Cyber attacks let weaker countries challenge stronger ones, but it is unclear how the laws of war apply online.

In 2009, Iranian nuclear scientists noticed that some of the centrifuges at the Natanz enrichment site were spinning out of control while others were spinning too slowly. At the same time, the computers in the operating room were reporting that everything was normal.

The scientists would soon find out, when the centrifuges started exploding, that they had been attacked. The attack itself was a digital one: code planted into the system by a Dutch mole who was pretending to be a mechanic at the site. It was later attributed to the US and Israel. Over 1,000 centrifuges were ultimately unbalanced to the point that they were destroyed and Iran’s nuclear programme was set back by a year.

Once it had recovered, Iran launched waves of its own cyber attacks against American banks and Saudi Arabia’s Aramco oil company, erasing data on tens of thousands of computers. “Iranians are unusually talented in cyberwarfare for reasons we don’t fully understand,” Google Executive Chairman Eric Schmidt said after Iran’s operation.

It seems clear why countries like Iran and North Korea would focus on cyber as a new frontier for conflict: while conventionally they are far, far weaker than the US, in cyberspace they are not quite as weak. Moreover, they can take advantage of the US’ technological advancement, which comes with its own vulnerabilities. Cyberspace, for weaker powers, is a preferable arena to war on the battlefield.

War in Cyberspace

During the Cold War, the Americans invested in research and development in order to ensure they could sustain communications in case of a possible Soviet nuclear attack. The internet was created as an incidental product of this research. As such, it has always been and remains a deeply militarised phenomenon.

Cyber attacks are the preferred method of warfare for many states because they offer a domain for cheap, fast and powerful tactics that are likely to become all the more ubiquitous as our dependence on the Internet of Things grows. As there is no global cyber treaty, and the 1945 United Nations Charter and the 1949 Geneva Conventions do not mention cyber operations, it has been contested whether international law governs cyberspace at all.

This is despite an International Court of Justice Advisory Opinion on Nuclear Weapons from 1997 which states that the laws of war apply “to all forms of warfare and to all kinds of weapons” including “those of the future”.

In 2013, a consensus was reached by the international community that international law does apply in cyberspace, despite Russia and Nicaragua arguing that cyberspace is a de facto ‘legal vacuum’ until a binding legal instrument is agreed upon which governs the domain. Even still, how international law applies remains controversial.

In 2017, at meetings of the UN Group of Governmental Experts, States failed to agree on how important aspects of war law, including the right to self-defence, applied in cyberspace. Over 100 countries are developing military cyber capabilities, with some having acknowledged their use in ongoing armed conflicts. The question of how war law applies to cyber operations is therefore an incredibly important one.

Applying war law to cyber operations

There are a number of disagreements about how the cardinal principles of war law, reflected in the UN Charter and the Geneva Conventions, can be applied to cyber engagements. When it comes to the use of force, states generally agree that a cyber operation which produces comparable effects to those of a kinetic act would be prohibited under the UN Charter.

For instance, if a cyber operation causes a train collision or opens a dam above a populated area, that would be a use of force in the same way a missile attack would be. Some states also argue that loss of functionality of cyber infrastructure which does not cause any material damage would be a use of force.

Similarly, when it comes to the laws of war, the question of what constitutes an attack is debated. The International Committee of the Red Cross’ view is that the laws of war are applicable to cyber operations during an armed conflict. Therefore, the cardinal principles of distinction, proportionality, and precaution (and their attendant protections for civilians) must be complied with when conducting cyber attacks.

For instance, a cyber attack on the network for a water treatment facility that provides water to only civilian populations would violate the prohibition on intentionally directing attacks against civilians. Similarly, a computer virus that uncontrollably spreads and destroys both civilian and military networks may be an indiscriminate attack.

While ‘attacks’ is defined in the law as “acts of violence against the adversary whether in offence or in defence”, some argue that impairing the functionality of cyber infrastructure also constitutes an attack, even if it is not physically harmed. If a cyber attack makes civilian networks dysfunctional, it would be governed by the laws of war. To suggest otherwise, it is argued, would not protect civilians from the effects of hostilities.

Data as an object

One of the key issues relating to the application of the laws of war to cyber operations is whether data, an intangible thing, can be protected as a civilian ‘object’. Some argue that the object and purpose of the laws of war require an evolutive interpretation which would include data as an ‘object’ and thus give it protected status in the case of civilian data. This is especially so since arguing otherwise would mean that paper files would be protected whereas those online would not. In a day and age where so much is stored online, this would leave a protection gap. Others argue that data is not visible or tangible and therefore would not constitute an object to which protections would attach.

An interesting case study of this was provided in December 2023 when Ukraine’s military intelligence announced that it had hacked into Russia’s tax system and destroyed the entire tax database. If civilian data was an object, the destruction of this database would violate the laws of war. The contrary view would be that without physical damage, this operation would not attract the application of the laws of war, despite the fact that, as the ICRC notes, destroying essential civilian data “can quickly bring government services and private businesses to a complete standstill” and result in more civilian harm than if physical objects were destroyed.

As states build up their cyber capabilities, government datasets (be they taxes, electoral rolls, banking information, or social security) may be increasingly targeted, as Ukraine’s attack shows. War law must be applied in a way which allows for an evolutive and expansive interpretation which accounts for the technological revolution and the impact it has had on our day-to-day lives. If it does not, it may risk becoming irrelevant in the coming years, leaving greater gaps in the protection afforded to civilians.

This article by Ayesha Malik was produced with the support of the International Committee of the Red Cross (ICRC) as part of the Legally Speaking podcast series. The views expressed are the author’s own.