The better angels of our digital nature? Offensive cyber capabilities and state violence

Abstract Transformations in state violence are intimately associated with technological capacity. Like previous era-defining technologies, global digital networks have changed state violence. Offensive cyber capabilities (OCCs) appear to constitute a major technological development that offers the potential for reducing state violence. This article asks: are OCCs really the better angels of our digital nature? Current scholarship in strategic studies, adopting a narrow definition of violence, conceives of OCCs as largely non-violent. This ignores how technology has given rise to new forms of harm to individuals and communities, particularly in the context of violent state repression. We propose using an expanded definition of violence, including affective and community harms, and argue that OCCs relocate, rather than reduce, state violence towards non-bodily harms. Even though their lethal effects are limited, OCCs are not, as is supposed, a non-violent addition to state arsenals. This conclusion has important implications for international affairs, including re-orienting defensive cybersecurity efforts and altering calculations around the perception of OCCs by adversaries.


Introduction
State violence has changed radically since the emergence of states in their modern form.These changes in violent action are bound up withboth cause and effect ofthe transformation of the state itself over that time. 1 Transformations in state violence are also intimately associated with technological capacity. 2 States now have far greater ability to inflict violence than they have ever previously possessed, but they have notfortunatelydeployed all their violent potential. 3igital networks, including the Internet, are an era-defining set of communications technologies. 4In addition to their social and economic benefits, digital networks subject individuals, organisations, and states to new and unpredictable risks.States are not always the masters of internet communications or infrastructure in their territory, and, as a corollary, they have a far greater reach than before into the territory of other states. 5he element of the digital revolution that has most clearly affected state violence is a set of technologies often referred to simply as 'cyberweapons', but more precisely as offensive cyber capabilities (OCCs).Academic scholarship has argued that OCCs are less violent as a class of technologies overall; in US terminology, as an entirely newand strategically equivalent -'domain' of warfare. 6his is so despite the prevalence of 'cyber-bombs', a 'digital Pearl Harbor', and other disaster scenarios that appear regularly in both the popular and professional imagination.OCCs thus seem to fit into the civilising logic identified by Norbert Elias and popularised by psychologist Steven Pinker in his well-known book tracking trends in human violence for millennia. 7In Pinkerian terms, offensive cyber capabilities may be the better angels of our digital nature, because they are an addition to the coercive repertoires of states that is less violent than the alternatives.
This article assesses this proposition and thus contributes to scholarship on cyber conflict and International Relations.It shows how the strategic studies and International Relations literature on OCCs conceives them as non-violent by adopting a narrow definition of violence as lethal bodily harm.It then argues that this narrow definition of violence inadequately captures key analytical distinctions between the range of supposedly 'non-violent' harms associated with OCCs, especially in repressive contexts.Consequently, the concept of violence should be expanded to accommodate relevant violations that occur using OCCs.In short, OCCs relocate, rather than reduce, state violence.
More is at stake than analytical leverage.Expanding the concept of violence in relation to OCCs closely tracks current policy interventions that pursue the normative goal of reducing the level of cyber-related harms in international politics. 8The dominance of a narrow conception of violence means that many states have used OCCs to undertake significant harmful actions in their own and each other's societies without recognising the extent of such harms.An expanded concept of violence as intentional proximate harm to areas of human valueincluding the body, affective life, The comprehensive study of deterrence and nuclear logics during the Cold War was primarily an effort to understand why and how such restraint is possible.For a recent discussion of a vast literature, see Keir A. Lieber and Daryl G. Press, 'The new era of counterforce: Technological change and the future of nuclear deterrence', International Security, 41:4 (2017), pp.9-49, available at: {https://doi.org/10.1162/ISEC_a_00273}.For example, see the recent statement by Nils Melzer, the UN Special Rapporteur on torture.Owen Bowcott, 'UN warns of rise of "cybertorture" to bypass physical ban', The Guardian (21 February 2020), available at: {https://www.theguardian.com/law/2020/feb/21/un-rapporteur-warns-of-rise-of-cybertorture-to-bypass-physical-ban}.and social relationshipsnot only provides greater analytical traction than broader notions of harm in understanding the impact of OCCs, but, by mobilising the normative weight of the concept of violence, also justifies a policy focus on countering and ameliorating those harms.
The intervention of this articlethe expanded concept of violenceis theoretical.The aim is not to test the violence of OCCs systematically, but to provide a reconceptualisation that can capture relevant harms occurring in cyberspace.Further research should investigate this in more detail, using large-n and detailed qualitative methods to explore OCCs' violent effects through long-term trends and in specific cases.
The article is structured in six parts.The first part defines OCCs.The second part introduces the existing strategic studies literature on OCCs, dominated by a narrow conception of violence as physical or lethal harm.The third part then explores the concept of violence in more depth, drawing on scholarship across philosophy and the social sciences.The fourth part applies this expanded conception of violence to OCCs, showing how it offers new ways of understanding harms occurring from both interstate and repressive uses of OCCs.The fifth part considers the risks of conceptual expansion, and the sixth part concludes by returning to the policy imperative introduced above.
What are offensive cyber capabilities?OCCs are the combination of various elements that jointly enable the adversarial manipulation of digital services or networks. 9These elements include technological capabilities such as infrastructure for reconnaissance and command and control, knowledge about vulnerabilities, in-house exploits and intrusion frameworks, and open-source or commercial tools.They also include individuals with skills in developing, testing, and deploying these technological capabilities, as well as the organisational capacity to perform 'arsenal management' and obtain bureaucratic and legal authorities for action. 10Thus, the broad term OCCs includes what others see as cyber 'weapons' (that is, artifacts that can cause harm), in the sense of a sitting arsenal, but in addition highlights the organisational, technological, and human investment brought to bear in an ad-hoc and highly tailored manner for specific missions. 11A prominent historical example of OCCs would be the ability to covertly manipulate the programmable logic controllers at the nuclear enrichment facility in Natanz (Iran) to degrade the enrichment centrifuges, often referred to by the name given to the worm implementing that effect, Stuxnet, but more aptly captured by the operation name given to the development and deployment of the capability, Olympic Games. 12This operation was first discovered publicly in 2010 but with earlier versions operational several years earlier. 13n the terminology of the United States Air Force, adversarial manipulation aims to disrupt, degrade, or destroy the targeted network or connected systems, or to deceive or deny adversaries 9 Dale Peterson, 'Offensive cyber weapons: Construction, development, and employment', Journal of Strategic Studies, 36:1 (2013), pp.120-4, available at: {https://doi.org/10.1080/01402390.2012.742014}.'Adversarial' simply means against the target's interests.access to that network or connected systems (the 5 Ds). 14OCCs generally require some level of unauthorised access, unless their aim is only to 'deny' access to online services.They also usually involve external control of the network over the Internet, but this is not always the case: the Stuxnet malware was manually inserted into an 'air-gapped' industrial control network. 15In addition to the 5 Ds, OCCs can also enable 'exfiltration'the copying of data from the target networkbecause the same exploitation techniques are used prior to the 'payload' stage.Consequently, cyber espionage and preparation for disruption can (but do not have to) look identical from the victim's perspective, with sophisticated technical analysis and wider threat characteristics required to distinguish between the two. 16any states have developed and used OCCs in the last decade, including the United States and its allies, and we briefly review some key incidents, operations, and campaigns in the following paragraphs. 17It should be noted that offensive cyber capabilities are often used by private actors on behalf of states, or by proxies. 18n addition to the Stuxnet operation, the US also created a plan to use OCCs to disable Iranian networks nationwide in order to degrade and deny them to Iran in case of conflict (Operation NITRO ZEUS), developed under the current head of US Cyber Command, Gen. Paul Nakasone. 19Another notable Israel-attributed virus discovered in 2011, Duqu, was also aimed at industrial control systems. 20The Snowden disclosures in 2013 revealed cyber operations by the Five Eyes intelligence partners (US, UK, Canada, Australia, New Zealand), including 'effects' operations and offensive cyber operations enabling signals intelligence collection by UK's GCHQ. 21Other US and allied cyber operations to collect intelligence and to deceive ISIS leadership were mounted against ISIS in Syria. 22More recently, in both June and September 2019, the US claimed to have conducted cyber operations against Iran in retaliation to the downing of an unmanned US surveillance drone and attacks against oil facilities in Saudi Arabia.States with a more adversarial relationship with the US, such as Iran, Russia, China, and North Korea, have also developed OCCs.Notably, an Iran-attributed data deletion attack in August 2012 ('Shamoon') on Saudi Aramco and Qatari company RasGas, re-engineered elements of US/Israeli OCCs discovered in Iran, to wipe data on and render thirty thousand computers dysfunctional. 24his was followed by distributed denial of service (DDoS) attacks on US banks in 2012 among other incidents. 25ome of the most serious incidents attributed to Russia to date include disruptive operations against Ukraine's electrical grid in 2015 and 2016 (Black/Grey Energy) and the NotPetya virus, which infected shipping company Maersk, among others, in 2017. 26Subsequent OCCs attributed to Russian entities include a virus in Saudi petrochemical plants in 2017, which included a module that manipulated safety systems (Triton/Trisis). 27lthough Chinese OCCs have been used primarily for espionage, 28 North Korea has used OCCs for disruption, with the Sony Pictures hack-and-leak in 2014 claimed by 'Guardians of Peace', a hacker group attributed to the North Korean government.Infiltrations into the payment system underpinning international financial transactions (SWIFT) and the Central Bank of Bangladesh in 2016, and the 'Wannacry' ransomware that spread worldwide in 2017, including a brief paralysis of the UK's National Health Service, have also been attributed to North Korea. 29owever, despite the extensive deployment of OCCs by states, accompanied by a powerful narrative around cyber 'hype', OCCs have not caused destruction on a scale comparable to conventional weaponry.Despite extensive disruption from the incidents reviewed above, with significant economic losses, systems recovered shortly afterwards, albeit with intense effort, and no one died.This fact is the basis for a strand of academic thinking arguing that OCCs are less violent than other forms of military power, to which we now turn.

A narrow definition of violence
This section traces thinking on violence in key works on cybersecurity in International Relations and strategic studies.Although Thomas Rid's seminal article and book, 'Cyber War Will Not Take Place', 30 prompted a brief surge in debate on the concept of violence, the dominant strand of academic reasoning both before and after has been that OCCs are non-violent alternatives to conventional means, relying on a narrow concept of violence as lethal bodily harm.This section argues that such a narrow definition unhelpfully classes together a range of supposedly 'nonviolent' harms associated with OCCs.Although scholars have frequently pointed to the importance of these harms, they nonetheless classify them equally as non-violent, missing an analytically useful distinction.It should be noted that many of these scholars do not include espionage activity in their definition of OCCs. 31However, given the extensive overlap between cyber capabilities deployed for espionage and disruptive purposes, we do not exclude such activity by definition, and examine its relevance for violence in subsequent sections.
The violenceor lack thereofof OCCs was a key concern for scholars of technology and war well before the emergence of the cyber lexicon itself.Early on in the development of thought on the military potential of digital technologies, and well before the commonplace use of OCCs, John Arquilla and David Ronfeldt declared that 'most netwars will probably be non-violent', 32 while Giampiero Giacomello expressed doubts that computer network operations were likely to 'break things and kill people (BTKP)'. 33In the following decade, Ralf Bendrath concluded that 'in bodyless cyberspace there is no room for physical violence', 34 while Myriam Dunn Cavelty's investigation of US cyber policy argued that 'dropping the word "war" in dealing with information activities … stresses or implies [their] non-violent nature'. 35There were dissenting voices even in these early debates: Martin Van Creveld suggested in 2002 that the 'greatest single shortcoming' of his 1989 magnum opus The Transformation of War had been to omit information warfare, which could 'lead to the deaths of millions' in cases where electricity grids were shut off or stock markets crashed. 36ollowing Stuxnet, such disaster scenarios abounded, provoking an extensive debate on their accuracy and questions of threat inflation and construction. 37This literature followed securitisation scholarship in treating the question of violence tangentially, focusing more on the means by which threat representations gain prominence. 38The strategic studies community, in contrast, focused directly on the lack of violence demonstrated by Stuxnet-type attacks.In 2011, Tim Maurer argued that 'cyberwarfare costs fewer lives compared with traditional types of warfare', 39 while Martin C. Libicki poured further cold water on the flames of cyber war, claiming that 'there is scant indication that a full-blown attack could kill as many as a normal year's flu epidemic'. 40orothy Denning suggested that Stuxnet itself presented 'less harm and risk than the kinetic weapon'. 41Although these scholars saw Stuxnet as merely less violent than conventional alternatives, others were more explicit in identifying violence with lethal bodily harm, as follows.
The question of violence was treated extensively in two influential exchanges: the first between Thomas Rid and John Stone, and the second between Erik Gartzke, Lucas Kello, and Jon R. Lindsay. 42Rid approached OCCs through his examination of cyberwar.In doing so, he 31 A view reflected in the discussions of the relevant UN Group of Governmental Experts (GGE), likely for political and legal convenience.employed a narrowly physical view of violence disassociated from harm or damage: for example, stating that 'non-violent cyber attacks could cause economic consequences without violent effects that could exceed the harm of an otherwise smaller physical attack'. 43Stone's response argues that Rid's argument slips between violence and force, countering that 'all war involves force, but force does not necessarily imply violenceparticularly if violence implies lethality'. 44For Stone, OCCs are a 'violence multiplier' rather than a force multiplier, illustrated by analogies with bombing raids that cause only building damage and a stiletto that kills with almost no force.Nonetheless, Stone's view of violence remains physical, focused mainly on lethal harm.Rid's response in turn is even clearer: titled 'More Attacks, Less Violence', he concludes that 'the rise of cyber attacks reduces the amount of violence'. 45ello's treatment of violence is more cautious than Rid's, as he describes OCCs as not being 'overtly violent' or distinguishes them from 'traditional violence', leaving room for covert or nontraditional violence. 46However, Kello's work is symptomatic of a wider movement in the field from questions of violence to questions of effect, as he focuses not on violence but on 'potency'. 47he concept of potency asks whether cyber weapons are efficacious or powerful, not whether they are violent. 48More recent work by others along these lines also examines 'dangerous' instability rather than explicitly considering violence. 49his movement away from violence is most explicitly made by Gartzke, who suggests that Rid's definitional debate 'risks becoming a purely academic exercise' if cyberwar fulfils the same strategic logic as traditional war. 50Gartzke focuses on the potential of 'the Internet to carry out functions commonly identified with terrestrial political violence', rather than the question of whether those functions would also be violent if carried out over the Internet. 51He addresses conceptual issues of damage and harm only briefly, arguing that cyberwar is less effective because damage is temporary, and its use degrades capabilities, so it should remain adjunct to terrestrial force. 52ollowing this debate, the concept of violence is now used rarely by strategic studies scholars focusing on cybersecurity, including those reviewed above, and given little theoretical attention. 53n sum, key works in the strategic studies literature on OCCs largely treat them as non-violent alternatives to conventional means, based on a narrow, physical (kinetic) and/or lethal definition of violence.This argument has been the basis for much of the subsequent research in the field focusing on specific strategic concepts, including deterrence 54 and coercion. 55Indeed, a lack of physical violence is part of the reason for the strategic utility of OCCs highlighted by this literature.
At this stage, we can be more precise about the contribution of this article to the literature above.We do not claim that scholars such as Rid, Gartzke, and Kello above, or other influential analysts such as Adam P. Liff, Richard J. Harknett, and Max Smeets, overlook or are uninterested in the harmful effects of cyber operations, particularly below the threshold of armed conflictthey undoubtedly are. 56Indeed, their work highlights these harms as strategically relevant.Although Rid argued thatso farthe effects of cyber operations have not in and by themselves constituted 'war', he emphasised that OCCs cause harm through espionage, subversion, and sabotage.Kello introduced the notion of 'unpeace' exactly because the harmful effects of OCCs escaped the normal peaceful relations between states, but did not constitute warfare. 57And Harknett and Smeets reconceptualised these effects below the threshold of war as cumulatively being able to shift the balance of power, in response to what they saw as a failure to appreciate the strategic impact of OCCs. 58nstead, the point we make is that although these scholars insightfully and thoroughly discuss such harms, they nonetheless describe them all as non-violent according to a narrowly physical definition.If there were no analytical utility to expanding the concept of violence, then this point would be purely semantic and so of little theoretical interest.But we argueand illustrate in detail in subsequent sectionsthat expanding the concept of violence adds analytical value by providing a useful way to parse different forms of behavior or action even within more structural categories of under the threshold competition or unpeace: some violent, some not, and some more violent, others less so, rather than a blanket ascription of non-violence.Importantly, although this discussion has remained within the strategic space of unpeace to highlight the theoretical relevance of the argument, it bears repeating that violent acts occur during peace, unpeace, and war, and so our expansion of the concept of violence can shed further light not only on acts below the threshold of armed conflict, but also acts above this threshold.
Finally, although this narrow conception of violence dominates the literature, it is not a consensus.The above works display internal tensions and disagreements about the relationship of OCCs to violence.Other scholars push against this narrow conception more explicitly.For example, Amir Lupovici recognises that 'the question of whether they [cyber means] are means of violence remains open', while Finlay notes that we 'lack an account of how cyber operations relate to violence' and proceeds to offer an account of violence situated in just war theory. 59Tim Stevens, in turn, notes that 'affective implications of cyber weapons' should be included, 'which might include feelings of insecurity or fear', but does not theorise this further. 60We think it is imperative to do so, but before we do so in the third section of the article, we first engage more closely with the literature on violence itself.

Expanding the concept of violence
This section presents an expanded concept of violence, defined as intentional proximate harm, focusing on these three aspects in turn: harm, intent, and proximity of means.We understand harm as the diminishing, damage, or destruction of areas of human value.We, in turn, identify three general areas of value: the body, affective life, and community.These are neither exhaustive nor generalisable across all times and places, because areas of value are socially and culturally constructed rather than biologically or naturally pre-given. 61This expanded concept of violence draws on a range of literature on violence in security studies and International Relations more broadly. 62he body is the most intuitive locus of harm.However, many forms of bodily pain are learned socially, rather than being an immediate, unmediated sensation.The distinction between bodily harm and harm to one's affective life, which includes psychological or emotional harm, therefore does not imply a 'pure' physicality of the body or a 'non-physical' quality to mental activity. 63We then distinguish between affective life, which rests at the level of the individual, and community, which captures the value of relations between individuals as well as collective identities, practices, and histories. 64These areas of value overlap and interact: harm to one can cascade into others, or 59 Amir Lupovici, 'The "attribution problem" and the social construction of "violence": Many public health organisations, such as the World Health Organization (WHO) and the US Center for Disease Control, explicitly distinguish emotional and physical harm as different kinds of violence.For a recent discussion, see Karlie E. Stonard, '"Technology was designed for this": Adolescents' perception of the role and impact of the use of technology in cyber dating violence', Computers in Human Behavior, 105 (2020), available at: {https://doi.org/10.1016/j.chb.2019.106211}.Similarly, Thomas includes intentionally inflicted psychological harm in her definition of violence; see Thomas, 'Why don't we talk about "violence" in International Relations?',p. 1834.While we follow the broader literature in treating 'physical' and 'bodily' as roughly synonymous in this article, ideally we would move away from the language of physicality altogether, as it implies the existence of a non-physical realm.Psychosomatic conditions demonstrate the complex connection between bodily and mental suffering (all of which is ultimately physical), and so even without the language of physicality this intuitive distinction dissolves on closer inspectionreinforcing our argument for expanding the concept of violence to include both sides.

64
The WHO defines violence as 'the intentional use of physical force or power, threatened or actual, against oneself, another person, or against a group or community, which either results in or has a high likelihood of resulting in injury, death, psychological harm, maldevelopment, or deprivation (our emphasis).'World Health Organization, 'Violence Prevention' (World characteristics of one can counter harm in others.For example, different harms result from the loss of a limb in communities that are more or less accepting of differently-abled people.Importantly, on this view threats of violence and coercion are themselves violent due to their impact on affective life and community; they create and spread fear and discomfort, and for coercive threats, introduce limits to freedom of action. This threefold view of value is clearly much broader than the narrow, physical definition of violence in the previous section, but still selective.Fitting with the international security studies focus of this article, the definition is anthropocentric, as it does not include damage to robots, animals, and ecosystems unless that damage affects humans in some way.Similarly, it does not include damage to property or infrastructure unless such damage affects the areas of human value above (which, practically, will often be the case). 65It also does not follow more ontological concepts of violence in viewing harm as a fundamental 'reduction in being', which is the basis for work on 'dehumanisation' as a violent act. 66he breadth of this concept of harm means that there is no lower limit to whether an act is violent.This lack of a lower limit is often captured through the concept of a 'micro-aggression': an act that individually inflicts very little harm, but is nonetheless violent. 67Consequently, specifying the severity of violent action is crucial; however, severity varies massively within and between areas of value and cannot be decided in the abstract. 68Harm to the community may be commensurable to, or prioritised above, bodily or affective harms, and we consider several examples where this is the case in the following section.
The second aspect of the expanded definition is that violent acts must be intended to cause harm.Because only agents, not social structures, can be ascribed intent, our definition excludes 'structural' violence, where harm is caused by social structures such as gender, race, or capitalism. 69Many discussions of violence treat intention as binaryan act was either intended or notthus creating conceptual problems regarding accidental or ignorant action and harms that are outside the intended 'target' of violence (for example, 'collateral damage'), or greater/ lesser than anticipated.These problems can be sidestepped by treating intention as an agential but still socially ascribed quality (agents exist within specific social contexts), rather than a true purpose 'within' someone's mind.The intention condition then becomes one of reasonable knowledge or foresight that (a specific type, target, or level of) harm would occur. 70e limit our discussion of violence to one specific type of agent: the state. 71We do so acknowledging that political violence includes many non-state actors; indeed, many scholars argue that Health Organization, 2020), available at: {http://www.who.int/violence_injury_prevention/violence/en/}.Following a similar definition, see Florian J. Egloff  In Schinkel's words, 'no general prima facie rule for the severity of violence can be given.This is, after all, not a mathematique sociale.' Schinkel, Aspects of Violence, p. 73.69 Galtung, 'Violence, peace, and peace research'.We do not mean to deny or downplay such harms, merely to recognise that they are beyond the scope of this article.Reasonable as judged by a socially constructed 'normal observer'.This is always a contextual issue, but one followed by legal traditions worldwide, even though they differ in setting levels of reasonable anticipation.71 Note, we do not limit the applicability of the expanded definition of violence by actor, but rather focus our discussion of violence on the state.non-state actors are relatively empowered by cyber capabilities. 72Added to this, many forms of violence relevant to OCCs (such as gender-based violence involving spyware) are often not directly associated with the state. 73State violence, however, remains a foundational form in most accounts of OCCs and in political philosophy more widely. 74Of course, states are not unitary actors and have developed sophisticated practices for collectively committing violent acts.Intelligence, security, and military agencies are the focal point of the most violent actions of the state, and when other state authorities (local municipalities, health and social care, etc.), use violence in extreme cases they rely on the intelligence, security, and military apparatus.
There is a large literature on how states justify their use of violence; however, due to space constraints, we do not address the question of how cyber violence is located within these justifications of violence more broadly. 75It is nonetheless important to distinguish this question of justificationof the use of violence by statesfrom issues around the risks and subsequent justification of the conceptual change advocated by this article, which we consider in detail in the following sections.
The third aspect of the expanded definition is proximate means.Harms have many causes on multiple levels, and so we define a violent act as one that intends harm and is a proximate cause of that harm.Although this is partly a temporal matter of immediacy or distance, we recognise that proximate causes can be temporally distant, and more complex notions of causality assign causal weight among different acts using many factors, including the means by which harm was inflicted. 76Although means of violence can be categorised in many ways, the most relevant distinction for OCCs is between material and informational means, or, in other words, how far the infliction of harm depends on the symbolic properties of objects. 77Material and informational means are not mutually exclusive and the relationship between software and hardware is interdependent: transmitting information relies on certain material properties, while material objects are inconceivable without informational elements. 78The distinction is, therefore, one of emphasis: whether the material or informational component is the primary way of diminishing or damaging one of the areas of value above.
An example may make the interaction between material and informational means clearer.The effect of armed unmanned aerial vehicles (UAVs) on state violence is another frequently discussed topic. 79In stark contrast to OCCs, UAVs are usually considered as remote means of inflicting material or kinetic violence, even though the informational infrastructure enabling drones (and also sophisticated missiles) is as complexand sometimes dependent on similar technologiesto OCCs.This is because UAVs cause harm by dropping bombs on people and 72 See property, whereas OCCs obviously do not.More precisely, for UAVs the causal weight of the missile outweighs that of the command and control infrastructure in the infliction of harm.In contrast, a hypothetical OCC use in a 'critical infrastructure' scenario that caused explosions similar in scale to those of a drone strike would still be an informational means of harm, as the symbolic properties of that critical infrastructure (its command and monitoring logics) would have the highest causal weight.However, this scenario requires a more thorough investigation of OCCs based on all three aspects of the expanded definition of violence outlined hereharm, intent, and proximate meanswhich is the subject of the next section.
Before turning to that section, it is pertinent to review how we have incorporated or deviated from previous work in proposing this expanded definition of violence.Our expanded definition follows a number of scholars and institutions that include psychological harm in the definition of violence. 80We refined, for example, Claire Thomas's definition, including a more nuanced view of intended harms (that is, our areas of value).We deviated from the WHO definition, as only a more precise conceptualisation (that is, including causal proximity) can clarify the precise way a new means of action, in our case OCCs, should be classified as violent.The merits of such a deviation are shown in the next section.

Rethinking violence and OCCs
This section applies the expanded view of violence set out above to OCCs, arguing that including non-lethal and non-bodily harms means that OCCs relocate, rather than reduce, state violence. 81ore specifically, our threefold view of harmwith the body, affective life, and community as separate areas of valueconsolidates several broader views on the harms caused by OCCs. 82n an expanded definition of violence, uses of OCCs that are usually considered non-violent, such as website defacement or DDoS, can be violent acts.As indicated above, both whether such actions are violent and the severity of the violence is extremely context-dependent. 83For a leisurebased streaming service, forcing people to wait for a website to load might be a minor irritation, while in other cases -Internet voting, denying a minority community a specific language resource or, in the case of the Mirai botnet, depriving whole nations of internet accessthis could be a significantly harmful act of violence. 84Repressive uses of OCCs, which are violent predominantly due to their impact on individuals' affective life (through fear, trauma, and anxiety), and on communities (through 'chilling effects' limiting political speech, and the loss of minority identities), 85 are more likely to be considered violent in an expanded definition, although repressive uses of OCCs have also been connected to bodily violence. 86owever, our definition of harm implies that some uses of OCCs remain non-violent.The large DDoS attacks that targeted the US financial system in 2012 would only be violent if their impact could be traced to harm to specific individuals or communities.Similarly, the hacker Phineas Fisher's claim that 'in the digital era, robbing a bank [using OCCs] is a non-violent act' is also true unless damage is intentionally caused or reasonably foreseen to human bodies, affective lives, or communities. 87More broadly, Agrafiotis et al.'s 'taxonomy of cyber harm' highlights a range of reputational and economic damage to organisations that, in our view, are only violent if they lead proximately to the diminishment of the three areas of human value above. 88It is relatively simple to make such a connection for nearly all critical infrastructure cyberattacks.For example, in Matt Sleat's discussion of the 'harm caused to vital human interests through degrading the functionality of computer systems necessary to a country's critical infrastructure' it is not the infrastructure damage itself that is violent, but the 'human interests' (bodily, affective, and communal) that are affected. 89ther forms of digital harm are excluded from our discussion due to the criterion of intent.Following our bracketing of structural elements of violence in the previous section, we similarly put aside the structural influence of digital technologies.This focus excludes harms created by system-level dynamics in internet governance, such as the economic incentives for writing vulnerable software or weakening encryption technologies to enable state decryption.Furthermore, the intent criterion is an especially complex issue for both interstate and repressive uses of OCCs, because state direction is frequently unclear or indirect.Interstate uses of OCCs often involve proxies and criminal groups, while both interstate and repressive uses rely on private contractors to provide technologies, expertise, and sometimes actual deployment.We recognise that ascribing a clear intent to any specific use of OCCs is a highly complex, time-consuming, and an arduous task; however, this empirical difficultyand the policy challenges it createsdo not invalidate intent as a conceptual criterion of violence, in cyber or other realms. 90he third aspect of the expanded definition of violence is proximate means, treated briefly in the contrasting comparison with armed UAVs at the end of the previous section.Cyber capabilities, as information systems, alter information (although through material networks), and so their capacity for violence is based on the added possibility of devaluing areas of value through informational means as well as or instead of material ones.This distinction is not always easy to draw: a pacemaker cyberattack that uses code to affect an individual's heart function clearly depends on symbolic properties, while the categorisation of a GIF that induces a seizure is not so obvious because the strobe light inducing epilepsy is not symbolic. 91Stuxnet also demonstrates the impossibility of completely disentangling informational and material means: the virus damaged centrifuges by altering their rotational speed and pressure sensors, but its success depended on many material objects, from the test centrifuges constructed in the US to the USB drive physically carried by an agent into the enrichment facility.
Nonetheless, the ability of OCCs to inflict harm through informational means opens up a category of 'non-kinetic' violence, which furthers the insights of the strategic studies scholarship reviewed above. 92These scholars also see proximity as a crucial aspect of OCCs: Rid suggests that harm from OCCs is 'mediated, delayed and permeated by chance and friction', while for Kello cyber-attacks 'lack a proximate cause of injury'. 93The expanded definition proposed here implies that OCCs can be sufficiently proximate to constitute violent acts despite their causal complexity.As explained in the previous section, sufficient proximity is a causal rather than geographic criterion, as OCCs can be operated with a reasonable certainty of effect from a vast distance.
To demonstrate the analytical value of expanding the concept of violence to distinguish between different kinds of under-the-threshold cyber operations, the remainder of this section provides illustrative examples in each of Rid's three categories of espionage, sabotage, and subversion.Within these categories, an expanded concept of violence usefully reorders the analytical space, helping us to understand and prioritise the range of harmful effects involved.
First, an expanded concept of violence requires us to reassess the harms caused by different forms of cyber-espionage.State-sponsored industrial or commercial cyber-espionage is unlikely to fulfil any of the three aspects of violence above: first, it often harms organisations rather than humans, especially property (including intellectual property); second, it is not usually intended to cause bodily, affective, or community harm, even if it does so accidentally; and third, even if there is an intent to harm, and a subsequent effect, it is not clear that the means by which this occurs (such as the transfer of patent designs) is sufficiently proximate to satisfy the third condition. 94n contrast, cyber-espionage in repressive contexts, directly violating individual rights of privacy and indirectly creating 'chilling effects', may well meet our expanded criteria of intentional proximate harm on both affective and community levels.While espionage networks to spy on diaspora communities predate the Internet, they are relatively costly, tedious to maintain, and difficult to establish globally.Cyber capabilities transform this calculation, and potentially offer the home state an easy pathway to achieve global reach.The use of OCCs for repression would be 91 Reis Thebault, 'A tweet gave a journalist a seizure: His case brings new meaning to the idea of "online assault"', Washington Post (17 December 2019), available at: {https://www.washingtonpost.com/health/2019/12/16/eichenwaldstrobe-gif-seizure-case/}.92 On 'non-kinetic', see Finlay, 'Just war, cyber war, and the concept of violence', p. 370.93   Rid, 'Cyber war will not take place' (2012), p. 9; Kello, 'The meaning of the cyber revolution', p. 24.Rid expands further on the 'indirect' violence of OCCs in 'More attacks, less violence', where he states that 'violence administered through computer code, as a result of its indirect nature, is bound to remain unqualified' (p.140).Rid's definition of 'qualified' here is complex, but essentially refers to the institutionalisation, even naturalisation, of state violence.For Rid, state power and force always, at their heart, involve bodily violence, and OCCs must therefore be somewhat external to this process.

94
For further argument regarding the difficulties in relating cyber-espionage directly to harm or economic disadvantage, see Gilli and Gilli, 'Why China has not caught up yet'.non-violent in a narrow definition unless directly linked to arbitrary detention and torture.This conceptualisation is one of the reasons that advocacy groups and international human rights representatives have sought to tie commercial spyware identified on the devices of Saudi dissident Omar Abdulaziz and others to the murder of Jamal Khashoggi in the Saudi consulate in Istanbul in October 2018. 95owever, digital censorship and surveillance could also be conceived as relocated state violence.When individual groups are targeted by censorship technologies there are effects on affective life (individual identities, including gender and ethnic identifications) and communal areas of value (social relationships, and at the larger scale, national identities).Examples for such operations are plentiful and well documented, for example in the case of the Tibetan or Uighur minorities. 96For surveillance, an expanded definition of violence including affective and psychological impacts would help to mobilise policy discussions on the regulation of commercial spyware to repressive states, without requiring specific instances of bodily harm to be associated with their use.
Second, regarding sabotage, a good illustration of the impactful use of OCCs is NotPetya, destructive malware originally spread via Ukrainian tax software. 97Its initial infection, attributed to the Russian military intelligence directorate (GRU), led to a disruption of Ukrainian government functions in the context of Russian occupation of the Crimean Peninsula and the Donbas region, followed by global spread into a wide range of major multinational firms.In a narrow definition of violence, this would be non-violent as it did not cause bodily harm or death.The apparently non-violent yet impactful character of NotPetya has left scholars and policymakers struggling to capture its effects.
However, NotPetya is violent in an expanded definition, though the intent of the attackers is crucial in judging 'how violent' and consequently calibrating the policy response.At a more limited level, NotPetya could be interpreted as designed specifically to erode confidence in Ukrainian society, economy, and trust in the state, creating a collective feeling of vulnerability and causing harm at a community level.The malware was 'designed to send a political message: If you do business in Ukraine, bad things are going to happen to you.' 98 In this reading, extensive international effects were collateral damage to the country-focused operational intent. 99A contrasting judgement sees NotPetya's authors as fully culpable for intentionally producing global damage, knowing the malware would spread outside Ukraine.In this view, NotPetya was a carefully considered device for strategic signalling worldwide, using the destabilisation of global economic actors as a medium to send the message. 100We do not seek to decide between these alternative interpretations here, but stress that, on an expanded definition of violence, both accounts are describing violent acts, though the second is more severe than the first as the intent covers a 95 Bill Marczak et al., 'The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil' (Citizen Lab, 1 October 2018); Agnes Callamard and David Kaye, 'UN Experts Call for Investigation into Allegations That Saudi Crown Prince Involved in Hacking of Jeff Bezos' Phone', United Nations Office of the High Commissioner for Human Rights (22 January 2020), available at: {https://perma.cc/EFY4-KZQX}.96 See, for example, Citizen Lab, 'Targeted Threats', Citizen Lab Website (2021), available at: {https://perma.cc/G74G-BFEY}.

97
In 'More attacks, less violence', Rid distinguishes between two views of sabotage: the now standard view where sabotage can include kinetic disruption, and a narrower historical understanding where sabotage is only temporary disruption, which 'has nothing to do with violence, neither to life nor to property' (p.141, quoting Giovannitti).Rid suggests that OCCs 'restrain violence and make that line easier to draw' (p.141), and so would likely simply consider NotPetya non-violent, foregoing the range of analytical options discussed here.Third, regarding subversion, OCCs have been frequently deployed in what are known as 'hack-and-leak' operations, where sensitive information is obtained through a cyber intrusion and then published online.The paradigm example is the compromise of the US Democratic National Committee (DNC) by the Russian military intelligence agency, the GRU, during the 2016 presidential elections, but such operations are far more widespread. 101As a combination of OCCs with broader techniques of information and influence operations, hack-and-leaks are highly relevant to under-the-threshold state competition, but clearly not violent on a narrow definition.Moving to an expanded definition of violence, in contrast, helps us distinguish between hack-and-leaks that directly cause affective harms by publishing private personal data (kompromat) and so are violent, and those that leak affectively neutral but strategically valuable organisational capabilities, which are not.Empirical examples in the former, violent, category include reported operations against Al-Jazeera anchor Ghada Ouiess and the Sony Pictures Entertainment executive Amy Pascal, while ones in the latter, non-violent, category include the Shadow Brokers releases of US OCCs, and the leak of NHS documents before the 2019 UK general election. 102verall, this section has argued that OCCs can be violent even though we agree with the strategic studies literature that it is difficult, though not impossible, for them to cause bodily harm (and especially lethal bodily harm).An expanded concept of violence highlights non-bodily affective and communal harms caused by OCCs, suggesting that OCCs relocate rather than reduce violence.It therefore adds analytical value to current insights of strategic studies on the kinds of harm caused by cyber operations, parsing more finely different forms of espionage, sabotage, and subversion.It also emphasises that violent uses of OCCs are likely to occur in repressive situations, while canonical forms of cyber-espionage remain non-violent.Furthermore, the examples in this section underline that interference with data in a digitalised society may result in harm commensurate with or exceeding the destruction of physical objects or bodily injury. 103onsequently, capturing affective and community harms as violence is not only analytically useful, but also normatively consequential, and we return to the policy implications of this shift in the conclusion.Before doing so, we consider the risks of this conceptual expansion.

The risks of conceptual expansion
There are several downsides of an expanded concept of violence in relation to OCCs, of which we address three in this section: manipulation, legal implications, and a consequent lack of focus.We see these three downsides as representing real risks, but nonetheless conclude that the analytical benefits above, combined with the policy benefits considered in the concluding section, outweigh these risks.
First, there is the question whether an expanded concept facilitates political and ideological exploitation, particularly as it does not have a lower threshold of harm.The risk of exploitation in this manner can be illustrated by the trajectory of the related concept of 'cybercrime'.Although early international agreements on cybercrime, such as the 2001 Budapest Convention, sought to circumscribe the concept to cover only economic transgressionsfraud, identity theft, and so on 101 See, for example, James Shires, 'Hack-and-leak operations: Intrusion and influence in the gulf', Journal of Cyber Policy, 4:2 (2019), pp.235-56; James Shires, 'The simulation of scandal: Hack-and-leak operations, the Gulf States, and U.S. politics', Texas National Security Review, 3:4 (2020).

102
For Shadow Brokers, this evaluation considers the leak itself, not the subsequent reuse of such capabilities afterwards.For Sony Pictures and Shadow Brokers, see Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (Cambridge, MA: Harvard University Press, 2020).On Oueiss, see Ghada Oueiss, 'I'm a female journalist in the Middle East: I won't be silenced by online attacks', Washington Post (8 July 2020).On the NHS documents, see Dan Sabbagh, 'Leaked NHS dossier inquiry focuses on personal Gmail accounts', The Guardian (19 December 2019).many national laws later expanded the concept to 'content' crimes, such as posting politically or socially undesirable content online. 104This expansion, which provides repressive regimes with a new lever of information control, has begun to supplant the narrower definition of the Budapest Convention internationally. 105uch manoeuvres should of course be tracked carefully to assess the consequences of conceptual manipulation for both established definitions and proposed alternatives.More specifically, one could expect an authoritarian state to target political opponents by using an expanded definition of violence to claim that cyber operations harmingfor examplenational unity are violent cybercrimes, and so should be punished accordingly.This article has argued that there are many violent (that is, intentional and proximate) uses of OCCs that cause harm to national or other communities, and so calling such action violent would not necessarily be misleading. 106Even so, a repressive response against the perpetrators would likely be highly disproportionate to the initial harm, and so unjustified.As indicated earlier, state justifications for violence are outside the scope of this article, and so the justification of repressive violence through the identification of earlier violent uses of OCCsalthough importantis also beyond the scope of our discussion.
Another downside is the potential implication of conceptual expansion on (international) legal understandings of armed conflict.Though such an impact is unlikely, as it would presuppose that our proposed expansion be broadly accepted by the international legal community and the community of states, we briefly anticipate such implications.
There are two major international legal frameworks that an expanded concept of violence for OCCs could affect: jus ad bellum, particularly its understandings of use of force and armed attack, and jus in bello, particularly international humanitarian law's (IHL) focuses on violence and the protection of civilians during armed conflicts.For the former, the expanded concept of violence may lead to more cyber operations being considered a use of force than a narrow conception. 107ven then, an expanded concept of violence is unlikely to have any impact on the definition of 'armed attack', which is generally considered to be a higher threshold, depending on the scale and effects of the operation compared to physical precedents. 108Importantly, when scholars speak about sub-threshold activity, they usually mean the threshold of armed conflict, which is determined by whether an 'armed attack' has occurred.Thus, although an expanded definition of violence implies more sub-threshold activity is violent (and potentially a use of force), it is highly unlikely to move the threshold itself.
With regard to jus in bello, it is important to note that IHL may apply before the notion of 'armed attack' has been reached, as IHL uses a different, 'armed force', criterium for its  The first Tallinn manual provides eight criteria to judge whether a cyber operation is a use of force: severity, immediacy, directness, invasiveness, measurability of effects, military character, state involvement, and presumptive legality.The first, third, and fourth criteria are potentially open to more permissive interpretations based on an expanded concept of violence, while the second (immediacy) is akin to the proximity criterion in the expanded conception.For more detail, see, for example, Michael N. Schmitt, 'The use of cyber force and international law', in Marc Weller, The Oxford Handbook of the Use of Force in International Law (Oxford, UK: Oxford University Press, 2015).For a more general discussion, see Tom Ruys, 'The meaning of "force" and the boundaries of the "jus ad bellum": Are "minimal" uses of force excluded from UN Charter Article 2(4)?',The American Journal of International Law, 108:2 (2014), pp.159-210.108 Nicaragua judgement, International Court of Justice.Note that the United States has not followed that interpretation and considers there to be no difference between 'use of force' and 'armed attack'.See NATO Cooperative Cyber Defence Centre of Excellence, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2 nd edn, Cambridge, UK: Cambridge University Press, 2017), Rule 69.applicability. 109Many IHL rules start with the notion of an 'attack', defined by Article 49 AP I of the Geneva Conventions as 'acts of violence against the adversary, whether in offence or in defence'. 110As for what constitutes violence, IHL would include death, injury, and physical damage, with some states and institutions also including 'harm due to the foreseeable indirect (or reverberating) effects of attacks'. 111The ICRC has argued that 'an operation designed to disable a computer or a computer network during an armed conflict constitutes an attack as defined in IHL whether or not the object is disabled through destruction or in any other way.' 112 A too narrow reading would lead to the unsatisfactory result of logical but not destructive operations against civilian networks not being covered by IHL.Consequently, the ICRC authors argue that adopting an expanded concept of violence 'constitutes one of the most critical debates for the protection of civilians against the effects of cyber operations'. 113t is thus very clear that as a matter of IHL, a broader notion of violence leads to more protection against more acts for more people.Our proposition of the expanded definition of violence goes in the same direction as some of the expert commentary in international law. 114However, just as different bodies of law have different notions of 'attack', different bodies of law have different criteria for what they consider the threshold to be for relevant acts of 'violence'.Our analytical concept is in no way meant to be determinative for the international legal understandings of the term.
The third potential downside of conceptual expansion is to diminish the association of the concept of violence only with bodily harm by adding intentional proximate causes of affective and community harms.Some scholars diagnose this problem in the broader literature on violence, disagreeing sharply with the works reviewed in the section on the concept of violence above.For example, Stathis N. Kalyvas recommends keeping violence restricted to physical harm for fear of diluting the focus of political science on what constitutes an important and already diverse category of human behaviour. 115rucially, because violence is a normative as well as analytical concept, implicit in this view is an a priori prioritisation and condemnation of bodily over affective and community harm, which we reject.Even if we relied on other words such as harm, cost, or damage, instead of expanding the concept of violenceand specifying the qualities of intention and proximity each timethe normative connotations of violence would be absent from affective and community harms, reinforcing this instinctive prioritisation.We believe that this should not be a definitional matter but one of empirical investigation: in specific contexts, all of which are violent, what were the exact harms inflicted, and how were they experienced by those who were subject to them?We have sought to mitigate the risk of a lack of focus in this article by stressing the contextdependence of comparison between different kinds of harm, especially in the case of cyber operations.Insofar as scholarly and policy focus shifts as a result, this is not a conceptual error but an overdue recognition of the variety of harms humans can experience.In the conclusion of the article, we return to the benefits of our argument for policy, as well as theory, on OCCs.The transformation and reinvention of state violence has continued into the digital age.The clearest manifestation of state violence in cyberspace is in offensive cyber capabilities: the adversarial manipulation of digital devices and networks for interstate competition and globalised repression.However, the literature on OCCs is dominated by a narrow definition of violence as bodily harm, classifying OCCs as largely non-violent.This narrow definition has both analytical and policy consequences.Analytically, it implies undue homogeneity across the wide range of strategically relevant uses of OCCs.At a policy level, it means that many harms caused by OCCs are un-or under-appreciated by states and other actors.
The account provided here provides greater analytical purchase on this expanding domain, as well as stronger normative foundation for action.An expanded concept of violence, including affective and community harms, reveals how OCCs relocate state violence through new means of repression and information manipulation, without simplifying or exaggerating their complex effects.Some readers may object that expanding the definition of violence is hazardous, diluting the devastating effects violent actions have on their victims and their communities.While we recognise this danger, we aim to show that the opposite is also true.Holding on to a narrow definition of violence leads one to misconstrue the harms resulting from the use of OCCs to the detriment of their victims.
Further research is required to substantiate this relocation with empirical data, including large-scale surveys of cyber conflict and extended case studies that trace the decision-making processes behind individual deployments.Further work is also needed to transfer this account of violence from states to semi-and non-state actors, as well as to examine the justifications for violent uses of OCCs in more detail.
This article has three main implications for theory and policy on cyber conflict.First, the affective and community harms caused by OCCs need to be identified, anticipated, and taken seriously in decisions about their use.Second, research and policy should focus on the most violent uses of OCCs, which may not be state-sponsored cyber-espionage or sabotage, but instead the adaption of authoritarian systems to rely on digital and globalised repression and rework existing practices of information manipulation against their adversaries.Third, and most importantly, adherence to a narrow conception of violence means that many states have undertaken significant harmful actions in their own and each other's societies without recognising them as such.Our current conceptual tools hamper institutional adaptation to counter and mitigate these broader harms, such as military doctrines and capabilities, intelligence capabilities, criminal laws, police support, victim counselling, and so on.Our redrawing of the concept of violence to include affective and community harms provides defensive actors with a stronger conceptual foundation to accurately measure harms exerted via digital means and then act to prevent them.
Are OCCs the better angels of our digital nature?We have argued that they are not; on an expanded concept of violence, OCCs represent not Pinkerian optimism, but a more complex relocation of state violence.The main contribution of this article is thus the application of an expanded conception of violence to better understand the impact of OCCs on individuals and societies.But the account of violence put forward here also has broader implications.Many other emerging security technologies, such as lethal autonomous weapons systems, raise similar questions about the extent and type of violence they cause, in part due to their reliance on informational as well as material means to produce harmful effects.The expansion of the concept of violence we have undertaken in this article could also be applied to other information-enabled technologies, to identify and ultimately work to ameliorate currently unseen forms of harm in global politics.Consequently, in addition to its main contribution in rethinking the violence involved in cyber conflict, our study also provides new insights into how to best conceptualise violence in international affairs more widely.

4
Early insights into characteristics of the digital era can be found in Manuel Castells, Rise of the Network Society, Vol. 1 (Malden, MA: Wiley-Blackwell, 1996); Ronald J. Deibert, Parchment, Printing and Hypermedia: Communication and World Order Transformation (New York, NY: Columbia University Press, 1997); James N. Rosenau and J. P. Singh (eds), Information Technologies and Global Politics: The Changing Scope of Power and Governance (Albany, NY: State University of New York Press, 2002).5 On the Internet and territory, see Didier Bigo, Engin Isin, and Evelyn Ruppert (eds), Data Politics: Worlds, Subjects, Rights (London, UK and New York, NY: Routledge, 2019), especially the chapter by Deibert and Pauly; also Daniel Lambach, 'The territorialization of cyberspace', International Studies Review (2019), available at: {https://doi.org/10.1093/isr/viz022}.6 This terminology emerged along with the creation of the US Cyber Command in 2009-10.For an influential statement, see William J. Lynn III, 'Defending a new domain', Foreign Affairs (2010), available at: {https://www.foreignaffairs.com/articles/united-states/2010-09-01/defending-new-domain}.7 Norbert Elias, The Civilizing Process: Sociogenetic and Psychogenetic Investigations (rev.edn, Oxford, UK and Malden, MA: Blackwell Publishing, 2000 [orig.pub.1936]); Stephen Pinker, The Better Angels of Our Nature: Why Violence Has Declined (New York, NY: Penguin Group USA, 2015). 8

98
Craig Williams quoted in Greenberg, Sandworm, p. 213.99 See, for example, 'Ukraine was clearly the central target', in Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (Cambridge, MA: Harvard University Press, 2020), p. 300.https://doi.org/10.1017/eis.2021.harm.Either way, this use of offensive cyber capabilities relocates interstate violence, by debilitating the affective lives of individuals and inflicting harm on communities.

103A
view also supported by the ICRC; see 'International Humanitarian Law and Cyber Operations During Armed Conflicts', position paper, International Committee of the Red Cross (ICRC) (Geneva, 2019).

104See,
for example, James Shires, 'Ambiguity and appropriation: Cybercrime in Egypt and the Gulf', in Dennis Broeders and Bibi van den Berg (eds), Governing Cyberspace: Power, Behavior, and Diplomacy (London, UK: Rowman & Littlefield Publishers, Inc., 2020), pp.205-26; Shires, The Politics of Cybersecurity in the Middle East, ch. 4. 105 Russian proposals for a new treaty on cybercrime in 2019incorporating content concernsare likely to dominate cybersecurity governance negotiations at the UN in the upcoming years.106Of course, the potential for exploitation partly depends on the truth of the claim.Where such claims are false, this is no more than one pretext for repression among many others. 107 https://doi.org/10.1017/eis.2021.
60 Tim Stevens, 'Cyberweapons: 61 We thus follow 62 Examples of key interventions in this large debate are Vittorio Bufacchi, 'Rethinking violence', , 'Intentions and cyberterrorism', in Paul Cornish (ed.), Oxford Handbook of Cyber Security (Oxford, UK: Oxford University Press, 2022).65 There is a long history of defining violence in a way that includes 'pure' property damage, following John Locke and political philosophy in the low countries of Northern Europe.See Schinkel, Aspects of Violence, p. 27.For an application to OCCs, see the extended discussion, especially the chapter by Simpson with a contrary view, in Luciano Floridi and Mariarosaria Taddeo (eds), The Ethics of Information Warfare (Switzerland: Springer International Publishing, 2014), available at: {https://doi.org/10.1007/978-3-319-04135-3}.Aspects of Violence, esp.pp.50-1; also Ilan Zvi Baron et al., 'Liberal pacification and the phenomenology of violence', International Studies Quarterly, 63:1 (2019), pp.199-212, available at: {https://doi.org/10.1093/isq/sqy060}.67 For recent debate over the definition and scientific applicability of this concept, see the several articles in Perspectives on Psychological Science, 12:1 (2017).