Law and Cyberwarfare: The Need for International Humanitarian Law to go Online
By Mitchell Purdy
“Because war . . . war never changes.”[1] While this maxim may be interpreted as an observation about the never changing, brutal reality that is war, the means by which wars are fought certainly have changed. One such new means of countries engaging in militaristic conflict is commonly referred to as cyberwarfare. Cyberwarfare can be defined as “war conducted in and from computers and the networks connecting them, waged by states or their proxies against other states.”[2] With this new theater of war, there also comes a need for new international humanitarian laws to attempt to regulate its use. “International humanitarian law is a set of rules which seek to . . . limit the effect of armed conflicts,” and serves as the law of war.[3] The recent cyberattack allegedly conducted by Russia against the Ukraine[4] serve as a recent reminder of the need for the international community to address the currently underregulated issue of cyberwarfare.
Regarding the previously mentioned allegation of a cyberattack perpetrated by Russia against the Ukraine, it is important to note that there is not currently definitive proof that Russia committed the attack, though Ukrainian officials have publicly stated that it was Russia.[5] The cyberattack resulted in the defacement of multiple Ukrainian government websites, though this may have been a diversion to infect government computer systems with destructive malware.[6] The Ukrainian government further alleged that the cyberattack is only part of what it referred to as a “hybrid war,”[7] which is understood as being the use of a mix of conventional military tactics and more modern cyber options. While it is not conclusive evidence of Russia’s involvement, it is relevant to note that the recent attack was disguised to look like ransomware, similar to the NotPetya virus which, in 2017, resulted in approximately $10 billion in damages globally.[8] In 2018, the CIA attributed the NotPetya attack to Russian military hackers.[9] Given the potential financial and human costs that can be caused by cyberattacks, it is in the collective interests of all nations that there be defined rules of war on the cyber battlefields of today.
While cyberwarfare may be a very recent problem facing the world, the international community has experience dictating the acceptable rules of war in the form of the Geneva Conventions. The Geneva Conventions are a series of treaties “whose purpose is to provide minimum protections, standards of humane treatment, and fundamental guarantees of respect to individuals who become victims of armed conflicts.”[10] The Geneva Conventions serve as the centerpiece of international humanitarian law and have been ratified by all of the world’s nations.[11] When compared to this level of unanimity, the world is nowhere close to being as unified with respect to the rules for how to engage in a cyberwar.
A related component of the regulation of armed conflict is jus ad bellum, which “refers to the conditions under which States may resort to war or to the use of armed force in general.”[12] Since the end of the First World War, there has been a general trend towards outlawing war.[13] This trend would be seriously undermined if nations were allowed to engage in cyberattacks against their enemies simply because the world’s nations have yet to regulate when and how such attacks may be conducted. While the question of whether or not, or alternatively to what extent, current international humanitarian laws apply to cyberwarfare is a subject a debate,[14] the global benefit from regulating the use of cyberwarfare is as inherent as the benefit the world experiences from having rules to war generally.
While there have been proponents of different forms of what has been referred to as a Digital Geneva Convention, Microsoft’s president Brad Smith made a notable proposal at the 2017 Recreational Software Advisory Conference.[15] Mr. Smith proposed “a neutral international organization that would investigate state-sponsored cyberattacks,” as well as calling on governments to take actions to “protect civilians during times of peace,” and for “private-sector [technology] companies to pledge to protect their users from all cyberattacks – no matter what their possible origin – and to never assist nation states in carrying out offensive operations in cyberspace.”[16] A version of these proposals need to be adopted, as five years later cyberattacks are being used as part of a complex system of assault to politically, militarily, and economically weaken a nation without declaring war.[17] Ultimately, if the world believes that there should be rules to war, then there also need to be rules to cyberwar. The need for collective action exists now, and it is the responsibility of the world’s nations to answer the call.
[1] Ulysses S. Grant, Quotes, Good Reads, https://www.goodreads.com/quotes/7442667-i-have-never-advocated-war-except-as-means-of-peace (last visited Jan. 16, 2022).
[2] John B. Sheldon, Cyberwar, Britannica, https://www.britannica.com/topic/cyberwar (last visited Jan 16, 2022).
[3] What is International Humanitarian Law?, International Committee of the Red Cross (July, 2004), https://www.icrc.org/en/doc/assets/files/other/what_is_ihl.pdf.
[4] Yuras Karmanau, Ukraine says Russia behind cyberattack in 'hybrid war' move, Associated Press (Jan. 16, 2022, 1:34 PM), https://abcnews.go.com/International/wireStory/ukraine-claims-russia-cyberattack-hybrid-war-82294907.
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Ellen Nakashima, Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes, The Washington Post (Jan. 12, 2018), https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html.
[10] Geneva Conventions and their Additional Protocols, Cornell law School, https://www.law.cornell.edu/wex/geneva_conventions_and_their_additional_protocols (June 10, 2019).
[11] Rules of War: Why they matter, International Committee of the Red Cross (Aug. 12, 2021), https://www.icrc.org/en/document/rules-war-why-they-matter.
[12] What are jus ad bellum and jus in bello?, International Committee of the Red Cross (Jan 22, 2015), https://www.icrc.org/en/document/what-are-jus-ad-bellum-and-jus-bello-0.
[13] Id.
[14] See James A. Lewis, A Note on the Laws of War in Cyberspace, Center for Strategic and International Studies (April, 2010), https://csis-website-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/100425_Laws%20of%20War%20Applicable%20to%20Cyber%20Conflict.pdf.
[15] Eugene Kaspersky, A Digital Geneva Convention? A Great Idea, Forbes (Feb. 15, 2017, 11:30 AM), https://www.forbes.com/sites/eugenekaspersky/2017/02/15/a-digital-geneva-convention-a-great-idea/?sh=1484b56d1e6e.
[16] Id.
[17] See Karmanau, supra note 4.