Written by Muhammad Hanif Asror
On June 15, 2020, Indian and Chinese troops clashed for six hours in a steep section of a mountainous region in the Galwan Valley, bashing each other to death with rocks and clubs. Four months later, Mumbai faced a massive power outage that lasted for about 2 hours in some areas, from 10 am till noon and 10-12 hours in other central Mumbai areas. The power outage brought a halt to train services, while hospitals had to switch to emergency generators to keep ventilators running amid a coronavirus outbreak among India’s worst. The Maharashtra government ordered an investigation and set up three committees to probe into the matter. The Maharashtra Security and Electricity Board requested the cyber cell to become a part of this investigation. According to a report by Recorded Future, a Massachusetts-based cybersecurity company, Chinese malware was flowing into India as skirmishes continued in Galwan Valley, lying in wait in the control systems that managed electricity supply across the country. Most of the malware was not activated, meaning that only a small portion of the malware led to the power outage in Mumbai. The report attributed this activity to a China-linked threat activity group.
The Mumbai cyber blackout was not the first cyberattack that sabotages electrical failure, similar cases like Russia’s cyber blackouts of Ukraine. in December 2015, sophisticated and synchronized cyberattacks on power companies of Ukraine caused cascading outages of regional energy grids, which influenced approximately 225.000 customers. International cybersecurity analysts have stopped just short of conclusively attributing these attacks to Russia; Ukraine’s president, Petro Poroshenko, stated, “the direct or indirect involvement of secret services of Russia, which have unleashed a cyberwar against our country.”. These “blackout wars” caused by terrorist sabotage of electric grids are a new warfare category that foreshadows an existential threat towards international cybersecurity.
DEFINING CYBERWARFARE
Some may claim that cyberwarfare is not relevant to academic security studies because ‘data packets don’t hold ground’ and/or no one has ever died from a cyberattack. Although it may be true that a cyberattack (using known existing technologies) is unlikely to cause massive casualties directly, it could still serve as an effective means of political coercion or brute force. The term ‘cyberwarfare’ applies strictly to computer network operations (CNO) whose means, if not necessarily its indirect effects – are non-kinetic. Cyberwarfare is conceptualized as including only computer network attacks (CNA) with direct political and military objectives – namely, attacks with coercive intent to cause as a means to some strategic and brute force end – and computer network defense (CND). The problems faced in defining a computer network attack as a use of force are due to its fundamental characteristics, which are indirectness and intangibility within the attack. The characteristics of ‘indirectness’ in cyber-attacks, which require action to be taken by a second actor (or object) to achieve the desired result, citing as an example the manipulation of GPS satellite systems to send an opposing force’s missiles off target or the invasion towards a specific region’s electrical grids resulting into blackout within the area of the region.
THE MORAL ISSUE OF CYBERWARFARE
The relevant entities in cyberwarfare are so unusual in comparison with the ordinary objects of daily life that the only useful way of thinking about them is by analogy. The relevant cyber entities include such things as the functioning of a system, software, and, more broadly, information entities. Consequently, moral reasoning about cyberwarfare requires either the consideration of analogies with more traditional moral problems or broader, less traditionally legalistic and clearer moral theories capable of application to all possible ethical events and states of affairs. It is perhaps understandable that the traditional morality of war, and laws of war, would not want to address such vague notions as the welfare or well-being of the civilian population and harm to them. The most obvious and undebatable damage of war is on human beings as organisms: they die. Nevertheless, a cyberattack may do such extensive damage to the well-being of a populace and to the functioning of a government that it would satisfy the casus belli (just cause) requirement of reasonable criteria for morally going to war. Likewise, there would seem to be a need for additional moral reasoning and additions to international law, such that militarily unnecessary damage to non-objects, namely, the functioning of civilian informatics systems, is limited in time of war.
THE LAWS OF WAR WITHIN CYBERWARFARE
There are two separate bodies of law that apply to cyber war: “jus ad bellum” – the laws governing a decision to resort to the use of force, and “jus in bello,” the laws governing the conduct of hostilities. The use of cyberattacks is governed by “jus in bello” or the Law of Armed Conflict. These laws are derived from international conventions and treaties (such as the Hague and Geneva Conventions) and from customary international law. They set forth rules that govern the use of force during armed conflict. “Jus ad bellum” rules guide a nation’s decision as to whether an incident justifies engaging in armed conflict or triggers the provisions of the UN Charter on a nation’s right to use force in self-defense (the right of self-defense applies whether the attacker is a State actor or a non-state actor). The provisions of the UN Charter provide the legal framework for the “Jus ad bellum” and decisions on the use of force in self-defense are:
- Article 2, paragraph 4, states,
“All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” - Article 51, which states,
“Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations until the Security Council has taken measures necessary to maintain international peace and security.”
Article 51 of the UN Charter recognizes the inherent right of individual or collective self-defense of member states against any armed attack. Needless to say, it is extremely difficult to ascertain at exactly what point a computer network attack will rise to the level of an armed attack for invoking the provisions of Article 51. It is well established that self-defense is a customary law right, codified and contained in Article 51, which allows self-defense in response to an ‘armed attack’. However, the UN Charter does not provide a definition of ‘armed attack’, although, in Article 2(4), it would appear that the definition of ‘armed attack’ is dependent on the ‘scale and effects’ of an attack, which, in turn, must be sufficient enough to elevate such actions beyond the ‘mere frontier incidents’.
CONCLUSION
In conclusion, to define cyberwarfare as a state of conflict between two or more political actors characterized by the deliberate hostile and cost-inducing use of CNA against an adversary’s critical civilian or military infrastructure with coercive intent in order to extract political concessions, as a brute force measure against military or civilian networks in order to reduce the adversary’s ability to defend itself or retaliate in kind or with conventional force, or against civilian and/or military targets in order to frame another actor for strategic purposes. To trigger the right of self-defense, national authorities would need to decide if a cyber exploit constituted an armed attack. A cyber exploit that was a violation of sovereignty is by itself not sufficient. An exploit that did not directly cause substantial death or physical destruction would most likely not qualify as an armed attack.
REFERENCES
https://www.nytimes.com/2021/02/28/us/politics/china-india-hacking-electricity
MK Narayanan (2021), Forestalling a cyber Pearl Harbour, THG Publishing Private Limited, Chennai.
Oleg Ivanchenko, Eugene Brehniev, Ihor Kliushnikov, Boris Moroz (2021), Cloud Simulation and Virtualization
for Testing of Critical Energy Infrastructure Components, STARC, Ukraine.
https://www.wired.com/story/russian-hackers-attack-ukraine/
Adam P. Liff (2012) Cyberwar: A New ‘Absolute Weapon’? The Proliferation of Cyberwarfare Capabilities and
Interstate War, Journal of Strategic Studies, Princeton University, New Jersey
Randall R. Dipert (2010) The Ethics of Cyberwarfare, Journal of Military Ethics, Routledge.
James A. Lewis (2010) A Note on the Laws of War in Cyberspace, Center for Strategic & International Studies.
Charter of the United Nations Chapter I — Purpose and Principles (1945) Art. 2(4)
Charter of the United Nations Chapter VII — Action with respect to Threats to the Peace, Breaches of the Peace,
and Acts of Aggression (1945) Art. 51
Jae Sundaram (2017) Cyberwarfare and the laws of war, Journal on the Use of Force and International Law,
Routledge.