Introduction
War is no longer restricted to the idea of men dying on the battlefield by gunshots or artillery, war today encapsulates the essence of technological advancement. This tech-induced war is fought behind computers by targeting critical infrastructure such as nuclear reactors, power supply, public transportation, etc. It is the uncharted front of war. The Tallinn Manual defines cyberattack as a cyber operation which reasonably can be expected to cause injury or death to people or damage or destroy property. It can be offensive and defensive in nature. Critical Infrastructure is defined as physical or virtual systems and assets of a state that are so vital that their incapacitation or destruction may debilitate a state’s security, economy, public health or safety, or the environment.
A single cyberattack can wipe out or steal sensitive data, wreck electricity grids, block water supplies and even impact internal security by compromising a state’s confidential information These cyberattacks can disrupt society at large and can be used as an effective tool to exacerbate an ongoing war or even as standalone instances of terror.
This article discusses the urgent need for dedicated measures to protect civilians by delving into pertinent issues such as what constitutes a cyberattack significant enough to invoke International Humanitarian Law? The issues of state and non-state actors and how to counter disruption in International Cyberspace.
Cyberattacks in International Conflict
Cyberattacks have started to become a norm in international conflict. The FBI chief said in a speech that Chinese cyberattacks have started targeting civilian services including 23 pipeline operators and multiple companies. According to the USA, these attacks were carried out by groups as a response to the USA defending Taiwan’s freedom movement. Other instances of major cyberattacks such as in Israel-Palestine conflict have caused debilitating conditions for civilians in those regions.
The 2016 cyberattacks on Ukraine by Russia, was perhaps one of the most notorious incidents of cyberwar, which ushered the world into an unprecedented warfront. The rise of hacktivist groups has been a key reason for the rise of cyberattacks. Russian hacktivists went berserk on Ukrainian critical infrastructure with the attempt to cut out power supply for months. The Russian-Ukraine war is perhaps at the most advanced stage of cyber warfare where even the ICC is probing to address cyberattacks by Russia as war crimes,since they endanger civilian lives at a large scale by targeting critical infrastructure. The hacktivist groups are now being mobilised by states to carry out cyberattacks as conventional combatants. States are now heavily investing and preparing their own cyber armies.
Despite Cyberattacks having an impact on international conflict, there are no major international laws or treaties to deal with this issue. The international cyberspace is essentially an anarchy zone in most cases, where both state and non-state actors can suffer devastating consequences on critical infrastructure and civilian lives. The various international laws and treaties deal with war that exclude the modern day technological advancement and its interplay with war mechanisms.
Cyberattacks and International Humanitarian Law
International Humanitarian Law (IHL) was conceptualised and implemented in the 20th century with its primary focus on “armed attacks”. The International Committee of the Red Cross (ICRC) did issue its rules on cyberattacks by civilian hackers, however, the rules fail to make necessary definitions to address key issues. For example, the term “armed attack” is not defined in any international law and thus it makes it challenging to incorporate modern advancements in warfare such as cyberattacks on critical infrastructure within the scope of international law as armed attacks are presumed to be kinetic attacks in nature. The incompatibility of the existing IHL, which was created exclusively to deal with conventional warfare, poses uncertainty when it comes to cyberattacks. Hence, we must inquire into the existing legal literature to analyse how they govern cyberattacks.
Article 2(4) of the UN Charter emphasises that all members shall abstain from threatening or using force against the territorial integrity, political independence of any state, or in any way that contradicts the purposes of the United Nations. Articles 39 and 42 of the UN Charter outline only two exceptions to the prohibition on the use of force: actions authorised by the Security Council and acts of self-defence under Article 51. The UN defines aggression as the use of armed force by a state against another state’s sovereignty, territorial integrity, or political independence, or in any other way that is incompatible with the United Nations Charter. According to Jean Pictet, use of force is considered an armed attack if it is of sufficient scope, duration, and intensity.
IHL only applies to cyberattacks conducted during armed conflict. This is an inadequacy in law, given that cyberattacks targeting critical infrastructure are becoming more and more frequent. For example, the stuxnet incident of 2010, in which Iran’s nuclear facility was targeted by a powerful computer worm which led to physical damage of Iran’s nuclear enrichment facility. It is alleged that it was the USA along with Israel who committed the cyberattack for their political motives. If a nation initiates a cyberattack such as Stuxnet then it becomes inconsistent with the Charter of the UN and IHL must be applied.
The Tallinn Manual outlines international law principles for cyberwar in the principle of Lex Leta. Rule 1 defines sovereignty as a state having authority over the cyber infrastructure and cyber operations that are located within its borders. Rule 6 is imperative to consider the liability of non-state actors as it outlines a state is responsible for any cyberattack linked to it that violates international law. This responsibility also extends to any individual, group, or non-state actor acting on behalf of the government. Under Rule 26, countries can employ cyber or physical countermeasures in reaction to international unlawful acts perpetrated by another state. Rule 26 allows for the use of countermeasures based on necessity. When a cyber operation threatens critical infrastructure, a defending state may be able to use necessary provision of self-defence to respond with countermeasures, such as targeting a terrorist group’s network on another state’s cyber infrastructure. The Tallinn Manual offers numerous other rules and provisions that are unprecedented when it comes to cyberwarfare.
The present scenario of international cooperation has also seen some progress at the UN as the draft on Cybercrime Convention was presented in August 2024 which although does not emphasis on the IHL aspect but tries to deal with a broad range of cyber crimes through a collaborative effort. The convention is not in force or legally binding and does not directly address cyberwar itself, it still indicates a road ahead for international cooperation for cyberpeace is possible.
Suggestions For The Way Forward
The new domain of war is uncharted and poised with legal gaps hence we must look into some of the most imperative questions that it raises; First, there is a need to analyse which cyberattacks have the potential to invoke IHL as there is a lack ofstandardised categorisation of cyberattacks. The suggestion would be to assess if the cyber operation carried out would have similar consequences relative to kinetic attack to invoke 2(4) of the UN Charter. For example, in traditional warfare, shutting down a power grid would typically require physical attacks, but the same result can be achieved through a cyberattack. Depending on the intensity of the attack and its effect on civilians, cyberattacks can be categorised as invoking IHL. This perspective helps international law adapt to new technology, focusing more on the impact of the attack rather than the method used to deliver it.
Second, the cyberattacks committed outside the ambit of ongoing armed conflicts beg the question of whether a cyberattack that damages critical infrastructure amounts to an armed conflict? In Dem. Rep. Congo v. Uganda, the International Court of Justice concluded that the scale and duration of an attack constitute suitable parameters to examine in any model analysing a state’s offensive techniques and their consequences. If IHL is to be interpreted in line with its fundamental humanitarian objectives, it logically follows that cyber operations resulting in severe humanitarian consequences or incidents that are inconsistent with UN charter should be regarded as acts of armed force in par with kinetic attacks.
It’s not clear from Article 51 of the U.N. Charter whether a state can use force in response to actions by a non-state actor. This makes it difficult to figure out who is responsible for cyberattacks when non-state actors are involved. Since non-state actors involved in cyberattacks are not directly responsible under international law, dealing with these kinds of cyber threats is challenging within the framework of IHL. States have been exercising their hacktivists as conventional combatants and such can be inferred from the cyber war between Russia and Ukraine where both sides have engaged in cyberattacks. The liability of these hacktivists in international conflict remains uncertain as there are no international laws to deal with them. The suggestion here would be to have UN Cyber Peacekeeping missions.
Cyber Peacekeepers can combat large-scale cyberattacks in instances when states do not have the capacity to directly counter cyberattacks due to the absence of legal frameworks or due to a state’s inferior digital infrastructure. Cyber peacekeepers can step in to offer support to ensure cyberattacks do not escalate at an alarming rate while efficiently deterring cyberattacks that endanger civilian safety. These tools have the ability to reduce violence between governments and other parties, and prevent cyberwars from escalating.
To operationalize such missions, a framework would need to be developed addressing their missions, funding, and legal authority. International cooperation and collaboration between states, intergovernmental organizations, and private entities would be essential. Funding could be sourced through international organization model of the U.N while operational guidelines would ensure compliance with IHL.
Article 54 of the cybercrime convention deals with technical assistance which essentially mandates states to assist each other in certain circumstances. The enforcement of the cybercrime convention should be extended as an example to prompt the Department of Peace Operation (DPO) to form cyber peacekeeping missions under Article 54 of the convention or adopt a new framework specifically dealing with cyber peacekeeping.
Modus operandi of the cyber peacekeeping shall be similar in nature to the existing missions such as the funding shall be under Article 17 of the UN charter that mandates states to pay designated monetary shares and in certain cases, cyber peacekeepers can be paid by their respective nations as well. International cooperation can further be increased if the cyber peacekeeping missions are regulated by the UN Security Council (UNSC) under chapter VII of the United Nations Charter which powers UNSC to maintain peace and security in regions which are prone to cyberattacks and require international assistance.
The primary operational guidelines shall be firstly, to provide cybersecurity to critical infrastructure, secondly to trace and identify cyber criminals and thirdly to train the local personnel to be equipped to defend their sovereign cyberspace. These operational guidelines ensure that the functioning of the cyber peacekeeping missions are productive in nature.
Conclusion
Advancements in warfare may signal the prospect of large-scale cyberwars. However, cyber peace is feasible. Expanding the UN’s architecture into cyberspace remains achievable. The member states merely require to give authorization, guidance, resources, experience, and political support. This can be done while preserving cyberspace as an accessible and unregulated environment, a valuable resource for humanity.
To align cyberattacks with international humanitarian law (IHL), they should be evaluated based on their impact rather than delivery method. Cyber operations with effects comparable to kinetic attacks such as shutting down a power grid should invoke IHL if they harm civilians, per Article 2(4) of the UN Charter. Cyberattacks causing severe humanitarian consequences should be treated as acts of armed force. Furthermore, addressing non-state actors’ liability in cyber warfare, as seen in the Russia-Ukraine conflict, requires clarity. A potential solution is UN Cyber Peacekeeping missions to prevent escalations and protect civilians from large-scale cyberattacks.
Vishwaroop Chatterjee is an undergraduate law student at Rajiv Gandhi National University of Law, Punjab.
Picture Credit: Freepik
Jindal Forum for International and Economic Laws 