On 12 December, Ukraine’s largest mobile network, Kyivstar, was hit by a cyberattack that disrupted air raid sirens and stopped people from receiving text alerts warning them of Russian air assaults. The UK’s Ministry of Defence said it is probably ‘one of the highest-impact disruptive cyberattacks on Ukrainian networks’ since Russia’s full-scale invasion. A group called Solntsepyok, linked by a Ukrainian security official to Russian military intelligence, claimed responsibility for the attack.

Kyivstar Chief Executive Officer Oleksandr Komarov called the attack ‘a result of’ the war with Russia. ‘War is also happening in cyberspace. Unfortunately, we have been hit as a result of this war’, he said on Ukrainian television.

At the time of writing, Moscow hadn’t commented on the attack. A criminal investigation into the incident is ongoing in Ukraine.

A world first

The war in Ukraine illustrates that cyberattacks are now a feature of warfare, with the head of Ukraine’s State Service of Special Communications and Information Protection describing it as ‘the world’s first full-scale cyberwar’. Previous attacks have targeted the country’s energy and utility providers, and emergency services have also been affected at times, he said.

International Criminal Court [ICC or ‘the Court’] Prosecutor Karim Khan has pointed to the possibility of cyberattacks constituting war crimes, crimes against humanity, genocide and the crime of aggression. Despite cybercrimes not being mentioned specifically in the Rome Statute, ‘such conduct may potentially fulfill the elements of many core international crimes as already defined’, Khan says in an article published in Foreign Policy magazine, in which he announced the Court’s intention to investigate cybercrimes. His office has been working on a policy paper covering cybercrimes, as its initial focus.

Kubo Mačák is Professor of International Law at the University of Exeter and former legal adviser at the International Committee of the Red Cross in Geneva from 2019 to 2023. ‘Given the ongoing conflict in Ukraine and the allegations of cyber war crimes, there is an increased likelihood that such crimes could be investigated [at the ICC] in the future’, he says.

Prior to Khan’s announcement, researchers at UC Berkeley’s Human Rights Center submitted a total of five cases of Russian cyberattacks on civilian infrastructure in Ukraine to the ICC, which they believe should be investigated as possible war crimes. They argue that these are examples of attacks on civilian objects or attacks that are indiscriminate – both are prohibited under the laws of war – and show a larger-scale tactic and pattern of how Russia’s intelligence services operate.

The submission includes attacks on Ukraine’s power grid in December 2015, December 2016 and April 2022. It further includes the NotPetya malware attack in 2017 that caused over $10bn in damage and hit over 60 countries, and the attack on the Viasat satellite modem network used by Ukraine’s military on the day of the invasion, which also affected several European countries.

‘Depending on the available political will and the speed with which the ICC will build up the necessary expertise, I can imagine that such calls might translate into actual investigations in the near to mid future’, says Mačák.

Victor Zhora, Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection of Ukraine, told Politico that Ukrainian officers are sending evidence of cyberattacks conducted in coordination with conventional attacks to the Hague. He said that digital infrastructure such as power grids, data services and critical infrastructure have often been targeted in conjunction with physical strikes on targets such as power plants.

Laws of war

As with traditional means of warfare, there is apparent agreement that cyber operations in wartime are also subject to the laws of war. ‘The existing international legal framework, including the Rome Statute, does not explicitly address cyber war crimes, primarily because these laws were drafted before the advent of cyber warfare. However, many principles and rules of international law are technology-neutral and they apply to cyber operations just as they do to kinetic warfare’, says Mačák.

In an opinion concerning the legality of the threat or use of nuclear weapons, the International Court of Justice stated in 1996 that international humanitarian law (IHL) ‘applies to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future’, thereby outlawing the targeting of civilians and civilian objects, indiscriminate attacks and awarding protective status to medical services and personnel also with new means of war, such as cyber operations.

The International Committee of the Red Cross (ICRC), as ‘guardian’ of international humanitarian law, has said that ‘there is no question that IHL imposes limits on cyber operations during armed conflicts – just as on any weapon, means and method of warfare used by a belligerent in a conflict, whether new or old’.

The organisation is also of the view that if the ‘effects’ of cyber operations are similar to those caused by traditional warfare such as bombs or missiles, such actions could initiate an international armed conflict. While this view is supported by a range of states, this legal question ‘remains unsettled’, says Mačák.

Any investigations at the ICC would have to address the challenges of interpreting existing law in relation to cybercrime. Katrin Nyman-Metcalf is Adjunct Professor at the Department of Law at Tallinn University of Technology in Estonia. She says that while the interpretation of existing law and how it applies to cybercrimes can be ‘very complicated’, it is a better alternative to creating new laws as existing precedents and interpretations can help with prosecution. On top of that, she says, ‘the geopolitical situation is hardly such that new international treaties would be possible’.

Technical expertise at the Court

One of the biggest challenges when investigating cybercrimes may be to attribute the conduct to specific individuals. ‘The anonymous and complex nature of cyberspace makes it difficult to definitively trace the origins of a cyber operation and establish a clear line of command. This challenge is compounded by the high standard of proof required in criminal proceedings’, says Mačák.

The lack of physical weapons or the need to be in a specific location to conduct attacks might allow states space to deny involvement. ‘It is very easy for a state to claim that activities were only those by private citizens. The fact that you can be placed anywhere in the world and do not need to be on the territory of the aggressor makes it even more challenging to determine who is really behind an attack,’ says Nyman-Metcalf.

Another challenge includes assessing the damage of any cyberattack, to establish whether the effect of the operation is such that it would be grave enough to be prosecuted at the ICC – the Court only investigates ‘the most serious crimes’. While the effects of most cyber operations are not clearly visible, the consequences can nonetheless be far-reaching.

‘When the computers or networks of a State are attacked, infiltrated or blocked, there may be a risk of civilians being deprived of basic essentials such as drinking water, medical care and electricity. If GPS systems are paralysed, there may be a risk of civilian casualties occurring – for example, through disruption to the flight operations of rescue helicopters that save lives. Dams, nuclear plants and aircraft control systems, because of their reliance on computers, are also vulnerable to cyberattacks’, the ICRC states.

In the Tallinn Manual on the International Law Applicable to Cyber Warfare, written at the request of NATO, the authors stated that damage is caused when civilian infrastructure or a civilian network is rendered dysfunctional.

The immediate focus of the ICC might be on incidents in which both conventional and cyber means are used to overcome these challenges, according to Mačák. ‘This approach may help overcome the twin challenges of gravity and attribution. The situation in Ukraine,

Lindsay Freeman is the Director of Technology, Law and Policy at the University of California, Berkeley’s Human Rights Center, whose team urged the ICC to investigate cybercrimes committed in Ukraine. She says that some aspects of a crime – such as intent – might actually be easier to prove for cybercrimes than for atrocity crimes committed by other means. ‘If in an armed conflict a missile hits a nuclear power plant, there’s always going to be that defence of “that’s not what we were aiming for”. But with the unique nature of using cyber means and methods in warfare, there are incidents where we can show hackers were in the system doing over six months of reconnaissance’, she says.

To investigate cases involving cybercrime, Khan has said that the Court is ‘actively working to consolidate and upgrade its information systems architecture and technical capabilities’.

‘Overcoming these attribution difficulties is crucial for successful prosecution, but it requires sophisticated technical capabilities and international cooperation,’ says Mačák.

Leila Sadat is a former member of the IBA War Crimes Committee Advisory Board and Special Adviser on Crimes Against Humanity to the ICC Prosecutor from 2013 to 2023. She has previously emphasised the difficulties relating to the technological sophistication needed to identify perpetrators and the challenge of recruiting or training Court personnel with the technical expertise to work on such cases.

‘Interestingly, the more advanced the cyber world gets, it may mean that old-fashioned spying through personal relations gets all the more important, as that may be the only way to find out the real connections’, says Nyman-Metcalf.

A blurred line between civilians and combatants

The large number of civilian hackers active in places where there is armed conflict is further complicating the issue of attribution. The ICRC has said that, in particular since Russia’s full-scale invasion of Ukraine, the number of civilians involved in digital operations during armed conflict is ‘unprecedented’. Civilian hackers operating for Russia as well as Ukraine have targeted civilian objects, such as banks, hospitals and government services.

This ‘worrying trend’ has led the ICRC to create eight rules for civilian hackers to abide by, not least for their own safety. They are mostly a reiteration of some of the most important principles of international humanitarian law, such as a prohibition on targeting civilians and medical facilities, as well as on indiscriminate attacks, and the obligation to adhere to the principle of proportionality.

Despite initial scepticism, pro-Russian hacking group Killnet and the group The IT Army of Ukraine have both said they will comply with the rules, according to the British Broadcasting Corporation (BBC). Killnet has been said to have close links to Moscow, but the group itself denies this.

While most hackers are physically removed from the places where hostilities take place, the ICRC points out that their involvement in the conflict blurs the line between civilians and combatants, and thereby endangers civilians. If captured, civilian hackers won’t be treated as prisoners of war, but may be prosecuted as criminals or ‘terrorists’ instead, the aid group warns. The authors of the code of conduct also warn that violations of the rules of war could amount to war crimes.

Yola Verbruggen is a freelance journalist and can be contacted at yolav@protonmail.com

The damage caused by cyberattacks in the war in Ukraine pales in comparison with the atrocities of the fighting on the ground. But that does not mean it is not happening, or that civilians are spared.

This content was published on May 4, 2022, 09:00
Dorian Burkhalter

Dorian covers the work of international organisations based in Geneva.

On February 24, the day Russia launched its invasion of Ukraine, a cyberattack targeting the KA-SAT satellite internet service disrupted Ukraine’s military communications. The attack, which United States officials attributed to Russia’s military spy agency, spread further than Ukraine’s borders. It left tens of thousands of people across Europe, from France to Ukraine, without internet access. Some 2,000 wind turbines in Germany remained offline a month after the attack.

A day later, a border control station between Ukraine and Romania was hit by a data-wiping malware – a malicious software – that slowed the processing of refugees seeking to flee the country. The authors of that attack remain unknown.

These are two of the 35 significant cyberattacks against critical and civilian infrastructure in Ukraine that the CyberPeace Institute, a Geneva-based NGO, has recorded on its website since the start of the war. Bruno Halopeau, the organisation’s chief technology officer and head of cyber analysis, says that although most of the attacks targeted military objectives, public institutions, and the media, civilians were – intentionally or not – affected too.

Attacks against civilians may under international humanitarian law (IHL) amount to war crimes.

“We monitor the situation and collect evidence so that if at some point there is an investigation, we are in a position to provide evidence of what happened,” says Halopeau. On its website, the NGO lists and describes the cyberattacks, the societal harm they caused, and details about their attribution.

“What we publish on our website is a fraction of the information we have,” says Halopeau. That information, he says, is available for potential future legal proceedings. The CyberPeace Institute also collects this evidence to assess whether countries respect the international treaties they signed, and to identify gaps in the law.

Law of war in a digital age

International humanitarian law – also known as the law of war – imposes limits on the conduct of hostilities and seeks to protect civilians, medical personnel, wounded soldiers, and prisoners of war.

Directly targeting civilians is prohibited. Using weapons whose effects cannot be limited to military objectives is too. In the physical world, that means, for example, not targeting a hospital, or not shelling densely populated areas. But in the digital world, things get more complicated.

Halopeau says it is very difficult to design a malware that only affects specific systems and not a wide range of them. The KA-SAT internet service hack illustrates this.

The current war between Russia and Ukraine, which has spilled into cyberspace, is also blurring the line between civilians and soldiers.

On February 26, the government of Ukraine called on amateur hackers of the world to join its “IT army” and launch attacks against Russian objectives. Anonymous, a global hacker collective, declared on the first day of the war that it was engaging in a cyberwar against Moscow.

Halopeau doubts many cyber warriors are aware of what their participation in the conflict implies under IHL.

“By taking an active part in this conflict, they may unknowingly lose their legal protection as civilians and be treated as combatants. They are subject to retaliation from the state they attack and are subject to potential prosecution after the war,” he says.

Guardian of international humanitarian law

As the guardian of IHL, the International Committee of the Red Cross (ICRC) pays close attention to the latest developments on the battlefield, engages confidentially with states to remind them of the existing rules, and gauges whether the law needs to be changed.

“We see a reality in which cyber operations become more frequent in armed conflicts,” says Tilman Rodenhäuser, a legal advisor at the ICRC. “And one of the key roles of the ICRC is to emphasise the potential human cost of such operations, the potential cost to civilians.”

IHL was established in a world in which cyberattacks did not yet exist. So are its rules still fit for purpose today?

“We cannot aim for new rules of armed conflict with every technological development that we see,” answers Rodenhäuser.

But aspects of the law remain open to interpretation. One of the oldest rules of IHL is the protection of civilian objects. For many years, civilian data – understood, for example, as confidential documents held in physical archives – could not legally be damaged or destroyed. But what does the law say if the same data is stored digitally?

“The protection of data is not explicitly addressed by the rules of international humanitarian law,” says Rodenhäuser, who adds that legal experts and states have diverging views on how IHL applies in this case.

For the ICRC, it is important that states interpret the existing law in a way that civilians and civilian infrastructure enjoy the same level of protection they did in the past. And that cyber weapons are subject to the same limits as traditional means of warfare.

“If states came forward and said: no actually, data is fair game, and data can be damaged and deleted in armed conflicts without legal consequences, then that would be a real humanitarian concern, and we would have to think about new rules,” Rodenhäuser says.

But new rules of international law have to be negotiated by states. Once a treaty exists, it must be signed and ratified – a long and complicated process, especially given that the current rules of IHL bind virtually all states.

“It is key that these agreed rules are also respected with regard to cyber operations because the vast majority of what we see as a threat to civilians is actually covered by the existing rules,” says Rodenhäuser.

The international community’s stance

Knowing if and how international law – including IHL – applies to cyberspace has been the subject of many multilateral discussions at the United Nations over the past two decades.

A breakthrough came in 2013, when a Group of Governmental Experts (GGE) produced a report adopted by consensus affirming that the use by states of information technologies was subject to international law. The question of how the law applies remained open.

In 2019, a new working group open to all 193 member states was established at the UN. Its goal was to follow up on the findings of the governmental experts.

“The challenge was to bring back everybody around the table and re-establish the consensus,” says Jürg Lauber, Switzerland’s ambassador to the UN in Geneva and the former chair of the working group.

His task, Lauber says, was complicated by “increased political tensions among the big powers” and “attempts to rewrite the rules from a small group of countries”.

In the end, the working group too concluded that international law applies to cyberwarfare. But it too could not find an agreement on how to implement this.

“In substance there was progress, but it was not a huge leap. However, the support now is much broader because everybody had the opportunity to participate in the discussion,” says Lauber.

A new working group at the UN has been established for the 2021-2025 period.

“I hope that they can go further […] there’s clearly a gap between all member states agreeing on the applicability of existing international law, and what we see is happening with cybertechnology being used in an illegal way.”

War crimes?

Trying war crimes for atrocities committed on the physical battlefield is a long and difficult process that will take years. Cyberspace adds to this complexity.

Finding who is behind a cyberattack is very difficult, as they can easily be launched by proxies.

“It sometimes requires years of investigation to really understand how an attack was planned, how it was carried out, who ordered it, and to really know which individuals were behind it,” says Halopeau. Usually, real world information – if a government was involved, names of the people who worked at a certain time in a certain place, pictures, etc. – is needed to corroborate virtual traces, he adds.

“You need to combine a lot of information that is not immediately available. And this is in the best-case scenario where you more or less know that you only have one attacker,” says Halopeau.

In the war in Ukraine, nation states, but also criminal groups and individuals have conducted cyberattacks. “And then the liability of those people who took part will have to be defined and it’s going to be very complicated,” predicts Halopeau.

Halopeau thinks it is possible that some cyberattacks that have harmed civilians – such as the KA-SAT or the Ukraine-Romania border control hacks – might be of interest to the International Criminal Court (ICC), which has already launched an investigation into alleged war crimes on the ground in Ukraine. So far the ICC is not investigating cyberwarfare.

Despite the horrors, the war in Ukraine may serve as a lesson about the need to strengthen accountability processes in cyberspace, he says.

“This is one of the first conflicts where cyberattacks are used at this scale. […] So I think regarding international humanitarian law, there must be a discussion to recognize how cyberspace can be used to harm people and to prevent inappropriate behaviour.”

Edited by Imogen Foulkes.
