3 May 2023

Can Cyber Attacks Be Considered War Crimes?

EMILIO IASIELLO

In mid-March 2023, the International Criminal Court (ICC) in the Hague issued an arrest warrant against Vladimir Putin, accusing him of committing war crimes in Ukraine. Among the charges levied included the deportation of children, rapes, mass killings, and widespread torture. Notably, the charges cited include the purposeful bombing of a civilian maternity hospital and a theater in March 2022. According to its mandate, the ICC can allegedly prosecute political leaders for “waging aggressive war,” which includes unjustified invasion, and especially intentionally directed attacks against a civilian population. Such offensives are in direct conflict with Article 8 of the Rome Statute of the ICC, though there is some skepticism over such an indictment as the ICC has no power to arrest suspects, and Russia is not a signatory to the agreement that set up the court.

This raises the question if similar criteria can’t also be applied to cyber attacks that occur during periods of conflict. In 2015, the United Nationals Group of Government Experts believed that International Humanitarian Law (IHL) applied to cyber attacks. This sentiment has been also expressed by the International Red Cross that believes that IHL limits cyber operations during armed conflict just like any other weapon. Therefore, by extension, cyber attacks that meet the threshold described in Article 8 of the Rome Statutes would ostensibly apply to cyber attacks as well. For example, purposeful cyber attacks against power grids during periods of inclement weather, or those disrupting emergency services and hospitals directly affecting people’s lives, or manipulating water facilities’ chlorine levels are the types that if severe enough could meet the threshold criteria that triggers Article 8. Though such a grievous attack has not yet transpired, the Ukraine conflict has shown that the more cyberspace becomes a battleground for state and nonstate actors, the greater the chances – and opportunities – for such an attack to occur as cyber attacks have become another tool to perpetrate warfare and are not always necessarily conducted under strict supervision or guidance.

Unsurprisingly, there are several challenges impacting such an adoption, especially when international bodies attempt to define terminology and set criteria by which terms are defined and categorized. Determining what constitutes an official cyber attack is one such example, as is distinguishing what targets are off limits. The Rome Statute on war crimes identifies civilian targets as “objects” and civilian objects as anything “which are not military objectives.” Therefore, when it comes to kinetic targeting, it is fairly easy to identify civilian edifices such as schools, religious buildings, hospitals, and private residences. But trying to view cyber attacks through the same lens becomes increasingly more difficult in a cyber environment where civilian-military network interconnectivity blurs the lines considerably, especially if military networks rely upon civilian infrastructure (e.g., satellites, undersea cables) for operability. An attack against a power grid that impacts military targets, but also collaterally impacts civilians is such an example. Another is the unpredictable nature of malware. Once deployed, malware is notoriously difficult if not impossible to contain and if deployed against a military target could spread to the civilian space. Even carefully scripted malware like Stuxnet which was created to affect specific air-gapped Siemens SCADA systems ultimately escaped into the wild and reached approximately 115 countries.
OODA Loop Sponsor

One of the biggest challenges in trying to methodize how cyber attacks can be considered war crimes is the fact that there isn’t a cyber weapon that can directly impact a human life, thereby removing an obvious way to determine cause-effect. Malware is not a physical contagion. Wipers do not bleed over into the physical world. A distributed denial-of-service attack is not equivalent to a barrage of missiles. Even the incident at the German hospital in which a patient died as a result of a ransomware attack required the disruption of the hospital network to cause a dying patient to be redirected elsewhere. Networks get the brunt of the abuse when it comes to cyber warfare, and while they may be expensive, they are entirely replaceable.

So, from the human perspective, trying to correlate cyber attacks with potential loss of human life is largely notional a exercise. The obvious disruption of healthcare and first-responder entities is the immediate concern, with perhaps SCADA attacks impacting other necessary civilian services like food and transportation a close second. But interestingly, most of the more alarming incidents against critical infrastructure (Irani actors altering chlorine levels, Chinacompromising several key power targets in India) have occurred outside of armed conflict. Even pre-current Ukraine war, Russian-affiliated cyber actors frequently attacked Ukrainian energy targets. None of these incidents rose to the level of war crime determination, no less an act of war.

Therefore, when trying to assess if a cyber attack is a war crime, perhaps it’s not the types of attacks (e.g., virus, worm, ransomware, wiper) that need to be considered, but the intent behind them, the targets struck, the impacts of their deployments, and the ramifications that resulted on civilians as a result. And that may be the biggest obstacle toward this end. With the Ukraine conflict providing an insight into the possibilities of how cyber can be incorporated into military operations, it does not appear that cyber weaponry has been the factor that some of have suspected. This calls into question whether cyber weapons will ever be relied on to cause the type of damage that could be interpreted as a war crime act. Even against critical infrastructure, a cyber-powerful country like Russia elected to use missile and dronestrikes against key infrastructure targets when it wanted to make sure it succeeded in achieving its military objectives, making any potential disastrous cyber strike pale in comparison to complete physical destruction of a target.

One thing is certain: cyber attacks are always evolving and will no doubt become more destructive in nature in the future. The extent to which they are used to cause elevated destruction and when remains to be seen. Still, there may not be a need to wait to see what it will take for future iterations of cyber attacks executed during conflicts to be classified as war crimes under Article 8. There is already a clause that considers other damages beyond harming lives to meet the criteria. Per a clause in Article 8, the “extensive destruction and appropriation of property, not justified by military necessity and carried out unlawfully and wantonly” to be war crimes. Though Article 8 does not provide a methodology to quantify what constitutes such extensive destruction either monetarily or structurally, these types of effects may be more appropriate to cyber attacks whose damages, and costs for remediation and recovery can escalate into the millions of dollars. Exercising this clause is the challenge, as it will require a group of empowered public, private, and academic officials to set measurable benchmarks, as well as their appropriate punitive responses, and communicate them globally, with the caveat that any criteria is subject to revision to keep pace with cyberspace development.

The beginning will no doubt be imperfect, as most beginnings of undertakings of this magnitude usually are. But for any meaningful progress to be made, there needs to be growing pains. This has troubled any international effort to codify norms of state responsible behavior in cyberspace, where they continually spin their wheels in pursuit of the perfect result instead of taking the necessary first step and understanding that necessary adjustments will be made along the way. There is a real opportunity to help this process along by using the Article 8 clause to effectively establish the parameters by which cyber attacks are conducted during periods of armed conflict, and the penalties for those breaching them. It won’t eliminate cyber attacks entirely but could dissuade many actors from using them against potential civilian targets for risk of incurring economic, legal, and/or military repercussions. And based on increasing development of cyber weaponry, that just might be the only deterrence achievable.

No comments: