Introduction

With the advancement of technology, relatively more complex methods of warfare are developing and spreading around the world. Cyber warfare and artificial intelligence are being blatantly used in international conflicts without any regulation. Cyberattacks saw an increase of 440 per cent between 2009 and 2018. While the use of cyber weapons purportedly started with the deployment of Stuxnet (2007) in Iran’s nuclear facilities, recent instances of the Russia-Ukraine war have brought the matter of cybersecurity to the fore of international law and security. Experts have been analyzing international law and trying to apply existing principles of international law that govern international conflicts in the context of cyber warfare. This international law governing conflicts is majorly classified into two parts – jus ad bellum (laws governing the commencement of war) and jus in bello (laws governing the conduct of parties in a war). Most nations agree with the applicability of international law in cyberspace while a few countries like Iran, China, Russia, and Cuba raise objections against it. They hold that such an application will lead to unnecessary militarization of cyberspace.

This two-part blog post aims to focus on assessing the applicability of international laws in protecting the interests of civilians in cyber warfare during international armed conflicts regardless of party affiliation, therefore it shall solely focus on jus in bello, also referred to as International Humanitarian Law (‘IHL’ for short). While these laws were framed to protect the civilians of countries engaged in ‘international and non-international armed conflicts’, the scope of this post is limited to international armed conflicts only. The assessment of this applicability is analyzed in reference to Tallinn Manual 2.0 (2017) which has been prepared by an international group of experts, led by Professor Michael Schmitt of the Naval War College, which was constituted by NATO’s Cooperative Cyber Defence Centre of Excellence (‘CCDCOE’ for short). Tallinn Manual 2.0 is a set of one hundred and fifty-four non-binding rules interpreting international law in the context of cyber warfare. Also, the findings of the International Committee of the Red Cross (ICRC) and the final reports prepared by the UN Group of Governmental Experts (GGE) 2021 and the UN Open Ended Working Group (OEWG) 2021 will be referred to for analysis in this post. 

In this part of the post, I shall analyse the applicability of IHL in cyberspace by following a factor-based approach. The factors required for application of IHL i.e., – an ‘armed conflict’, ‘sovereign territory’ and a ‘sovereign attacker’ (in case of international armed conflicts) – will be analysed with respect to their general understanding. This part shall argue there is inadequacy in the existing interpretation of IHL (hereinafter “existing IHL”) given by Tallinn Manual 2.0 and other reports for the regulation of cyber warfare. The second part of this post employs an impact-based approach for highlighting the insufficiency of IHL in preventing the unpredictable results of the cyberattacks. The second part would state the instances of the use of cyber warfare in the Russia-Ukraine War to substantiate the inadequacy in existing IHL in regulating cyber warfare. It shall also highlight the need of proper regulation of cyber warfare by enumerating the possible damages caused by it. This would refute the claims of the countries opposing the applicability of international law in cyberspace. The second part finally suggests some possible solutions to conclude thereof. 

Inadequacy in Existing Interpretation of IHL: In the Context of Cyber Warfare

The inapplicability of IHL terminology and concepts to cyber warfare

IHL or jus in bello is broadly laid down in the 1949 Geneva Conventions and their Additional Protocols of 1977 and 2005 along with some rules of customary international law. The experts have a consensus that cyber warfare occurring in an ‘international armed conflict’ will be regulated by IHL like any other new means of warfare. The ICRC Report 2020, the UN GGE reports, UN General Assembly resolutions on cyberlaw and final UN OEWG 2021 report affirm this consensus by endorsing the applicability of international law including the UN Charter to cyber warfare. However, the application of IHL to cyber warfare is complex and unclear due to the lack of a common lexicon and understanding of cyber operations in international law. This lack of understanding renders IHL inapplicable to various cyberattacks that may have a detrimental impact on civilians. There is an absence of a framework for classifying these cyberattacks as ‘international armed conflicts’ and there is uncertainty in the attribution of cyberattacks to the State/States. As per the present understanding, IHL applies during ‘international armed conflict’ that occurs when State/States employ the use of ‘armed forces’ to ‘attack’ or ‘interfere’ in the ‘territory’ of another State/States. Hence for the application of IHL – 1) the cyberattacks should fall within armed conflict under international law, 2) existence of criteria specifying the degree of cyber operations for it to be considered an ‘interference’ under, IHL, 3) a demarcation of sovereign territory must exist in cyberspace in order to establish that the attack was in the territory of another State/States and 4) the perpetrator of cyberattacks should be State or its agencies and not Cyber Non-State Actors (CNSA) as they would not come under armed forces employed by the State/States.

Presence of an ‘Armed Conflict’

As per Tallinn Manual 2.0, for the international law of war to apply the condition precedent is the presence of an armed conflict (Rule 80(2)). The manual further states that armed conflict is widely construed in the sense to include those instances of hostilities where cyberattacks are employed. Furthermore, it illustrates that cyberattacks on Estonia in 2007 that caused damage of $1 million were not regulated by IHL because they failed to rise to the ‘level of an armed conflict’ (Rule 80(3)). On the other hand, cyberattacks conducted in 2008 between Georgia and Russia were regulated by IHL because they were conducted in ‘furtherance of those conflicts’ (Rule 80(3)). Drawing from this position of experts stated in the manual, it will be challenging to regulate a cyberattack under IHL occurring outside an existing international armed conflict (Here, existing armed conflict is referred to the armed conflict between kinetic armed forces such as the war between Russia and Georgia in 2008) as there is no fixed parameter to determine which cyberattack rises to the ‘level of an armed conflict’ or can be considered an ‘attack’ or ‘interference’. ICRC Report says that those cyberattacks which are capable of causing ‘death, injury or physical damage’ or ‘disrupt essential services’ shall fall under ‘attack’ in IHL and be treated as ‘interference’. This assertion of the report fails to consider the complexity of cyberattacks where it is possible that the effects of cyberattacks may not materialize in a short period. The experts in another ICRC Report have agreed that cyberattacks may have lingering long-term civilian harm that exceeds the harm discernible during the attack. For instance, a cyberattack launched can impact the economic trajectory of a country. Hence, cyberattacks cannot be weighed on the parameter of immediate consequences such as ‘death, injury or physical damage’ or ‘disrupt essential services’ unlike warfare with kinetic armed forces where the damage is discernible in a relatively shorter period of time. Consequently, the suggestion about applying a parameter that is applied in attacks by kinetic forces is insufficient for assessing cyberattacks. The assessment of causal-impact of any cyberattack shall be done by experts capable of assessing the long-term impacts of cyberattacks on the basis of precedents and experiment drills. 

‘Sovereign Territory’ in Cyberspace

Another gray area pertains to the demarcation of a ‘sovereign territory’ which should be ‘attacked’ or ‘interfered’ in order to bring cyberattack under the regulation of IHL. The UN GGE 2021 states that nations have sovereignty over ‘ICT (information and communications technologies) infrastructure located within their territory’ (See Para 71(b)). However, cyberspace is an interconnected and fluid dimension where computer networks of different nations exist. It is possible that the cyberspace of nation A extends or overlaps with the cyberspace of nation B. The ICRC Report has acknowledged that several smaller nations depend upon the cyberspaces of other nations for their operations. This renders the demarcation of cyberspace into sovereign territories unclear. The experts in the manual suggest that ‘effects doctrine’ should be applied for determining in which ‘sovereign territory’ the cyberattack concluded (Rule 9(10) states, “the ‘effects doctrine’ deals with acts, including cyber operations, that do not originate, conclude, or materially take place in the State in question, but have effects therein). However, the manual adds that the doctrine is ‘not fully settled’ and ‘controversial’ (Rule 9(13)). Therefore, it is possible that amidst two warring countries a third nation may suffer damages due to cyberattacks on the warring nation’s cyberspace. The IHL would fail to regulate these cyberattacks on the third nation as there would be no clarity on whether the attacks or interference occurred in their ‘sovereign territory’ or not. The interconnectedness of cyberspace may also cause the unintended spread of cyberattacks on other nations’ cyberspace. Such an instance has occurred in the past where the third nations have suffered from a cyberattack intended to target a single nation. Stuxnet malware launched by the USA spread globally in several nations while it was supposed to target an air-gapped system only in Iran. Such a leak of a cyberattack on other nations may not drag them into ‘international armed conflict’ due to the ‘level’ requirement despite the damage suffered by civilians of those nations. Therefore, the existing IHL has no settled position as to what concluded effects constitute an attack or interference in a State’s sovereign territory. 

Anonymity of the cyber-attacker

The interconnectedness in cyberspace can further create complexities in attributing liability for a cyberattack to a nation. For the application of IHL in ‘international armed conflict’, it is necessary that there is an armed conflict between two or more States. However, a State may evade liability for a cyberattack originating from its geographical territory on the following grounds – first, there is no clear demarcation of territories in cyberspace, so nations have no established sovereignty over cyberspace; second, some other country may launch attacks from a nation’s territory without its knowledge; or third, the State may claim that the cyberattacks have been launched by Cyber Non-State Actors (CNSA). The manual states that cyberattacks of non-state groups can be attributed to a State only if the State exercised sufficient control over the attacking group and directed the attack towards the cyber targets (Rule 82(2)). However, this controlling test is insufficient as practically it is difficult to establish that the State is a controlling actor for a CNSA (Rule 82(2)). UN GGE 2021 Report also noted that for attributing a cyberattack to a nation, it should not merely originate from its territory but also the accusations of cyberattacks should be substantiated. The availability of evidence to support the accusations may lack in cyberspace due to its interconnectedness and opacity. In some cases, nations deliberately orchestrate the attacks through CNSA to avoid the liability that would accrue under Article 4 of the International Law Commission Articles on State Responsibility for Internationally Wrongful Acts to the government for the attack. Therefore, IHL will not be able to regulate those cyberattacks which may be launched by a State but international law fails to attribute it to the State or its State-controlled agencies. 

Even if it is clear that cyberattacks are being carried out by official state agencies and there is an international armed conflict, the application of existing IHL in such cyberwarfare may jeopardize civilian safety. According to Article 51(3) of Additional Protocol I of Geneva Conventions, a civilian loses the general immunity from attacks in an armed conflict given by Article 51(1) if he/she directly participates in hostilities. In several instances, civilian cyber operators from private sectors are used by the nations for launching cyberattacks. The protection given to civilians ends once they become part of the cyber forces of the State (Rule 96). In such cases, these civilian cyber operators may also lose protection against their personal civilian cyber infrastructure. The experts have warned the nations over the blurring of military and civilian roles in cyber-warfare and the consequences thereof. Once a civilian cyber infrastructure loses immunity against the attacks, the cyberattacks from the enemy may cause indiscriminate harm to several interconnected civilian systems. 

Conclusion

Therefore, the factors acting as pre-condition for application of IHL in international armed conflicts fail to cover the particularities of cyberspace. The suggestions given under Tallinn Manual 2.0 and other reports for applying the IHL to the cyberattacks in international armed conflict need reconsideration. In Part II of this post, the impact-based analysis will be presented along with the discussion of Russia-Ukraine war in order to highlight the exigency of developing a separate framework for regulating cyberattacks in international armed conflicts. 

You can read Part II here.

---

Smriti Jaiswal is a second year law school student at National Law School of India University, Bangalore.  

---

Image Credits: Shutterstock