The WannaCry ransomware that hit the United Kingdom’s NHS early in May 2017 can also be used to buttress the implications of what might happen if there continues to be a free flow of unregulated cyber attacks in a situation of warfare. While there has been no substantial reason to perceive WannaCry as a cyber warfare weapon, its effects were also disastrous with over 300,000 computers affected in the UK alone forcing hospitals to revert to paper and pen methods or out rightly turn away patients. Not long after the WannaCry ransomware, Ukraine was hit by the Petya ransomware. Many allegations have been made by the Ukrainian government pointing at the Russian government, however, there have also been no publicly known clear evidence to back this up.
It can be deduced from the outcome of the various attacks that have happened o=ver the years that an attack on a nation’s critical infrastructure such as power plants, water system or healthcare will have crippling effects on unarmed civilians who are not direct actors of war in the event of a cyber warfare. It is quite important to point out that up until now, the entire area of cyberwarfare is largely unregulated. This article seeks to bring under scrutiny where the line should be drawn and what constitutes human rights violation in cyber warfare.
The Concepts of jus ad belum and jus in bello in the context of Cyber Warfare
The jus ad bellum is a universally accepted set of criteria that defines what exactly constitutes enough reason for a nation state to go to war. In other words, it provides a set of criteria that questions the justification or reasons for war. The jus in bello which is a principle in International Humanitarian Law (IHL) on the other hand establishes what should be acceptable and what is acceptable and what isn’t in war.
The concept of cyber warfare can be studied from the perspective of jus ad bellum which are the rules that regulate the use of armed forces by countries in relation to other countries i.e. what makes a war just. Jus ad bellum recognises the right of a nation to go to war and regulates the use of armed forces in the relationship between a country and another. It determines whether going to war is allowed and what is justified in war. Although, identification is difficult when it comes to the concept of cyberspace, Marco Rosini in his paper entitled; “World Wide Warfare- Jus ad bellum and the Use of Cyber Force” suggests that customary international law could be used to determine what constitutes a misuse and what doesn’t, when the concept of cyber warfare is concerned. Since jus ad bellum applies when armed conflict is involved and provides the right of an actor or nation to act in self defence, the question of what constitutes an armed attack in cyber operations have still remained quite unanswered till this date keeping it in mind that ‘armed’ is not the same as ‘force’. A typical gap that comes up in the question of jus ad bellum’s application in cyber warfare is the issue of it not involving a kinetic attack. Biological or chemical warfare for instance also do not involve the use of kinetic force in its application but are yet subject to both the jus in bello and jus ad bellum. It should be apparent that given advances in methods and means of cyber warfare, especially with the rate at which digital technology is evolving and in modern times, it will no longer be sufficient to apply an actor based threshold for application of the International Humanitarian Law, instead, a consequence based threshold will be more appropriate. Questions such as “will it result to mass suffering of unarmed civilians?” have to come into play and become the major deciding factor.
Jus in bello, on the other hand, regulates the behaviour or conducts of parties engaged in an armed conflict. The Jus in bello is also known as the international humanitarian law and its goals include to reduce the possibility of suffering during armed conflicts and to protect and help victims of armed conflict as much as possible. To begin with, there is no humanitarian law that has a provision which directly addresses computer network attacks or cyber warfare in general. The Tallinn Manual, however, which was created by an independent group of experts between 2009 and 2012 at the invitation of the North Atlantic Treaty Organization (NATO) Cooperative Cyber Defence Centre of Excellence apply the jus in bello principles to cyberspace by studying how international law is applicable to operations in cyber space. The Tallinn manual is, however, non-binding till this day.
Michael Schmitt argues that “all occurrences during armed conflict are subject to the application of humanitarian law principles since no void is lawless”. According to Schmitt, “since international custom” has been accepted as a source of law by virtue of Article 28 of the Statute of the International court of Justice, then there shouldn’t be any disagreement of its inapplicability based on the absence of particular general practice. His paper; “Wired Warfare: Computer Network Attack and Jus in Bello” also argues that since Jus in bello is applicable to the use of nuclear weapons in war, there is no reason it cannot be applied to cyber attacks. This argument is mainly based on conclusions from the paper; “Legality of the Threat or Use of Nuclear Weapons”. He further argues that “Humanitarian law principles apply whenever computer network attacks can be described to a state are more than merely sporadic and isolated incidents and are either intended to cause injury, death, damage or destruction (and analogous effects), or such consequences are foreseeable. This is so even though the classic armed force is not being employed.” From Schmitt’s argument, a cyber attack on a water supply system by agents of another country would implicate humanitarian law which is quite logical.
The Tallinn manual puts the responsibility of cyber operations directed against other nations either by the security agencies or individuals or groups acting under their direction on a nation. This manual also disallows the use of force in cyber operations. While there is no specific definition which clearly states what forms the use of force in the jus in bello, the writers of Tallinn Manual concluded that “any cyber operation that causes harm to individuals or damage to objects can qualify as a use of force. This does not include cyber operations that cause inconvenience or irritation”. The Tallinn manual recognises that cyber operations may constitute armed conflicts, depending on the circumstances surrounding it. At this point, it must be noted however that for jus in bello principles to preside over a cyber attack, it must form an “armed conflict”.
Country positions on Cyber Warfare
Different countries view and react to cyber attacks in different ways. According to the UK’s Government Communications Headquarters’ Cyber Security Operations Centre (CSOC), A cyber attack against the UK causing even minor damage would have a disastrous effect on public confidence in the government. According to a preliminary report produced by the CSOC, whose job is to continually monitor internet security, producing intelligence on botnets, denial of service attacks and other digital threats to national security, one of the problems hampering the prevention of cyber attacks is that an internationally agreed definition of cyber warfare remains elusive, with state actors making increasing use of hired criminals and ‘hacktivists’ to carry out deniable cyber attacks on their behalf. The United States Department of Defence also recognises the use of computers and the internet to conduct warfare in cyberspace as a threat to national security but also a platform for attacks.
Although the concept of cyber war is often exaggerated, there have been recent cases of conflict in which cyberwarfare has played very important roles. At the moment, there are no specific binding laws that dictate what is acceptable and what isn’t, the Tallinn manual has however put the jus ad bellum and jus in bello in a direction with regards to cyber warfare.
As capabilities to conduct computer network attacks increase in terms of both sophistication and availability, continued discussion is of absolute importance. We must avoid losing sight of humanitarian principles lest the possibility in warfare supplant the permissible. While the argument of armed force versus political cohesion might exist in the application of cyber warfare weapons, the major difference is the former’s physically disruptive capabilities. For example, turning off the electricity to a city to disrupt communication in another nation-state in time of warfare may be acceptable if doing so does not cause excessive civilian suffering. On the other hand, infecting a hospital’s machine with a worm and poisoning vaccinations of children may not be acceptable since that might lead to excessive civilian suffering.
While no cyber attack that can be categorised as “constituting an armed attack” has occurred till date, at the current rate of technological evolution, cyber attacks will reach this stage in the future. It should however be noted that since the existing law governing jus ad belum and jus in bello do not specifically address the unpopular issues that relate to cyber warfare, countries involved can potentially misrepresent the interpretation of jus ad bellum to serve national interests. Therefore, if the current International laws are to govern the applicability of cyber attacks adequately within the meaning of jus ad bellum and jus in bello, it must be subjected to further jurisprudential development and clarity else, new universally accepted laws governing cyberwarfare must be properly drawn out.
There is a need for an international agreement that deals specifically with cyber warfare and security and also corresponds with the provisions of the international laws. By international laws, we refer to the humanitarian law, human right law or a combination of these and other treaty systems. There is also a need to clearly spell out in plain and unambiguous terms, what is acceptable and what isn’t in cyber warfare.