Law of war in a digital age or when is a cyberattack a war crime?
The damage caused by cyberattacks in the war in Ukraine pales in comparison with the atrocities of the fighting on the ground. But that does not mean it is not happening, or that civilians are spared.
On February 24, the day Russia launched its invasion of Ukraine, a cyberattack targeting the KA-SAT satellite internet service disrupted Ukraine’s military communications. The attack, which United States officials attributed to Russia’s military spy agency, spread further than Ukraine’s borders. It left tens of thousands of people across Europe, from France to Ukraine, without internet access. Some 2,000 wind turbines in Germany remained offline a month after the attack.
A day later, a border control station between Ukraine and Romania was hit by data-wiping malware – malicious software – that slowed the processing of refugees seeking to flee the country. The authors of that attack remain unknown.
These are two of the 35 significant cyberattacks against critical and civilian infrastructure in Ukraine that the CyberPeace Institute, a Geneva-based NGO, has recorded on its website since the start of the war. Bruno Halopeau, the organisation’s chief technology officer and head of cyber analysis, says that although most of the attacks targeted military objectives, public institutions, and the media, civilians were – intentionally or not – affected too.
Attacks against civilians may under international humanitarian law (IHL) amount to war crimes.
“We monitor the situation and collect evidence so that if at some point there is an investigation, we are in a position to provide evidence of what happened,” says Halopeau. On its website, the NGO lists and describes the cyberattacks, the societal harm they caused, and details about their attribution.
“What we publish on our website is a fraction of the information we have,” says Halopeau. That information, he says, is available for potential future legal proceedings. The CyberPeace Institute also collects this evidence to assess whether countries respect the international treaties they signed, and to identify gaps in the law.
Law of war in a digital age
International humanitarian law – also known as the law of war – imposes limits on the conduct of hostilities and seeks to protect civilians, medical personnel, wounded soldiers, and prisoners of war.
Directly targeting civilians is prohibited. Using weapons whose effects cannot be limited to military objectives is too. In the physical world, that means, for example, not targeting a hospital, or not shelling densely populated areas. But in the digital world, things get more complicated.
Halopeau says it is very difficult to design malware that only affects specific systems and not a wide range of them. The KA-SAT internet service hack illustrates this.
The current war between Russia and Ukraine, which has spilled into cyberspace, is also blurring the line between civilians and soldiers.
On February 26, the government of Ukraine called on amateur hackers of the world to join its “IT army” and launch attacks against Russian objectives. Anonymous, a global hacker collective, declared on the first day of the war that it was engaging in a cyberwar against Moscow.
Halopeau doubts many cyber warriors are aware of what their participation in the conflict implies under IHL.
“By taking an active part in this conflict, they may unknowingly lose their legal protection as civilians and be treated as combatants. They are subject to retaliation from the state they attack and are subject to potential prosecution after the war,” he says.
Guardian of international humanitarian law
As the guardian of IHL, the International Committee of the Red Cross (ICRC) pays close attention to the latest developments on the battlefield, engages confidentially with states to remind them of the existing rules, and gauges whether the law needs to be changed.
“We see a reality in which cyber operations become more frequent in armed conflicts,” says Tilman Rodenhäuser, a legal advisor at the ICRC. “And one of the key roles of the ICRC is to emphasise the potential human cost of such operations, the potential cost to civilians.”
IHL was established in a world in which cyberattacks did not yet exist. So are its rules still fit for purpose today?
“We cannot aim for new rules of armed conflict with every technological development that we see,” answers Rodenhäuser.
But aspects of the law remain open to interpretation. One of the oldest rules of IHL is the protection of civilian objects. For many years, civilian data – understood, for example, as confidential documents held in physical archives – could not legally be damaged or destroyed. But what does the law say if the same data is stored digitally?
“The protection of data is not explicitly addressed by the rules of international humanitarian law,” says Rodenhäuser, who adds that legal experts and states have diverging views on how IHL applies in this case.
For the ICRC, it is important that states interpret the existing law in a way that civilians and civilian infrastructure enjoy the same level of protection they did in the past. And that cyber weapons are subject to the same limits as traditional means of warfare.
“If states came forward and said: no actually, data is fair game, and data can be damaged and deleted in armed conflicts without legal consequences, then that would be a real humanitarian concern, and we would have to think about new rules,” Rodenhäuser says.
But new rules of international law have to be negotiated by states. Once a treaty exists, it must be signed and ratified – a long and complicated process, especially given that the current rules of IHL bind virtually all states.
“It is key that these agreed rules are also respected with regard to cyber operations because the vast majority of what we see as a threat to civilians is actually covered by the existing rules,” says Rodenhäuser.
The international community’s stance
Knowing if and how international law – including IHL – applies to cyberspace has been the subject of many multilateral discussions at the United Nations over the past two decades.
A breakthrough came in 2013, when a Group of Governmental Experts (GGE) produced a report adopted by consensus affirming that the use by states of information technologies was subject to international law. The question of how the law applies remained open.
In 2019, a new working group open to all 193 member states was established at the UN. Its goal was to follow up on the findings of the governmental experts.
“The challenge was to bring back everybody around the table and re-establish the consensus,” says Jürg Lauber, Switzerland’s ambassador to the UN in Geneva and the former chair of the working group.
His task, Lauber says, was complicated by “increased political tensions among the big powers” and “attempts to rewrite the rules from a small group of countries”.
In the end, the working group too concluded that international law applies to cyberwarfare. But it too could not find an agreement on how to implement this.
“In substance there was progress, but it was not a huge leap. However, the support now is much broader because everybody had the opportunity to participate in the discussion,” says Lauber.
A new working group at the UN has been established for the 2021-2025 period.
“I hope that they can go further […] there’s clearly a gap between all member states agreeing on the applicability of existing international law, and what we see is happening with cybertechnology being used in an illegal way.”
Trying war crimes for atrocities committed on the physical battlefield is a long and difficult process that will take years. Cyberspace adds to this complexity.
Finding who is behind a cyberattack is very difficult, as attacks can easily be launched by proxies.
“It sometimes requires years of investigation to really understand how an attack was planned, how it was carried out, who ordered it, and to really know which individuals were behind it,” says Halopeau. Usually, real world information – if a government was involved, names of the people who worked at a certain time in a certain place, pictures, etc. – is needed to corroborate virtual traces, he adds.
“You need to combine a lot of information that is not immediately available. And this is in the best-case scenario where you more or less know that you only have one attacker,” says Halopeau.
In the war in Ukraine, nation states, but also criminal groups and individuals, have conducted cyberattacks. “And then the liability of those people who took part will have to be defined and it’s going to be very complicated,” predicts Halopeau.
Halopeau thinks it is possible that some cyberattacks that have harmed civilians – such as the KA-SAT or the Ukraine-Romania border control hacks – might be of interest to the International Criminal Court (ICC), which has already launched an investigation into alleged war crimes on the ground in Ukraine. So far the ICC is not investigating cyberwarfare.
Despite the horrors, the war in Ukraine may serve as a lesson about the need to strengthen accountability processes in cyberspace, he says.
“This is one of the first conflicts where cyberattacks are used at this scale. […] So I think regarding international humanitarian law, there must be a discussion to recognize how cyberspace can be used to harm people and to prevent inappropriate behaviour.”