Written by Lina Laurinaviciute

Cyber Warfare: Between Games and Reality

Setting the background

A top secret super-computer which has a complete control over a nuclear arsenal and the countdown to World War 3 – such scenarios, as the one of a movie “War Games” (1983) were presented as the science fiction in the last century. Indeed, new expansions in the tactical as well as technical dimensions have changed the landscape of warfare where a cyber space battlefield became a realization of that fictional future.

Today, cyberspace exists in all critical infrastructure sectors: telecommunications networks, the electric grid, power plants, traffic control centers, financial sectors, etc. The same technology that enables us to have live video chat on our mobile phones or remote controls used to control air conditioning units also makes it possible to turn off the lights in a city on the other side of the globe.[1]

Usually, media as well as policy-makers refer to cyberspace when simply looking for a synonym to the Internet or describing anything electronic. However, cyberspace may be described as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”[2]

Similarly, such terms as “cyber operations”, “cyber attacks”, or ”network attacks” as well as the concept of cyber warfare are used in different contexts and different people appear to mean different things when they refer to them. In general, cyber operations are conducted against or via a computer or a computer system through a data stream. “Such operations can aim to do different things, for instance to infiltrate a computer system and collect, export, destroy, change, or encrypt data or to trigger, alter or otherwise manipulate processes controlled by the infiltrated system.”[3]

One of the main issues raised by “cyber war” is whether a cyber attack can rise to the kind of attack amounting to war. International Humanitarian Law (hereinafter IHL), also referred to as the laws of war, characterizes war as the resort to protracted and intense armed force by two or more parties. Armed conflict is either between States, characterized as international armed conflict, or between States or armed groups operating inside a single State, referred to as non-international armed conflict. The most well-known of the laws are the 1949 Geneva Conventions[4] and 1977 Additional Protocols[5], which present rules for protecting civilians and those hors de combat (wounded, sick and unable to fight soldiers) in land, naval, and air warfare.[6] As it can be expected, due to the development of new technologies, none of the provisions of these laws specifically mention cyber attacks.

Some researchers, such as Joel Brenner, are of the opinion that cyber attacks should not fall under IHL. As cyber warfare is not a kinetic action, it is not an armed attack and thus, IHL does not apply.[7] However, the growing importance of the use of information technology in military activities and its potential to gain military advantage in a more cost effective way, urges to look at it from the IHL perspective and determine the circumstances, under which cyber operations (as opposed to the traditional kinetic military operations) can constitute attacks within the meaning of IHL.

The fact that a new concept of a cyber attack has come into existence after the treaty laws were adopted, does not preclude the applicability of these laws. Article 36 of Additional Protocol I (hereinafter AP I) says that in the study, development or adoption of a new weapon or method of warfare, States Parties are under an obligation to determine whether their employment would, in some or all circumstances, be prohibited by international law applicable to them.[8] Also, in its 1996 Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons, the International Court of Justice held that “it cannot be concluded […] that the established principles and rules of humanitarian law applicable in armed conflict did not apply to nuclear weapons. Such a conclusion would be incompatible with the intrinsically humanitarian character of the legal principles in question which permeates the entire law of armed conflict and applies to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future”.[9] Hence, it has been well accepted already that “a lack of directly applicable treaty law does not create an international humanitarian law – free zone, where anyone can conduct hostile activities without rules or restraints.”[10] Due to the fundamental prohibitions, IHL was designed to be flexible enough to accommodate technological developments, including those that could never have been anticipated at the time.[11] It follows that cyberspace is not a distinct domain subject to a separate body of law.

In this framework, cyber warfare refers to means and methods of warfare that rely on information technology and are used in the context of an armed conflict. The experts of the recently issued Tallinn Manual on the International Law Applicable to Cyber Warfare (hereinafter Tallinn Manual), defined cyber weapons as “any cyber device, materiel, instrument, mechanism, equipment, or software used, designed, or intended to be used to conduct a cyber attack.”[12] It is also important to keep in mind that IHL is applicable in time of an armed conflict. Therefore, one of the challenges addressing war in cyberspace is to determine whether resort to cyber weapons can constitute an armed attack.

In accordance with Article 49 (1) of AP I “Attacks” means acts of violence against the adversary, whether in offence or in defence.[13] A “cyber attack” is very fact-specific and must be distinct from cyber espionage, which is done by many nations including recent cases of China, Russia, Iran and does not violate traditional interpretations of IHL. Examples of the cyber operations that have been carried out so far, such as a 2007 Israeli cyber-attack on Syria that disabled all Syrian anti-air systems so that the Israeli air-force could bomb a secret Syrian nuclear reactor site undetected or the 2007 attacks on Estonian banks and government websites as well as the 2008 Russian cyber attacks on Georgia during the South Ossetia War, do not appear to have had serious consequences for the civilian population.[14] However, they show that while the critical infrastructure of nations continually becomes more reliant on networks and cyberspace, the possible targets for cyber-attacks greatly increase. Logic bombs and computer viruses can disrupt everything from electric grids and the stock market to nuclear power plants and water treatment facilities. Therefore, potentially catastrophic scenarios, such as collisions between aircraft, the release of poisons from chemical plants, or the disruption of vital infrastructure and services cannot be dismissed. Such attacks would most likely have large scale humanitarian consequences and could result in significant civilian casualties and damages.[15]

Therefore, the situations when cyber activities result in death, injury, or significant destruction would likely be treated as a use of force.”[16] However, the determination of the threshold for the use of force, especially, in cases not involving physical harm, remains problematic. It might depend on the degree of damage that a computer network attack causes –“the greater the damage, the more likely the situation will be viewed as an armed conflict.”[17] The other factors, that may be significant for the classification of cyber operation as a use of force, include: immediacy (the speed with which consequences manifest), directness (the causal relation between a cyber operation and its consequences), invasiveness (the degree to which a cyber operation intrudes into targeted systems), measurability of the effects, military character of the cyber operation, extent of State involvement, and presumptive legality (acts not expressly prohibited by international law).[18]

Generally speaking, cyber operations are not violent in the sense of releasing kinetic energy, unless they qualify as an attack by virtue of their consequences, specifically injury or death of persons, damage or destruction of objects. Therefore, the principle of distinction between military and civilian objectives, prohibition of indiscriminate attacks, requirement to take the necessary precautions and abstain from attacks if civilian damage is likely to be excessive to the value of the military objective to be attacked are also applicable to such attacks and operate in the same way as to the attack which is carried out using traditional weapons.[19] Nevertheless, in practice, IHL faces some significant challenges dealing with cyber warfare.

Challenges applying rules of IHL in cyberspace

The challenges met by the international legal regulation in cyber warfare are due to the fact that cyberspace consists of innumerable computer systems across the world where civilian and military computer networks are highly interconnected.[20] A lot of military infrastructure relies on civilian computers or computer networks. It is estimated that 95 percent of world data and voice traffic is carried over fiber optic cables, providing shared bandwidth services to both public and private sectors. Indeed, the interconnectivity of military and civilian networks are so high that it is questionable whether a military-civilian separation in cyberspace is possible and, thus, if a military objective can accurately be targeted without any damage to the civilian cyber infrastructure. For example, 95 percent of American military communication goes through a civilian infrastructure.[21]

It is important to stress, that IHL prohibits indiscriminate attacks. The principle of distinction, as stipulated in the Article 48 of AP I, requires that parties to a conflict distinguish at all times between civilians and combatants and between civilian objects and military objectives.[22] In accordance with Article 51 (4) of AP I, an indiscriminate attack is defined as one which is either not aimed at a specific military objective or because the effects of an attack on a military objective are uncontrollable and unpredictable.[23] Attacks may only be directed against combatants or military objectives, which in pursuant to the Article 52 (2) [24] AP I are the ones that make an effective contribution to the military actions of the adversary and in the circumstances at the time when they are attacked must give a direct and concrete military advantage to the attacker.

Military objectives, such as communication lines, command and control systems, computers or computer systems used in support of military infrastructure or for military purposes can be targeted. As long as the two conditions that determine a military objective are fulfilled and as long as the attack does not spill over to civilian damage and suffering, the act is legitimate. It follows that attacks via cyber space may not be directed against computer systems used in medical facilities, schools, and other purely civilian installations that has special protections against attacks, such as drinking water installations and irrigation works, dams, dykes, or nuclear electric stations that have the ability to release dangerous forces.[25]

Thus, the uncontrollable computer virus would be prohibited as an indiscriminate weapon in the same way that the use of a biological virus would be prohibited; while a destructive cyber attack that leads to the overheating and destruction of exclusively military cyber installations would raise no particular legal concerns. An obvious example would be the release of a virus or a range of viruses into the computer systems of a target State. Even if introduced only into the military network of a State, if the virus is virulent enough, it would soon seep out of that network and into civilian systems of the targeted State or even beyond to neutral or friendly States. Such viruses must most likely should be considered as indiscriminate because they cannot be directed against a specific military objective, and they would be a mean or a method of combat which effects cannot be limited as required by AP I even if aimed accurately at the intended target.[26]

Also, some dilemmas are raised on the use of social networks for military purposes. Indeed, in recent conflicts, it became a common practice to transmit military information via Twitter, Facebook and other social media. The experts of the Tallinn Manual agreed that such use of social networks would transform those facets of the social media networks that are used for military purposes into military objectives. However, the entire networks would not be subject to direct attack.[27]

Another problematic issue is the status of persons involved in cyber operations.

When activities related to cyber attack are performed directly by the personnel of armed forces, it is considered to be performed by a combatant and, thus, such person can directly be attacked and are subject to have prisoners of war status. The problem is that since the specific technical expertise of computer technology mostly lies in the civilian domain, the use of civilians for military activities can be a common practice. It follows, that civilians who are directly participating in hostilities (hereinafter DPH) can become legitimate targets. The involvement in DPH can be manifested through various forms. For example, civilians may be those who launch a cyber attack or they are used to maintain the computer programs or computer network from which a cyber attack is launched. However, the interpretation of the concept of DPH in activities related to cyber attacks, which results to the loss of protection under IHL, is still debatable.[28]

In addition, it is a fundamental rule of IHL that if a party to an armed conflict intends to carry out a cyber attack it is under a legal obligation to conduct a proportionality assessment and to take precautions before launching such an attack. Respect for these principles, as reflected in Article 57 AP1, includes the obligation of an attacker to take all necessary precautions in the choice of means and methods of attack in order to avoid or minimize civilian casualties and collateral damages. [29]For example, commanders must decide whether launching a worm attack on the network of the adversary is feasible or not because the functioning of a worm is such that it has a very high capability of infecting large networks, and that shows its capability of damaging civilian cyber infrastructure, including that of hospitals and banks.[30] In this view, collateral damage is perceived as the loss of civilian objects during military combat operations due to the violent character of war.

Collateral damage in order to get the direct and concrete military advantage is legal as long as it does not violate the rules of proportionality. According to them “[a] cyber attack that may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated is prohibited.”[31] Therefore, no collateral damage is acceptable if it is in excess of the anticipated concrete and direct military advantage.

In this regard, the development of new technologies may successfully contribute to the purpose of protection reflected in the core principles of IHL. In certain cases cyber operations might cause fewer incidental civilian casualties and less incidental civilian damage compared to the use of traditional weapons.

However, despite the advantages provided by the new technologies, the digitalization on which cyberspace is built causes another difficulty in applying the rules of IHL to cyberspace, as in most cases, it is difficult if not impossible to identify the author of an attack, the location from which it is being conducted, and to estimate its destructive potential. It is often necessary to work a way back in the chain of computers controlling other computers in order to figure out who attacked. This implies some sort of intrusive capability to identify who is attacking and thus complicates the attribution of conduct.[32]

However, from the general point of view, attribution is a practical/ technical problem in nature and therefore, can be resolved through practical or technical means, but not by means of the law. Hence, the tendencies of technological innovation may provide solutions to this practical difficulty much faster than we may anticipate today.[33] Till that day, the anonymity of communications rise difficulties on the attribution of responsibility to individuals and parties to conflict on which IHL strictly relies.

The experts of Tallinn Manual came to an agreement that “no State may claim sovereignty over cyberspace per se” and that “States may exercise sovereign prerogatives over any cyber infrastructure located on their territory, as well as activities associated with that cyber infrastructure.”[34] However, “the fact that a cyber operation has been routed via the cyber infrastructure located in a State is not sufficient evidence for attributing the operation to that State.”[35] Indeed, the technology for conducting offensive operations in cyberspace can be obtained anywhere, for instance, by mail order, while the knowledge needed to conduct some kind of cyber attack is available on the internet. Thus, many non-state actors, such as companies, terrorists, organized crime, patriotic hackers or even teenagers, can have influence.

In this regard, the International Court of Justice in its very first case on Corfu Channel, held that a State may not “allow knowingly its territory to be used for acts contrary to the rights of other States.”[36] For example, a State would be obligated to take necessary measures to end a cyber attack launched by a terrorist group from its territory against other States.

In addition, According to the Articles on State Responsibility, “[t]he conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.”[37] The jurisprudence of the International Court of Justice suggests that the degree of control for attribution to occur shall reach the level of an “effective control” over non-State actors. Therefore, “merely encouraging or otherwise expressing support for the independent acts of non-State actors does not meet the threshold for the degree of control.”[38]

In this regard, the International Court of Justice in the Nicaragua judgment pointed out that the notion of an armed attack includes “‘the sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State of such as to amount to’ (inter alia) an actual armed attack conducted by regular forces, ‘or its substantial involvement therein’.”[39] It follows that, for instance, providing an organized armed group with malware (funding, legal, practical support) to be used against another State would constitute a use of force, while only providing sanctuary to that group would not reach such level.

However, the more complicated question is whether a non-State actor’s cyber operations that are not attributable to a State can nevertheless qualify as an armed attack and thus can justify  as the use of force in self-defense against that non-State actor.

Article 51 of the United Nations Charter stipulates that: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken the measures necessary to maintain international peace and security.” Concerning this issue, the position of the US government, for instance, has long been that “the inherent right of self-defense potentially applies against any illegal use of force. There is no threshold for a use of deadly force to qualify as an ‘armed attack’ that may warrant a forcible response.”[40]

An agreement can be reached that cyber operations resulting in death or serious injures of individuals or serious damage to objects can qualify as armed attacks. As mentioned before, whether a cyber use of force qualifies as an armed attack depends on its scale and effects. However, the defensive actions are also subject to the requirements of IHL (necessity, proportionality, imminency, and immediacy). It follows that, “[a] State that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defense.”[41] Furthermore, “a State need not take the first cyber hit before acting to defend itself”[42] and, thus, by this approach the “anticipatory self-defense” is allowed under international law.

The way forward

The world of new technologies is neither a world of virtual games nor it is a science fiction. Warfare in a cyberspace can cause death and damage to the real world. However, technology, in itself, is neither good nor bad, “it can be a source of good and progress or result in terrible consequences at worst.”[43] Indeed, today, none of the so called natural domains (air, maritime or space) can function if cyberspace fails which would mean going back to the time of the messenger pigeon or a drawing board.[44]

Even though international laws do not specifically mention cyber attacks, cyber warfare is not emerging in a legal hole or creating a new legal crisis. Cyber operations can be treated as a means and methods of warfare and therefore, IHL rules, that set limitations to cyber attacks through the principles of distinction, proportionality and precaution are applicable. However, the above mentioned challenges, for applying the pre-existing legal rules to a new technology, points out certain gray areas that require further analysis to determine whether these rules are sufficient and clear in light of the technology’s unique attributes. Therefore, specific cyber warfare laws or even a comprehensive treaty might be adopted in the future as technologies evolve and their impact becomes better understood.

Indeed, policy makers and military leaders all over the world are considering the implications of cyber warfare and a number of countries have already taken steps to increase their cyber-warfare capabilities, whereas NATO has listed cyber-defense as a major initiative of its new Strategic Concept.[45] However, in a view of the current political environment, where states have varying views on cyber security, most probably the technology will develop faster than laws. Hopefully, it will not only bring new challenges but also will offer effective solutions for the successful application of IHL in cyberspace.