When Does a Cyber Attack Become an ‘Act of War’?

Recorded Future, a US-based firm, has reported that Chinese state-sponsored actors may have used malware to target India’s power grid system and seaports. According to the New York Times, which broke this story, Recorded Future has claimed in its report that the 12 October 2020 grid failure in Mumbai, may have been caused by this malware.

This report has come in the backdrop of escalating border tensions between India and China, which actually led to a deadly skirmish at the Line of Actual Control (LOAC) in June 2020. As there’s a history of hostility between the two nations, the legality of such cyberattacks becomes a serious question. Are these cyberattacks a part of a larger armed conflict or a means to unleash an armed attack? Can these cyberattacks be attributed to the ongoing conflict between the two sovereign nations?

Most importantly, can India interpret such attacks as an ‘act of war’ to legitimise ‘retaliation' under the law on armed conflict?

Almost every country is now using computer systems for their civil, security, and military infrastructure. This has made cyberspace attractive to both, state and non-state actors, to target the ‘vulnerable’ systems of rival countries to cause significant disruption at a far lower cost, in money and manpower, than conventional and mainly military options.

Countries with advanced cyber capabilities have shown keen interest in targeting cyberspace for strategic interventions in other countries.

1. In 2020, both Iranian and the American governments acknowledged cyber-attacks as central to their strategies.
2. In 2010, Stuxnet, which some consider India’s first genuine cyber weapon, reportedly destroyed a fifth of Iran’s nuclear centrifuges.
3. Russia has consistently targeted the critical civil infrastructure of Ukraine, leading to a large scale disruption to the internet as pro-Russian rebels took control of Crimea (2014), taking down the election commission 3 days before Ukraine’s Presidential elections (2014), and cutting off the power supply to around 250,000 people in western Ukraine.
4. In 2007, a major cyber-attack on Estonia’s banking and communications system led to 22 days of civil unrest.

USA has established ‘cyber commands’ as part of its Air Force and Navy. There is a consensus among NATO member-nations to invoke the principle of ‘collective self-defence’ when faced with complex cyber-attacks. South Korea and Saudi Arabia are also developing systems to “retaliate” when faced with “coordinated” and “sophisticated” cyber-attacks.

While experts are divided on whether the existing framework of the law on armed conflict (LOAC) should be extended to cyber-attacks or not, there is broad agreement on distinguishing different kinds of cyber aggression.

Every act of cyberspace targeting won’t amount to an ‘attack’ so as to invoke laws governing war. Centre for Strategic and International Studies, an American think-tank, argues that merely a violation of sovereignty is not enough. To invoke the right to self-defence under international law, an aggrieved nation will have to show that a cyber attack led to ‘substantial death’ or ‘physical destruction’ so as to qualify as an ‘armed attack’.

Therefore, the threshold is understandably high. Instances of cyber espionage or data theft would ordinarily not justify action or retaliation under the law on armed conflict.

The law on armed conflict consists of rules and state practices governing decisions to go to war and how to fight a war. Over the decades, the Geneva Convention, The Hague Convention, and the UN Charter, have been used to determine what amounts to ‘war’ and what kind of retaliation can be justified.

The existing framework for law on armed conflict doesn’t envisage cyber warfare. While some experts say that cyber warfare can be read into the existing legal framework, others argue that it is inadequate and a new legal framework is required. However, there is a consensus on the threshold of ‘substantial damage’ that every cyber-attack will have to meet to qualify as an act of war.

How should the states identify whether a cyber operation meets the threshold of an armed attack? Rule 11 of the Tallinn Manual provides the following tests for states to make their force assessment:

1. Severity: scope, duration and intensity of consequences to be considered
2. Immediacy: the sooner consequences manifest, the fewer opportunities states have to seek peaceful resolution of a dispute
3. Directness: cyber operations where cause and effect are directly linked
4. Invasiveness: more secure a target cyber system, the greater the concern as to its penetration
5. Measurability of effects: the more quantifiable and identifiable the consequences, the easier it is for states to assess use of force

Unlike conventional warfare, it is extremely difficult to conclusively identify the source of a transnational cyber attack. For instance, the Stuxnet attack against Iran is largely attributed to the US and Israel, but there’s no conclusive evidence for it. Similarly, while Germany blames Russia for hacking the computer systems of its Bundestag (Parliament), Russia is able to deny it, as there isn't sufficient proof.

Then there’s a problem of ‘spoofing’. Persons initiating a cyber attack can resort to ‘spoofing’, which is falsify the identity of their server. For instance, a cyber system in Russia can initiate an attack, but while doing so, can falsify the identity of its server to suggest that the attack was routed through China. This further complicates the problem of attribution in cyber warfare.

Some scholars, however, have suggested that states can act under the laws of armed conflict, even against non-state actors. They cite post 9/11 cyber operations of the US as a ‘state practice’ that has validated the use of retaliatory force against non-state actors as well.

The Tallinn Manual puts an obligation on states to not allow their cyber-infrastructure to be used for unlawful activities against other states. This obligation applies regardless of whether an attack is attributable to a state actor or not.

Scott J. Shackelford, an expert on the law of cyber warfare, argues that there’s no need to prove complete state control to attribute a cyber attack. Even if the state had an ‘operational control’ on the cyber-infrastructure used to target other states, the attack can be attributed to it.

Once the issue of attribution is resolved, or largely agreed upon, the next step would be to assess what level of cyber counter operation would be permissible under the law of armed conflict.

Mike Schmitt, an authority on cyber warfare and international law, argues that a state can still respond to a cyber operation that doesn’t meet the threshold of ‘armed conflict’ if the said cyber operation is part of an overall operation culminating in an armed attack or is an “irrevocable step in an imminent (near-term) and probably unavoidable attack”.

Experts are divided over treating cyber warfare and conventional warfare as the same under international law. But they all recognise the potential threats that cyber warfare can pose in the future, including the prospect of what Barack Obama called the ‘cyber arms race’.

The Weapons Review of the International Committee of the Red Cross (ICRC) has asked all states to ensure that the means of cyber warfare that they acquire or use comply with the rules of LOAC that bind all states.

Vincent Boulanin and Maaike Verbruggen of the Stockholm International Peace Research Institute (SIPRI) have argued for subjecting ‘cyber capabilities’ or ‘cyber weapons’ of states to a process that periodically reviews their compliance with the law on armed conflict. Such a legal review should address the following critical aspects of a state's cyber capabilities:

1. Is it, in its normal and intended circumstances of use, likely to cause superfluous injury or would it lead to unnecessary suffering?
2. Is it by nature indiscriminate? Under International Humanitarian Law, indiscriminate attacks are prohibited.
3. Would its use be intended to, or be expected to, breach LOAC rules? The LOAC prohibits the use of certain kinds of weapons in warfare.
4. Is there any provision of a treaty or customary international law that directly addresses it?

While the prospect of a ‘cyber warfare treaty’ sounds promising, it doesn’t address the whole gamut of complexities that underpin cyber operations. For instance, the distinction between ‘offensive’ and ‘defensive’ weapons will not help in the case of ‘dual-use’ technology.

Moreover, some experts have argued for regulation instead of the complete prohibition of cyber weapons.

Also, how would a 'cyber warfare treaty' cover private players?

The framework for incorporating cyber warfare into law on armed conflict remains sketchy and under-developed, despite substantial strides being made in the recent past. While there have been frequent advancements in cyber technology, customary international law has remaining more or less static. International law must now adapt to the volatility of cyberspace.