Cyber attacks & the ethical dimension of the Google China episode

Two weeks ago, Secretary of State Clinton issued a statement on Internet rights for all, pledging to file a formal State Department protest regarding this month’s alleged Google China censorship and hacking. Now that there exists a real potential for damage in the physical world as a result of attacks in the cyber world, what makes us call something an attack, or an act of war? There are constant probes occurring online against private and governmental targets; our concern or lack thereof will determine our national response.

If another nation-state were to down the power grid, would that constitute an act of war? It seems so. But what if a lone operative were able to distribute the wrong user manual to electronic company employees? It hardly seems to meet the definition of “war,” yet could have expansive results. In Georgia and in Estonia, targeted cyber attacks crippled the national government; in Mumbai, cyber attacks accompanied bombings to impair the emergency response and perpetuate panic.

Yet cyber attacks do not elicit the same emotional reaction as bombs, and January’s attacks are another manifestation. Our reactions to China’s (allegedly) aggressive infiltration work against the US government, from Titan Rain to the East Asia Bureau and the Commerce Department attacks, are not the same as if they had sent tanks or hijacked a plane. If our concern were purely economic (measuring the loss), then one might expect our reactions to cyber attack-related damage to be the same as any other terrorist-related damage. But they don’t seem to be.

Harvard negotiation professor Robert Mnookin’s new book explores the ways in which emotional and moral aspects of a decision can affect our cognitive process: when we ask whether to bargain with a “devil,” purely economic rationale is not always the method we invoke to answer the question. Where we feel an inherent sense of evil– 9/11 and Al Qaeda; the Holocaust and the Nazis, for example– there is an extra layer in the decision-making process.

In the same vein, Nobel Prize winner Daniel Kahneman has written on the reasons our cognitive economics of reaction are not according to rational choice theory. “Rational” or not, cyber attacks seem to have a degree of sanitation that a bomb lacks. The backroom with a computer is layers away from the explosions and blood, even if the keystrokes result in the same destructive, even fatal, effects.

Our perception of the gravity of a situation seems tuned to our degree of visceral reaction– having a “face” to the threat is crucial (as recognized by psychologist Daniel Gilbert in his evolutionary-psychology hypothesis that global warming does not push our buttons like terrorism and other threats “with a mustache” do). Each time Osama bin Laden releases a new video, as he did last week, he stirs an emotional maelstrom. Consider too our national concern for one Natalie Holloway, as compared to the vast number of hunger- or cancer-related deaths in the world. We rationally recognize hunger and cancer as problems, but we spend irrational amounts of money to salvage one life because we have a face for both the victim and her alleged aggressor.

In fact, this seems to be one of the reasons why terrorists haven’t historically chosen to launch cyberattacks (any lack of technical savvy seems reconcilable if they contracted out, Bin Laden is a millionaire after all): with an eye towards getting under our skin, terrorists prefer to blow things up than hire a computer hacker to inflict an attack. But the latest news on the China Google hackings suggests the attacks may have been conducted by a Google insider, and if there were a showy way to use cyber weapons to effect death in the “kinetic” (physical) world, then terrorists–or other actors– may harness it.

The stakes soon will be as high online as they are offline. Most attacks so far have focused on accruing money (such as the $9M ATM scam the FBI uncovered last year) or aggressive social commentary (like the Estonia attacks following the removal of the Bronze Soldier of Talinn statue)– but war-scale damage to objects and people is a continuing prospect. Moreover, the cyber attacker may be uniquely freed of retribution to the extent that they can successfully anonymize themselves against forensic traces back to the “smoking keyboard.”

And of course we must hold ourselves accountable as well. As our reactions to cyberaggression are tempered by the sanitizing factor, our willingness to execute cyber attacks may be freed. A few days ago, the Pentagon called for a high-tech “Office of Deception” [PDF link] of sorts, to barely a raised eyebrow. In offensive cyber activities, the laws are cloudy and the work is classified–the Department of Defense acknowledges they are happening but releases no information.

Our sense of Internet rights must keep up with our sense of human rights, and when using or responding to cyber weapons, we ought to be cognizant regarding the effects of hard-wired perceptions of ethical distance upon our willingness to engage.

Merritt Baer is a Harvard Law School student in Cambridge, MA.