When we typically picture warfare, we think of military grade weaponry associated with large-scale collateral damage. When we hear the term cyberwarfare, we may think of computer viruses, technological jargon, and elusive hackers shutting down IT systems. Despite their differences cyberwarfare’s regulations in international law are far more closely related to traditional warfare than one might expect. This poses new challenges for International Humanitarian Law have left many legal scholars and policy makers questioning whether conventional rules regulating armed conflicts can actually be extrapolated to cyberspace.
The NATO Cooperative Cyber Defence Centre of Excellence stands behind this approach through drafting the Tallinn Manual 2.0. This document makes use of extensive legal theorising to prove how current international legal norms can be applied to cyberwarfare. For this reason the Tallinn Manual 2.0 intends to only describe the lex lata, the law as it exists, rather than acting as a binding document or treatise. Other nations, most notably Russia and China, have instead pushed for more regulations on cyber warfare as part of the Shanghai Cooperation Organisation in 2009 and the International Information Security Code of Conduct in September 2011.
But which approach is the right one? Do we work with the established international laws we have or do we need to create succinct laws?
Cyber Attacks vs Armed Attacks: Can they be equated?
International Humanitarian Law applies in situations where there is an armed conflict. Due to the use of obsolete definitions on what constitutes an armed conflict, however, cyberattacks are often not deemed severe enough to trigger International Humanitarian Law. Cyberattacks need to be incorporated into the law of armed conflict more explicitly. This is because repercussions for civilians resulting from cyberattacks can be comparable, if not worse, than traditional armed attacks.
Paragraph 70 of Prosecutor v. Tadic, states that an armed conflict occurs “whenever there is a resort to armed force between States”. The term armed force presupposes that a cyberattack must cause physical damage to trigger the law of armed conflict. An issue that arises subsequently is that cyberattacks could have the same impact as kinetic attacks, but not be regulated under International Humanitarian Law. A cyberattack causing no physical damage, could shut down a computer network just as effectively as a well-placed air strike on an isolated military server. The implication on civilian lives in this situation would ultimately be the same if not more severe. While an air strike would certainly trigger the law of armed conflict, consequences of a cyberattack may not be regulated.
With a lack of consensus among states on the kinetic force of a cyberattack international law lacks an essential framework to assess the severity of an attack. One attempt to bridge this has been the inclusion of the “Functionality Test” introduced in the Tallinn Manual. This test outlined that “interference with functionality qualifies as damage if restoration of functionality requires replacement of physical components” (see Rule 30, Para. 10 of the Talinn Manual), making it more equivalent to conventional armed attacks on critical infrastructure.
These measures might be a first step but do not go far enough in encompassing the harm caused. Using this framework, an attack which damages a system but requires a day to repair would trigger International Humanitarian Law, while a cyberattack that takes a system offline for weeks would not. This means that rather than working on a scale which requires an attack to exceed the de minimis of intensity to be applied to the law of armed conflict, a cyberattack is expected to meet very precise specifications. States could easily target networks with the intention not to destroy them, aiming to shut down systems for a longer time than would be required to repair physical damage on a system, without the consequences being regulated under International Humanitarian Law. This inability to effectively trigger the law of armed conflict in cyberattacks comparable to physical attacks, shows the inadaptability of International Humanitarian Law. Without the rules of law prohibiting certain conduct in wartime situations, cyberattacks could have very harmful repercussions.
The Attribution Problem
As stated in Common Article 2, an armed conflict “may arise between two or more of the High Contracting Parties, even if the state is not recognized by one of them”. In order for these conditions to be met, however, the group launching the attack must be officially working as part of the military of a state. Issues begin to arise when attacks are either not attributable to a state or do not come directly from another states’ military. It is up to International Humanitarian Law to determine whether such an attack is merely a cybercrime or an armed attack.
With the internet being developed to facilitate anonymous communication, it is no easy feat to legally attribute cyberattacks to certain states. Over the past few months we’ve been learning more about the Solarwinds hacks and a water plant in Florida was hacked. The actor attributed in this situation carries with it immense political implications and makes all the difference in determining whether or not the law of armed conflict applies. But the nuances in what happens after we have attributed remain unclear, without succinct mention of cyber in international law.
With many of the foundations of International Humanitarian Law dating back to 1945, is it time we create new laws to regulate cyber attacks? Would it really help in identifying war crimes and attributing effectively?
By Carlos Beaujean
Carlos is a final year International Relations student at King’s College London and Editor of the Technology & Innovation Policy Center at KTT.
Schmitt, Michael N., and Nato Cooperative Cyber Defence Centre of Excellence. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Manual 2.0 on the International Law Applicable to Cyber Operations. Second edition.. ed.: Cambridge : Cambridge University Press, 2017.
“Shanghai Cooperation Organisation.” The NATO Cooperative Cyber Defence Centre of Excellence, accessed 28th February, 2021, https://ccdcoe.org/organisations/sco/.
“An Updated Draft of the Code of Conduct Distributed in the United Nations – What’s New?” The NATO Cooperative Cyber Defence Centre of Excellence, accessed 28th February, 2021, https://ccdcoe.org/incyder-articles/an-updated-draft-of-the-code-of-conduct-distributed-in-the-united-nations-whats-new/.
“How Is the Term “Armed Conflict” Defined in International Humanitarian Law?” Opinion Paper, International Committee of the Red Cross, Updated 17th March, 2008, accessed 28th February, 2021, https://www.icrc.org/en/doc/resources/documents/article/other/armed-conflict-article-170308.htm.
“A. ICTY, the Prosecutor V. Tadić, Appeals Chamber, Jurisdiction.” ICTY, The Prosecutor v. Tadić, ICRC, accessed 28th February, 2021, https://casebook.icrc.org/case-study/icty-prosecutor-v-tadic.
“Rewired Warfare: Rethinking the Law of Cyber Attack.” IRRC No. 893, International Review of the Red Cross, Updated September, 2015, accessed 28th February, 2021, http://international-review.icrc.org/articles/rewired-warfare-rethinking-law-cyber-attack.
“Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field.” Treaties, States Parties and Commentaries, International Committee of the Red Cross, 2016, accessed 28th February, 2021, https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Comment.xsp?action=openDocument&documentId=BE2D518CF5DE54EAC1257F7D0036B518.
“State Responsibility and Attribution of Cyber Intrusions after Tallinn 2.0.” Volume 95 – Issue 7, Texas Law Review, https://texaslawreview.org/state-responsibility-attribution-cyber-intrusions-tallinn-2-0/.
“US Considers Sanctions against Russia over Solarwinds.” Financial Times, 2021, accessed 28th February, 2021, https://www.ft.com/content/d7d67ea7-8423-4b9c-819d-761fa4a10fa0.
“A Cyber-Attack on an American Water Plant Rattles Nerves ” The Economist, Updated 9th February, 2021, accessed 28th February, 2021, https://www.economist.com/united-states/2021/02/09/a-cyber-attack-on-an-american-water-plant-rattles-nerves