defi nitely include resources and support for effective and integrated CERTs that actively work with civilian and private cyber-actors as well as key international players and foreign allies to ensure that the relevant information about cyber-risks and cyber-threats is distributed.

Second is a provision of basic education for the populace at large. Typically, most breaches in cyber-security involve human failure at some stage in the process. Basic cyber-literacy with a component in cyber-security is an essential element to reduce the risk and impact of the human element in cyber-security failings. One idea is to produce something equivalent to basic road safety programs, evolving into provision and accreditation of something similar to a driver’s license for those engaged in particularly vulnerable and important elements of cyber-infrastructure.

Finally, in conjunction with the idea of basic cyber-literacy, there might be a requirement for government oversight and possibly provision of tech- nical support, including anti-virus software. This comes with a particu- lar caveat of concern, as following the revelations by Edward Snowden that state surveillance agencies have sought to compromise the informa- tional security and privacy of citizens and non-citizens, 30 people would be justifi ably skeptical of placing trust in a state agency to provide privacy respecting anti-virus software. On this then, perhaps a compromise is for a government sponsored agency to offer independently verifi able safety ratings for commercial anti-virus software. In this way, an educated public would have some assurance of the quality of the anti-virus software while maintaining a level of security from government intrusion.

CONCLUSION The basic outcomes of this chapter are that the cyber-domain does indeed pose signifi cant new challenges to security. In particular, the cyber-domain forces us to asses and re-assess the responsibilities that a state has to citi- zens, its own and others. Taking the moral precepts in just war theory as a foundation, we can look to this emerging domain with some way of defi n- ing some of those duties of government. While a cyber-attack can plau- sibly be thought of as a just cause, it is unlikely that many cyber- attacks

DUTIES TO DEFEND: ETHICAL CHALLENGES OF CYBER-DEFENSE 219

will be suffi cient to warrant kinetic responses from a state under attack. Moreover, while responding in kind might seem like a plausible fi rst resort, a more sustained ethical analysis of conditions of discrimination and proportionality, coupled with the risk of escalation, shows that a state should be very careful about resort to cyber-attacks. Finally, if the maxim of a state is to fi rst protect its citizen, this might require a state to provide a series of services to ensure that cyber-protection is well established before any such attack could occur.

NOTES 1. This idea, frequently attributed to Thomas Hobbes, saw an earlier

expression by British jurist Sir Edward Coke in the late sixteenth century, when he described “the relationship between sovereign and subject in terms of a ‘mutual bond and obligation,’ under which the subject owed allegiance or obedience, while the sover- eign was bound ‘to govern and protect his subjects,’  ” and was perhaps given its most concise formulation by US Representative John Farnsworth in 1867, when he said “The fi rst duty of the Government is to afford protection to its citizens.” Both quoted in Steven Heyman, “The First Duty of Government: Protection, Liberty and the Fourteenth Amendment,” Duke Law Journal 41 (1991): 513 and 508.

2. What follows is a very quick overview of the common criteria for a just war. Such criteria, what they mean, what they demand, and how they interact are controversial. For a good overview, see Brian Orend’s entry, “War,” in the Stanford Encyclopedia of Philosophy (Fall 2008), available at http://plato.stanford.edu/archives/ fall2008/entries/war/ .

3. For the purposes of this chapter, I’m going to assume the state as the primary focus for discussion. Though this is the most common position for discussions of just war theory, the re-emergence of non-state actors as key actors complicates and expands the broader discussion. However, it is beyond the scope of this chapter to cover those discussions. Michael Gross’ recent books provide useful cov- erage of some of these issues. See Michael L.  Gross, Moral Dilemmas of Modern War: Torture, Assassination, and Blackmail in an Age of Asymmetric Confl ict (Cambridge: Cambridge University Press, 2010) and The Ethics of Insurgency: A Critical Guide to Just

220 A. HENSCHKE

Guerrilla Warfare (Cambridge: Cambridge University Press, 2015).

4. See, in particular, Rid’s section on The Argument , pp. xiii–xvi. Thomas Rid, Cyber War Will Not Take Place (New York: Oxford University Press, 2013).

5. Richard A. Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (New York: Harper Collins Publishing, 2010).

6. Traditionally, just cause referred to a wrong that a state had commit- ted, which initially legitimated war as a response … [such as] unpro- voked attacks on a State, either one’s own State or another State.

7. Rid, 12. Emphasis Original. 8. Ibid., 13. Emphasis Original. 9. Michael N.  Schmitt (ed.), Tallinn Manual on the International

Law Applicable to Cyber Warfare (New York: Cambridge University Press, 2013), 47–52.

10. Ibid., 53–59. 11. Clarke and Knake, 70. 12. Schmitt, 41–44. 13. Ibid., 41. 14. Brian Orend, The Morality of War (Peterborough: Broadview

Press, 2013), 111. 15. Ibid., 113. Emphasis original. 16. Larry May, “Killing naked soldiers: Distinguishing Between

Combatants and Noncombatants,” Ethics and International Affairs 19 (2005): 41.

17. Schmitt, 113–115. 18. Ibid., 131–132. 19. Ibid., 137–139. 20. Anthony J.  Coates, The Ethics of War (Manchester: Manchester

University Press, 1997), 209. 21. Herb Lin, An Evolving Research Agenda in Cyber Policy and

Security , http://cisac.fsi.stanford.edu/content/evolving-research- agenda-cyber-policy-and-security .

22. Heyman, 508. 23. Neil Robinson, Luke Gribbon, Veronika Horvathm, and Kate

Robertson, Cyber-security Threat Characterization: A Rapid Comparative Analysis (Stockholm: RAND Europe, 2013), ix.

DUTIES TO DEFEND: ETHICAL CHALLENGES OF CYBER-DEFENSE 221

24. “US CERT,” United States Computer Emergency Readiness Team , https://www.us-cert.gov/ .

25. Terence H.  O’Brien, Civil Defence (London: Her Majesty’s Stationary Offi ce, 1955), 14 and 16.

26. Ibid., 77. 27. Ibid., 187. 28. Ibid., 171. 29. Ibid., 190. 30. Glenn Greenwald, No Place To Hide: Edward Snowden, the NSA,

and the US Surveillance State (London: Picador, 2015).

222 A. HENSCHKE