top of page

Protecting Civilians in Cyberwarfare: A Prerequisite for Formulating a Unanimous Framework

This article has been authored by Sarthak Gupta



Metaphorically, Cyberspace is Neiberg’s fourth dimension of war, an interactive overlay that is superimposed on and supersedes the constraints of physical reality. Nevertheless, the cyber military operations can’t be placed in equilibrium with kinetic warfare but the precedentsinter alia including cases of Estonia, Georgia, and Iran have demonstrated the potential for such warfare in cyber-reliant societies. Cyberattacks have become much more advanced, producing catastrophic quantities of destruction on a worldwide scale while utilizing just primitive, readily accessible technology. As the expansion of mobile devices, artificial intelligence, automation, and the Internet introduces new vulnerabilities, threats have continued to escalate to an unprecedented peak. The use of cyber operations during armed conflicts has established itself as a new invisible war-battle domain, which requires due deliberation, regarding its legal positions and policy, for the allied states as well as for an individual state.


Civilian in Cyberwarfare: Breaking the Ice

International Humanitarian Law [IHL] has acknowledged the emergence of new technology under Article 36 and the Protocol Additional to The Geneva Conventions, but the issue of application of IHL under Article 2 of the Geneva Conventions (‘GC’) 1949, for use of cyber operations in armed conflict remains static. The approach falls inappropriate because it overlooks non-physical negative consequences. Destruction to particular data would become a crucial aspect of proportionality and distinction analysis if data were regarded as an object under IHL, irrespective of the nature of the implications. This article reflects theKubo Maák's argument, for an evolving interpretation of IHL in order to assure adequate civilian protection against cyber operations.


This further invites the following concern, whether the pre-existing laws [IHL] are clear enough concerning the notion of “attack” and ‘data’ inter aliaincluding the foreseeability of its impact on civilians. Cyberattacks, constitutes a number of questions about how IHL should be understood. For instance, the restriction against direct attacks on civilian infrastructure and arbitrary and exaggerated attacks extends exclusively to cyber operations that amount to attacks as defined by IHL. However, under IHL, the concept of cyber-attack has not been properly defined. In author’s opinion, States must acknowledge that cyber operations that impede the functionality of infrastructure are ought to be subjected to the standards regulating attacks under IHL in order to achieve the full spectrum of legal protection provided by fundamental IHL principles.


In 2017, attempts by a UN Group of Government Experts to create rules of accountable state behavior in cyberspace came to a screeching halt due to disagreements regarding the militarization of the internet and the applicability of international humanitarian law. Nonetheless, the escalating incidence and intensity of state-sponsored cyberattacks against civilians has necessitated the establishment of defined behavioral norms.Nevertheless, the recognition viaJus in Bello and the United Nations [‘UN’]is panoramic, but the identification of the application of the law remains challenging. Thus, a transparent universal framework is a prerequisite which inter alia states sovereignty, identification of threat, combatants, force, or overflight with wider scope definitions including the principle of Law of War.


Defining Cybercrime: Back to The Drawing Board

With state-sponsored cyber espionage outfits to mass-mailing ransomware gangs, cyber offenders exist in all flavors and dimensions. Two definitions were formed during the 10th United Nations Congress on the Prevention of Crime and the Treatment of Offenders on what constitutes a cybercrime and how it differs from a computer crime. The common definitionof Cybercrime is,‘any action in which computers or networks are used as a weapon, a target, or a location for unlawful behavior’.Further, as per Article 1.1 of the Stanford Draft International Convention to Enhance Protection from Cyber Crime and Terrorism, the term ‘cybercrime’ pertains to actions committed against cyber systems. The engagement of state in cyber warfare necessitates the deployment of computer viruses or cognitive dissonance operations to attack and attempt to destroy the computers or communication infrastructure of another state. However, it is challenging to differentiate between a cybercrime and cyber warfare since hacker parties that engage in illegal hackingagainst individuals or organisations are state sponsoredto operate in cyber espionage against individuals or otherStates. For instance, the WannaCry ransomware, which took down the United Kingdom's National Health Service and disrupted hundreds of medical appointments and surgeries, was reportedlysponsored by North Korea including using tools acquired from the National Security Agency of the United States [‘US’]. Chinese authorities have deployed an unparalleled amalgamation of mass surveillance, internet censorship, DNA collection, and artificial intelligence to confine thousands of ethnic Uighurs as a preventative measure. From the US to Kenya, state-sponsored misinformation efforts have undermined democratic institutions and compromised national elections.


The intention of the perpetrators is the essential in defining characteristic of cyber terrorism. It is widely construed as the deployment of computer network technologies to destabilize critical national infrastructures including power, transportation, and government operations, or to compel or coerce a government or the civilian population. It is necessary that the United Nations General Assembly First Committee [‘First Committee’] undertakes its endeavors to protect cyberspace and essential cyber infrastructure from all kinds of cyberattacks in order to ensure civilians lives.


The ‘Framework’

To protect the civilian, the state[s] must abide by the framework; which recognizesthe principle of distinction, restraining their attacks to military objectives, and that an attack must conform to the principles of distinction, proportionality, and necessity with the principle of precautions in attack and implies Rule of Engagement. These principles are “cardinal principles'' that constitutethe 'fabric of humanitarian law' as observed by the International Court of Justice. The deterrence of the proliferation of malicious ICT tools and techniques, with strengthening the resilience of the network and guarding them at the time of cyberwarfareis yet an affirmative policy. To bring homogeneity, a National Cyber Dese Strategy with Tallinn Manual as a guiding principle is a prerequisite, following the United Nations and ITU recommendations and policies.


This framework will not only identify cyber risks and develop defense mechanisms protecting civilians, but also assist the states in formulating priorities.Building the framework of cooperation among states, wherein the ‘capacity building’ as the pillar of the framework. Furthermore, States and Committees are contemplated to go beyond the UN and begin dialogues [Voluntary norms or functioning to collaboratively construe existing rules] over the framework with IEEE Cybersecurity Initiative (CYBSI)which provides online presence for security &privacy professionals;improve the comprehension of cybersecurityand on the other hand. Internet Society (ISOC) which is dedicated to keeping the Internet open, transparent, and user-defined.World Trade Organization’s role can be defined as constructing an agreement on pledges from states on not promoting/soliciting mercenaries and attack on trade infrastructure.


Infrastructure and Data: Hang in the Balance

With substantial advancement in the legal framework, the military also necessitates equilibrium which inter aliaincludes the issue of the scope of civilian data onto civilian objects of cyberspace. Consequently, Group of Governental Experts(‘GGE’) is silent on the prescribed option to respond to cyberattacks instituted by/with state involvement which can bring more complexity to the investigation and prosecution of the attack. To come before an International Court, without a statutory provision in the state with regard to use of cyber military operation during an armed conflict, would be perplexing. To prevent proliferation into cyber war, UNIDIR experts suggest a rule that permits the afflicted states to implement onlymeasures that do not constitute the use of force in countering or striking back to a cyberattack, which are yet to be established.Some experts recommend addressing the Security Council and implementing measures in cases where the perpetrator is a Member State. This necessitates the establishment of a threshold for the level of destruction inflicted by an attack in order to rationalize specific Security Council actions, even if the impact is not exclusively physical, but rather financial or political. The afflicted state may nevertheless consider the attack a war crime, prompting a question on the right to self-defense.


Even though a single attack would not exceed a dangerous threshold, coordinated attempts to undermine a country's economy or political stability might be termed a cyberwarfare campaign. Spite of the importance to protect against and counter to cyber warfare, the First Committee has not had appropriate chance to address self-defense, appropriate countermeasures to cyberattacks that threaten national essential computer infrastructure, as well as how to minimize escalation.


Apart from the issue of differentiation [in International Law] among the notions of cyberspace, cyberterrorism, and cybercrime, ineffectiveness is definitely attributing a cyberattack to a solitary actor or in plausibly linking hacker clusters to government criminal operations by efficaciously straddling the boundaries between cybercrime and cyber warfare. The rationale forthis impotence is the repudiation of the state for a national cybersecurity mechanism. To safeguard key cyberspace-based civilian infrastructure, it is therefore essential to defend cyberspace infrastructure itself. The State’s National Cyber Security should be revitalized to lay down military operations with transparency. Drawing and acknowledging the line of authority on the Military and Police within the state will contemplate cyber warfare’s anonymous and secretive complexion.


Leviathan Assemble: The ‘time has come’

Over the past two decades, the First Committee has made the modest headway on cyber security. Despite the committee's longstanding recognition of the necessity for capacity building and international collaboration, the absence of confidence among Member States and collectively accepted cyber standards, obstructs continued development. This is complicated by the premise that half of the globe has yet to formulate national cyber security or cyber defense policies and is uninformed of the cyber dangers, they confront. It will take years to form a unanimous International guiding principle. The operative notion is a regime, and yet it is time to construct a global cybersecurity regime. Constructing a catalog of measures to respond to the issue is an enormous political and diplomatic challenge but to ensure the safety of their civilians the leviathan[s] has to overcome this challenge.Although the tangible potential outcome of a calamitous attack to break into kinetic warfare between States is difficult to ascertain, the notion that there is a vulnerability is enough to form legal framework for cyberwarfare.


Comments


bottom of page