By Adrian Zienkiewicz and Eugene Matos De Lara
A virtual universe where assets and ideas are exchanged rapidly has become reality, and so too has the presence of a deep underbelly of the web that seeks to manipulate and steal valuable information.
Confidential information contained within complex computer networks is routinely targeted and cyberattacks are pervasive. Sometimes there are personal and financial motivations at play, but it becomes a uniquely geopolitical endeavor aimed at control and destabilization when backed by a State. Cyberwarfare is war in peacetime, and while not perceivable by ordinary citizens, it is ongoing daily through various retaliatory attacks. How is cyberwarfare constituted by international humanitarian law (IHL), and what are the legal voids?
Cyber warfare is a unique form of “force” enacted by a State, understood broadly through the lens of article 2(4) of the UN Charter, which a State must refrain from enacting irrespective of its duration or magnitude. Since government and financial institutions’ computer programs contain highly sensitive data, the breaching of these by a foreign entity is to be perceived as an attack on sovereignty. Even if not instigating a conflict, threats, coercion, or pressure applied in this manner are still discouraged.
The nature of the concept differs considerably under article 51; there, cyberwarfare would have to be sufficiently coordinated, bearing enough evidence of State involvement and motivations, for it to be designated as an “armed attack”. The international community intends to keep cyberwarfare solely as a method of self-defense that must be considered through necessity, proportionality, distinction, and prevention of wrongful conduct before its occurrence. These notions must be considered with heightened anticipation of the consequences of taking one path instead of the other. Thus, preemptively establishing virtual defense technologies would be appropriate. That is not the case, for instance, with harassing an opposing party’s networks to disrupt their military capabilities or disable entire power grids.
Cyberspace shouldn’t be exploited as a frontier of conflict, although it often is. More than just protecting information, the promulgated objective is deterrence. Cyberwarfare could potentially provoke more open, conventional forms of armed conflict (an accumulation of consistent cyber attacks could be detrimental to a country’s progress), but it is, through jus in bello, itself a type of conflict. Protocol I of the Geneva Conventions, through article 49(1), asserts that “[a]ttacks means acts of violence against the adversary, whether in offence or in defence”, and cyberwarfare consists precisely of acts of hostility of a State against another.
Cyberwarfare indeed subscribes to the rules of IHL: civilians cannot intentionally be targeted, the same follows for essential infrastructure that provides basic resources, and so forth. That is why cyberwarfare, even through extensive operations, tends to be precise in its function and minimizes damage. A State naturally wants to lower the odds of having its operations intercepted, and a minor wrongdoing could simply be answered with an equal wrongdoing or condemnation. When done right, cyberspace is where anonymity and covertness commingle, therefore allowing a State to openly deny attacks even though it is the true perpetrator, further reducing accountability. While it’s a web of worlds within worlds and worlds apart from each other, it is possible to leave a trail in cyberspace and evidence could point to a State party committing some wrongdoing, although it’s oftentimes inferred.
Most attacks are committed by third-party groups and even more are left unaccounted for. Also, attacks presenting patterns or targeting exceptionally specific programs can be proof of State-sponsored actions, but liability is squashed or at least greatly diminished when operating through an array of proxies. Cyber warfare is sophisticated, and despite occasional acts of overt sabotage, what is sought is the subtle extraction of information that provides advantages without the other parties knowing it. Discovering facts that a State deliberately tried to keep secret could be used against it at the negotiation table, leaving it dumbfounded as to why its counterpart is adopting a particular stance.
All States that have the technological capacity, advanced or otherwise, participate in some form or another in this boundless warfare. It is incorporated by IHL, but is distinct enough for the international community to potentially advance a uniform regulatory body, a task that has not been envisioned yet. The Tallinn Manual serves as the foremost study on cyber warfare, conducted at the behest of NATO, but it too demonstrates the difficulty of ascertaining the effects on objects that are both immaterial and intangible. There are constraints in quantifying losses when no visible damages are present, and when some attacks are negligible it is likewise difficult to find acceptable solutions. Some States such as the US, still the preeminent power in cyber warfare, have attempted to categorize cyberattacks according to their corresponding danger, increasing response efficacy all while weighing the notion of proportionality. The ICJ, as shown through Nicaragua v. United States, argues that peaceful countermeasures are a response to low-level threats.
There is no end in sight to cyber warfare, as there is a functional contradiction between discouraging its perpetuation and its actual practice. The ability to gain an upper hand in any desired sector with insignificant consequences doesn’t act as a deterrent but rather as an incitement. A State that doesn’t keep pace in cyberspace is bound to get left behind in the material world and is susceptible to foreign pressure. International resolutions can be adopted alongside diplomatic sanctions, but they will ultimately yield no change to the modus operandi of cyberspace activities.
There is an assortment of definitions for cyberattacks and there is no definitive way of attributing responsibility for a cyberattack to a State. The effective control test posited in the Nicaragua case contrasts with the looser overall control test in Prosecutor v. Tadic. Other responsibility thresholds have been conceptualized, but international jurisprudence on cyber warfare is nonexistent. Obtaining remedies through international institutions is a tough challenge for States even when citing precedent, because legal knowledge on cyber warfare is constantly morphing. Time will tell how the law can follow the practice when cyberspace continues to expand.
About the authors:
Author Adrian Zienkiewicz (LL.B., J.D.) is a law student at Université de Montréal. He has a marked interest for all spheres of public international law. Environmental and Energy Law are his real passions.
Co-Author Eugene Matos De Lara (MA, MBA, LL.L, JD, LLB, BA.pol.pad, BA.dvm, BA.sc PMP) is currently working for the International Institute for Middle-East and Balkan studies, based in Ljubljana, and the Geneva Desk for Cooperation. Multilingual internationally published legal graduate with an extensive corporate legal background, and exposure to private international law, international relations, politics, public administration and public affairs.