When is a cyber attack a war crime?


On February 24, 2022, the day Russia launched its invasion of Ukraine, a cyber-attack on satellite internet service (KA-SAT) disrupted Ukraine’s military communications. The attack, which US officials attributed to Russia’s military espionage agency, crossed the Ukrainian border. It has cut off the internet for tens of thousands of people across Europe, from France to Ukraine. The internet was cut off a month after the attack on about 2,000 wind turbines in Germany.

The next day, a border control station between Ukraine and Romania was infected with a malware that scanned the data that delayed the processing of applications for refugees seeking to flee the country. The perpetrators of this attack are still unknown.

These are two of the thirty-five major cyber attacks on critical and civilian infrastructure in Ukraine that the Electronic Peace Foundation, the Geneva-based NGO, has announced on its website since the start of the war. While most of the attacks targeted military targets, public institutions and the media, civilians were also intentionally or unintentionally affected, said Bruno Halupo, chief technology officer of the organization and head of the cyber analysis department.

In this regard, attacks on civilians under international humanitarian law could amount to war crimes.

“We are monitoring the situation and gathering evidence so that if an investigation is done at some point, we will be able to provide evidence of what happened,” Halopo said. The NGO lists on its website a list of cyber attacks, provides accurate information about them and the social damage they have caused, and identifies their nature.

He added: ‘What we publish on our website is a small part of the information available to us’. He said this information is available for possible future legal action. Furthermore, the Cyber ​​Peace Foundation compiles this evidence to determine whether countries respect the international treaties they have signed, and to identify loopholes in existing legislation.

Law of War in the Digital Age

In general, international humanitarian law, also known as the law of war, imposes restrictions on the conduct of hostilities and seeks to protect civilians, health and medical personnel, wounded soldiers and prisoners of war.

It is forbidden to target civilians directly. It is also forbidden to use weapons whose effects can not be limited to military targets. This means, in the real and real world, for example, not targeting a hospital or not bombing densely populated areas. But in the digital world, things are getting more complicated.

It is very difficult to design malicious software that only harms specific systems, rather than a wide range of them, Halopo said. This is demonstrated by the hacking of the KA-SAT internet service.

The current war between Russia and Ukraine, which has spilled over into cyberspace, is also blurring the line between civilians and soldiers.

On February 26, 2022, an external connection of the Government of Ukraine invited the world’s amateur computer hackers to join its ‘IT Army’ and launch attacks on Russian targets. Since the first days of the war, ‘Anonymous’, a worldwide group of computer network hackers, has announced that they are waging an electronic war against Moscow.

Halupo suspects that many cyber warriors are already aware of what their participation in the conflict under international humanitarian law entails.

He said: “These fighters could lose their legal protection by actively participating in this conflict as civilians and without their knowledge being treated as fighters.” They are vulnerable to retaliation by the state attacking them, and they are vulnerable to possible prosecution after the war. ‘

Guardian of international humanitarian law

As the guardian of international humanitarian law, the ICRC pays close attention to the latest developments on the battlefield, communicates discreetly with states to remind them of the rules in force, and determines whether the law should change.

“We are witnessing a reality in which cyber operations are becoming more common in armed conflicts,” said Tilman Rudenhuiser, Legal Adviser to the International Committee of the Red Cross, and its cost to civilians.

International humanitarian law has crystallized in a world where cyberattacks do not yet exist. Are his rules still sufficient today?

“We can not establish new rules of armed conflict every time we see technological development,” Rudenhuiser replied.

However, some aspects of the law are still subject to interpretation. One of the oldest rules of international humanitarian law is the protection of civilian objects. For many years, it was not legal to destroy or destroy civilian data, for example, understood as classified documents kept in a paper archive. But what does the law say if that data is stored digitally?

In this regard, Rudenheuser said: “The rules of international humanitarian law do not explicitly address data protection,” adding that legal experts and states have differing views on how to apply international humanitarian law in this case.

For the ICRC, it is important for states to interpret existing legislation in such a way as to ensure that civilians and civilian infrastructure enjoy the same level of protection they have enjoyed in the past. These electronic weapons are subject to the same controls as conventional means of warfare.

“If countries conclude that data is truly targeted, as it can be destroyed or erased during armed conflict without legal consequences, then the issue becomes a real humanitarian concern, and we will have to think about creating new rules,” he said. Rudenhuiser explains.

But states must negotiate the creation of new rules of international law. Once a treaty has been established, it must be signed and ratified. It is a long and complex process, especially since the current rules of international humanitarian law are virtually binding on all states.


Leave a Comment