In a modern war, with one keystroke, you can disable the entire infrastructure of the whole city.
The media in the Russian Federation and in other countries regularly report cyber attacks on the websites of state and commercial structures. At the same time, using the expression "cyber attack" and "cyber war", different people, apparently, put different meanings in them. In this case, we use the term “cyberwar” to refer to means and methods of warfare, which are operations that are carried out by or against a computer or computer network through an information flow, and when such cyber operations are conducted within the framework of an armed conflict within the meaning of international humanitarian law (IHL ). Many of the operations, called cyber attacks, are in fact illegal information gathering, such as industrial espionage, and occur outside the framework of armed conflicts. Thus, they are not subject to IHL. The Russian Federation uses the concept of “cyberwar” and defines it in its official documents as part of a broader concept of information warfare.
WITHOUT RIGHT TO PROTECT
It may seem strange that the International Committee of the Red Cross (ICRC) is interested in the phenomenon of cyber warfare. In fact, the ICRC constantly monitors the development, use or possibility of using new technologies in armed conflicts, such as unmanned aerial vehicles and robots. He tries to assess the real or potential implications of their humanitarian application, as well as to analyze how this application is governed by IHL. In connection with the application to existing technologies of already existing legal norms, the question may also arise whether these norms are clear enough if we take into account the peculiarities of these technologies and the predictable consequences of their use in humanitarian terms. From this point of view, new technologies in the telecommunications sphere are no exception.
The ICRC is particularly concerned about the phenomenon of cyber war because of the vulnerability of cyber networks and the humanitarian consequences that cyber attacks can cause. When computers or networks of any state are attacked, there is a danger that the civilian population may lose the most necessary: drinking water, medical care and electricity. When GPS systems are put out of action, it can also lead to human casualties: for example, if there are failures in the rescue helicopter flights, on which people's survival sometimes depends. Although the military potential of cyberspace is still completely understood, it seems that such attacks on transport systems, electrical networks, or even dams or nuclear power plants are technically possible. Such attacks can have far-reaching consequences for the well-being, health and lives of hundreds of thousands of people. Thus, the responsibility of the ICRC to remind you that in the event of an armed conflict it is necessary to constantly take measures to ensure that civilians and civilian objects do not suffer. In fact, cyber warfare is subject to IHL, just like any new species weapons or methods of warfare. There is no legal vacuum in cyberspace. Like a number of other states, the Russian Federation recognized the applicability of IHL to cyberwar in several documents, in particular, in the Fundamental Principles of the State Policy of the Russian Federation in the Field of International Information Security for the Period to 2020, signed by President Putin in July 2013.
In the same year 2013, the Tallinn Manual on International Law applicable to cyberwar was published. Although the manual was prepared at the suggestion of the Joint Center for Advanced Technologies in Cyber Defense of NATO, it is not part of the NATO doctrine, but is a non-binding document drawn up by a group of experts in a personal capacity. The ICRC has contributed to the work of this group of experts and generally agrees with the wording of the norms as set out in the part on the law of cyber armed conflicts. However, exceptions are possible when, in the opinion of the ICRC, the existing IHL norm is stricter or provides greater protection than the norm set forth in the manual. Although the Tallinn leadership is regional rather than global in nature, the ICRC welcomes the fact that a discussion on this topic has taken place and, of course, hopes that the guide will be useful for further discussion by states of these difficult issues. In Russia, a negative opinion was expressed about the Tallinn leadership, since it seemed to legitimize cyber war. Of course, it was not for this that the ICRC participated as an observer in the work of the group that formed this document. Through its participation, the ICRC sought to ensure that the leadership reflected the degree of protection that IHL provides to victims of armed conflicts.
A few years ago, the Russian Federation presented to the UN the “Rules of Conduct in the Field of Ensuring International Information Security” and a draft convention on the same issue. While these documents are much broader in scope than IHL, the ICRC is pleased to note the attention that the Russian Federation has been paying to this issue for some years now. Although the importance of IHL as the main branch of law that can regulate cyber warfare needs to be confirmed, the ICRC would not want to rule out the possible need for further development of the law, which would allow it to adequately protect civilians. The solution to this question is a matter of states.
ANONYMOUS ENEMY IN UNCERTAINTY CONDITIONS
What, according to the ICRC, are the most acute problems that cyber war creates for the application of IHL?
First, anonymity. In most cases, it is difficult, if not impossible, to establish who is guilty of a cyber attack. Since, from the point of view of IHL, establishing the responsibility of states and other parties to armed conflicts is a prerequisite for ensuring justice, anonymity creates great problems. If it is impossible to establish who carried out this cyber operation, it is extremely difficult to determine whether IHL is applicable to it at all. The solution, apparently, should be sought not only and not so much in the legal as in the technical sphere.
Secondly, is it possible to consider that cyber operations represent such a level of use of force that would allow to apply IHL to them? There is no doubt that the situation can be characterized as an armed conflict, when cyber operations are used in combination with traditional kinetic weapons. However, when cyber-operation is the first and perhaps the only hostile action, can this be qualified as an armed conflict within the meaning of the Geneva Conventions of 1949 and the Additional Protocols thereto? Although no one took responsibility for operations such as Staxnet in 2010 or cyber attacks on banks or television stations in Seoul in March and June of 2013. Such questions would undoubtedly arise if it were possible to establish that these operations were carried out by states. The attack using the Stuxnet worm resulted in physical damage to the Iranian centrifuge, while the Seoul 2013 attacks did not cause any physical damage. According to the ICRC, it will be possible to determine whether IHL is applicable to a particular cyber operation in the absence of any actions using kinetic weapons based on the future practice of states on this issue.
Thirdly, in situations where IHL is applicable, the question arises of defining a “cyber attack”, an extremely important concept for the rules governing the conduct of hostilities, especially in connection with the principles of distinction, proportionality and precautionary measures in attack. The Tallinn leadership defines a cyber attack as part of the IHL as “a cyber operation, whether offensive or defensive, which, as you can reasonably expect, will cause injury or death to people, or damage to objects or result in the destruction of the latter.” However, the very essence of the issue lies in the details, namely, what is considered damage in the cyber world. After intense discussion, most experts agreed that the loss of functionality to an object could also be a damage.
The ICRC believes that if the object became unusable, it does not matter how this result was achieved. This question is very important in a practical sense, since a more restrictive interpretation of the concept of cyber attack may mean that fewer IHL rules will apply to such operations and these will be less specific rules. Thus, for example, a cyber operation leading to the loss of functionality of a civilian network will not fall under the prohibition established by IHL on direct attacks on civilians and civilian objects. In this sense, Seoul cyberattacks that occurred in March 2013 can serve as a good illustration, assuming that IHL was applicable to them (which has not been established), since several civilian networks were for some time partially or completely incapacitated, but the immediate physical there was apparently no damage.
Fourthly, we are talking about the problems that creates for the application of IHL norms aimed at protecting civilians and objects, such a phenomenon as the unity of cyberspace. There is only one cyberspace, and the same networks, routes, and cables are used by both civilian and military users. The unity of cyberspace may make it impossible to distinguish between a military and civilian computer network during a cyber attack; if such an attack is carried out, the ban on indiscriminate attacks will be violated. The use of malicious software that is uncontrollably self-replicating and damaging civil cyber networks is also prohibited. In addition, the party to the conflict must do everything possible to assess the likelihood of collateral damage to civilians and civilian networks or objects during the attack, which would be excessive in relation to the direct and specific military advantage, and, if there is such a probability, refrain from attacks. But is it possible in Cyberspace to properly assess such collateral damage, including the indirect effects of a cyber attack?
This is only a brief overview of this topic. There are many other serious problems, such as the geography of cyber conflict, the application of the law of neutrality and the concept of sovereignty, the definition of cyber weapons, and the question of whether computer data are subject to the rules governing the conduct of hostilities. These problems point to the need for extreme caution when deciding on cyber attacks and their implementation in armed conflicts in order to avoid harm to civilians and networks. These problems also show how important it is for states that develop or acquire material assets for cyber warfare, both offensive and defensive, to evaluate their legality from the point of view of IHL, as well as in the case of any other new weapons or methods of warfare. Undoubtedly, this is the only way to ensure that their armed forces and other government departments that may be affected are able to comply with the obligations of these countries under international law in the case of using cyber potential during armed conflict. The fact that more and more states are developing a technical base for conducting cyber warfare, both defensive and offensive, only increases the relevance of this topic.