Cyberattacks as war crimes

Yola Verbruggen, IBA Multimedia Journalist
Wednesday 10 January 2024

Russia’s invasion of Ukraine has shown the potential for very serious consequences from cyberattacks on energy providers and emergency services.

On 12 December, Ukraine’s largest mobile network, Kyivstar, was hit by a cyberattack that disrupted air raid sirens and stopped people from receiving text alerts warning them of Russian air assaults. The UK’s Ministry of Defence said it is probably ‘one of the highest-impact disruptive cyberattacks on Ukrainian networks’ since Russia’s full-scale invasion. A group called Solntsepyok, linked by a Ukrainian security official to Russian military intelligence, claimed responsibility for the attack.

Kyivstar Chief Executive Officer Oleksandr Komarov called the attack ‘a result of’ the war with Russia. ‘War is also happening in cyberspace. Unfortunately, we have been hit as a result of this war’, he said on Ukrainian television.

At the time of writing, Moscow hadn’t commented on the attack. A criminal investigation into the incident is ongoing in Ukraine.

The world’s first

The war in Ukraine illustrates that cyberattacks are now a feature of warfare, with the head of Ukraine’s State Service of Special Communications and Information Protection describing it as ‘the world’s first full-scale cyberwar’. Previous attacks have targeted the country’s energy and utility providers, and emergency services have also been affected at times, he said.

International Criminal Court [ICC or ‘the Court’] Prosecutor Karim Khan has pointed to the possibility of cyberattacks constituting war crimes, crimes against humanity, genocide and the crime of aggression. Despite cybercrimes not being mentioned specifically in the Rome Statute, ‘such conduct may potentially fulfill the elements of many core international crimes as already defined’, Khan says in an article published in Foreign Policy magazine, in which he announced the Court’s intention to investigate cybercrimes. His office has been working on a policy paper covering cybercrimes, as its initial focus.

Kubo Mačák is Professor of International Law at the University of Exeter and former legal adviser at the International Committee of the Red Cross in Geneva from 2019 to 2023. ‘Given the ongoing conflict in Ukraine and the allegations of cyber war crimes, there is an increased likelihood that such crimes could be investigated [at the ICC] in the future’, he says.

Prior to Khan’s announcement, researchers at UC Berkeley’s Human Rights Center submitted a total of five cases of Russian cyberattacks on civilian infrastructure in Ukraine to the ICC, which they believe should be investigated as possible war crimes. They argue that these are examples of attacks on civilian objects or attacks that are indiscriminate – both are prohibited under the laws of war – and show a larger-scale tactic and pattern of how Russia’s intelligence services operate.

The submission includes attacks on Ukraine’s power grid in December 2015, December 2016 and April 2022. It further includes the NotPetya malware attack in 2017 that caused over $10bn in damage and hit over 60 countries, and the attack on the Viasat satellite modem network used by Ukraine’s military on the day of the invasion, which also affected several European countries.

‘Depending on the available political will and the speed with which the ICC will build up the necessary expertise, I can imagine that such calls might translate into actual investigations in the near to mid future’, says Mačák.

Victor Zhora, Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection of Ukraine, told Politico that Ukrainian officers are sending evidence of cyberattacks conducted in coordination with conventional attacks to the Hague. He said that digital infrastructure such as power grids, data services and critical infrastructure have often been targeted in conjunction with physical strikes on targets such as power plants.

The laws of war

As with traditional means of warfare, there is apparent agreement that cyber operations in wartime are also subject to the laws of war. ‘The existing international legal framework, including the Rome Statute, does not explicitly address cyber war crimes, primarily because these laws were drafted before the advent of cyber warfare. However, many principles and rules of international law are technology-neutral and they apply to cyber operations just as they do to kinetic warfare’, says Mačák.

In an opinion concerning the legality of the threat or use of nuclear weapons, the International Court of Justice stated in 1996 that international humanitarian law (IHL) ‘applies to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future’. The prohibitions on targeting civilians and civilian objects and on indiscriminate attacks, and the protective status awarded to medical services and personnel, therefore also hold for new means of war, such as cyber operations.

The International Committee of the Red Cross (ICRC), as ‘guardian’ of international humanitarian law, has said that ‘there is no question that IHL imposes limits on cyber operations during armed conflicts – just as on any weapon, means and method of warfare used by a belligerent in a conflict, whether new or old’.

The organisation is also of the view that if the ‘effects’ of cyber operations are similar to those caused by traditional warfare such as bombs or missiles, such actions could initiate an international armed conflict. While this view is supported by a range of states, this legal question ‘remains unsettled’, says Mačák.

Any investigations at the ICC would have to address the challenges of interpreting existing law in relation to cybercrime. Katrin Nyman-Metcalf is Adjunct Professor at the Department of Law at Tallinn University of Technology in Estonia. She says that while the interpretation of existing law and how it applies to cybercrimes can be ‘very complicated’, it is a better alternative to creating new laws as existing precedents and interpretations can help with prosecution. On top of that, she says, ‘the geopolitical situation is hardly such that new international treaties would be possible’.

Technical expertise at the Court

One of the biggest challenges when investigating cybercrimes may be to attribute the conduct to specific individuals. ‘The anonymous and complex nature of cyberspace makes it difficult to definitively trace the origins of a cyber operation and establish a clear line of command. This challenge is compounded by the high standard of proof required in criminal proceedings’, says Mačák.

The lack of physical weapons or the need to be in a specific location to conduct attacks might allow states space to deny involvement. ‘It is very easy for a state to claim that activities were only those by private citizens. The fact that you can be placed anywhere in the world and do not need to be on the territory of the aggressor makes it even more challenging to determine who is really behind an attack,’ says Nyman-Metcalf.

Another challenge is assessing the damage caused by a cyberattack, to establish whether the effect of the operation is grave enough to be prosecuted at the ICC – the Court only investigates ‘the most serious crimes’. While the effects of most cyber operations are not clearly visible, the consequences can nonetheless be far-reaching.

‘When the computers or networks of a State are attacked, infiltrated or blocked, there may be a risk of civilians being deprived of basic essentials such as drinking water, medical care and electricity. If GPS systems are paralysed, there may be a risk of civilian casualties occurring – for example, through disruption to the flight operations of rescue helicopters that save lives. Dams, nuclear plants and aircraft control systems, because of their reliance on computers, are also vulnerable to cyberattacks’, the ICRC states.

In the Tallinn Manual on the International Law Applicable to Cyber Warfare, written at the request of NATO, the authors stated that damage is caused when civilian infrastructure or a civilian network is rendered dysfunctional.

To overcome these challenges, the immediate focus of the ICC might be on incidents in which both conventional and cyber means are used, according to Mačák. ‘This approach may help overcome the twin challenges of gravity and attribution. The situation in Ukraine,

Lindsay Freeman is the Director of Technology, Law and Policy at the University of California, Berkeley’s Human Rights Center, whose team urged the ICC to investigate cybercrimes committed in Ukraine. She says that some aspects of a crime – such as intent – might actually be easier to prove for cybercrimes than for atrocity crimes committed by other means. ‘If in an armed conflict a missile hits a nuclear power plant, there's always going to be that defence of “that's not what we were aiming for”. But with the unique nature of using cyber means and methods in warfare, there are incidents where we can show hackers were in the system doing over six months of reconnaissance’, she says.

To investigate cases involving cybercrime, Khan has said that the Court is ‘actively working to consolidate and upgrade its information systems architecture and technical capabilities’.

‘Overcoming these attribution difficulties is crucial for successful prosecution, but it requires sophisticated technical capabilities and international cooperation,’ says Mačák.

Leila Sadat is a former member of the IBA War Crimes Committee Advisory Board and Special Adviser on Crimes Against Humanity to the ICC Prosecutor from 2013 to 2023. She has previously emphasised the difficulties relating to the technological sophistication needed to identify perpetrators and the challenge of recruiting or training Court personnel with the technical expertise to work on such cases.

‘Interestingly, the more advanced the cyber world gets, it may mean that old-fashioned spying through personal relations gets all the more important, as that may be the only way to find out the real connections’, says Nyman-Metcalf.

A blurred line between civilians and combatants

The large number of civilian hackers active in places where there is armed conflict is further complicating the issue of attribution. The ICRC has said that, in particular since Russia’s full-scale invasion of Ukraine, the number of civilians involved in digital operations during armed conflict is ‘unprecedented’. Civilian hackers operating for Russia as well as Ukraine have targeted civilian objects, such as banks, hospitals and government services.

This ‘worrying trend’ has led the ICRC to create eight rules for civilian hackers to abide by, not least for their own safety. They are mostly a reiteration of some of the most important principles of international humanitarian law, such as a prohibition on targeting civilians and medical facilities, as well as on indiscriminate attacks, and the obligation to adhere to the principle of proportionality.

Despite initial scepticism, pro-Russian hacking group Killnet and the group The IT Army of Ukraine have both said they will comply with the rules, according to the British Broadcasting Corporation (BBC). Killnet has been said to have close links to Moscow, but the group itself denies this.

While most hackers are physically removed from the places where hostilities take place, the ICRC points out that their involvement in the conflict blurs the line between civilians and combatants, and thereby endangers civilians. If captured, civilian hackers won’t be treated as prisoners of war, but may be prosecuted as criminals or ‘terrorists’ instead, the aid group warns. The authors of the code of conduct also warn that violations of the rules of war could amount to war crimes.

Yola Verbruggen is a freelance journalist and can be contacted at yolav@protonmail.com
