An examination of the application of the twin war principles (jus ad bellum and jus in bello) to cyber warfare.
As the world gradually evolves into a global and digital village with almost everything related to mankind connected to the internet, from sophisticated military and healthcare equipment to simple bread toasters and fridges, the world has seen a rather worrying rise in the spate of cyber attacks. In a joint publication, the United States Department of Defence defined a cyber attack as “cyberspace actions that create various direct denial effects in cyber space (i.e. degradation, disruption or destruction) and manipulation that leads to denial that is hidden or that manifests in physical domains”.
The need to cripple the information sharing capacity has always been a key factor in warfare. As far back as the 1990s, the destruction of the enemy’s computers was usually carried out as a critical operation and was assigned to the pilot of an air bomber. Cyberwarfare and cyber weapons have drifted quite drastically from being a topic of theoretical discussions to a rather practical and delicate one over a short period of time. Every year, cyber attacks continue to grow in both number and crude sophistication. As far back as 2008, a worm was found by NASA on computers at the international space station. About three months after, pentagon computers were said to have been hacked by Russia.
Incidences of state sponsored cyber attacks have increased over the years. The first worm that was discovered to possess the ability to cause acute damage was the Morris worm in 1988. The Morris worm, which was developed by Tappan Morris had the ability to slow computers down to the point of being unusable hereby leading to a denial of service attack. By 2007, the Estonian government networks experienced several denial of service attacks from “unknown foreign intruders” not long after their disagreement with Russia over the removal of a war memorial. Also, in 2008, computer networks in Georgia were hacked by “unknown foreigners” while they were in conflict with Russia. As at 2010, more sophisticated malware was already being used. Stuxnet which will later briefly be discussed in this article was designed to interfere with Siemens industrial control systems in Iran, Indonesia among other places.
In 2011, the cyber attack against government agencies in Canada forced her major agencies to disconnect from the internet. By 2012, ‘Red October’ was discovered. Hackers exploited vulnerabilities in Microsoft’s Word and Excel programs to collect information from government embassies, nuclear firms, military installations and many other critical infrastructures. 2017 has had various forms of cyber breaches. From the WannaCry ransomware attack, the Petya ransomware attack to allegations of external interference in the elections in the United States of America. One thing has however been made very clear which is that the use of cyber-attacks by nation-states is a rapidly growing trend which is not about to end soon but instead will grow in all manner of sophistication.
The Concept of Cyber Warfare
Cyberwarfare involves politically motivated offensive or defensive actions by nation states or international organizations to penetrate, attack or try to damage another nation state’s computers or information networks either to cause damage or steal sensitive information. In summary, it is basically the use and targeting of computer networks in warfare.
A typical example of the criticality of cyberwarfare can be seen in the application of the stuxnet worm. Stuxnet was a computer malware (worm) that was designed for and used by a joint operation of the United States of America and Israel to destroy Iran’s nuclear program in an operation known as “the Olympic games”. An estimate of 1000 uranium centrifuges which made up approximately 10% of their uranium feeders were destroyed by stuxnet. This greatly reduced the Uranium production capacity of Iran and led to about 30% decrease in the enrichment efficiency of Iran’s nuclear weapons being built at that time.
The WannaCry ransomware that hit the United Kingdom’s NHS early in May 2017 can also be used to buttress the implications of what might happen if there continues to be a free flow of unregulated cyber attacks in a situation of warfare. While there has been no substantial reason to perceive WannaCry as a cyber warfare weapon, its effects were also disastrous with over 300,000 computers affected in the UK alone forcing hospitals to revert to paper and pen methods or out rightly turn away patients. Not long after the WannaCry ransomware, Ukraine was hit by the Petya ransomware. Many allegations have been made by the Ukrainian government pointing at the Russian government, however, there have also been no publicly known clear evidence to back this up.
It can be deduced from the outcome of the various attacks that have happened o=ver the years that an attack on a nation’s critical infrastructure such as power plants, water system or healthcare will have crippling effects on unarmed civilians who are not direct actors of war in the event of a cyber warfare. It is quite important to point out that up until now, the entire area of cyberwarfare is largely unregulated. This article seeks to bring under scrutiny where the line should be drawn and what constitutes human rights violation in cyber warfare.
The Concepts of jus ad belum and jus in bello in the context of Cyber Warfare
The jus ad bellum is a universally accepted set of criteria that defines what exactly constitutes enough reason for a nation state to go to war. In other words, it provides a set of criteria that questions the justification or reasons for war. The jus in bello which is a principle in International Humanitarian Law (IHL) on the other hand establishes what should be acceptable and what is acceptable and what isn’t in war.
The concept of cyber warfare can be studied from the perspective of jus ad bellum which are the rules that regulate the use of armed forces by countries in relation to other countries i.e. what makes a war just. Jus ad bellum recognises the right of a nation to go to war and regulates the use of armed forces in the relationship between a country and another. It determines whether going to war is allowed and what is justified in war. Although, identification is difficult when it comes to the concept of cyberspace, Marco Rosini in his paper entitled; “World Wide Warfare- Jus ad bellum and the Use of Cyber Force” suggests that customary international law could be used to determine what constitutes a misuse and what doesn’t, when the concept of cyber warfare is concerned. Since jus ad bellum applies when armed conflict is involved and provides the right of an actor or nation to act in self defence, the question of what constitutes an armed attack in cyber operations have still remained quite unanswered till this date keeping it in mind that ‘armed’ is not the same as ‘force’. A typical gap that comes up in the question of jus ad bellum’s application in cyber warfare is the issue of it not involving a kinetic attack. Biological or chemical warfare for instance also do not involve the use of kinetic force in its application but are yet subject to both the jus in bello and jus ad bellum. It should be apparent that given advances in methods and means of cyber warfare, especially with the rate at which digital technology is evolving and in modern times, it will no longer be sufficient to apply an actor based threshold for application of the International Humanitarian Law, instead, a consequence based threshold will be more appropriate. Questions such as “will it result to mass suffering of unarmed civilians?” have to come into play and become the major deciding factor.
Jus in bello, on the other hand, regulates the behaviour or conducts of parties engaged in an armed conflict. The Jus in bello is also known as the international humanitarian law and its goals include to reduce the possibility of suffering during armed conflicts and to protect and help victims of armed conflict as much as possible. To begin with, there is no humanitarian law that has a provision which directly addresses computer network attacks or cyber warfare in general. The Tallinn Manual, however, which was created by an independent group of experts between 2009 and 2012 at the invitation of the North Atlantic Treaty Organization (NATO) Cooperative Cyber Defence Centre of Excellence apply the jus in bello principles to cyberspace by studying how international law is applicable to operations in cyber space. The Tallinn manual is, however, non-binding till this day.
Michael Schmitt argues that “all occurrences during armed conflict are subject to the application of humanitarian law principles since no void is lawless”. According to Schmitt, “since international custom” has been accepted as a source of law by virtue of Article 28 of the Statute of the International court of Justice, then there shouldn’t be any disagreement of its inapplicability based on the absence of particular general practice. His paper; “Wired Warfare: Computer Network Attack and Jus in Bello” also argues that since Jus in bello is applicable to the use of nuclear weapons in war, there is no reason it cannot be applied to cyber attacks. This argument is mainly based on conclusions from the paper; “Legality of the Threat or Use of Nuclear Weapons”. He further argues that “Humanitarian law principles apply whenever computer network attacks can be described to a state are more than merely sporadic and isolated incidents and are either intended to cause injury, death, damage or destruction (and analogous effects), or such consequences are foreseeable. This is so even though the classic armed force is not being employed.” From Schmitt’s argument, a cyber attack on a water supply system by agents of another country would implicate humanitarian law which is quite logical.
The Tallinn manual puts the responsibility of cyber operations directed against other nations either by the security agencies or individuals or groups acting under their direction on a nation. This manual also disallows the use of force in cyber operations. While there is no specific definition which clearly states what forms the use of force in the jus in bello, the writers of Tallinn Manual concluded that “any cyber operation that causes harm to individuals or damage to objects can qualify as a use of force. This does not include cyber operations that cause inconvenience or irritation”. The Tallinn manual recognises that cyber operations may constitute armed conflicts, depending on the circumstances surrounding it. At this point, it must be noted however that for jus in bello principles to preside over a cyber attack, it must form an “armed conflict”.
Other Implications
As capabilities to conduct computer network attacks increase in terms of both sophistication and availability, continued discussion is of absolute importance. We must avoid losing sight of humanitarian principles lest the possibility in warfare supplant the permissible. While the argument of armed force versus political cohesion might exist in the application of cyber warfare weapons, the major difference is the former’s physically disruptive capabilities. For example, turning off the electricity to a city to disrupt communication in another nation-state in time of warfare may be acceptable if doing so does not cause excessive civilian suffering. On the other hand, infecting a hospital’s machine with a worm and poisoning vaccinations of children may not be acceptable since that might lead to excessive civilian suffering.
Conclusion
While no cyber attack that can be categorised as “constituting an armed attack” has occurred till date, at the current rate of technological evolution, cyber attacks will reach this stage in the future. It should however be noted that since the existing law governing jus ad belum and jus in bello do not specifically address the unpopular issues that relate to cyber warfare, countries involved can potentially misrepresent the interpretation of jus ad bellum to serve national interests. Therefore, if the current International laws are to govern the applicability of cyber attacks adequately within the meaning of jus ad bellum and jus in bello, it must be subjected to further jurisprudential development and clarity else, new universally accepted laws governing cyberwarfare must be properly drawn out.
There is a need for an international agreement that deals specifically with cyber warfare and security and also corresponds with the provisions of the international laws. By international laws, we refer to the humanitarian law, human right law or a combination of these and other treaty systems. There is also a need to clearly spell out in plain and unambiguous terms, what is acceptable and what isn’t in cyber warfare.
Joel Oseiga Aleburu is a Cyber Security Analyst and currently a researcher on Self Adaptive Privacy and Security . He is interested in encryption and vulnerabilities in general. Please feel free to send your questions to joelaleburu@gmail.com or contact him on Twitter: @joeloseiga
__________
Follow us on Twitter at @thesignalng
Copyright 2017 SIGNAL. Permission to use portions of this article is granted provided appropriate credits are given to www.signalng.com and other relevant sources.