All is Fair in Love and Cyberwar

By September 21, 2016 Cybersecurity Readiness

The Geneva Convention established rules and reinforced norms in war after the indiscriminate violence and the brutal treatment of non-combatants during World War II. The rules include, among other things, a prohibition on the torture and execution of prisoners, and a prohibition on the targeting of civilians, hospitals, and critical infrastructure. No such rules exist in the realm of cyberwarfare. In the absence of widely accepted norms, almost anything is fair game: nuclear reactors, stock markets, cell towers, dams, and more. Cyberattacks on any of these could have indiscriminate and devastating economic, physical, or environmental effects. However, recent cyberattacks have prompted discussions in the international community about establishing the necessary rules and norms to regulate cyberwarfare and cyberspace.

Cyberwarfare is tricky in the context of international law because it’s not war in the traditional sense: attacks typically don’t result in the deaths of people, but can still have costly effects. States don’t always know how to respond to attacks that aren’t physical. This raises the question: how should states respond to cyberattacks? Article 2(4) of the United Nations Charter declares that states shall refrain from the threat or use of force against other states, and this includes cyberattacks. The Charter also declares that not every threat or use of force justifies a response of force. For example, it would not be appropriate to bomb a foreign capital in retaliation for a cyberattack on a movie studio. States are finding it difficult to come up with appropriate responses to cyberattacks that don’t cause physical harm, so most victims of cyberattacks simply condemn the actions of their attackers for lack of a better option.

The US, EU, Russia, and most of the world agree that cyberattacks count as acts of aggression and that a response, whether physical or cyber, is justified. This nascent norm will ideally help protect states from rampant cyberattacks by introducing kinetic retaliation as a deterrent. China is finding itself isolated as one of the few countries that believes cyberattacks don’t fall under acts of aggression. However, the UN Group of Governmental Experts (GGE) committee, including China, unanimously agreed that if cyber operations take place during wartime they are to be treated the same way as a physical attack. This agreement is a step forward: it recognizes that cyberattacks can cause physical damage and that states have the right to physically defend themselves from a cyberattack. Even if China or another state disagrees, it would be wary of launching a cyberattack against a state that believes it can launch a physical attack in response.

The majority of the world’s major players also agree that critical infrastructure should not be targeted by cyberattacks. There is even general agreement between the United States, the European Union, Russia, and China on how critical infrastructure is defined. Critical infrastructure consists of systems, both physical and virtual, that are essential to the daily functioning of a society. This includes roads and bridges, manufacturing and healthcare facilities, financial institutions, water and sewage systems, energy generators and transmitters, communications, etc. It would be against the Geneva Convention to target most of these systems in a conventional war. These same systems should be protected from cyberattacks under international law.

But non-state actors complicate efforts to establish rules and norms regarding cyberattacks. Hacktivist groups like Anonymous, Impact Team, and others can engage in cyber operations against states or other entities without fear of retribution. Similarly, independent hackers could easily be hired by a state to launch a cyberattack against another state, allowing countries to skirt whatever norms do exist while also providing some deniability. The UN GGE committee declared that states should not knowingly allow hackers to operate within their territory, but this is almost impossible to enforce if it is in the interest of the host state to utilize these hackers.

The United Nations is deferring to GGE groups to build on cyber norms before presenting them to the General Assembly. The GGE groups are working towards formally integrating cyberwarfare into the laws of armed conflict. Thus, the United Nations is still a few years away from establishing written rules and norms regulating cyberspace. It took thousands of years of warfare to establish the Geneva Convention’s norms and rules for war. It will not take that long for cyber norms to be established. Most countries have already accepted that cyberattacks should not be used generally, and definitely not to target critical infrastructure. Additionally, most nations agree that cyberattacks should be treated the same way as physical attacks. These informal norms are a good start, as they will protect the lives of citizens and deter attacks until formal universal norms are established.