International Humanitarian Law and its Applicability to Cyber Warfare

Cyberspace is the colloquial term used to collectively refer to the virtual space that now occupies a significant position in our day-to-day affairs. Enabled by the omniscient and omnipresent Internet, Cyberspace has gone from a simple method of interpersonal communication to a driving factor behind the global economy and a borderless society that flourishes in the world of 1s and 0s. Internet usage is at an all-time high with no signs of slowing down, as more and more users begin using it. As of 2015, according to the International Telecommunication Union’s official facts and figures, 3.2 billion people use the internet. 2 billion of those are from countries denoted as “developing countries”. To put this in perspective, the global internet penetration rate has increased from 6.5% in 2000 to a whopping 43% in 2015. The significant user base of the internet makes it abundantly clear that the Internet is no longer a privilege accorded to a select few in the modernized Western world; it is now a ubiquitous technology that has pervaded almost every single sphere of human existence.

It is hard to pinpoint any sector or segment of the modern industrial world that hasn’t been affected in one way or the other by the presence of the Internet. Logistics, communication, data handling and processing, transactions, monetary activities et al, have all undergone a sea change by mere virtue of their adoption of the Internet. The advent of consumer friendly Internet, no longer limited to its defence related origins, can be considered akin to the invention of electricity in that it helped the global economy to collectively undergo a sea change in terms of how things are done. The point to be made here is that the Internet has become an inseparable part of 21st century human existence. With such a tremendous development in technology, issues rise multifold in direct proportion to the expansion of the Internet’s reach and access. This article will not delve into the technical aspect of what enables nefarious entities to create problems through the presence of the Internet, but will rather focus on the ramifications of how cyberspace has opened up an all new platform for States’ existence, making them vulnerable to warfare of a kind hitherto unseen.

Indisputably, the Internet has become an indispensable part of state and economic machinery. Further, civilian and military cyber infrastructures often co-exist. This has enabled a more transparent system of democracy to prevail by way of an efficient and organized electronic system and database to provide uniformity across the country. India has the world’s largest database of personal information in the form of the Aadhaar scheme, where the biometric data of private citizens is stored along with residential addresses, details of family members and other such sensitive data that can easily be misused if in the wrong hands.

Cyberspace and Jurisdiction
Laws applicable to cyber activities face a simple issue; territorial boundaries do not exist in cyberspace. Laws are geographically bound and limited by their jurisdiction. In a world where boundaries do not exist per se and even the limited few that do can be bypassed by even the most basic of users, the law flounders. Jurisdiction is usually decided on the basis of the physical place where the crime was committed, or where it was planned and so on. In other words, jurisdiction entirely relies on a physical, tangible location. Multiple laws exist merely to determine the jurisdiction of the law. When more than one physical location is involved, jurisdiction can become a confusing situation, depending on the domestic laws applicable. This is further exacerbated in scenarios that involve more than one country. The moment a second country is involved in a legal issue, the matter of jurisdiction flares up and it takes a good while before the matter is resolved.

With the exponential growth of cyberspace making it an increasingly essential part of human life, concerns as to its governance also grow proportionately. Cyberspace is devoid of a physical presence and as such is difficult to demarcate into the same boundaries and limits as States. Furthermore, actors in any cyber act can work under the cover of anonymity and therefore make it nigh impossible to attribute fault to them. Unlike conventional modes of warfare, cyber warfare can be undertaken by a very small number of people with limited resources and achieve devastating results on both civilian and military networks. Cyber warfare generally tends to happen across borders, perpetrated by people within State borders. The overlap between a borderless internet and a world defined by borders leads to a confusing situation as to the application of International Law to the parties involved in the matter.

The Internet is not a place in the technical sense, in that it does not exist in any one place. If every single computer or server is disconnected in, say, the United States of America, the internet will not cease to exist. As long as there are multiple devices connected to one another in some form, a version of the internet will always exist. The point here is that there is no specific physical location for the internet. This in itself is not the problem; the problem lies in the fact that anonymity on the internet is very easy to achieve, given the rise of encryption technology and the simple fact that personal identity on the Internet is easy to fake. For instance, the owner of a pirating website, one that made large amounts of money through hosting links for pirated media, was taken down recently after multiple years of flourishing on the internet unchecked, even though the website caused millions of dollars of damage in piracy and subsequent lost sales. Anybody with a reasonable amount of skill can secure their identity from being revealed on the Internet and this includes legal authorities.

This combination of general anonymity and a lack of geographical boundaries makes it very hard for any authority to decide on the jurisdiction of a cyber-crime.

Cyber-warfare and the Rules of War.
The debate over whether existing laws can be applied to crimes in cyber-space can be decided over whether such crimes can be treated as merely a new form of technology used to perpetrate violence. After all, we do not come out with new legislation for every new kind of tank or gun or helicopter produced by an army. However, one also needs to figure out if cyber-crime can actively be considered to be cyber-warfare. Crime is not an act of war. International law and regulations do not define what an act of cyber-warfare technically entails. Given the dynamic nature of the field, it may be hard to come up with an exhaustive definition, but that shouldn’t stop a comprehensive one from being made. The difficulty lies in whether any cyber attack can be considered to be an armed attack and whether the use of an internet network can be considered as a weapon of any kind. Since hackers and other entities that seek to commit cyber-crimes rely mostly on software and existing internet infrastructure, it is hard to qualify a basic tenet of internet infrastructure as a weapon.

This brings us to the context of cyber-crime. It is generally perceived that a single act of cyber-crime cannot be considered as an act of war or as an armed conflict. But what about cyber-crime committed in aid of or in furtherance of an armed conflict? If two countries are at war and one hacks into the military database of the other to commit acts of cyber-espionage, can this be considered an act of war? We do not know, because while the UN has defined most war crimes and also what defines an act of war, it does not include cyber crimes. However, it is clear that even in times of peace, countries routinely commit acts of cyber-espionage in other countries. In 2016, the Democratic National Convention in the USA was hacked with its emails being leaked to the general public. Fingers have been pointed at Russia, blaming it for the attack. This is an important accusation to consider, because there is no definitive way that the blame can be pinned on Russia itself, unless a State authority openly admits to such a claim. In other words, unless Vladimir Putin decides to declare that he or his government sanctioned such an attack, it is near impossible to fix the liability on anybody. Predictably enough, Russia has denied any connections with the hack.

In any case of Cyber Warfare, damage occurs similar to conventional warfare and yet the belligerent party may not even be identifiable. The small scale of operations also makes it easier for States to disavow the actions of the hostile parties and claim lack of liability. This makes the application of the rules of warfare, as laid down by International Humanitarian Law, harder. Some may even question the applicability of IHL in the first place. It is, however, undeniable that the ramifications of cyber warfare are felt in the real world and can cause legitimate financial and infrastructural damage to modern society.

The 2016 hack of the Democratic National Congress in the United States shows us yet another important aspect of the modern form of cyber-warfare: civilian infrastructure and state infrastructure overlap significantly. Just as the military often uses roads meant for civilian purposes, the military also uses the internet infrastructure that civilians do. Military networks utilize the same infrastructure, such as optic cables, satellites, routers, nodes, etc., that civilian networks do. Any attack that takes down a military network will also take down the civilian networks. This is worrisome because of how many basic infrastructural needs are now “on the grid”, i.e., connected to the same networks. Electricity, water supply and traffic signals, for instance, are often on the grid, thereby making them vulnerable to attack. Unlike military databases, these are unlikely to be secured by advanced technology. This indicates that an attack on a military network will have consequences not limited to the military network alone, thereby causing harm to innocent civilians, which goes against the rules of war.

Conclusion; The Tallinn Manual and the Road Ahead
The Tallinn manual tasks itself with deciding whether traditional rules of war will apply to cyber-warfare. To put it succinctly, the manual asserts that traditional rules will indeed apply to cyber-warfare. The experts involved in the creation of the manual concluded that,

“…the mere fact that a computer (rather than a more traditional weapon, weapon system, or platform) is used during an operation has no bearing on whether that operation amounts to a ‘use of force’. Similarly, it has no bearing on whether a State may use force in self-defence.”

The manual is very thorough and comprehensively studies everything that could possibly interact in the realm of cyber space and IHL. In doing so, it highlights the main issues that concern the applicability of existing provisions of the IHL to cyber warfare. The manual settles on “Severity” as one of the major factors of differentiating whether an act of cyber crime can be considered a use of force or not:

“In this regard, the scope, duration, and intensity of the consequences will have great bearing on the appraisal of their severity. A cyber operation, like any operation, resulting in damage, destruction, injury, or death is highly likely to be considered a use of force. Severity is self-evidently the most significant factor in the analysis.”

In a true reflection of the rapidly evolving nature of the cyber-world, the Tallinn Manual is already set to be updated to “Tallinn Manual 2.0” which is expected to be finished by the end of 2016. The changes are expected to include new and updated conventions and modes of application of existing rules of International Law and warfare. The updated version of this document will be the latest and most comprehensive work on the application of IHL to Cyber Warfare and will hopefully settle the ambiguity and vagueness that surrounds this field now. The manual is a lengthy and comprehensive one that is way too vast to be succinctly summed up here. However, it is a concrete step in the right direction as it tackles the issue head on and with a sense of clarity that has largely been lacking so far in the international field of human rights.

The manual has been placed in the conclusion segment of this article to reflect its conclusive nature in terms of how it has handled the applicability of IHL to cyber space and the potential rise of cyber terrorism. However, modern cyber warfare has not been attributed to terrorists, but largely to State actions. States like Russia and the United States have a perennial cyber cold war going on that could escalate at any point, given the turbulent politics involved in their relationship. Unlike a physical act of terrorism, cyber terrorism and warfare work on an unimaginable scale with a relatively smaller set of resources. Combined with anonymity and difficulty of attribution, this leads to a potential situation of chaos that is disturbing to even comprehend.

International Humanitarian Law has always been a by-product of warfare. Traditionally, IHL has always evolved to compensate for crimes and horrors committed during major wars in the history of the world. For the first time since the modern advent of International Law itself, IHL has the opportunity to prepare itself for a form of warfare that is yet to cause enough damage to warrant being termed a war crime. Whether or not such warfare will occur is a matter of speculation, but that is no reason for the world to halt progress in the area. It is high time that the nations come together to secure the world from the threat of cyber warfare by putting together a system of laws and conventions under the United Nations framework, to limit the damage of any potential attacks in cyber space.

