In October 2020, a Chinese state-sponsored group known as ‘Red Echo’ allegedly orchestrated a malware attack that caused a two-hour long power outage in Mumbai, India. This possibility, brought to light in February 2021 by an American cybersecurity watchdog, has since been confirmed by Indian state officials. In this article, I will seek to analyze whether the Mumbai cyberattack constitutes a violation of international law by China, and if so, what response options are available to India.
Was the Red Echo Cyberattack Violative of International Law?
In order for a State act to be considered an ‘internationally wrongful act’, it must (i) be attributable to the State; and (ii) breach an international obligation of the State [Art. 2, Articles on State Responsibility 2001 (“ASR”)]. For the purpose of this piece, I shall assume that Red Echo was indeed responsible for the October 2020 cyberattack, and that this action was attributable to China. Hereon, I will restrict my analysis to the second limb of wrongfulness – i.e., whether China breached an international obligation.
It is generally agreed that the laws governing the legality of resorting to force (jus ad bellum) are applicable to cyberspace (see Tallinn Manual 2.0, Rule 1, 4). In this legal framework, Red Echo’s cyber operation may be arguably characterized as a breach of China’s obligation to refrain from the use of force against another State (Art. 2(4), UN Charter). However, there is no settled position on the threshold for an act to amount to a ‘use of force’. Therefore, an assessment must be made on the basis of customary international law and state practice. The UN General Assembly (‘UNGA’) has previously suggested that acts which damage infrastructure critical to providing public services, could amount to a use of force. Similarly, multiple States have asserted that a cyberattack could constitute a use of force, depending on its scale and effect (see Finland, New Zealand, and Australia). The Red Echo cyberattack caused a breakdown of public transport and healthcare in Mumbai, both important public services. Therefore, a cyberattack attributable to China would prima facie constitute a ‘use of force’.
That being said, a mere ‘use of force’ does not in itself entitle the recipient state to use self-defensive force unilaterally (i.e., without a UN Security Council Resolution permitting the same). Instead, a higher standard has to be met for the unilateral use of defensive force – the wrongful act committed must amount to an ‘armed attack’ (Art. 51, UN Charter). An examination of whether the Red Echo cyberattack amounted to an armed attack, or was merely a use of force, is critical in identifying the range of responses available to India in international law.
The threshold for an act to amount to an ‘armed attack’ is considerably higher than for a ‘use of force’. The UNGA has previously referred to military occupation, bombardment, and blockade in its definition of ‘acts of aggression’ (used interchangeably with ‘armed attack’) (Art. 3, UNGA Resolution 3314). Therefore, one approach is that the use of violent means is necessary to meet the armed attack standard. In other words, the lens of analysis used is whether the operation in question involved kinetic force, and not merely the scale and effects of said operation. This mode of analysis has since been adopted by the International Court of Justice (“ICJ”) to assess the occurrence of an armed attack (see Nicaragua v. United States (1986) ¶195, 210-211; Iran v. United States (2003) ¶51-64). In a paradigm where the focus is on the use of violent means and not scale and effects primarily, cyberattacks ipso facto would not constitute armed attacks. It must be cautioned, however, that to date, the ICJ has not had the occasion to discern an armed attack in the absence of kinetic force.
By contrast, another approach posits that cyberattacks can qualitatively amount to armed attacks, depending on the degree of damage they cause. This relies on the ICJ’s interpretation of ‘armed attack’ in the UN Charter to include any considerable use of force, irrespective of the weapons (or broadly, the means) used (Nuclear Weapons Advisory Opinion ¶39). In this vein, the determination of an armed attack would not be contingent on the medium used, but rather the degree of its impact. Arguably, this latter model is the appropriate framework to evaluate armed attacks for the future, due to the increasing emergence of cyberspace as a battleground. Therefore, the laws governing the use of force must also evolve to account for technologies that inflict damage without the means of kinetic force.
In the specific case of the Red Echo cyberattack, I submit that a case can be made for it to constitute an armed attack in the latter paradigm. It has been documented that during the power grid failure in Mumbai, civic hospitals were forced to curtail operations. This would amount to an attack on the medical infrastructure of one of India’s busiest cities during a pandemic, resulting in the deprivation of medical services. By virtue of its scale and effects, I submit that the cyber operation qualifies as an armed attack, rather than a mere use of force. Moreover, instruments in international humanitarian law have also previously recognized the impermissibility of an attack on the medical infrastructure of a State (see Art. 5, 9th Hague Convention). This shows that not only was the cyberattack wrongful in se, but that the resultant targets (hospitals) are also specifically in violation of China’s international obligations. In any case, in the next section, I will outline response options available to India in either paradigm, whether or not the cyberattack amounted to an armed attack.
How may India Lawfully Respond?
A response by leave of the UN Security Council is unlikely to materialize, due to China’s veto power on that body. India can hence rely on unilateral measures more viably. These may be grouped into acts of retorsion, and acts that are themselves internationally wrongful, but may be justified by relying on certain defenses within international law. Retorsion refers to acts that may be unfriendly, but not violative of international law obligations: such as sanctions, or severing diplomatic relations. Thus, they do not require the State involved to provide any defense or justification. As a result, should India use retorsion as a response, whether the Red Echo cyberattack amounted to even a use of force or an armed attack would be immaterial. On the other hand, there exists a range of available alternative responses (such as conducting counter-cyber operations against China) that are, when taken in isolation, wrongful in international law. However, they may potentially be permitted in certain specific circumstances, the applicability of which I shall discuss next.
First, I consider the resort to forcible measures as ‘self-defense’. As discussed previously, the plea of self-defense for a response that is wrongful in international law only arises when the State is responding to an armed attack, and not merely a use of force (Art. 21, ASR; Art. 51, UN Charter). There are two implications of the armed attack threshold here. For one, the responding State may only use non-forcible measures to respond to acts that do not constitute an armed attack. Additionally, should an armed attack occur, the degree of force available as part of the State’s right to self-defense is greater than in case of an ordinary response to a use of force by another State. Therefore, in order to resort to a forcible measure as self-defense, India must demonstrate that the Red Echo cyberattack met the high threshold of an armed attack. Another barrier against adopting this recourse would be the temporal limitation of measures taken in self-defense (see Nicaragua v. United States (1986) ¶237). The offending cyberattack occurred and concluded close to a year ago (at the time of writing), by when any reasonable self-defensive measure would also be time-barred.
Second, the plea of necessity as a defense for an internationally wrongful act is a potential option. A State may justify an act that is internationally wrongful, so long as it was performed out of necessity. Necessity requires that the State be protecting an ‘essential interest’ from a ‘grave and imminent peril’ (Art. 25, ASR). However, necessity as a defense may only be invoked during the existence of the ‘grave and imminent peril’, and not after such circumstances have passed (Hungary v. Slovakia ¶54-57). Once the period of necessity has elapsed, the State must adhere to its international law obligations once again (Art. 27(b), ASR). Therefore, even though India can argue that protecting its healthcare system, transport, and energy infrastructure constitutes an ‘essential interest’, the defense of necessity can no longer be invoked for a response. This is because, irrespective of whether the effects of this cyberattack posed a grave peril, the period of an alleged ‘imminence’ has elapsed since the conclusion of the initial Red Echo cyberattack.
Third, performing a countermeasure against another internationally wrongful act. A countermeasure is a response that would itself be wrongful in international law, but is permissible so long as it is used to induce a State breaching its international obligations to comply with the same (Art. 49, ASR). In the instant case, a countermeasure could involve targeted ‘hack backs’ against China’s own cyber infrastructure that inhibit its capacity to carry out cyberattacks against India again.
However, in any case, countermeasures differ from necessity defenses on a key count. Unlike necessity, countermeasures are only valid against the State guilty of the initial breach of international obligations (Art. 49(4), ASR). They would thus remain impermissible insofar as they breach obligations owed to third-party states. Critically in the cyber context, an attack that compromises China’s cyber infrastructure may also have adverse implications for other Asian economies that are closely integrated with the Chinese infrastructure grid following the Belt and Road Initiative. Therefore, India may find its hands tied should it choose to pursue meaningful countermeasures, due to the potential of breaches against third parties.
The circumstances of the Red Echo cyberattack leave a narrow range of options for India to respond unilaterally. While retorsion as a general response (such as downgrading diplomatic relations) is available, it does not perform the targeted purpose of dissuading future cyberattacks. On the other hand, targeted options such as “hack-backs” that could be justified as countermeasures or necessity may prove controversial, due to the difficulty in satisfying the thresholds to invoke those options. Justifying a response as self-defense may be the most accessible avenue for India to pursue presently, but the characterization of the Red Echo cyber-attack as meeting the armed attack threshold won’t necessarily find purchase with the international community.
Importantly, the political costs and benefits of an adopted course of action cannot be separated from the legal. Any discussion of potential response options such as this must also be contextualized within India’s diplomatic disposition to China, and the limited avenues that it leaves open. The lack of concrete American responses against Russia following repeated cyberoperations during and after the 2016 elections only goes to show that this is a global phenomenon, meriting greater discourse. That being said, these events present an opportunity for India to state on record its position regarding cyberattacks as armed attacks under international law. Such clarifications would inform State practice and thus customary international law, and continue the trend of States outlining their foreign policy re cyberwarfare (see France, Iran).
Aarohi Chaudhuri is a law student at the National Law School of India University, Bengaluru.
Image: Illustration by Aaron Byrd, NY Times, ‘Cyberconflict: Why the Worst Is Yet to Come’ (here) [modified].