CYBER-ATTACKS MAY NOW BE CONSIDERED WAR CRIMES
By Erin Patrick Owens, Executive Director, Cyber Defense Center - published March 2022, cyberdefensecenter.org/news
Can cyber-attacks during armed conflicts lead to war crime prosecution? The answer is?YES…
On March 15, according to the?Associated Press, the US Senate unanimously approved a resolution to probe Russia by seeking investigations of war crimes over the invasion of Ukraine. Although the resolution itself does not carry the force of law, it does indicate that war crime investigations will be initiated. This means that all Russia conduct in the war will be assessed. This may include cyber-attacks since they have been used as hybrid warfare tactics by Russia in this armed conflict.?
We have been discussing the ambiguous concept of Cyberwar for years with no real consensus or precedent on “how” certain aspects of this battlespace would be treated in regard to cyber-attacks provoking, instigating, or escalating conflicts. We do know that cyber-attacks may invoke NATO collective defense articles now that cyberspace has been recognized by NATO at the 2016 Warsaw Summit as the 5th battlespace for warfare - making it subject to NATO’s collective defense articles. However, we are not yet sure how NATO will attribute such attacks to nation-states when the suspect nation-state denies their involvement in cyber-attacks. The possibility for false flag operations in cyberwarfare is significantly higher than in the more traditional and observable domains of warfare such as land, sea, air, and space. This makes successful attack attribution in cyberspace a timelier and more necessary step before retaliating against the attacker. In the meantime, any cyber-attack that occurs during an armed conflict could conceivably elicit or permit response and/or counterattack as a?condicio sine qua non?(necessary condition) under international law.
If indeed such predicating events can be classified as acts of war according to NATO, it is conceivable to expect that such attacks that occur during an armed conflict could also be subject to war conduct investigations and additional scrutiny by the international community. NATO’s position on cyberspace now implies that once cyber-attacks are sufficiently attributed in connection with the armed conflict, they could also become subject to war crime prosecution and even war indemnities following the conflict. The implications of which are rather extensive. For example, the 5th battlespace may prove to span traditional armed conflict timelines in which such war reparations and crimes are assessed or considered. In the case of the current armed conflict between Russia and Ukraine, Ukraine experienced a significant number of cyber-attacks preceding the invasion by Russia that were linked to Russia at the time they occurred but were not yet considered in association with an armed conflict. According to a recent Institute for Economics (IEP) article "The Unfolding Cyberwar in Ukraine", cyber-attacks in Ukraine have been persistent for the past decade with many successfully being attributed to Russia. IEP reports Ukraine experienced nearly 3/4 of a million cyber-attacks in a span of the last 22 months alone, which is nearly 31K per month preceding the invasion (397K attacks in 2020 and 280K in the first 10 months of 2021). So now that an armed conflict could conceivably be linked to this high volume of cyber-attacks that preceded the exchange of gunfire, these cyber-attacks may now be considered in scope of post-war investigations insofar as they are deemed necessary.?
Will these potentially linked cyber-attacks be assessed for conduct against the Geneva Convention in war crime investigations? It is generally unknown at this time how war indemnity and war crime investigations will account for 5th battlespace actions. As the world considers how cyber-attacks will be treated preceding and during an armed conflict, it seems apparent that direct or indirect cyber-attacks considered in association with an armed conflict, especially where war crime conduct is under investigation, will likely fall subject to these investigations. According to the?Stanford Law School Center for Internet and Society, “unless [an attack is] very carefully designed, [any] cyberattack could be a war crime.”
War crimes are defined under the Geneva Convention of 12 AUG 1949 (view articles here). The Geneva Convention affords specific protections for armed forces conduct, medical and religious personnel, prisoners of war, civilian persons, populations, aliens within territories in conflict, internees, etc. Following World War II and the multitude of indiscriminate humanitarian and infrastructure transgressions that occurred, it became apparent to the world that there was a need to establish international legal standards for humanitarian treatment in war.?When conduct during armed conflict is suspected in violation of the Articles of the Geneva Convention, war crimes are assessed and prosecuted within the International Criminal Court. Once an investigation is initiated, war crime allegations are assessed using four principles:
1) Proportionality?- This assessment determines whether the attack was conducted in proportion to the threat.
2) Necessity–?This assessment determines whether the attack was considered necessary in the conduct of warfare.
3) Precaution?– This assessment determines the conduct of the attacker and how they minimized harm to civilians and civilian infrastructure in the course of the attack.
4) Distinction?– This assessment determines how the attacker distinguished between military and civilian targets in the conduct of the attack.
Cyber-attacks raise interesting questions in regard to how these Geneva Convention Articles will be assessed and applied. There are obvious scenarios where cyber-attacks would certainly be included in war crime assessments and investigations because of impact to populations in violation to the Geneva Convention. Other scenarios are less obvious. Let's explore some potential scenarios and how they may be perceived or investigated as war crimes:
领英推荐
Scenario 1 – Cyber-attack contaminates the water supply to subdue a city under siege
Cyber-attacks against the water supply actively supplying water to the population of a city under siege by the attackers in an armed conflict (e.g., Mariupol or Kiev Ukraine) may be considered a war crime. By attacking the water supply to subdue a city under siege, a cyber-attack could increase the amount of sodium hydroxide, also known as lye, being distributed into the water supply. The chemical is typically used in small quantities to control the acidity of water. However, at higher levels, this chemical is dangerous to consume and effectively poisons the water supply and indiscriminately targets civilians. This particular attack vector is a real-world scenario attempted recently in the United States. In Florida, according to a?Reuters?report on February 8, 2021, an attempt like this was made to contaminate the water to a Florida town with a population of about 15K citizens.
This attack is clearly a war crime.?Assessing the principles of proportion and necessity might determine that the attacker had reliable intelligence that the entire city was directly participating in hostilities and that the attack was proportionate to the threat. When assessed alone, there is a problem in that a precise definition of the term “direct participation in hostilities” which does not exist according to ICRC. This is why the principles of precaution and distinction are so important. Humanitarian aid workers and organizations, civilians, and hospitals treating armed forces and/or civilians would realistically reside within the city at the time of the attack, therefore, such an attack would reasonably be viewed as a war crime under international law as it was conducted indiscriminately. Therefore, if such an attack were carried out as a cyber-attack, it could be determined that the attackers were indeed subject to the prosecution of war crimes as combatants. The same could be said for cyber-attacks on hospitals or humanitarian aid clinics in or around territories subject to the armed conflict.
Scenario 2: Energy grid cyber-attack in armed conflict territory
According to Patrick Lin, Director, Ethics and Emerging Sciences Group, California Polytechnic State University (Cal Poly) in his article on “Why cyberattacks could be war crimes” published by the?World Economic Forum, “By taking out an energy grid, you’re not only blacking out the enemy base, but also all local civilians. You will also infect innocent computers with malware — you used them to reach the energy grid — and this seems to break a bedrock rule in the Laws of Armed Conflict: the principle of?distinction, which requires that we never target non-combatants and spare them from the effects of an attack as much as possible.”
This attack may be a war crime when other conditions are present.?This scenario would appear to be a candidate for conduct consideration as a war crime if civilian loss of life is a consequence of the attack. As an example, if such conditions were investigated in Mariupol Ukraine and it was determined that a grid failure was attributed to a cyber-attack, it would appear indiscriminate. If loss of civilian life resulted from this condition, it would likely be a consideration in the investigation. However, loss of power alone does not in and of itself constitute a war crime. Power is routinely cut off to buildings in hostage or terrorist situations. Therefore, such an attack, whether carried out as a cyber-attack or by physically cutting off power, may not alone be considered a war crime. When coupled with other conditions such as weather, temperature, food supply shortages, humanitarian aid disruption, or water shortages due to the power disruption, the attack may become subject to a war crime investigation as conditions compound toward a humanitarian crisis.?
Scenario 3: Cyber-attacks impair, divert, or disrupt humanitarian aid
It is possible that cyber-crimes occurring during an armed conflict that exploit the refugee crisis or impede humanitarian aid may be considered war profiteering or conduct that may violate the laws and customs of international humanitarian law. By usurping funds from legitimate humanitarian aid organizations, misusing humanitarian aid emblems, or disrupting humanitarian aid missions, a cyber-attack may have adverse effects on civilians and non-combatants. Whether the cyber-attack is attributed to a Russian-linked group or not, such attacks may fall subject to Geneva Convention war crime assessments following the armed conflict. Fraudsters (false humanitarian relief organizations, missions, refugees, fraudulent GoFundMe campaigns, etc.), cyber-criminal groups (malware or cyber-attacks waged against hospitals, relief organizations such as the Red Cross, or organizations providing humanitarian aid in the form of resources, logistics, transportation, energy, shelters, funding distribution, etc. to refugees or against governments that are providing asylum to refugees), and those seeking to intentionally impede relief efforts may be subject to war crime investigations. This implies that ANY illegal cyber-attack during times of war could potentially be linked or affiliated to the war under such investigations.
These attacks are not yet clearly subject to war crimes.?Indirect consequences from cyber-attacks in the form of spill over incidents (collateral damage) from these attacks are much more difficult to assess. At this time, it should be considered very likely that war crime investigations and prosecution within the International Criminal Court will take place following the conflict between Russia and Ukraine. What should be of concern to any Russian-linked hacker (whether intentional or not) is that any cyber-attack occurring during the armed conflict between Russia and Ukraine could become subject to war crime investigations and war indemnities. This could result in previously unaffiliated groups to Russia becoming affiliated by association whether intended or not. Such investigations will likely draw stronger links to Russian state or Russian-linked bad actors once their association to the armed conflict itself is assessed. Investigations could reasonably include any cyber-attack during or even leading up to the war.?
In conclusion, there is a clear distinction in the prosecution of war crimes between?combatants and noncombatants. Cyber-attacks typically involve non-combatants but may have similar consequences to those traditionally inflicted by combatants. It is therefore reasonable to consider that cyber-attacks that occur as a part of an armed conflict, even if they precede an armed conflict, may indeed fall subject to war crime conduct assessments and war indemnity. It is also reasonable that any cyber-attack that is conducted during an armed conflict may have intended or unintended consequences within the conflict and could also fall subject to these investigations.?Therefore, when armed conflicts are active, such as what we are witnessing between Russia and Ukraine, all unrelated cyber-attacks should cease as to not be unintentionally linked to the conflict. As of July 2021,?Reuters?reported the United States President signed a memorandum to create "performance controls" for cybersecurity in the country's most critical companies.” He warned of these consequences associated with cyber-attacks could span multiple battlespaces. This recent action by the United States along with the classification of cyberspace as a dimension of warfare by NATO gives further support to the possibility that cyber-attacks could indeed be subject to post-war investigations. Any cyber-attack.?
See the Cyber Defense Center News (cyberdefensecenter.org/news) for this and other related LEVEL 4 - Cyber Conflict Cyber Defense Force Posture public advisories and related articles.
By: Erin Patrick Owens, Executive Director, Cyber Defense Center