State violence has changed radically since the emergence of states in their modern form. These changes in violent action are bound up with – both cause and effect of – the transformation of the state itself over that time.Footnote 1 Transformations in state violence are also intimately associated with technological capacity.Footnote 2 States now have far greater ability to inflict violence than they have ever previously possessed, but they have not – fortunately – deployed all their violent potential.Footnote 3
Digital networks, including the Internet, are an era-defining set of communications technologies.Footnote 4 In addition to their social and economic benefits, digital networks subject individuals, organisations, and states to new and unpredictable risks. States are not always the masters of internet communications or infrastructure in their territory, and, as a corollary, they have a far greater reach than before into the territory of other states.Footnote 5
The element of the digital revolution that has most clearly affected state violence is a set of technologies often referred to simply as ‘cyberweapons’, but more precisely as offensive cyber capabilities (OCCs). Academic scholarship has argued that OCCs are less violent as a class of technologies overall; in US terminology, as an entirely new – and strategically equivalent – ‘domain’ of warfare.Footnote 6 This is so despite the prevalence of ‘cyber-bombs’, a ‘digital Pearl Harbor’, and other disaster scenarios that appear regularly in both the popular and professional imagination. OCCs thus seem to fit into the civilising logic identified by Norbert Elias and popularised by psychologist Steven Pinker in his well-known book tracking trends in human violence for millennia.Footnote 7 In Pinkerian terms, offensive cyber capabilities may be the better angels of our digital nature, because they are an addition to the coercive repertoires of states that is less violent than the alternatives.
This article assesses this proposition and thus contributes to scholarship on cyber conflict and International Relations. It shows how the strategic studies and International Relations literature on OCCs conceives them as non-violent by adopting a narrow definition of violence as lethal bodily harm. It then argues that this narrow definition of violence inadequately captures key analytical distinctions between the range of supposedly ‘non-violent’ harms associated with OCCs, especially in repressive contexts. Consequently, the concept of violence should be expanded to accommodate relevant violations that occur using OCCs. In short, OCCs relocate, rather than reduce, state violence.
More is at stake than analytical leverage. Expanding the concept of violence in relation to OCCs closely tracks current policy interventions that pursue the normative goal of reducing the level of cyber-related harms in international politics.Footnote 8 The dominance of a narrow conception of violence means that many states have used OCCs to undertake significant harmful actions in their own and each other's societies without recognising the extent of such harms. An expanded concept of violence as intentional proximate harm to areas of human value – including the body, affective life, and social relationships – not only provides greater analytical traction than broader notions of harm in understanding the impact of OCCs, but, by mobilising the normative weight of the concept of violence, also justifies a policy focus on countering and ameliorating those harms.
The intervention of this article – the expanded concept of violence – is theoretical. The aim is not to test the violence of OCCs systematically, but to provide a reconceptualisation that can capture relevant harms occurring in cyberspace. Further research should investigate this in more detail, using large-n and detailed qualitative methods to explore OCCs’ violent effects through long-term trends and in specific cases.
The article is structured in six parts. The first part defines OCCs. The second part introduces the existing strategic studies literature on OCCs, dominated by a narrow conception of violence as physical or lethal harm. The third part then explores the concept of violence in more depth, drawing on scholarship across philosophy and the social sciences. The fourth part applies this expanded conception of violence to OCCs, showing how it offers new ways of understanding harms occurring from both interstate and repressive uses of OCCs. The fifth part considers the risks of conceptual expansion, and the sixth part concludes by returning to the policy imperative introduced above.
What are offensive cyber capabilities?
OCCs are the combination of various elements that jointly enable the adversarial manipulation of digital services or networks.Footnote 9 These elements include technological capabilities such as infrastructure for reconnaissance and command and control, knowledge about vulnerabilities, in-house exploits and intrusion frameworks, and open-source or commercial tools. They also include individuals with skills in developing, testing, and deploying these technological capabilities, as well as the organisational capacity to perform ‘arsenal management’ and obtain bureaucratic and legal authorities for action.Footnote 10 Thus, the broad term OCCs includes what others see as cyber ‘weapons’ (that is, artifacts that can cause harm), in the sense of a sitting arsenal, but in addition highlights the organisational, technological, and human investment brought to bear in an ad-hoc and highly tailored manner for specific missions.Footnote 11 A prominent historical example of OCCs would be the ability to covertly manipulate the programmable logic controllers at the nuclear enrichment facility in Natanz (Iran) to degrade the enrichment centrifuges, often referred to by the name given to the worm implementing that effect, Stuxnet, but more aptly captured by the operation name given to the development and deployment of the capability, Olympic Games.Footnote 12 This operation was first discovered publicly in 2010 but with earlier versions operational several years earlier.Footnote 13
In the terminology of the United States Air Force, adversarial manipulation aims to disrupt, degrade, or destroy the targeted network or connected systems, or to deceive or deny adversaries access to that network or connected systems (the 5 Ds).Footnote 14 OCCs generally require some level of unauthorised access, unless their aim is only to ‘deny’ access to online services. They also usually involve external control of the network over the Internet, but this is not always the case: the Stuxnet malware was manually inserted into an ‘air-gapped’ industrial control network.Footnote 15 In addition to the 5 Ds, OCCs can also enable ‘exfiltration’ – the copying of data from the target network – because the same exploitation techniques are used prior to the ‘payload’ stage. Consequently, cyber espionage and preparation for disruption can (but do not have to) look identical from the victim's perspective, with sophisticated technical analysis and wider threat characteristics required to distinguish between the two.Footnote 16
Many states have developed and used OCCs in the last decade, including the United States and its allies, and we briefly review some key incidents, operations, and campaigns in the following paragraphs.Footnote 17 It should be noted that offensive cyber capabilities are often used by private actors on behalf of states, or by proxies.Footnote 18
In addition to the Stuxnet operation, the US also created a plan to use OCCs to disable Iranian networks nationwide in order to degrade and deny them to Iran in case of conflict (Operation NITRO ZEUS), developed under the current head of US Cyber Command, Gen. Paul Nakasone.Footnote 19 Another notable Israel-attributed virus discovered in 2011, Duqu, was also aimed at industrial control systems.Footnote 20 The Snowden disclosures in 2013 revealed cyber operations by the Five Eyes intelligence partners (US, UK, Canada, Australia, New Zealand), including ‘effects’ operations and offensive cyber operations enabling signals intelligence collection by UK's GCHQ.Footnote 21 Other US and allied cyber operations to collect intelligence and to deceive ISIS leadership were mounted against ISIS in Syria.Footnote 22 More recently, in both June and September 2019, the US claimed to have conducted cyber operations against Iran in retaliation to the downing of an unmanned US surveillance drone and attacks against oil facilities in Saudi Arabia.Footnote 23
States with a more adversarial relationship with the US, such as Iran, Russia, China, and North Korea, have also developed OCCs. Notably, an Iran-attributed data deletion attack in August 2012 (‘Shamoon’) on Saudi Aramco and Qatari company RasGas, re-engineered elements of US/Israeli OCCs discovered in Iran, to wipe data on and render thirty thousand computers dysfunctional.Footnote 24 This was followed by distributed denial of service (DDoS) attacks on US banks in 2012 among other incidents.Footnote 25
Some of the most serious incidents attributed to Russia to date include disruptive operations against Ukraine's electrical grid in 2015 and 2016 (Black/Grey Energy) and the NotPetya virus, which infected shipping company Maersk, among others, in 2017.Footnote 26 Subsequent OCCs attributed to Russian entities include a virus in Saudi petrochemical plants in 2017, which included a module that manipulated safety systems (Triton/Trisis).Footnote 27
Although Chinese OCCs have been used primarily for espionage,Footnote 28 North Korea has used OCCs for disruption, with the Sony Pictures hack-and-leak in 2014 claimed by ‘Guardians of Peace’, a hacker group attributed to the North Korean government. Infiltrations into the payment system underpinning international financial transactions (SWIFT) and the Central Bank of Bangladesh in 2016, and the ‘Wannacry’ ransomware that spread worldwide in 2017, including a brief paralysis of the UK's National Health Service, have also been attributed to North Korea.Footnote 29
However, despite the extensive deployment of OCCs by states, accompanied by a powerful narrative around cyber ‘hype’, OCCs have not caused destruction on a scale comparable to conventional weaponry. Despite extensive disruption from the incidents reviewed above, with significant economic losses, systems recovered shortly afterwards, albeit with intense effort, and no one died. This fact is the basis for a strand of academic thinking arguing that OCCs are less violent than other forms of military power, to which we now turn.
A narrow definition of violence
This section traces thinking on violence in key works on cybersecurity in International Relations and strategic studies. Although Thomas Rid's seminal article and book, ‘Cyber War Will Not Take Place’,Footnote 30 prompted a brief surge in debate on the concept of violence, the dominant strand of academic reasoning both before and after has been that OCCs are non-violent alternatives to conventional means, relying on a narrow concept of violence as lethal bodily harm. This section argues that such a narrow definition unhelpfully classes together a range of supposedly ‘non-violent’ harms associated with OCCs. Although scholars have frequently pointed to the importance of these harms, they nonetheless classify them equally as non-violent, missing an analytically useful distinction.
It should be noted that many of these scholars do not include espionage activity in their definition of OCCs.Footnote 31 However, given the extensive overlap between cyber capabilities deployed for espionage and disruptive purposes, we do not exclude such activity by definition, and examine its relevance for violence in subsequent sections.
The violence – or lack thereof – of OCCs was a key concern for scholars of technology and war well before the emergence of the cyber lexicon itself. Early on in the development of thought on the military potential of digital technologies, and well before the commonplace use of OCCs, John Arquilla and David Ronfeldt declared that ‘most netwars will probably be non-violent’,Footnote 32 while Giampiero Giacomello expressed doubts that computer network operations were likely to ‘break things and kill people (BTKP)’.Footnote 33 In the following decade, Ralf Bendrath concluded that ‘in bodyless cyberspace there is no room for physical violence’,Footnote 34 while Myriam Dunn Cavelty's investigation of US cyber policy argued that ‘dropping the word “war” in dealing with information activities … stresses or implies [their] non-violent nature’.Footnote 35 There were dissenting voices even in these early debates: Martin Van Creveld suggested in 2002 that the ‘greatest single shortcoming’ of his 1989 magnum opus The Transformation of War had been to omit information warfare, which could ‘lead to the deaths of millions’ in cases where electricity grids were shut off or stock markets crashed.Footnote 36
Following Stuxnet, such disaster scenarios abounded, provoking an extensive debate on their accuracy and questions of threat inflation and construction.Footnote 37 This literature followed securitisation scholarship in treating the question of violence tangentially, focusing more on the means by which threat representations gain prominence.Footnote 38 The strategic studies community, in contrast, focused directly on the lack of violence demonstrated by Stuxnet-type attacks. In 2011, Tim Maurer argued that ‘cyberwarfare costs fewer lives compared with traditional types of warfare’,Footnote 39 while Martin C. Libicki poured further cold water on the flames of cyber war, claiming that ‘there is scant indication that a full-blown attack could kill as many as a normal year's flu epidemic’.Footnote 40 Dorothy Denning suggested that Stuxnet itself presented ‘less harm and risk than the kinetic weapon’.Footnote 41 Although these scholars saw Stuxnet as merely less violent than conventional alternatives, others were more explicit in identifying violence with lethal bodily harm, as follows.
The question of violence was treated extensively in two influential exchanges: the first between Thomas Rid and John Stone, and the second between Erik Gartzke, Lucas Kello, and Jon R. Lindsay.Footnote 42 Rid approached OCCs through his examination of cyberwar. In doing so, he employed a narrowly physical view of violence disassociated from harm or damage: for example, stating that ‘non-violent cyber attacks could cause economic consequences without violent effects that could exceed the harm of an otherwise smaller physical attack’.Footnote 43 Stone's response argues that Rid's argument slips between violence and force, countering that ‘all war involves force, but force does not necessarily imply violence – particularly if violence implies lethality’.Footnote 44 For Stone, OCCs are a ‘violence multiplier’ rather than a force multiplier, illustrated by analogies with bombing raids that cause only building damage and a stiletto that kills with almost no force. Nonetheless, Stone's view of violence remains physical, focused mainly on lethal harm. Rid's response in turn is even clearer: titled ‘More Attacks, Less Violence’, he concludes that ‘the rise of cyber attacks reduces the amount of violence’.Footnote 45
Kello's treatment of violence is more cautious than Rid's, as he describes OCCs as not being ‘overtly violent’ or distinguishes them from ‘traditional violence’, leaving room for covert or non-traditional violence.Footnote 46 However, Kello's work is symptomatic of a wider movement in the field from questions of violence to questions of effect, as he focuses not on violence but on ‘potency’.Footnote 47 The concept of potency asks whether cyber weapons are efficacious or powerful, not whether they are violent.Footnote 48 More recent work by others along these lines also examines ‘dangerous’ instability rather than explicitly considering violence.Footnote 49
This movement away from violence is most explicitly made by Gartzke, who suggests that Rid's definitional debate ‘risks becoming a purely academic exercise’ if cyberwar fulfils the same strategic logic as traditional war.Footnote 50 Gartzke focuses on the potential of ‘the Internet to carry out functions commonly identified with terrestrial political violence’, rather than the question of whether those functions would also be violent if carried out over the Internet.Footnote 51 He addresses conceptual issues of damage and harm only briefly, arguing that cyberwar is less effective because damage is temporary, and its use degrades capabilities, so it should remain adjunct to terrestrial force.Footnote 52 Following this debate, the concept of violence is now used rarely by strategic studies scholars focusing on cybersecurity, including those reviewed above, and given little theoretical attention.Footnote 53
In sum, key works in the strategic studies literature on OCCs largely treat them as non-violent alternatives to conventional means, based on a narrow, physical (kinetic) and/or lethal definition of violence. This argument has been the basis for much of the subsequent research in the field focusing on specific strategic concepts, including deterrenceFootnote 54 and coercion.Footnote 55 Indeed, a lack of physical violence is part of the reason for the strategic utility of OCCs highlighted by this literature.
At this stage, we can be more precise about the contribution of this article to the literature above. We do not claim that scholars such as Rid, Gartzke, and Kello above, or other influential analysts such as Adam P. Liff, Richard J. Harknett, and Max Smeets, overlook or are uninterested in the harmful effects of cyber operations, particularly below the threshold of armed conflict – they undoubtedly are.Footnote 56 Indeed, their work highlights these harms as strategically relevant. Although Rid argued that – so far – the effects of cyber operations have not in and by themselves constituted ‘war’, he emphasised that OCCs cause harm through espionage, subversion, and sabotage. Kello introduced the notion of ‘unpeace’ exactly because the harmful effects of OCCs escaped the normal peaceful relations between states, but did not constitute warfare.Footnote 57 And Harknett and Smeets reconceptualised these effects below the threshold of war as cumulatively being able to shift the balance of power, in response to what they saw as a failure to appreciate the strategic impact of OCCs.Footnote 58
Instead, the point we make is that although these scholars insightfully and thoroughly discuss such harms, they nonetheless describe them all as non-violent according to a narrowly physical definition. If there were no analytical utility to expanding the concept of violence, then this point would be purely semantic and so of little theoretical interest. But we argue – and illustrate in detail in subsequent sections – that expanding the concept of violence adds analytical value by providing a useful way to parse different forms of behavior or action even within more structural categories of under the threshold competition or unpeace: some violent, some not, and some more violent, others less so, rather than a blanket ascription of non-violence. Importantly, although this discussion has remained within the strategic space of unpeace to highlight the theoretical relevance of the argument, it bears repeating that violent acts occur during peace, unpeace, and war, and so our expansion of the concept of violence can shed further light not only on acts below the threshold of armed conflict, but also acts above this threshold.
Finally, although this narrow conception of violence dominates the literature, it is not a consensus. The above works display internal tensions and disagreements about the relationship of OCCs to violence. Other scholars push against this narrow conception more explicitly. For example, Amir Lupovici recognises that ‘the question of whether they [cyber means] are means of violence remains open’, while Finlay notes that we ‘lack an account of how cyber operations relate to violence’ and proceeds to offer an account of violence situated in just war theory.Footnote 59 Tim Stevens, in turn, notes that ‘affective implications of cyber weapons’ should be included, ‘which might include feelings of insecurity or fear’, but does not theorise this further.Footnote 60 We think it is imperative to do so, but before we do so in the third section of the article, we first engage more closely with the literature on violence itself.
Expanding the concept of violence
This section presents an expanded concept of violence, defined as intentional proximate harm, focusing on these three aspects in turn: harm, intent, and proximity of means. We understand harm as the diminishing, damage, or destruction of areas of human value. We, in turn, identify three general areas of value: the body, affective life, and community. These are neither exhaustive nor generalisable across all times and places, because areas of value are socially and culturally constructed rather than biologically or naturally pre-given.Footnote 61 This expanded concept of violence draws on a range of literature on violence in security studies and International Relations more broadly.Footnote 62
The body is the most intuitive locus of harm. However, many forms of bodily pain are learned socially, rather than being an immediate, unmediated sensation. The distinction between bodily harm and harm to one's affective life, which includes psychological or emotional harm, therefore does not imply a ‘pure’ physicality of the body or a ‘non-physical’ quality to mental activity.Footnote 63 We then distinguish between affective life, which rests at the level of the individual, and community, which captures the value of relations between individuals as well as collective identities, practices, and histories.Footnote 64 These areas of value overlap and interact: harm to one can cascade into others, or characteristics of one can counter harm in others. For example, different harms result from the loss of a limb in communities that are more or less accepting of differently-abled people. Importantly, on this view threats of violence and coercion are themselves violent due to their impact on affective life and community; they create and spread fear and discomfort, and for coercive threats, introduce limits to freedom of action.
This threefold view of value is clearly much broader than the narrow, physical definition of violence in the previous section, but still selective. Fitting with the international security studies focus of this article, the definition is anthropocentric, as it does not include damage to robots, animals, and ecosystems unless that damage affects humans in some way. Similarly, it does not include damage to property or infrastructure unless such damage affects the areas of human value above (which, practically, will often be the case).Footnote 65 It also does not follow more ontological concepts of violence in viewing harm as a fundamental ‘reduction in being’, which is the basis for work on ‘dehumanisation’ as a violent act.Footnote 66
The breadth of this concept of harm means that there is no lower limit to whether an act is violent. This lack of a lower limit is often captured through the concept of a ‘micro-aggression’: an act that individually inflicts very little harm, but is nonetheless violent.Footnote 67 Consequently, specifying the severity of violent action is crucial; however, severity varies massively within and between areas of value and cannot be decided in the abstract.Footnote 68 Harm to the community may be commensurable to, or prioritised above, bodily or affective harms, and we consider several examples where this is the case in the following section.
The second aspect of the expanded definition is that violent acts must be intended to cause harm. Because only agents, not social structures, can be ascribed intent, our definition excludes ‘structural’ violence, where harm is caused by social structures such as gender, race, or capitalism.Footnote 69 Many discussions of violence treat intention as binary – an act was either intended or not – thus creating conceptual problems regarding accidental or ignorant action and harms that are outside the intended ‘target’ of violence (for example, ‘collateral damage’), or greater/lesser than anticipated. These problems can be sidestepped by treating intention as an agential but still socially ascribed quality (agents exist within specific social contexts), rather than a true purpose ‘within’ someone's mind. The intention condition then becomes one of reasonable knowledge or foresight that (a specific type, target, or level of) harm would occur.Footnote 70
We limit our discussion of violence to one specific type of agent: the state.Footnote 71 We do so acknowledging that political violence includes many non-state actors; indeed, many scholars argue that non-state actors are relatively empowered by cyber capabilities.Footnote 72 Added to this, many forms of violence relevant to OCCs (such as gender-based violence involving spyware) are often not directly associated with the state.Footnote 73 State violence, however, remains a foundational form in most accounts of OCCs and in political philosophy more widely.Footnote 74 Of course, states are not unitary actors and have developed sophisticated practices for collectively committing violent acts. Intelligence, security, and military agencies are the focal point of the most violent actions of the state, and when other state authorities (local municipalities, health and social care, etc.), use violence in extreme cases they rely on the intelligence, security, and military apparatus.
There is a large literature on how states justify their use of violence; however, due to space constraints, we do not address the question of how cyber violence is located within these justifications of violence more broadly.Footnote 75 It is nonetheless important to distinguish this question of justification – of the use of violence by states – from issues around the risks and subsequent justification of the conceptual change advocated by this article, which we consider in detail in the following sections.
The third aspect of the expanded definition is proximate means. Harms have many causes on multiple levels, and so we define a violent act as one that intends harm and is a proximate cause of that harm. Although this is partly a temporal matter of immediacy or distance, we recognise that proximate causes can be temporally distant, and more complex notions of causality assign causal weight among different acts using many factors, including the means by which harm was inflicted.Footnote 76 Although means of violence can be categorised in many ways, the most relevant distinction for OCCs is between material and informational means, or, in other words, how far the infliction of harm depends on the symbolic properties of objects.Footnote 77 Material and informational means are not mutually exclusive and the relationship between software and hardware is interdependent: transmitting information relies on certain material properties, while material objects are inconceivable without informational elements.Footnote 78 The distinction is, therefore, one of emphasis: whether the material or informational component is the primary way of diminishing or damaging one of the areas of value above.
An example may make the interaction between material and informational means clearer. The effect of armed unmanned aerial vehicles (UAVs) on state violence is another frequently discussed topic.Footnote 79 In stark contrast to OCCs, UAVs are usually considered as remote means of inflicting material or kinetic violence, even though the informational infrastructure enabling drones (and also sophisticated missiles) is as complex – and sometimes dependent on similar technologies – to OCCs. This is because UAVs cause harm by dropping bombs on people and property, whereas OCCs obviously do not. More precisely, for UAVs the causal weight of the missile outweighs that of the command and control infrastructure in the infliction of harm. In contrast, a hypothetical OCC use in a ‘critical infrastructure’ scenario that caused explosions similar in scale to those of a drone strike would still be an informational means of harm, as the symbolic properties of that critical infrastructure (its command and monitoring logics) would have the highest causal weight. However, this scenario requires a more thorough investigation of OCCs based on all three aspects of the expanded definition of violence outlined here – harm, intent, and proximate means – which is the subject of the next section.
Before turning to that section, it is pertinent to review how we have incorporated or deviated from previous work in proposing this expanded definition of violence. Our expanded definition follows a number of scholars and institutions that include psychological harm in the definition of violence.Footnote 80 We refined, for example, Claire Thomas's definition, including a more nuanced view of intended harms (that is, our areas of value). We deviated from the WHO definition, as only a more precise conceptualisation (that is, including causal proximity) can clarify the precise way a new means of action, in our case OCCs, should be classified as violent. The merits of such a deviation are shown in the next section.
Rethinking violence and OCCs
This section applies the expanded view of violence set out above to OCCs, arguing that including non-lethal and non-bodily harms means that OCCs relocate, rather than reduce, state violence.Footnote 81 More specifically, our threefold view of harm – with the body, affective life, and community as separate areas of value – consolidates several broader views on the harms caused by OCCs.Footnote 82
In an expanded definition of violence, uses of OCCs that are usually considered non-violent, such as website defacement or DDoS, can be violent acts. As indicated above, both whether such actions are violent and the severity of the violence is extremely context-dependent.Footnote 83 For a leisure-based streaming service, forcing people to wait for a website to load might be a minor irritation, while in other cases – Internet voting, denying a minority community a specific language resource or, in the case of the Mirai botnet, depriving whole nations of internet access – this could be a significantly harmful act of violence.Footnote 84 Repressive uses of OCCs, which are violent predominantly due to their impact on individuals’ affective life (through fear, trauma, and anxiety), and on communities (through ‘chilling effects’ limiting political speech, and the loss of minority identities),Footnote 85 are more likely to be considered violent in an expanded definition, although repressive uses of OCCs have also been connected to bodily violence.Footnote 86
However, our definition of harm implies that some uses of OCCs remain non-violent. The large DDoS attacks that targeted the US financial system in 2012 would only be violent if their impact could be traced to harm to specific individuals or communities. Similarly, the hacker Phineas Fisher's claim that ‘in the digital era, robbing a bank [using OCCs] is a non-violent act’ is also true unless damage is intentionally caused or reasonably foreseen to human bodies, affective lives, or communities.Footnote 87 More broadly, Agrafiotis et al.'s ‘taxonomy of cyber harm’ highlights a range of reputational and economic damage to organisations that, in our view, are only violent if they lead proximately to the diminishment of the three areas of human value above.Footnote 88 It is relatively simple to make such a connection for nearly all critical infrastructure cyberattacks. For example, in Matt Sleat's discussion of the ‘harm caused to vital human interests through degrading the functionality of computer systems necessary to a country's critical infrastructure’ it is not the infrastructure damage itself that is violent, but the ‘human interests’ (bodily, affective, and communal) that are affected.Footnote 89
Other forms of digital harm are excluded from our discussion due to the criterion of intent. Following our bracketing of structural elements of violence in the previous section, we similarly put aside the structural influence of digital technologies. This focus excludes harms created by system-level dynamics in internet governance, such as the economic incentives for writing vulnerable software or weakening encryption technologies to enable state decryption. Furthermore, the intent criterion is an especially complex issue for both interstate and repressive uses of OCCs, because state direction is frequently unclear or indirect. Interstate uses of OCCs often involve proxies and criminal groups, while both interstate and repressive uses rely on private contractors to provide technologies, expertise, and sometimes actual deployment. We recognise that ascribing a clear intent to any specific use of OCCs is a highly complex, time-consuming, and an arduous task; however, this empirical difficulty – and the policy challenges it creates – do not invalidate intent as a conceptual criterion of violence, in cyber or other realms.Footnote 90
The third aspect of the expanded definition of violence is proximate means, treated briefly in the contrasting comparison with armed UAVs at the end of the previous section. Cyber capabilities, as information systems, alter information (although through material networks), and so their capacity for violence is based on the added possibility of devaluing areas of value through informational means as well as or instead of material ones. This distinction is not always easy to draw: a pacemaker cyberattack that uses code to affect an individual's heart function clearly depends on symbolic properties, while the categorisation of a GIF that induces a seizure is not so obvious because the strobe light inducing epilepsy is not symbolic.Footnote 91 Stuxnet also demonstrates the impossibility of completely disentangling informational and material means: the virus damaged centrifuges by altering their rotational speed and pressure sensors, but its success depended on many material objects, from the test centrifuges constructed in the US to the USB drive physically carried by an agent into the enrichment facility.
Nonetheless, the ability of OCCs to inflict harm through informational means opens up a category of ‘non-kinetic’ violence, which furthers the insights of the strategic studies scholarship reviewed above.Footnote 92 These scholars also see proximity as a crucial aspect of OCCs: Rid suggests that harm from OCCs is ‘mediated, delayed and permeated by chance and friction’, while for Kello cyber-attacks ‘lack a proximate cause of injury’.Footnote 93 The expanded definition proposed here implies that OCCs can be sufficiently proximate to constitute violent acts despite their causal complexity. As explained in the previous section, sufficient proximity is a causal rather than geographic criterion, as OCCs can be operated with a reasonable certainty of effect from a vast distance.
To demonstrate the analytical value of expanding the concept of violence to distinguish between different kinds of under-the-threshold cyber operations, the remainder of this section provides illustrative examples in each of Rid's three categories of espionage, sabotage, and subversion. Within these categories, an expanded concept of violence usefully reorders the analytical space, helping us to understand and prioritise the range of harmful effects involved.
First, an expanded concept of violence requires us to reassess the harms caused by different forms of cyber-espionage. State-sponsored industrial or commercial cyber-espionage is unlikely to fulfil any of the three aspects of violence above: first, it often harms organisations rather than humans, especially property (including intellectual property); second, it is not usually intended to cause bodily, affective, or community harm, even if it does so accidentally; and third, even if there is an intent to harm, and a subsequent effect, it is not clear that the means by which this occurs (such as the transfer of patent designs) is sufficiently proximate to satisfy the third condition.Footnote 94
In contrast, cyber-espionage in repressive contexts, directly violating individual rights of privacy and indirectly creating ‘chilling effects’, may well meet our expanded criteria of intentional proximate harm on both affective and community levels. While espionage networks to spy on diaspora communities predate the Internet, they are relatively costly, tedious to maintain, and difficult to establish globally. Cyber capabilities transform this calculation, and potentially offer the home state an easy pathway to achieve global reach. The use of OCCs for repression would be non-violent in a narrow definition unless directly linked to arbitrary detention and torture. This conceptualisation is one of the reasons that advocacy groups and international human rights representatives have sought to tie commercial spyware identified on the devices of Saudi dissident Omar Abdulaziz and others to the murder of Jamal Khashoggi in the Saudi consulate in Istanbul in October 2018.Footnote 95
However, digital censorship and surveillance could also be conceived as relocated state violence. When individual groups are targeted by censorship technologies there are effects on affective life (individual identities, including gender and ethnic identifications) and communal areas of value (social relationships, and at the larger scale, national identities). Examples for such operations are plentiful and well documented, for example in the case of the Tibetan or Uighur minorities.Footnote 96 For surveillance, an expanded definition of violence including affective and psychological impacts would help to mobilise policy discussions on the regulation of commercial spyware to repressive states, without requiring specific instances of bodily harm to be associated with their use.
Second, regarding sabotage, a good illustration of the impactful use of OCCs is NotPetya, destructive malware originally spread via Ukrainian tax software.Footnote 97 Its initial infection, attributed to the Russian military intelligence directorate (GRU), led to a disruption of Ukrainian government functions in the context of Russian occupation of the Crimean Peninsula and the Donbas region, followed by global spread into a wide range of major multinational firms. In a narrow definition of violence, this would be non-violent as it did not cause bodily harm or death. The apparently non-violent yet impactful character of NotPetya has left scholars and policymakers struggling to capture its effects.
However, NotPetya is violent in an expanded definition, though the intent of the attackers is crucial in judging ‘how violent’ and consequently calibrating the policy response. At a more limited level, NotPetya could be interpreted as designed specifically to erode confidence in Ukrainian society, economy, and trust in the state, creating a collective feeling of vulnerability and causing harm at a community level. The malware was ‘designed to send a political message: If you do business in Ukraine, bad things are going to happen to you.’Footnote 98 In this reading, extensive international effects were collateral damage to the country-focused operational intent.Footnote 99 A contrasting judgement sees NotPetya's authors as fully culpable for intentionally producing global damage, knowing the malware would spread outside Ukraine. In this view, NotPetya was a carefully considered device for strategic signalling worldwide, using the destabilisation of global economic actors as a medium to send the message.Footnote 100 We do not seek to decide between these alternative interpretations here, but stress that, on an expanded definition of violence, both accounts are describing violent acts, though the second is more severe than the first as the intent covers a wider area of harm. Either way, this use of offensive cyber capabilities relocates interstate violence, by debilitating the affective lives of individuals and inflicting harm on communities.
Third, regarding subversion, OCCs have been frequently deployed in what are known as ‘hack-and-leak’ operations, where sensitive information is obtained through a cyber intrusion and then published online. The paradigm example is the compromise of the US Democratic National Committee (DNC) by the Russian military intelligence agency, the GRU, during the 2016 presidential elections, but such operations are far more widespread.Footnote 101 As a combination of OCCs with broader techniques of information and influence operations, hack-and-leaks are highly relevant to under-the-threshold state competition, but clearly not violent on a narrow definition. Moving to an expanded definition of violence, in contrast, helps us distinguish between hack-and-leaks that directly cause affective harms by publishing private personal data (kompromat) and so are violent, and those that leak affectively neutral but strategically valuable organisational capabilities, which are not. Empirical examples in the former, violent, category include reported operations against Al-Jazeera anchor Ghada Ouiess and the Sony Pictures Entertainment executive Amy Pascal, while ones in the latter, non-violent, category include the Shadow Brokers releases of US OCCs, and the leak of NHS documents before the 2019 UK general election.Footnote 102
Overall, this section has argued that OCCs can be violent even though we agree with the strategic studies literature that it is difficult, though not impossible, for them to cause bodily harm (and especially lethal bodily harm). An expanded concept of violence highlights non-bodily affective and communal harms caused by OCCs, suggesting that OCCs relocate rather than reduce violence. It therefore adds analytical value to current insights of strategic studies on the kinds of harm caused by cyber operations, parsing more finely different forms of espionage, sabotage, and subversion. It also emphasises that violent uses of OCCs are likely to occur in repressive situations, while canonical forms of cyber-espionage remain non-violent. Furthermore, the examples in this section underline that interference with data in a digitalised society may result in harm commensurate with or exceeding the destruction of physical objects or bodily injury.Footnote 103 Consequently, capturing affective and community harms as violence is not only analytically useful, but also normatively consequential, and we return to the policy implications of this shift in the conclusion. Before doing so, we consider the risks of this conceptual expansion.
The risks of conceptual expansion
There are several downsides of an expanded concept of violence in relation to OCCs, of which we address three in this section: manipulation, legal implications, and a consequent lack of focus. We see these three downsides as representing real risks, but nonetheless conclude that the analytical benefits above, combined with the policy benefits considered in the concluding section, outweigh these risks.
First, there is the question whether an expanded concept facilitates political and ideological exploitation, particularly as it does not have a lower threshold of harm. The risk of exploitation in this manner can be illustrated by the trajectory of the related concept of ‘cybercrime’. Although early international agreements on cybercrime, such as the 2001 Budapest Convention, sought to circumscribe the concept to cover only economic transgressions – fraud, identity theft, and so on – many national laws later expanded the concept to ‘content’ crimes, such as posting politically or socially undesirable content online.Footnote 104 This expansion, which provides repressive regimes with a new lever of information control, has begun to supplant the narrower definition of the Budapest Convention internationally.Footnote 105
Such manoeuvres should of course be tracked carefully to assess the consequences of conceptual manipulation for both established definitions and proposed alternatives. More specifically, one could expect an authoritarian state to target political opponents by using an expanded definition of violence to claim that cyber operations harming – for example – national unity are violent cybercrimes, and so should be punished accordingly. This article has argued that there are many violent (that is, intentional and proximate) uses of OCCs that cause harm to national or other communities, and so calling such action violent would not necessarily be misleading.Footnote 106 Even so, a repressive response against the perpetrators would likely be highly disproportionate to the initial harm, and so unjustified. As indicated earlier, state justifications for violence are outside the scope of this article, and so the justification of repressive violence through the identification of earlier violent uses of OCCs – although important – is also beyond the scope of our discussion.
Another downside is the potential implication of conceptual expansion on (international) legal understandings of armed conflict. Though such an impact is unlikely, as it would presuppose that our proposed expansion be broadly accepted by the international legal community and the community of states, we briefly anticipate such implications.
There are two major international legal frameworks that an expanded concept of violence for OCCs could affect: jus ad bellum, particularly its understandings of use of force and armed attack, and jus in bello, particularly international humanitarian law's (IHL) focuses on violence and the protection of civilians during armed conflicts. For the former, the expanded concept of violence may lead to more cyber operations being considered a use of force than a narrow conception.Footnote 107 Even then, an expanded concept of violence is unlikely to have any impact on the definition of ‘armed attack’, which is generally considered to be a higher threshold, depending on the scale and effects of the operation compared to physical precedents.Footnote 108 Importantly, when scholars speak about sub-threshold activity, they usually mean the threshold of armed conflict, which is determined by whether an ‘armed attack’ has occurred. Thus, although an expanded definition of violence implies more sub-threshold activity is violent (and potentially a use of force), it is highly unlikely to move the threshold itself.
With regard to jus in bello, it is important to note that IHL may apply before the notion of ‘armed attack’ has been reached, as IHL uses a different, ‘armed force’, criterium for its applicability.Footnote 109 Many IHL rules start with the notion of an ‘attack’, defined by Article 49 AP I of the Geneva Conventions as ‘acts of violence against the adversary, whether in offence or in defence’.Footnote 110 As for what constitutes violence, IHL would include death, injury, and physical damage, with some states and institutions also including ‘harm due to the foreseeable indirect (or reverberating) effects of attacks’.Footnote 111 The ICRC has argued that ‘an operation designed to disable a computer or a computer network during an armed conflict constitutes an attack as defined in IHL whether or not the object is disabled through destruction or in any other way.’Footnote 112 A too narrow reading would lead to the unsatisfactory result of logical but not destructive operations against civilian networks not being covered by IHL. Consequently, the ICRC authors argue that adopting an expanded concept of violence ‘constitutes one of the most critical debates for the protection of civilians against the effects of cyber operations’.Footnote 113
It is thus very clear that as a matter of IHL, a broader notion of violence leads to more protection against more acts for more people. Our proposition of the expanded definition of violence goes in the same direction as some of the expert commentary in international law.Footnote 114 However, just as different bodies of law have different notions of ‘attack’, different bodies of law have different criteria for what they consider the threshold to be for relevant acts of ‘violence’. Our analytical concept is in no way meant to be determinative for the international legal understandings of the term.
The third potential downside of conceptual expansion is to diminish the association of the concept of violence only with bodily harm by adding intentional proximate causes of affective and community harms. Some scholars diagnose this problem in the broader literature on violence, disagreeing sharply with the works reviewed in the section on the concept of violence above. For example, Stathis N. Kalyvas recommends keeping violence restricted to physical harm for fear of diluting the focus of political science on what constitutes an important and already diverse category of human behaviour.Footnote 115
Crucially, because violence is a normative as well as analytical concept, implicit in this view is an a priori prioritisation and condemnation of bodily over affective and community harm, which we reject. Even if we relied on other words such as harm, cost, or damage, instead of expanding the concept of violence – and specifying the qualities of intention and proximity each time – the normative connotations of violence would be absent from affective and community harms, reinforcing this instinctive prioritisation. We believe that this should not be a definitional matter but one of empirical investigation: in specific contexts, all of which are violent, what were the exact harms inflicted, and how were they experienced by those who were subject to them? We have sought to mitigate the risk of a lack of focus in this article by stressing the context-dependence of comparison between different kinds of harm, especially in the case of cyber operations. Insofar as scholarly and policy focus shifts as a result, this is not a conceptual error but an overdue recognition of the variety of harms humans can experience. In the conclusion of the article, we return to the benefits of our argument for policy, as well as theory, on OCCs.
Conclusion: Relocating violence, rethinking policy
The transformation and reinvention of state violence has continued into the digital age. The clearest manifestation of state violence in cyberspace is in offensive cyber capabilities: the adversarial manipulation of digital devices and networks for interstate competition and globalised repression. However, the literature on OCCs is dominated by a narrow definition of violence as bodily harm, classifying OCCs as largely non-violent. This narrow definition has both analytical and policy consequences. Analytically, it implies undue homogeneity across the wide range of strategically relevant uses of OCCs. At a policy level, it means that many harms caused by OCCs are un- or under-appreciated by states and other actors.
The account provided here provides greater analytical purchase on this expanding domain, as well as stronger normative foundation for action. An expanded concept of violence, including affective and community harms, reveals how OCCs relocate state violence through new means of repression and information manipulation, without simplifying or exaggerating their complex effects. Some readers may object that expanding the definition of violence is hazardous, diluting the devastating effects violent actions have on their victims and their communities. While we recognise this danger, we aim to show that the opposite is also true. Holding on to a narrow definition of violence leads one to misconstrue the harms resulting from the use of OCCs to the detriment of their victims.
Further research is required to substantiate this relocation with empirical data, including large-scale surveys of cyber conflict and extended case studies that trace the decision-making processes behind individual deployments. Further work is also needed to transfer this account of violence from states to semi- and non-state actors, as well as to examine the justifications for violent uses of OCCs in more detail.
This article has three main implications for theory and policy on cyber conflict. First, the affective and community harms caused by OCCs need to be identified, anticipated, and taken seriously in decisions about their use. Second, research and policy should focus on the most violent uses of OCCs, which may not be state-sponsored cyber-espionage or sabotage, but instead the adaption of authoritarian systems to rely on digital and globalised repression and rework existing practices of information manipulation against their adversaries. Third, and most importantly, adherence to a narrow conception of violence means that many states have undertaken significant harmful actions in their own and each other's societies without recognising them as such. Our current conceptual tools hamper institutional adaptation to counter and mitigate these broader harms, such as military doctrines and capabilities, intelligence capabilities, criminal laws, police support, victim counselling, and so on. Our redrawing of the concept of violence to include affective and community harms provides defensive actors with a stronger conceptual foundation to accurately measure harms exerted via digital means and then act to prevent them.
Are OCCs the better angels of our digital nature? We have argued that they are not; on an expanded concept of violence, OCCs represent not Pinkerian optimism, but a more complex relocation of state violence. The main contribution of this article is thus the application of an expanded conception of violence to better understand the impact of OCCs on individuals and societies. But the account of violence put forward here also has broader implications. Many other emerging security technologies, such as lethal autonomous weapons systems, raise similar questions about the extent and type of violence they cause, in part due to their reliance on informational as well as material means to produce harmful effects. The expansion of the concept of violence we have undertaken in this article could also be applied to other information-enabled technologies, to identify and ultimately work to ameliorate currently unseen forms of harm in global politics. Consequently, in addition to its main contribution in rethinking the violence involved in cyber conflict, our study also provides new insights into how to best conceptualise violence in international affairs more widely.
We thank our colleagues, the editors, and three anonymous reviewers for their constructive feedback and suggestions. Earlier versions of this article were presented at the International Studies Association (ISA) conference in Toronto in March 2019, the Center for Security Studies (CSS) research colloquium in July 2019, the Leiden Institute of Security and Global Affairs (ISGA) research seminar in November 2019, and to the Digital Democracy Workshop organised by the Digital Democracy Lab at University of Zurich in November 2020. We thank all participants for their helpful feedback.
Florian J. Egloff is a Senior Researcher in Cybersecurity at the Center for Security Studies (CSS) at ETH Zurich. His publications focus on the role of non- and semi-state actors in cybersecurity, the politics of public attribution, and the use of cyber intrusions for political purposes. He is the author of the forthcoming book Semi-State Actors in Cybersecurity (Oxford University Press, 2022). Author's email: firstname.lastname@example.org. Twitter: @egflo
James Shires is an Assistant Professor in Cybersecurity Governance at the Institute of Security and Global Affairs, University of Leiden. He is a Fellow with The Hague Program for Cyber Norms and the Cyber Statecraft Initiative at the Atlantic Council. He has written widely on issues of cybersecurity and international politics, including on cybersecurity expertise, digital authoritarianism, spyware regulation, and hack-and-leak operations. He is the author of The Politics of Cybersecurity in the Middle East (Hurst/Oxford University Press 2021). Author's email: email@example.com. Twitter: @jamessshires