International Humanitarian Law: Is Cyber Warfare Fair? [Part II]

Introduction

In the previous part of this post, a factor-based analysis was presented that showed the insufficiency of IHL in regulating cyberattacks in international armed conflicts. It showed how the general understanding of ‘armed conflict’ and ‘sovereign territory’ under the existing IHL fails to cover the particularities of cyberspace. The main argument advanced in Part I is that the factors required as a precondition for the IHL to be applicable in any international armed conflict cannot have the same meaning as under conventional international armed conflict. Therefore, the suggestions given under Tallinn Manual 2.0 and other expert reports about applying the existing IHL to cyberattacks in international armed conflict need reconsideration. 

In this part of the post, an impact-based analysis to highlight the inadequacy of IHL in regulating cyberattacks in international armed conflicts will be presented. The war between Russia and Ukraine will be discussed in order to show the exigency of developing a framework for regulating cyberattacks in international armed conflicts. Finally, the post will conclude with some suggestions advanced by the author. 

Unpredictable Impacts of Cyber Attacks

Article 51(4)(b) and (c) prohibit indiscriminate attacks that can be ‘anticipated’ to cause harm to non-targeted civilians without any distinction from military forces or infrastructure. However, in the case of cyberattacks, it can be unclear which attack can cause indiscriminate harm, for the following reasons: the difference in computer security available in military cyberspace and civilian cyberspace, the interconnectedness of cyberspace, and the inexperience of armed forces in conducting such operations. Generally, the protection available in civilian cyberspace is weaker than in military cyberspace. Military cyberspace may have geo-fencing, system fencing or kill switches to guard against enemy attacks, which civilian cyberspace lacks. Therefore, a cyberattack by an enemy that is designed for military purposes may have unpredictable consequences for civilian infrastructure.

The interconnected network of civilian cyberspace can cause a cyberattack to spread, with resulting harm to the civilians protected under IHL. Experts have flagged the concern regarding the absence of experience in launching cyberattacks. There are no tried and tested doctrines for determining the effect of a cyberattack, which makes the effect of an attack unpredictable. Hence, the provisions of existing IHL may not be able to protect civilians from cyberattacks in an international armed conflict due to the unpredictability of the effects of cyber operations.

Cyberattacks in Russia-Ukraine War and Need for Regulation

The Russia-Ukraine war shows that the above-highlighted inadequacy in existing IHL is not merely theoretical in nature but has implications in a real-world scenario. Cyberattacks on Ukraine started in 2014 after the armed conflict with Russia took place in the Donbas region. In 2015 and 2016, power grids in Western Ukraine and Kyiv, respectively, were targeted, which resulted in electric blackouts for hundreds of thousands of civilians. In 2017, the destructive, self-disseminating NotPetya malware was released on hundreds of organizations in Ukraine and consequently spread across the globe, causing unprecedented damage of $10 billion. In March 2022, a case was filed in the International Criminal Court against Sandworm, the hacker group alleged to have launched these cyberattacks, for violating IHL, i.e., committing war crimes. Lawyers and human rights activists from the Human Rights Center at UC Berkeley’s School of Law filed the case, requesting the ICC to expand the scope of war crimes to include the violation of IHL by cyberattacks affecting civilians. This is the first instance where a case against cyberattacks has been filed under IHL, and it will serve as a deterrent in the future if Sandworm is convicted. However, the conviction will be full of challenges due to the lack of clarity in the application of IHL to cyberattacks.

Firstly, due to the absence of any existing international armed conflict, the prosecutors will have to prove that the cyberattacks gave rise to an international armed conflict. Secondly, after establishing that the cyberattacks rose to the ‘level’ of an armed conflict, it has to be proved that Sandworm is a State or State-sponsored agency. It has been alleged globally that Sandworm is controlled by Russia’s military intelligence agency, the GRU, but there is no conclusive evidence of the same. Thirdly, it has to be proved that the attacked targets were not military targets and that indiscriminate harm has been caused to civilians. As power grids can be used for military and civilian purposes simultaneously, the blurred lines between military and civilian targets will have to be demarcated. The foreseeability of indiscriminate harm will have to be established in cyberattacks like NotPetya, where the global spread of the malware could have been unintentional and unpredictable. The decision of the ICC will give crucial insights into the applicability of IHL to cyberattacks, especially in the context of the ongoing Russia-Ukraine conflict that began with the Russian invasion in February 2022.

Around 400 cyberattacks on civilians have been launched in Ukraine since the international armed conflict with Russia began. An instance has been reported where a Brazilian hacker group, supporting Russia, launched cyberattacks on Ukrainian universities. In another cyberattack, on Viasat, a U.S. broadband company, the disruption of services affected not only Ukrainian civilians but also other European countries. European hospitals in the countries supporting Ukraine were targeted by another pro-Russian hacker group. Notwithstanding that these attacks are in furtherance of an existing armed conflict, the IHL cannot be applied to protect civilians in an ‘international armed conflict’ from such cyberattacks unless Russian control over the hacker groups is proved. The experts in the ICRC Report expressed concern about the impact of such cyberattacks targeting civilian infrastructure (hospitals, power grids, nuclear facilities, etc.), stating that the resulting immediate and long-term harm can be immense. For instance, a hacker group called Predatory Sparrow, whose affiliation to any State is not confirmed, launched a cyberattack that started a fire in a steel factory in Iran in July 2022. Even when civilian facilities are not direct targets, significant collateral damage can be caused by the inadvertent spread of the attack.

The claim of countries arguing for the non-regulation of cyber warfare can be refuted on the basis of the harm that cyberattacks can inflict on civilians. Cyber warfare is capable of causing disproportionate harm to civilians, which can be mitigated if cyberattacks are regulated by IHL. The interpretation of IHL as per Tallinn Manual 2.0 prohibits those cyberattacks which would cause excessive harm to civilians or civilian objects (Rule 113), requires constant care to be taken for sparing the civilians and civilian objects in a cyberattack (Rule 114), requires verification of the targets of a cyberattack as non-civilian and non-protected (Rule 115), requires a choice of loss-minimizing cyberattack (Rule 116) and requires other precautions to be taken before launching a cyberattack (Rules 117 – 120).

Nations can abide by these rules for protecting civilians in an international armed conflict by conducting drill operations to assess the impact of a cyberattack and launching it only after proper analysis of the results. However, nations are likely to follow these rules only when they are held accountable under IHL. Therefore, the rules stated in Tallinn Manual 2.0 will not become effective unless a framework emerging from a common lexicon and understanding for the inclusion of cyberattacks in IHL is developed. The UN GGE Report 2021 recommended “adhering to a common framework of responsible State behavior in the use of ICTs in the context of international security.” The experts in the ICRC Report, UN GGE Report and UN OEWG Report endorsed the view that nations need to engage in discourse for further understanding of international law in the context of cyber warfare. Nations’ use of cyberattacks is likely to increase owing to the lower cost of building a capacity for waging cyber war in comparison to a conventional war. Therefore, there is an imminent need to regulate cyberattacks in international armed conflicts.

Conclusion 

Cyber warfare is emerging in international armed conflicts as a means of waging war against other nations. There is a need for regulation of these cyberattacks under International Humanitarian Law to prevent harm to civilians. The existing interpretation of IHL for regulation of cyber warfare offered by several experts in Tallinn Manual 2.0 and the other referred ICRC and UN reports is inadequate. The article has shown that this inadequacy results from the absence of a common lexicon and understanding of IHL’s application to cyber warfare, and from the complexity of cyberattacks, in the form of interconnected cyberspace and the effects of cyberattacks, which makes them different from attacks by kinetic forces. Instances of cyberattacks in the Russia-Ukraine conflict show the implications of the identified inadequacy and the challenges in applying the IHL to cyberattacks as per the existing interpretation. Due to these inadequacies, there is an absence of accountability on nations to regulate cyberattacks, which renders the rules of civilian safety in IHL, as interpreted by Tallinn Manual 2.0, non-functional. Nations need to develop a common framework through discussion for formulating an interpretation of IHL that takes into account the difference between cyberattacks and attacks by kinetic forces. The regulation of cyberattacks in international armed conflicts cannot be ignored given the increase in the use of cyberattacks by nations.


Smriti Jaiswal is a second-year law school student at National Law School of India University, Bangalore.

