The internet has undoubtedly been one of the most valuable creations enabling people to connect virtually across distances. The byproduct of this fruitful creation is consumer data, which in modern times has become a precious asset. Its misuse has the potential to affect civilian lives in unimaginable ways. Unfortunately, the exploitation of consumer data has grown manyfold in recent times. A small data breach puts a civilian’s cyber security at risk, which can eventually lead to a larger humanitarian crisis.
States and non-state actors are using this as a new tool to compete for personal benefits. As a result, warfare has proliferated in cyberspace, especially with the objective of breaching data to spy and exploit a country’s national secrets. According to the world’s cyber warfare statistics, cyber operations have increased by 440% between 2008 and 2018.
Recent examples from 2021 include operations by Iranian and Russian hackers on Japan’s Fujitsu system, the US State Department, and the Israeli medical infrastructure. These attacks stole credentials of medical officers, emails, and government files.
States across the globe are using cyberattacks as an alternative to using kinetic force. The motivation behind this is the potential of cyberattacks to create collateral damage, with minimal accountability, at very low costs. Hence, the chances of humanitarian harm have become very real.
Recognizing the proliferation of cyberattacks and their humanitarian risks, this article analyzes the applicability of International Humanitarian Law (IHL) to state-sponsored cyber operations that breach data independent of an armed conflict. It evaluates the protections available against such operations in jus in bello, while suggesting certain necessary changes that can ensure the direct applicability of IHL to cyberattacks.
IHL’s Applicability to Cyberattacks
Cyber technology developed many years after the formulation of International Humanitarian Law (IHL); hence, IHL has no direct provisions relating to cyber warfare. However, through the Martens Clause, which was made part of the Geneva and Hague Conventions, ratifying states agreed to apply IHL’s customs to unpredicted war techniques of the future. Consequently, one can argue that there is some indirect applicability of IHL to cyberattacks. But the absence of direct provisions leaves a legal lacuna that exposes civilians to the humanitarian risks of cyberattacks.
IHL fails to apply to cyberattacks happening without an ongoing armed conflict. This is because kinetic use of force is a fundamental prerequisite for invoking IHL’s provisions. There should be some nexus between a cyber operation and an armed conflict to apply IHL, as recognized by rule 80 of the Tallinn Manual 2.0 (TM). Most of the time, a nexus is absent or inexplicit. In fact, states carry out most cyber operations with a motivation to exploit this legal lacuna. It allows them to escape any accountability under international law.
Examples of such operations are the cyberattacks conducted on Estonia by the Russian military in 2007. These attacks blocked the websites of many banks, state departments, and newspapers, making it difficult for civilians to enjoy their right to freedom, speech, and information.
A similar attack happened in 2017 that affected England’s National Health Service (NHS). A hacking group targeted outdated Microsoft Windows operating systems by using a cryptoworm called “WannaCry”, based on a stolen exploit developed by the United States National Security Agency. It took four days for the NHS to recover. In both cases, despite the fact that the attackers were identified, they faced no legal repercussions.
Applying IHL’s Customs on the Threats to Cybersecurity
To apply IHL’s customs to cyberattacks, the international community must tweak the legal order by creating distinctive provisions within IHL for cyberattacks. Through an additional protocol to the Hague and Geneva Conventions, states can bypass the existing legal requirement of establishing a nexus between a cyber operation and an armed conflict.
For this, states must expand the definition of an armed conflict to the administration of inter-state hostilities through kinetic operations or cyberattacks, or both. A consensus must be reached that cyberattacks should be considered armed conflicts, which is also illustrated in rule 82 of TM.
With the aforementioned first step, some progress in this domain can be achieved. IHL’s existing customs – such as distinction, proportionality, humanity, and precaution – would be applicable to all kinds of cyberattacks. However, this will not be enough to protect data from the threats to cybersecurity under IHL. As mentioned in Article 48 of Additional Protocol 1 to the Geneva Conventions and Rule 93 of the TM, the principle of distinction shields civilians and civilian objects from attacks. Data, however, does not qualify as an object under IHL. This is also recognized under Rule 37 of the first edition of the TM.
Protecting Data under IHL
Data breaches must be curtailed as they impede the cyber security of civilians and their right to privacy, and can lead to civilian injuries. Injury to civilians due to a data breach in their cyber security is excessive in relation to the concrete and direct strategic advantage sought, which makes such attacks disproportionate under IHL.
In order to protect civilians against threats to their cybersecurity, states must adopt technical and policy measures to limit data collection to necessity thresholds. This can be done in two ways: collecting only extremely relevant data, and making data retention an exclusive right for public services like health, national registration, and social-services provision.
Moreover, technical measures like proper data encryption must be used for civilian data and privacy protection to ensure that no breach in their cyber security occurs. All states must begin with updating the technology used for humanitarian purposes. This should be a lesson learned from the aforementioned WannaCry attack of 2017, which targeted outdated operating systems.
Protective measures like firewalls should be regularly updated. Due to the internet’s global usage, cyberattacks fail to distinguish between humanitarian and military contexts. Hence, developed states, under the principle of common but differentiated responsibility, should provide funding and assistance for capacity building in developing states.
The resources and funding from developed states can be channeled by using international organizations. However, in order for this to happen, these organizations need to expand their focus on addressing cyber operations. For building global capacity in collaboration with developing states, international organizations – like the International Committee of the Red Cross (ICRC) – must identify states like Singapore that have an abundance of resources as well as little threat of conflict.
These states can then function as cyber-host states where cyber assistance cells can be set up to develop technical capacity and human resources, which can be used to assist poor countries with the restoration of humanitarian services in cyberattacks. These cells can also help identify the geographical location of a cyberattack and produce neutral reports that help international courts adjudicate on the issue. All technical and policy measures can be made binding if included as efforts to be pursued by all signatory states of the aforementioned proposed convention.
The 2017 attack on the NHS showed that while the dependence of modern medical facilities on cyber technology makes treatment efficient, it also opens possibilities for newer kinds of threats. The Covid-19 pandemic has further highlighted that even for advanced nations, impediments to the functioning of medical facilities or other essential services can have catastrophic results.
Keeping this in mind, it is essential that the international community comes together to take legal, policy, and technical measures to ensure that no state or non-state actor tries to weaponize cyberattacks, by exploiting the threats to cybersecurity, to cause humanitarian losses. IHL must ensure its continued relevance and evolution in relation to cyberattacks to ensure that humans can reap the benefits of modern technology with minimal risks of a humanitarian crisis.
The views and opinions expressed in this article/paper are the author’s own and do not necessarily reflect the editorial position of Paradigm Shift.