The “Tallinn Manual on the International Law Applicable to Cyber Warfare”, which was the result of a project initiated by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), defines cyberwarfare as “the use of cyber operations by states or state-like entities as a means to conduct hostilities or armed conflict. It encompasses the deliberate and systematic use of cyber capabilities to disrupt, damage, or destroy computer systems, networks, or information, with the objective of achieving military or strategic goals.” The Manual also acknowledges that a variety of actions, such as intelligence gathering, espionage, destruction of vital infrastructure, economic sabotage, and the targeting of military systems and capabilities, can be part of cyber warfare. It emphasizes how governments may employ cyber tools in both offensive and defensive operations to obtain a tactical or strategic edge in conventional military operations. These cyber tools may include malware, DOS, DDOS, APTs, Zero-day exploits among other things. However, it is crucial to remember that the Tallinn Manual is a scholarly publication and does not have legal authority.
In the realm of cyber operations, various types of cyber tools are utilized, each serving distinct purposes. However, among the multitude of cyber operations, cyber espionage and cyber terrorism stand out as the most prevalent applications of these tools. These two cyber operations are discussed in detail ahead.
Cyber espionage involves the covert acquisition of sensitive information through digital means, often orchestrated by state-sponsored actors or intelligence agencies. Political and diplomatic intelligence gathering is a primary objective of cyber espionage. One of the major aims of cyber espionage is targeting political parties and diplomatic institutions, state-sponsored actors seek strategic information to influence policies and gain advantages in international relations, leveraging insights into foreign policies, negotiation strategies, and internal discussions.
Another critical facet of cyber espionage is the theft of military and defense secrets. Cyber attackers aim to infiltrate foreign nations and acquire classified information on military capabilities, operations, weapons systems, and national security strategies. The stolen data provides valuable insights into vulnerabilities, potential adversaries, and defense capabilities, granting an edge in future conflicts. Moreover, Intellectual property theft is also a prominent goal of cyber espionage, targeting corporations and research institutes. By infiltrating these entities, cyber actors can steal trade secrets and technological advancements, enabling economic and competitive advantages. The acquired intellectual property can be used to replicate innovations, undercut markets, or bypass costly research and development efforts.
A notable example of cyber espionage is the deployment of Pegasus spyware by the Israeli company NSO Group. Pegasus facilitated unauthorized surveillance of targeted individuals, including activists, journalists, and political opponents. The spyware’s capabilities allowed for the collection of sensitive information and monitoring of communications, highlighting the intrusive nature of cyber espionage activities.
Cyber terrorism refers to the malicious use of cyber tools to create fear, disrupt critical infrastructure, and inflict harm on individuals, organizations, or even entire nations. Cyber terrorists employ tactics such as launching destructive malware, conducting Distributed Denial of Service (DDoS) attacks, or targeting key systems to cause chaos and compromise societal stability. One facet of cyberterrorism involves targeting critical infrastructure, aiming to disrupt systems that control essential services such as power grids, transportation networks, or financial institutions. By infiltrating and compromising these systems, cyber terrorists can cause widespread chaos, economic disruption, and jeopardize public safety. Another alarming dimension of cyberterrorism is the utilization of online platforms for recruitment and radicalization purposes. Extremist groups leverage the internet’s reach and anonymity to recruit individuals, propagate extremist ideologies, and incite violence. This cyber-enabled radicalization can lead to individuals carrying out acts of terrorism or violence in support of their extremist causes.
An example of cyberterrorism is the Stuxnet worm, a sophisticated computer malware jointly developed by the United States and Israel. Stuxnet specifically targeted Iran’s nuclear program, aiming to sabotage its centrifuges. The malware caused physical damage to the centrifuges, exemplifying the potential of cyberterrorism to impact physical infrastructure and disrupt critical operations.
Regulatory Challenges of Cyberwarfare to IHL
The emergence of cyberwarfare presents significant regulatory challenges for the application of International Humanitarian Law (IHL). One of the primary challenges is attribution, as cyber- attacks are often conducted anonymously or through sophisticated techniques that make it difficult to determine the specific actors or states responsible. This attribution gap hinders the establishment of accountability under IHL, as it becomes challenging to assign responsibility for violations or breaches of the law.
Additionally, the issue of national jurisdiction further complicates the regulatory landscape. According to international law, state responsibility is typically determined by national jurisdiction. However, cyber-attacks can originate from various locations worldwide, and the involvement of non-state actors adds another layer of complexity. If the entity responsible for launching a cyber- attack is within a state’s national jurisdiction, that state can be held responsible under international law. However, in cases where cyber-attacks are launched from outside a state’s jurisdiction or by non-state actors, the application of traditional principles of state responsibility becomes less clear- cut.
Furthermore, the dynamic nature of cyberwarfare necessitates the development of new norms and frameworks within IHL. Traditional rules of armed conflict may not adequately address the unique challenges presented by cyber operations. The digital domain introduces complexities such as anonymity, rapid technological advancements, and the potential for far-reaching consequences. To ensure compliance with IHL in the context of cyberwarfare, there is a need to adapt existing legal frameworks and develop specific norms that address issues such as targeting, proportionality, and distinction in cyberspace.
Applying International Law to Cyber Warfare
As nations grapple with the challenges posed by cyber warfare, it becomes crucial to assess its implications within the framework of international law. Warfare conducted in cyberspace can be governed by the established principles of jus ad bellum and jus in bello, which guide the justifiability and conduct of armed conflict. Additionally, the Marten’s Clause provides flexibility in applying legal principles to evolving situations, such as the challenges posed by new forms of warfare like cyber warfare.
Jus ad Bellum & Jus in Bello
Jus ad bellum principles guide the assessment of cyber-attacks based on their effects, intent, and consequences to determine if they constitute a use of force. Qualifying factors include substantial harm, infrastructure disruption, and the potential national security threat. When a cyber-attack meets the criteria of use of force, the right of self-defense in line with Article 51 of International Humanitarian Law can be invoked in response. However, determining the use of force in cyber- attacks is complex, requiring case-by-case analysis and consideration of evolving legal considerations. The unique nature of cyber-attacks blurs traditional boundaries, making it challenging to apply existing legal frameworks to the digital realm. As the cyber threat landscape continues to evolve, international legal frameworks are adapting to address these challenges, including clarifying thresholds for self-defense and determining appropriate responses. Effective analysis of cyber-attacks within jus ad bellum necessitates a comprehensive evaluation while considering the evolving nature of cyberspace and the complexities of cyber threats.
Jus in bello principles play a crucial role in guiding the response to cyber-attacks. The first principle is proportionality, which requires that the response to a cyber-attack should be commensurate with the harm suffered. It emphasizes the importance of avoiding excessive or disproportionate retaliation, ensuring that the response is proportionate to the severity of the initial attack. The second principle is the distinction between military and civilian targets. In the face of a cyber-attack, it is imperative to maintain this distinction and refrain from targeting civilian infrastructure or non-combatant entities. This principle seeks to minimize harm to civilian populations and reduce the impact of cyber-attacks on innocent individuals and non-military entities. Lastly, the prohibition of unnecessary suffering is a fundamental principle that should be respected in the response to cyber-attacks. It prohibits the use of means or methods that cause unnecessary harm or suffering. This principle underscores the importance of conducting cyber operations in a manner that avoids undue harm and unnecessary suffering, even when responding to an attack.
Marten’s Clause, an important component of international humanitarian law, is relevant to cyber warfare. It allows for the application of legal principles even in situations where specific regulations are absent stating that the principles of public conscience and humanity should be the guiding notions in framing appropriate application of the IHL. In the context of cyber warfare, the Marten’s Clause emphasizes that the lack of explicit provisions does not grant immunity for actions that violate humanitarian principles. This clause provides flexibility in interpreting existing norms to address the unique challenges of cyberspace. It enables legal actors to assess cyber-attacks and ensure compliance with fundamental principles such as distinction, proportionality, and the prohibition of unnecessary suffering. By invoking the Marten’s Clause, the international community can adapt existing legal frameworks to govern cyber-operations, bridging the regulatory gap and upholding humanitarian standards in this evolving domain.