*Megha Bhartiya

This is part two of a two-part article. Find the link to part one here.

Can the IHL regulate Cyberwars?

While there is a lack of targeted regulations, there are arguments that the IHL can fill the legal void of regulating the cyberspace. The IHL is a broad set of regulations that aims to limit the effects of armed conflicts on the basis of the humanitarian concerns that accompany them. One of the methods of reducing such effects is to limit the scope of warfare in armed conflicts. The IHL is also widely regarded as one of the most important frameworks under international law since it protects the people most vulnerable i.e., those stuck in a war-torn area.

Since the IHL limits different types of warfare and is inclusive of cyberwarfare, the argument that it may play a significant role in limiting cyber-attacks is legitimate and well-founded. The chief issue is that it only deals with armed conflicts, and hence attacks during peaceful times are left out of its ambit. Thus, cyberattacks outside of armed conflicts remain far more unregulated than those during armed conflicts. Internationally, until a country explicitly proclaims war against another, no amount of third-party speculation can make it recognized as so and thus, restricting wars-in-principle that lack formal declarations under the ambit of IHL is difficult.

Cyberattacks outside of Armed Conflicts

As discussed, a predicament arises when cyberattacks happen outside of armed conflict since they remain unregulated. The IHL only limits itself to armed conflicts. This renders it possible for State-sponsored cyberattacks to continue to cause damage without being condemned. Further, small-scale but frequent attacks on State institutions jeopardise their functioning, reduce their efficiency and induce an atmosphere of terror and anticipation for the next attack. People lose faith in the security their institutions provide and fear for their privacy since their data would be susceptible to attack at any moment, whether their country is at war or not. Thus, the IHL may be invoked to regulated cyberwar, but it fails to curb cyberattacks in their entirety since it excludes such attacks when they happen outside of armed conflicts. The global response is limited to three things – expressing solidarity, showing concern and condemning the attacks. There is no country-specific substantial response as well as no global response against the cyberattacks. Ultimately, even though Ukraine calls for a “Cyber United Nations”, which countries will support this idea remains unclear.

Consequently, there’s a pressing need to expedite the process of formulating a new regulation targeted towards international cybercrimes. This regulation must have an exhaustive definition of specific terms like “cyberspace”, “cybercrime”, “cyberattack” and “cyberwarfare”. The definitions must not be limiting and should allow for interpretation without the room to bypass the clauses or the regulation in its entirety. Most importantly, it must condemn cyberattacks irrespective of when they are conducted. A regulation with such exhaustive definitions and clauses that pertain to dynamic and difficult to trace technology would require intense deliberation. However, with reference to the Ukrainian crisis, there is a paucity of time. Even outside of it, a regulation is urgently needed to prevent attacks instead of focusing on damage control later on. Hence, the current predicament is as follows – the aforementioned regulation must be pushed for by each nation because if the ultimate goal of regulating the international cyberspace is achieved, it’ll benefit every member State. However, the cyberattacks faced by Ukraine pose a more urgent threat and waiting for a proper regulation to resolve the Ukrainian situation would be a long-haul. What we need now, is a quicker alternative solution to target Ukraine and prove tangible results. This alternative, I propose, should be to build  Task Force.

Conclusion:

Finding a Solution

In the current globalised world with expanding platform economies and states becoming increasingly dependent on digital structures for their institutions to function smoothly, it is imprudent and a rather careless mistake to ignore the importance and power that cyberspaces occupy in human life. Leaving such spaces unregulated is the second and most crucial mistake. The ultimate goal must be to devise and pass a targeted regulation that not only regulates cyberattacks during armed conflicts but also otherwise. The Russian attacks on Ukraine are an example of how countries suffer immensely due to cyberwarfare. Protecting its citizens’ rights thus acquires urgency. This urgency, in turn, eliminates the route of devising an entirely new regulation of international cybercrimes as an immediate solution since it ought to be a meticulous and time taking process. While it must be pursued actively for efficient regulation of the cyberspace in the near future, the need now is to find a quick alternative. What should then be the immediate step to reduce the damage, if not entirely solve the crisis in Ukraine and also act as an alternative solution to regulating cyberattacks?

Building a Task Force – The Alternative Path

The temporary route that the author proposes is to build a task force for the specific purpose of controlling the attacks. The task force model provides many advantages that cater to the problem at hand. While the final grouping made may have a wide ambit to help de-escalate the problems, one of its ambits can be administering technical support and investigating the damage done due to the cyberattacks on Ukraine’s mainframe. Task forces are time-bound, specialised units and are thus suitable for such a task that is seemingly isolated in nature yet, whose consequences may well be dire. The Joint Cybercrime Action Taskforce (J-CAT) of the Europol which aims to counter cybercrime within and outside EU can be taken as a template for the same. The proposed task force ought to be similar in nature to the J-CAT with respect to its objective of fighting cybercrime, but structurally it should be parallel to a UN established task force such as the Counter-Terrorism Implementation Task Force (CTITF). Additionally, countries can deliberate on the idea of invoking cyber-sanctions to keep State-sponsored attacks in check.

A recent report states that Ukraine and Poland have suffered ransomware attack that mirrored the Russian attacks. This makes it evident that the attacks on Ukraine must not be viewed in isolation, but instead be treated as a testament to the urgency of structuring the international cyberspaces. The first step towards achieving a regulated space as mentioned would be to acknowledge the insufficiency of IHL in controlling cyberattacks, largely because it only caters to armed conflict. The need now is to focus on curtailing such attacks, and the most effective immediate solution would be to build a task force for the same.

*Megha Bhartiya is a third-year student in The Rajiv Gandhi National University of Law, Patiala