Cyber Warfare and International Law: Overcoming Modern Challenges

Introduction

Cyber war has evolved at a breathtaking pace into one of the gravest national security challenges of the 21st century. Unlike traditional warfare, cyberattacks can cause devastating disruption without physical devastation, to critical infrastructure, to sensitive data and to destabilize economies. Cyberspace’s anonymity, in combination with its directness and the lack of borders and thermodynamic consequences, are most serious legal challenges namely the question of jurisdiction, of attribution, of responsibility, and potential liability, which are architectural features of cyberspace. The article discusses the applicability of current international legal regimes to cyber war, identifies the regulatory loopholes, and suggests remedies to combat the new dangers of cyber war.

Defining Cyber Warfare

Cyber war refers to politically or state-backed cyber attacks against computer systems whose purpose is to inflict damage, disrupt systems, or eavesdrop. The most common forms of cyber warfare are:

• Cyber Espionage: Illegitimate access to governmental or corporate data for the purpose of stealing confidential information. A good example of this would be the SolarWinds hack (2020) where a Russian group was behind the compromise of various U.S. government agencies due to vulnerabilities in the SolarWinds software.[1]
• Attacks on Critical Infrastructure: Super-disruptive cyberattacks on crucial services, including electricity grids, financial networks, or health networks. A good example is the NotPetya attack of 2017, where a Russian cyberattack on the infrastructure of Ukraine spread around the globe and hit companies worldwide.[2]
• Disinformation Campaigns: Deployment of cyber technology in disseminating false or deceptive information in order to affect elections or public opinion. Perhaps the most widely reported example is the alleged Russian interference in the 2016 United States presidential election.[3]

All cyber wars are defined by their ability to cause immense political, economic, and social harm but no greater than conventional physical violence.

International Law and Cyber Warfare: Applicable Frameworks

1. The United Nations Charter and the Use of Force (Article 2(4))[4]
   However, whether such prohibition can be made applicable to cyber warfare is doubtful. Tallinn Manual 2.0, an expert non-binding study, holds the opinion that cyber operations which cause physical damage or casualties can be construed as “armed attacks” under the UN Charter’s Article 51[5], on the basis of which the right of self-defence is authorized in the case of an armed attack. Thus, cyberattacks causing extensive destruction of infrastructure or casualties can invoke the right of self-defence of a state.

However, mere cyber activities at such a level as data stealing or spying will not equate to an armed attack hence creating a legal loophole. It would be hard for the member states in the UN Charter to determine their right to self-defense since such attacks are of a character that precludes us from identifying the physical effects.

2. International Humanitarian Law (IHL) and the Geneva Conventions
   International Humanitarian Law (IHL), which provides guidelines for the conduct of warfare, covers cyber warfare only if it is done through cyberattacks. IHL consists of basic principles, which apply to cyber war, such as:

• Principle of Distinction: Cyberattacks must be able to differentiate between civilian and military targets. Cyberattacks on civilian infrastructure, including hospitals or water supply systems, are forbidden under IHL.
• Principle of Proportionality: Damage resulting from a cyberattack should not be more than the military advantage. In case of civilian damage or disproportionate damage resulting from a cyberattack on the incapacitation of a military target, this would amount to a breach of IHL.

But still, applying IHL in the cyber world is problematic. The anonymity and sophisticated approach of cyberattacks makes it difficult to attribute them to specific states or institutions. Also, collateral damage in a cyberwar is hard to evaluate because its impact on civilians, if there is one, will show up after some time.

3. The Budapest Convention on Cybercrime (2001)[6]
   Since 2004, the Budapest Convention on Cyber Crime has been the sole legally binding treaty focusing on cyber crime. The conventional pays more attention to issues of cyber crime, such as hacking or Internet fraud, than to cyber warfare perpetrated by nations.

Moreover, the Budapest Convention has only gained limited international support. Significantly, key cyber actors such as China and Russia are not parties to it, which deprives the accord of universality. Such limited support confines it from being able to regulate state-sponsored cyber warfare and is used to emphasize the imperative for an open-ended international accord to regulate cyber warfare.

Major Challenges in Managing Cyber Warfare

1. Attribution Problems
   The biggest challenge of managing cyber warfare is the matter of defining the attacking entity and source of cyberattacks. Cyberattacks originate from a number of countries, and hence the attacking source and attacking entity are unclear, making it difficult to identify the attacking party state or entity. The Sony Pictures compromise in 2014 is one case where North Korea was blamed right away, but thorough forensics work determined that there was some North Korean involvement.[7]

Usually, the method of attribution is complex in nature as there is anonymity regarding who attacks and the usage of proxy or virtual private networks to disguise their location. These create problems for states trying to maintain appropriate responses under international law, particularly with self-defense violence, retaliation policies, or almost any military action against the offending state.

2. No Consensus on Definitions
   A second underlying subproblem is the absence of state consensus regarding what would be a “cyber act of war.” Disagreements on the threshold of cyber warfare, i.e., the definition of what is a cyberattack and the criteria to use in determining whether it would be an act of war, create legal ambiguity and complicate collective international action.

Others characterize cyberattacks that cause physical harm or disruption of infrastructure as acts of war, others whose purpose the attack was perpetrated under, and others the impact on state sovereignty. This variation leads to disproportionate state reactions and does not provide for the development of certain, global standards for reacting to cyber warfare.

3. Restricted Enforcement Mechanisms[8]
   Unlike conventional war for which there exists international law with enforcement authority, there is no international consensus with enforcement authority to regulate cyber war. The UN Group of Governmental Experts (UNGGE) has established norms of responsible state behavior in cyberspace but are not legally binding.

Lacking an effective system of enforcement, there is little hope of enforcing international law or states’ duty to obey international law or holding states accountable for conducting cyberattacks. Without legal sanctions against state-sponsored cyber war, state aggressors can conduct cyberattacks with impunity, without fear of reprisal or facing a court of law.

4. Asymmetric Cyber Capabilities
   The second is the presence of asymmetric cyber capabilities. While great powers possess enormous cyber resources, terrorists, hackers, and small powers can also conduct sophisticated cyberattacks. This makes it a case where the magnitude of available cyberattacks does not necessarily align with the power or size of the attacking power. Small countries or groups with limited resources can also inflict significant damage through the cyber space, evading conventional deterrence measures employed in conventional warfare.

This difference makes it tougher to have legal and strategic response to cyber war because international law will tend towards a state-centered view of war, and that may not be sufficient to address the non-state threat.

Conclusion

Cyber war poses a new and dynamic challenge to international law. The UN Charter, IHL, and Budapest Convention have some provisions, but they are insufficient in dealing with the complexity of cyberattacks. Attribution challenges, inconsistency of approach to definition, absence of enforcement capacity, and emergence of asymmetric threats also contribute to rule complexity. To be really able to solve these issues, the world should work better together, give stricter and clearer laws, be stronger in the attribution of cyber operations, and have extended enforcement powers. A comprehensive global cyber warfare treaty to specifically remove the aforementioned shortcomings and to secure and regulate that cyberspace for the benefit of all states would be a fantastic platform for such initiatives to be taken.

References

[1] Schmitt MN (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2nd edn, Cambridge University Press 2017).

[2] Convention on Cybercrime (Council of Europe Treaty Series No 185, opened for signature 23 November 2001, entered into force 1 July 2004).

[3]  Foreign & Commonwealth Office, UK attributes NotPetya cyber attack to Russian military (Press Release, 14 February 2018) .

[4] NATO, Wales Summit Declaration (5 September 2014).

[5] Ibid.

[6] UN General Assembly, Report of the Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace in the Context of International Security (19 July 2021) A/76/135 

[7] US Department of Justice, Report On The Investigation Into Russian Interference In The 2016 Presidential Election (March 2019) vol I 

[8] Indictment of Russian Intelligence Officers (US District Court for the Western District of Pennsylvania 2018) Case No. 1:18-cr-00215