Megha Bhartiya* (Part I in a 2-part series)

Introduction

Russia launched its war against Ukraine on 24 February 2022 after President Putin declared a “special military operation” allowing his forces to invade Ukraine. However, this attack did not come without a warning. Russian cyber-attacks against Ukraine have been a frequent occurrence since 2014 when the former illegally annexed Crimea, but just a month prior to the February invasion, one such cyberattack came with a foreboding message for the citizens of Ukraine. This cyberattack happened on 14 January, 2022, and this time, threatening messages in different languages were displayed on Ukrainian Government websites after being hacked. Some of them read, “… be afraid and expect the worse” which in hindsight, may be seen as a warning for the upcoming invasions. The threatening messages ultimately served as simple weapons of intimidation until the warning manifested themselves in the form of missiles raining down on the city of Kyiv. The day after the messages appeared, Ukrainian defence and banking platforms were also hit by another attack. A few months later in April 2022, Microsoft released a special report detailing Russia’s cyberattacks on Ukraine which continue even now as their war persists. Ukraine continues to defend its digital framework to the best of its abilities, however, predicting cyberattacks remains a challenge and countries which are engaged in active conflicts may find it difficult to not only predict them but also defend their cyberspaces consistently. This is mainly due to two reasons – firstly, cyberattacks by virtue of involving advanced technological weapons are difficult to detect and trace, and secondly, when a country is engaged in an armed conflict via land, air, sea or all three, a major portion of their resources gets diverted towards the tangible combat instead of cautionary predictive actions to protect their cyberspaces. The current crisis in Ukraine is an example of the legal void in the international regulation of cyberspaces. This legal void is with respect to two things – lack of targeted international legal framework to prevent and prohibit cyberattacks, and second, lack of targeted international legal framework to condemn and punish such attacks after their occurrence. It further presents militarization of cyberspace as an urgent issue.

The only regulation that may be deemed useful in the context of cyberattacks is the International Humanitarian Law (IHL) and while it may apply to the Ukrainian crisis. It is important to note that only a fraction of the IHL deals with cyberattacks which is why it proves to be a minor mitigation of the bigger problem of the lack of appropriate and targeted regulations to curb cross-border cyberattacks. The issue of concern here is lack of “targeted” regulations as mentioned. The primary focus of this article is thus, to propound the insufficiency of IHL in controlling cyberwar and then propose an alternative measure to prevent cyberattacks, especially in times of peace. Additionally, the suggested alternative in the form of a proposal to build a Task Force can also help resolve the current cyber crisis in Ukraine.

Critical Appraisal: 

Understanding Cyberattacks, War & Warfare

Contrasting views exist on the terms “cyberwar” and “cyberwarfare” where some define them differently and scholars use them interchangeably. These views pertain to different constituents of such attacks and several factors that make them dynamic. Currently, reputed encyclopaedias treat “cyberwar” and “cyberwarfare” as the same entities, this includes Britannica which defines the terms as – “war conducted in and from computers and the networks connecting them, waged by states or their proxies against government and military networks in order to disrupt, destroy, or deny their use.” Though exhaustive, the one big ailment this definition suffers from is the lack of treatment of “cyberwar” and “cyberwarfare” as two separate and distinct entities. Another closely related term, “cyberattack” boasts a large variety of definitions such as “unwelcome attempts to steal, expose, alter, disable or destroy information through unauthorized access to computer systems.” by IBM, “[is] an attempt to disable computers, steal data, or use a breached computer system to launch additional attacks.” by UNISYS, or even “Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.” by CSRC and more. The lack of universal exhaustive definitions for terms addressing cyberwars and the likes is the first hurdle in the path of regulating the cyberspace. 

To resolve the same, the author wishes to propose simpler definitions that can be universally agreed upon, including for the term “cyberattacks”. A cyberattack should be construed as being different from a cyberwar, the former being, usually, an isolated one-time occurrence. On the other hand, cyberwar must be viewed as a strategically planned series of offences with the intention to either destroy or significantly damage a State’s operational capabilities. Cyberwarfare is the use of technology to cause harm for military purposes. It should include the methods, strategies and, ‘weapons’ employed during the cyberwar. Hence, the primary difference between ‘cyberwar’ and ‘cyberwarfare’ in the proposed definitions is that the latter should be viewed as a broad term used to refer to the methods and mode of war, while the former refers to the war itself. The weapons used in the digital space would naturally be unconventional, but they come with additional advantages that supersede the qualities of a physical arsenal. These include the fact that they are hard to trace back, do not have locational constraints, and are also exceptionally efficient.

Tracing Cyberwars to Platform Economies and Technological Growth

With the technological boom, new platforms have taken shape, allowing both utility and efficiency along with the benefits of convenient execution. This new era of platform economies and digital markets has become foundational to a digitally dependent world where the possibility of returning to the conventional methods of production and communication can no longer be a truly viable option for the majority. However, the more digitally dependent economies become, the more vulnerable they are to attacks on their cyberspace from a relatively advanced and technologically adept assailant. The rapid expansion of technology is accompanied by the possibilities of its misuse, and one such manifest possibility is through cyberwar as we witness today. Interestingly, such misuse is not the problem if there is a mechanism set in place to monitor, regulate, and eventually condemn such events. The lack of such mechanism poses the real threat. Currently, there are no international laws specifically targeted at regulating cyberspace. The IHL in this context covers cyberwars but is not a targeted regulation. This is because the IHL as a framework was not made with the sole objective of regulating cyberspaces and prohibiting cyberattacks, it is a broader framework which intends to mitigate the impacts of war based on humanitarian grounds. Additionally, even though it may apply to cyberwars, it only applies to armed conflict and thus even in case of cyberattacks, the IHL will only be applicable when they occur during an armed conflict. The only exception is the Budapest Convention on Cybercrime which came in force in 2004 and coordinates cybercrime investigations. The issue with this convention is that it only has 67 parties and Russia is not one of them. Russia chose to withdraw from the Convention by citing the reason that it violated its national sovereignty by allowing cross-border cyber-crime investigations.

One of the several reasons behind this absence of targeted regulation is the novelty of the technological space and its dynamism. The rapid expansion of digital platforms has increased the population that engages with the internet. This has, in turn, resulted in an increase in the population that is vulnerable to cyberattacks and whose data is susceptible to breach. Further, one can witness the growing digitalization of the health care sector with a majority of medical and even research institutions increasing their use of computers, internet and technology, in general, to make their work smooth. This would expose sensitive medical data, if unprotected, to cyber-attacks and may lead to dire consequences for the concerned patients. Even the peacekeeping forces in war-torn countries rely on technology to communicate and work effectively and are thus, susceptible to such attacks.

*Megha Bhartiya is a third-year student in The Rajiv Gandhi National University of Law, Patiala