I’ve written on this blog before about the ways in which I think political discourse in the US serves democracy poorly. A recent article by David Gewirtz at ZDNet on the subject of the moral status of DDoS attacks has prompted me to write about this topic again.
Gewirtz writes in response to the arguments of Molly Sauter, of MIT’s Center for Civic Media. Sauter summarizes her project like this:
In this project I am continuing my work on creating an framework for the ethical analysis of activist DDoS actions. Though distributed denial of service attacks have been used as a tool of digital activism for the past two decades, the past few years has seen an explosion in the popularization of the tactic and a sharp increase in the attention its use attracts from the media and state actors. All this attention has brought with it loud criticism from various stakeholders in the digital space, including other digital activists. However, both the tactic’s critics and defenders seek to declare the tactic as a whole good or bad, without a nuanced understanding of the variety of circumstances and contexts which can render the tactic’s use ethical or unethical. In this paper, I aim to lay down the preliminaries for a framework by which to perform an ethical analysis of activist DDoS actions.[1]
If you want more you can see Sauter describing her position in a talk she gave in December of 2012:
Be sure to stick around for the excellent Q&A session at the end.[2]
The point, as is clear both from the above and from the paper itself, which is well worth a read, is that designations of DDoS actions as being categorically either good or bad fail–largely because such designations are blind to important circumstantial and contextual factors that have direct implications for whether an individual DDoS act is morally acceptable or not. When such considerations are taken into account, of course it turns out that some DDoS attacks (theoretically at least) are morally acceptable while some are not. This, I feel, should be far from shocking.
Philosophically, there are a number of ways one could take issue with Sauter’s analysis without denying that a thoughtful, nuanced approach to the topic is better than a black-or-white approach. One could, for instance, question the legitimacy of eschewing analysis of types of actions in favor of their tokens on Kantian grounds. One could also question Sauter’s analysis along lines familiar to those who work on Just War theory. Unfortunately, Gewirtz doesn’t do any of that. To be fair, however, he’s not a philosopher so it’s uncharitable to hold this against him.
What he does do, and what is problematic in my view, is to deny that a nuanced approach to the moral evaluation of DDoS attacks is thoughtful and appropriate. He opts instead for the black-or-white view, coming down for the position that DDoS attacks are inherently bad. Gewirtz writes:
Without a doubt, there is absolutely no ethical, moral, religious, or righteous justification for a DDoS. Unlike civilized protests, DDoS attacks inflict damage and pain on a very large number of unwilling and unwitting victims, expose them to future infection, theft, and hardship, and result in astonishing financial losses.
There is no room for prevarication. A distributed denial of service attack is criminal and may well be a terrorist attack. There is no high ground here. If you participate in a DDoS attack, you’re either a criminal or a terrorist…and a fool.[3]
The second sentence of the first paragraph above gives Gewirtz’s premise for his strikingly severe conclusion. To his credit, Gewirtz does try to back that premise up. Largely, however, most of his concrete support revolves around the lost revenue and hours of labor attributable to DDoS attacks. To increase the punch of this line he gives an accounting of the lost revenue in terms of the jobs that it might have funded, but it isn’t at all clear that the revenue lost would have been spent that way. To the harmfulness to bystanders of DDoS actions, Gewirtz summons a parade of hypothetical horribles: disabled power grids in winter, hospitals gone dark, etc.. He does not assert that DDoS attacks done under form of protest have actually done any of these things, only that they might, or could do them. That brings me to my first criticism of Gewirtz’s argument. Too much of it is moved by hyperbolic, counterfactual worries about what could or might possibly happen as a result of a DDoS attack.
Before I give my objections to Gewirtz’s argument, I should first say that I’m willing to grant the illegality of DDoS attacks done as protest. That strikes me as a plausible reading of section 1030 (a) (5) of the Computer Fraud and Espionage Act. The CFEA is far from an uncontroversial piece of legislation, but until removed or amended it is the law.
I’m also willing to grant that a DDoS attack that actually and intentionally threatened physical harm to innocents/nonparties to the conflict would be morally wrong. I’m fairly certain that Sauter would too. Her account certainly gives her the resources to make such determinations.
Though I do not claim any special expertise in these matters, I also do not doubt that a DDoS attack could be used as part of a strategy to effect the kinds of harm that Gewirtz suggests in his hypotheticals. DDoS attacks are a tool in the cyberwarfare toolbox. This is plain. That is why they should be studied and scrutinized carefully–in much the way that Sauter and others are already doing.
What I do doubt–and here I begin my objections–is that the potential harm from a DDoS attack is grounds for categorizing all DDoS attacks as automatically or intrsinically immoral. Could a real cyber-terrorist use a DDoS attack to harm people? Certainly. But let us keep this in perspective. After all, until recently the TSA maintained that nail scissors were also potential instruments of terrorist mayhem. Snow globes are still on the list. (Think on this, lovers of kitsch…)
The logical problem with the line of argument that Gewirtz suggests turns on the premise that if a thing or technique can be used violently–and by ‘violently’ Gewirtz means ‘productive of any form of damage whatsoever, from lost revenue to lost lives’–then it is immoral and possibly terrorist.[4] As I’ve hinted above in a somewhat tongue-in-cheek way, this premise is subject to innumerable counter-examples. Are users of ballpoint pens categorically immoral and possibly terrorists because of the hypothetical possibility that a pen can be jammed into someone’s eye? Are wearers of neckties and belts immoral and possibly terrorist because those items of clothing could be used to strangle? Are house painters immoral, and possibly terrorists because their paints contain toxins that would be lethal, if ingested? I could go on but the point should be clear. Gewirtz’s critical premise collapses under the weight of counterexample after counterexample.
Even if it somehow survived the counterexamples, Gewirtz has a consistency problem with his premise. This is shown by the following question: Would Gewirtz support the use of DDoS attack against terrorist organizations, e.g. Jihadi websites or the entities that host & maintain them? I don’t know Gewirtz personally and so cannot claim to know for certain, but a plausible reading of the closing paragraphs of his writing in a post about the Stuxnet virus does make it seem as though he would:
…if Stuxnet is ushering in a new age of modern warfare, we must invest even more in a new age of modern digital defense.
It’s one thing to be able to attack a network of a specific enemy. It’s entirely another to be able to defend our networks against any and all possible attacks by any and all possible enemies.
We clearly have our work cut out for ourselves. Fortunately, America is full of highly innovative professionals and we’re certainly up to the challenge.
I don’t look forward to the day when we’re on the defending end of an attack like Stuxnet, but I do expect that day to come.
It’s our job to make sure we’re prepared. It’s also important for any attackers to think twice before attacking. Like the nuclear race before it, virtual attacks are also subject to a form of MAD (mutually assured destruction). If you attack us, we will attack you back and you will be badly hurt. [5]
If I am right in inferring from the above that Gewirtz would accept DDoS-ing an enemy under at least some scenario, then considerations like the intent behind the attack and the selection of target really do matter morally. So too, then, should considerations familiar to those who work in the just war tradition such as necessity and proportionality. This opens the way for analyses exactly like those Sauter is trying to give. The logic of the arguments here, then, should compel Gewirtz to admit that moral distinctions between different usages of the technique of DDoS attack are rather more than mere “prevarication”.
Okay then, so Gewirtz’s position isn’t internally consistent with his other commitments and is subject to a number of objections. His arguments simply do not show that DDoS attacks, despite their de facto illegality, must be classified as intrinsically evil. His attempt to gainsay Sauter’s far more careful analysis therefore falls apart. But so what? Bad arguments are legion on the internet. Why should we care?
We should care for two reasons. Firstly, because in invoking the specter of terrorism Gewirtz plays fast and loose in some very dangerous rhetorical territory. Secondly, we should care because there is a legitimate issue here about the moral evaluation of civil disobedience in the present political context of the US. I will start with the former.
The word ‘terrorist’ is second only to certain pejoratives used to refer to slaves in the Antebellum American South in the kinds of consequences it can invoke for a person. At the time of this writing it is abundantly clear that this society is willing to do anything to anyone to whom it even potentially affixes this label. Suspected terrorists–even if they are American citizens–are subject to indefinite detention, “enhanced interrogation” and perhaps even extrajudicial killing. I state this as fact. I’m not even going to broach the subject of the moral or political legitimacy of this state of affairs. The point for the purpose of this writing is that being thought a terrorist in this country can get you killed or worse. Let me say this again, so it is abundantly clear: We do not send terrorists to court in the US. We torture them and kill them. To call someone a terrorist is therefore to signal a personal endorsement of their torture, murder, or indefinite disappearance from society. This is not a thing to be done lightly.
This is why I think Gewirtz’s comparison of DDoS attacks of the sort engaged in by Anonymous to the terrorist attacks of September 11 is more than just forgivable internet hyperbole. It is irresponsible. There is a world of moral difference between someone whose only wish in life is to bathe in the blood of his sworn enemy and someone who, however misguided his politics may be, is making a bank’s website inaccessible for a few hours. I’m not saying the latter person is necessarily morally good. I am saying that that person is necessarily on higher moral ground than someone who wants to burn their enemies alive in a cascade of flaming jet fuel. To equate DDoS attacks with such enormity strains the bounds of credulity and good moral sense. To declare for such an equation in a public environment in which few people understand what terms like ‘hacker’ really mean, and in which even fewer understand the technological details involved, is tantamount to tarring digital activism in general with a very tainted and poisonous brush indeed. The result can only be a chilling effect both on public dissent and on independent, creative, innovative computing. I assert that society has a vested interest in both of these things. Of the two though, the former is clearly the more important for a functioning democracy. To encourage the suppression of dissent is to contribute to the toxic political discourse that gave birth to Anonymous in the first place, and that continues to erode the Constitutional rights for which Americans have been fighting and dying for over two-hundred years.
This brings me to my second rhetorical problem with Gewirtz’s argument–its conflation of acts of civil disobedience with immorality and terrorism.
Civil disobedience, almost by its very nature, involves the commission of illegal acts. It is not legal to block the streets with human traffic, to gather a large group of people without a permit, or to block access to places of business with one’s physical person. That said, it isn’t always–and certainly is not automatically or a priori–morally wrong to do so. Sometimes it is the only way to get a hearing. Sometimes, as the bus boycotts and peaceful struggles for racial equality in the 1960’s taught us, it’s morally necessary. Unfortunately, however, it is getting harder than ever to make one’s voice heard.
As I’ve written before, the media environment of the 24 hour news cycle overwhelmingly tends to parse all politics into a narrative of Establishment Left versus Establishment Right, and either ignores, dismisses or demonizes any view that it cannot place in that narrative. The class of political strategists, handlers and consultants operates the same way. This leaves those with political ideas and positions outside of the mainstream with very few viable options: Either offer yourself up to be co-opted by Establishment Left or Establishment Right, or try to operate outside the narrative. One can certainly organize outside of the narrative, but getting one’s authentic voice into the public discourse from that position, in practical terms, means civil disobedience.
Civil disobedience has a number of legally sanctioned forms, e.g. non-violent marches or demonstrations in “free speech zones”, but these forms are losing their efficacy owing to scant media coverage. Indeed, the media only seems interested when these events become violent. When they do it gives the mainstream media a chance to reinforce the dogma that anyone outside of Establishment Left or Establishment Right is a dangerous crackpot. Similarly, it gives everyone online a chance to assert absolutely anything about police behavior and state control, from the plausible to the outrageously conspiratorial. The result for the concerned person trying to figure it all out is a paralyzing Rashomon effect. No one knows what to think. This is where groups like Anonymous come into the picture.
Anonymous announces the targets of their DDoS attacks in various online venues, usually in advance, and states the reason they’re going into action against that target. The typical result is that clients of the targets lose access to their services for a short period. When you think about it, this strategy really isn’t all that different in its effects from the non-violent campus occupations of the 1960s. In both cases, the message is sent via the blocking of access. In the 1960s the blockage was physical. Now it’s digital. The police used to restore access by hauling the protestors away in vans. With DDoS actions, IT professionals restore access by cleaning up the mess. If anything, the DDoS attack represents a positive evolution of the non-violent protest because it is literally impossible for a DDoS attack to devolve into a riot that devours a city block, or a bloody, physical clash between protestors and police. Fewer hats on the ground is not a bad thing.
But that’s not to say that DDoS is a good thing, either. Neither physical protests nor DDoS attacks are very pleasant for those on the receiving end. I’m quite sincere when I say that really have compassion for the people who have to clean it all up, and for those who lose needed services during the attack. I’ve been in the latter role many times myself. That’s kind of the point of such actions though. People pay attention when their routines are disrupted.
It’s hard for most people, under increasing pressure just to make a living, to keep big ideas with low emotional valence–like political philosophies or positions on sentencing reform– in the forefront of their thinking. One way to get their attention is to charge those ideas with high emotional valence–make people angry or scared. Another way is to break into their daily routines with an interruption in the hopes that the gap the interruption causes will be filled by reflection about the reasons that motivate it. Emotional manipulation works more reliably, but trying to cause reflection is maybe just a bit more respectful of persons’ rational autonomy–even if it means the bills go out a day late. Phone calls will have to be made, but at least there will be some proof. High profile hacks tend to make page 8 or so of the paper.
To be honest I’m not quite sure what to think of Anonymous, beyond seeing the phenomenon it represents as one more sign that politics in this country are in unspeakably poor shape. I certainly cannot say that I endorse or even trust them. ( To do that I would need to know more about the world they’re trying to create–right now I just see people raising hell when they get angry.) That said, it seems to me that Anonymous’s tactic of causing disruptions in corporate services via DDoS attacks is of a piece with the rhetorical strategies of civil disobedience. That doesn’t mean that those attacks are always or automatically morally acceptable. I’m not at all sure that they are. Anons can be as wrong as anyone else. The point is that acts of civil disobedience, and DDoS attacks whether or not done under that rubric, need a careful, nuanced moral appraisal. To treat them all as the moral equivalent of terrorism is to refuse to think critically, and to exacerbate the woes of an already deeply troubled political discourse. The only result such carelessness promises is the further strangulation of the American political conversation. Instead, I suggest we take Molly Sauter’s advice. Let’s be more careful.
[1] Molly Sauter, “Towards a New Framework for the Ethical Analysis of Activist DDoS Actions“, at MIT Center for Civic Media, http://civic.mit.edu/blog/msauter/towards-a-new-framework-for-the-ethical-analysis-of-activist-DDoS-actions accessed February 26, 2013.
[2]Per Sauter, one correction to the talk: The EDT was not responsible for the Lufthansa action.
[3]David Gewirtz, “DDoS: Terrorism or legitimate form of protest?” at ZDNet Government, http://www.zdnet.com/ddos-terrorism-or-legitimate-form-of-protest-7000011845/ accessed February 26, 2013.
[4] This was made clear to me by Gewirtz in personal conversation on Twitter, 28 Febuary 2013.
[5] David Gewirtz, “Special Report: Stuxnet may be the Hiroshima of our time”, at ZDNet Government, http://www.zdnet.com/blog/government/special-report-stuxnet-may-be-the-hiroshima-of-our-time/9888, accessed 1 March 2013.
RAIL 
Leave a Reply