Introduction
On 12-10-2020, in the midst of India’s standoff with the Chinese troops at the Line of Actual Control at the Indo-China border, a power grid failure was witnessed in Mumbai which reportedly stopped trains on tracks, affected hospitals and practically brought the city to a halt. While the problem was rectified in 2 hours, representatives of the State of Maharashtra prima facie expressed concerns of sabotage and involvement of foreign actors[1]; this suspicion was further supported by a publication of The New York Times[2] which was based on research conducted by Recorded Future[3], a cybersecurity firm based in the US. The report alleged that as part of a Chinese cyber campaign against India, malware had been flowing into the Indian control systems used to manage electric supply. The attack was then linked by the cybersecurity firm to a Chinese State-sponsored hacking collective known as “Red Echo”. It was reported that the extent of the cyber invasion could have been much more severe, and suspicions have arisen around the power outage being a warning, a shot across the bow to send a message to the Indian Government for pressing its claims in the armed battle. While no conclusive report was released by India against China, the allegations raise valid concerns about the increase of cyberattacks and capabilities of such attacks to inflict harm on critical infrastructure and people of the country.
Over the past years, many countries have been subject to such attacks, ranging from allegation of interference in the US elections against Russia, cyber-attacks against Estonia[4] which resulted in a shutdown of national websites, leading to violent protests and subsequent deaths[5], to the infamous “Stuxnet” virus which was planted in an Iranian nuclear facility and targeted Iran’s nuclear centrifuges, making them spin out of control and destroying nearly 1/5th of Iran’s nuclear capabilities[6].
No international precedent exists regarding the regulation and analysis of the international cyberspace and subsequently neither does any specific international legislation which regulates and analyses the international cyberspace. Scholars often apply the existing principles of international law of jus ad bellum and jus in bello to these instances. However, this is subject to different interpretations where it has even been suggested that cyber operations could never be included in these provisions, regardless of their impact.
Jus ad bellum is the principle which seeks to regulate use of force and aggression; it broadly refers to conditions, at the satisfaction of which States may resort to use of armed force. The general prohibition regarding use of force, and its exceptions namely, self-defence and UN authorisation which are established under the UN Charter of 1945[7], Articles 2(4) and 51 constitute the primary ingredients of jus ad bellum.
This article will analyse the position of cyberattacks within the ambit of the provisions of jus ad bellum and whether these attacks could trigger retaliation through a nation’s right to self-defence.
Defining Cyberwarfare
The Tallinn Manual, which is widely considered to be the most authoritative non-binding international work on cyber force defines cyberspace as “the environment formed by physical and non-physical components to store, modify, and exchange data using computer networks.”[8]. However, the definition apt for the purpose of this paper is one espoused by the US Law of War Manual[9] due to its nature as expansive as well as precise.[10] The Manual states that cyberspace as a doctrinal manner is recognised “as an operational domain in which the armed forces must be able to defend and operate, just like land, air, sea and space”. Further holding that it is a global domain consisting of interdependent infrastructure technology infrastructure networks. This definition definitively identifies cyberspace as a fifth domain of war after air, sea, land, and space.
The definition for “computer attack” by the US Department of Defense classifies it as actions taken through computers to deny, disrupt, degrade, or destroy information residing in computers and networks. This has been widely accepted and applied by various international bodies such as the North Atlantic Treaty Organisation (NATO). The Tallinn Manual under Rule 30[11] defines cyberattacks as “an offensive or defensive cyber operation which is expected to cause injury to persons and damage to property”.
Therefore, cyberattacks can simply be classified as attempts by individuals to damage computer networks or utilise computer networks to inflict damage to persons and property. The factors distinguishing it from a regular or traditional use of force or attack is that firstly, these are normally, indirect and lead to problems in ascertaining liability to a particular State. Secondly, the nature of weapons is largely intangible, which can lead to difficulty in classification as a use of force.
These factors could assist in explaining the increased reliance on cyberattacks as an alternative to conventional methods of aggression for both State and non-State actors.
Application and interpretation of jus ad bellum vis-à-vis cyberattacks
Article 2(4) of the UN Charter[12] prohibits States from threat or use of force against territorial integrity or political independence of any State and Article 51[13] establishes the right of State to act in self-defence against an armed attack.
Despite repercussions on a par with traditional forms of aggression cyberattacks are not overtly defined under international legislative provisions. A UN Report[14] stated that in respect of information technology, the “UN Charter is essential and applicable.” Additionally, in its Nuclear Weapons Advisory Opinion[15], the International Court of Justice states that the provisions of the Charter were not meant to refer to specific weaponry and are applicable to use of force, irrespective of means employed.
The Tallinn Manual under Rule 11[16] states that a cyber operation would constitute as a use of force if scale and effects are comparable to those of conventional operations rising to such a level. The Manual suggested that the factors mentioned, scale and effects are the ones which considered by the ICJ to determine when an armed attack has taken place and are subsequently relevant to classify an act as a use of force. Under Para 10 of Rule 11, the Manual goes on to suggest parameters such as, “severity, immediacy, directness, invasiveness, effects, military character and presumptive illegality”. It is subsequently also suggested in the same rule that non-destructive acts which are only committed to undermine the confidence of State would not be classifies as a use of force. The “Stuxnet” attack against Iran is possibility the best example of a cyberattack which qualified as a use of force. Additionally, if the expansionist approach is, which states that physical destruction of property is not a necessity[17], in such a situation even the Estonian hack could be qualified as a use of force as it resulted in a denial of service.
The intent of Article 2(4) is to be prohibitory in nature and the permitted responses include sanctions and actions through the UN Security Council. However, only the classification as a use of force is not enough to sustain the self-defence justification for retaliation. As per Article 51, self-defence may be exercised if the use of force crosses the threshold of an armed attack[18]. The rationale of the International Court of Justice in Nicaragua case was that for an act of force to qualify as armed attack it must achieve a certain level of severity which differentiates it from a “mere frontier attack”.[19]
Primarily three approaches have been proposed by scholars to determine when a cyberattack transcends the level of use of force into armed attack, namely, (i) instrument based; (ii) target based (strict liability); and (iii) effects based.[20]
Instrument based.— According to this approach, the force is assessed in relation to the type of weapon used. This approach is derived from a bare reading of the provisions of the Charter and under this, the more a weapon is analogous to conventional military weapons the more likely it is to be classified as an armed attack. While placing reliance on the principles of ejusdem generis (of the same kind) and noscitur a sociis (a word is known by the company it keeps)[21] an armed attack which is carried out through a computer could never be classified as an act of aggression. It is presented that this method is a rather regressive method which oversimplifies the process. If this method is utilised, then even aggressive attacks such as those which destroy nuclear centrifuges or bring down entire power grids could never be held to be an attack merely because the approach is limited to conventional weapons.
Target based.— Unlike the previous theory, this focuses on the target of the attack and suggests that any attack against a nation’s critical infrastructure, would qualify as an armed attack sufficient under Article 51 to trigger self-defence[22]. According to the US Congress, critical infrastructure encompasses a wide range of sectors from agriculture to transport. However, the author feels that this approach is in complete contrast to the previous theory and if the widely accepted definition of critical infrastructure is utilised, nearly every attack would be qualified as an armed attack. Utilising this theory would have granted Iran retaliatory action against the US, or India against China if the power grid failure is considered.
Effects based.— This approach relies on overall consequences of an attack on the victim State and states that a cyberattack which produces damage comparable to that of a kinetic attack[23] is more likely to qualify the threshold than an attack which is comparable to political or economic sanctions. Out of the 3 this is the most widely accepted theory[24].
Problems in application of jus ad bellum
While cyberattacks may be interpreted under jus ad bellum to include offensive cyber operations, the laws are still meant for traditional methods of warfare and do not cater to distinct characteristics of cyberattacks such as: (i) attribution of State responsibility; and (ii) the impossibility of anticipatory defence.
(i) While it is not a requirement under Article 51 that the act must be performed by a State, it has been held by the International Court of Justice that only acts of States could trigger self-defence[25]. In Oil Platforms (Islamic Republic of Iran v. United States of America)[26] it was opined that to invoke the right, it must be proved that not only was an armed attack present, but it was also an act of another State. In regard to this, if an attack is done by a non-State actor, the “effective control test” mentioned in Nicaragua case[27] may be utilised, which states that if the insurgent group is so reliant on the State that the State has effective control over it, then it can be classified as an actor of the State. However, the biggest problem with regard to cyberattacks is responsibility attribution[28], and even if said link is established with a non-State actor, the link to the State is nearly impossible. In all the examples of cyberattacks mentioned this in paper, from Estonia to Iran, no defence could be invoked since no reliable link was effectively established.
(ii) According to Article 51, right to self-defence can only be triggered when an act has occurred and not as a pre-emptive measure. Self-defence can effectively not be used before the attack has been committed and when the Bush administration tried to make an argument against this to sustain the invasion of Iraq, the UN disregarded it[29].
The issue with this with regard to cyberattacks is that they can very often not be predicted either due to the seconds it takes to implement the act or due to the presence of malware which may lay dormant inside systems for a long time before they are activated. Even if the State is able to intercept the attack and is able to identify the attacker State and launch a counter-attack, such an evaluation may well turn out to be inaccurate which would result in the State becoming an aggressor.
Conclusion
Over the years, many such attacks have been alleged to be cyberattacks but as of today, none have ever been conclusively classified as one. The theories regarding application of laws to cyberattacks have various disputed views and the laws at present do not adequately address the distinctive attributes of cyberattacks. Subsequently, the laws of jus ad bellum can be manipulated by States to justify their actions such as has been pointed out regarding pre-emptive self-defence and there can be innumerable problems in ascertaining liability even if the perpetrator is found.
With the evolution of technology and increased dependence on such technology, there has been an increase on cybercrimes as well. And this is bound to increase in the coming future. Therefore, if international law has to interpret cyberattacks in a proper manner it must be subject to further legislative and judicial development where the present and possibly future technologies are adequately accounted for. The Tallinn Manual could be good starting point for the creation of such a binding legislative provision.
† BBA LLB 3rd year student at Jindal Global Law School. Author can be reached at 18jgls-aryan.d@jgu.edu.in.
[1] Maharashtra Cyber Police Suspects Cyber-Attack Behind Mumbai Power Outage (2-3-2021). Retrieved from <https://www.hindustantimes.com/cities/mumbai-news/maharashtra-cyber-police-suspects-cyber-attack-behind-mumbai-power-outage-101614654439868.html>.
[2] Sanger, D., and Schmall, E., China Appears to Warn India: Push too Hard and the Lights Could Go Out (28-2-2021). Retrieved from <https://www.nytimes.com/2021/02/28/us/politics/china-india-hacking-electricity.html>.
[3] China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions (24-3-2021). Retrieved from <https://www.recordedfuture.com/redecho-targeting-indian-power-sector/>.
[4] Fake News and Botnets: How Russia Weaponised the Web (2-12-2017). Retrieved on 13-4-2021 from<https://www.theguardian.com/technology/2017/dec/02/fake-news-botnets-how-russia-weaponised-the-web-cyber-attack-estonia>.
[5] Fake News and Botnets: How Russia Weaponised the Web (2-12-2017).
[6] Shubert A., Cyber Warfare: A Different Way to Attack Iran’s Reactors, CNN.com.
[7] Charter of the United Nations, 24-10-1945.
[8] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Michael N. Schmitt ed., 2013) (prepared by the International Group of Experts) (Member of the International Group of Experts).
[9] Department of Defense, Law of War Manual, United States of America, June 2015.
[10] Vaibhav Chaurasia (2017), Cyber Warfare and Laws of War, (LLM dissertation NLU Delhi).
[11] Charter of the United Nations.
[12] UN Charter, Art. 2, para 4.
[13] UN Charter , Art. 51.
[14] UNGA, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc. A/68/98.
[15] Legality of the Threat or Use of Nuclear Weapons, 1996 ICJ Rep 226.
[16] Charter of the United Nations.
[17] Titiriga, Remus, Cyber-Attacks and International Law of Armed Conflicts; a “Jus Ad Bellum” Perspective (19-10-2011), Journal of International Commercial Law and Technology, Vol. 8 No. 3 (July 2013), pp. 179-189, Milton Campos, 2014, v. 27.
[18] Holmberg E.J., (2015) Armed Attacks in Cyberspace: Do They Exist and Can They Trigger the Right to Self-Defence? (Thesis in International Law, Faculty of Law, Stockholm University).
[19] Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), 1986 ICJ 14.
[20] Hollis, D.B. (2007), Why States Need an International Law for Information Operations, Lewis & Clark Law Review, 11.
[21] Nguyen, R. (2013), Navigating “Jus Ad Bellum” in the Age of Cyber Warfare, California Law Review, 101(4), 1079-1129.
[22] Nguyen, R. (2013), Navigating “Jus Ad Bellum” in the Age of Cyber Warfare, California Law Review, 101(4), 1079-1129.
[23] Taşdemir, Fatma and Albayrak, Gökhan, The Law of Cyber Warfare in Terms of Jus Ad Bellum and Jus in Bello: Application of International Law to the Unknown? (23-12-2017) E-Journal of Law, Forthcoming.
[24] Hollis, D.B. (2007), Why States Need an International Law for Information Operations, Lewis & Clark Law Review, 11.
[25] Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion, 2004 ICJ Rep 126; Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America),1986 ICJ 14; Barnett, S. (2-9-2016), Applying Jus Ad Bellum in Cyberspace. Retrieved from <https://www.e-ir.info/2016/09/01/applying-jus-ad-bellum-in-cyberspace/>.
[26] 2003 ICJ Rep 4.
[27] Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), 1986 ICJ 14.
[28] Holmberg E.J., (2015) Armed Attacks in Cyberspace: Do They Exist and Can They Trigger the Right to Self-Defence? (Thesis in International Law, Faculty of Law, Stockholm University).
[29] UN Doc. A/59/565.
