Welcome to our blog, the Human Righter. We shed light on contemporary human rights issues and comment on human rights developments. We dig deep into our focus areas within human rights, discuss SDGs and human rights. You will also find book reviews and analyses of new laws.
The past few months, leaders in Ukraine have shared information about Russian cyberattacks with the International Criminal Court (ICC). Ukraine hopes that ICC will investigate some of them as war crimes. However, the ICC has not yet investigated cyberattacks. But as cyberspace becomes more and more intertwined with all kinds of activities, the question of cybercrimes as war crimes is increasing in importance.
We talked to Tallinn University of Technology Adjunct Professor of Law, Katrin Nyman Metcalf to find out more. Katrin has been working for several decades on various topics where law and technology meet, not least cyberspace issues.
What is a cyber war crime? When would a cyberattack be considered a war crime?
There are rules about starting war (jus ad bellum) and rules that apply in war (jus in bello) or humanitarian law.
Many people find laws about warfare surprising – if relations have broken down to such an extent that states are at war, how can law have any importance? Rules to mitigate the worst effects of war have a long history with old agreements still in force: the Hague Conventions (late 1800s/early 1900s) and the Geneva Conventions (1949, with later protocols). The Rome Statute of the International Criminal Court (ICC) (1998, in force 2002) makes it possible to prosecute individuals for war crimes – something that also happened with the special tribunals for e.g. the former Yugoslavia or Rwanda, set up in the 1990s and seen as precursors to the ICC.
When war crimes were described in the conventions, physical, ‘real’ actions were intended. The wording used in Article 8 of the Rome Statute on war crimes may not immediately fit cybercrimes. The Article lists things like wilful killing, torture, extensive destruction of property and so on.
However, in the modern world, the way destruction and injury can be inflicted includes cyber elements. Law has to be interpreted according to the circumstances in which it is to be applied, looking at what it is that the rules intend to prohibit. Thinking like this, it is easier to see that cyberattacks could be covered.
A few words on the law about starting wars: this is against the UN Charter and customary law that bans the use of force. The crime of aggression is included in the Rome Statute. A war only in cyberspace, with use of force and aggression only there, is still seen as more of a utopia. Until now, cyberattacks complement kinetic or ‘real world’ attacks and aim at effects in the real world.
Has the ICC ever investigated cyberattacks? If not, why?
ICC has not yet looked specifically at cyberattacks.
Cyberspace may not be so new anymore, but still, the use of it for so many aspects of society is relatively recent. The kind of major effects on society that a cyberattack can have today were not known some decades ago. The nature of the ICC is such that only certain situations come to the court, which is a complement to national jurisdictions. Consequently there are relatively few cases and they deal with situations that may date back some years. ICC is paying attention to cyber-related issues, like how to use evidence from cyberspace, and it can be presumed that it will not be long until a case may also include cyberattacks as part of the situation that the court is investigating. Most likely this would be as a part of a broader conflict in which there are both kinetic and cyber activities.
Do cyberattacks fit into some of the laws governing war? If so, how?
International law applies in cyberspace. This has been concluded at the UN level and by states. The romantic notions when the cyberworld was very new, of a ‘brave new world’ where traditional law and jurisdictions had no place did no last when it became apparent how many areas of society that were affected by cyber technologies. Groups of experts working for UN have confirmed that also humanitarian law applies to cyberspace. The legal work for cyber consist more of seeing how existing law fits in a new environment and a lot of rules are found in different non-binding instruments like manuals or guidelines. Maybe the best known in the context of humanitarian law is the Tallinn Manual, which offers guidance on what principles mean in the new environment.
For something to be seen as a war crime in the meaning of the Rome Statute, there must be a war – an armed conflict – between the relevant parties.
This presents the first challenge: what is an armed conflict? This means that armed force has been employed between parties to a conflict and that such force can be attributed to at least one of them. Whether cyberattacks can amount to armed force is a question of interpretation. The best way to try to decide this is to look at the effects of the action: if it is possible through cyber activities to cause damage that resembles what traditionally was caused by weapons, it is possible to see this as an armed attack. If application of humanitarian law would be dependent on traditional (physical) weapons being used, we could soon have a situation where no aggressive action would be covered as warring parties would replace traditional weapons with cyber ones – why launch missiles if you can hack into air traffic control and make planes collide instead, to take a dramatic example. The International Court of Justice has stipulated (in the context of nuclear weapons) that law applies also to new technologies including new weapons. The protocols to the Geneva Conventions use the expression ‘acts of violence’ to show that the interpretation needs to be wider than classical armed attacks. The type of act and its effect matter more than exactly how or with what something was done. Unconventional weapons and a variety of groups engaging in aggression is not a new phenomenon.
Can we keep cybercrimes apart from other crimes, in the context of war crimes?
Legal work regarding cyberspace is to a large extent focused on analysing and proposing how existing law should apply to the new area, instead of drafting new laws. This is true for international as well as national law and it is reasonable as the cyber aspect is a tool – a way to do things and not an end result. The more integrated cyber aspects become in our daily lives, the more difficult would it be to keep everything cyber separate. This is true for criminal law, where many existing crimes have moved to the cyberspace but the elements of the crime remain the same (like fraud) and the development goes in that direction also for international crimes.
Are cyberattacks per definition (or perhaps otherwise almost always) indiscriminate or can we still keep in mind things like distinction, legitimate targets etcetera?
These notions are among the most important parts of the laws of war: how to decide whether something is a legitimate target. It is necessary to weigh military gain from destroying something against difficulties caused to the civilian population. It is not only in cyberspace and not only recently that many things are of dual use: military and civilian. This does not automatically mean that such things cannot be legitimate targets if the mentioned balancing leads to the conclusion that the military gain was significant enough. The Rome Statute (Article 8) mentions that ‘intentionally directing attacks against civilian objects, that is, objects which are not military objectives’ is a war crime.
What has changed with cyberspace is just how intertwined the different uses normally are. It is not that military and civilians may use the same thing in different ways for their respective purposes, even the ways they use it may be exactly the same – only the purpose is different. The principle of distinction – making a difference between military or civilian – may in practice be impossible and if that is the case, deciding what is a legitimate target is also (almost) impossible.
I stress the word ‘almost’ as what we still can do is to look at proportionality, effects, who is most affected by something, is this effect long-lasting or transitory and so on. It is possible to target a cyberattack very precisely in some contexts, so things are not necessarily indiscriminate. If a distinction is made may be a choice of the attacker – but the likelihood of indiscriminate attacks is nevertheless big.
Is it possible for cybercrimes to have sufficiently serious effects to constitute war crimes? In what circumstances?
Because cyber attacks do not create damage in the same direct manner as kinetic weapons do, it may be challenging to decide how serious the effects are and exactly what it is that causes a certain effect. However, by focusing on the consequences of an action rather than just on the action itself, it is easier to evaluate the effect.
The ICC mandate only covers actions of sufficient gravity –cyber or other. The gravity is decided based on scale, nature, manner of commission and impact, as stated in the Regulations of the ICC Office of the Prosecutor. When using these criteria, it is possible to reach the conclusion that even if the attack took place in cyberspace, it had such an impact that it was equivalent to a grave physical attack. Destruction of infrastructure via cyberattacks can have the same effect as destruction of physical installations and causing accidents e.g. on transport networks can directly lead to death or injury.
What does it take to investigate cyber war crimes?
For attacks in cyberspace, evidence will also be at least partially in cyberspace. This is a challenge also for the investigation of regular crimes and clearly the judiciary at all levels needs to knowledge of cyber forensics. Those who investigate cybercrimes must have some technical knowledge or access to experts who have such knowledge. We see in so many context how the cyber reality pushes for more interdisciplinarity and not just in academic studies! At the same time, effects of cybercrimes are felt ‘in the real world’, even more for war crimes than perhaps some regular crimes. Actions in cyberspace that have such effects that they amount to war crimes will affect society and these affects can be investigated in much the same way as other forms of attacks. However, the point made already about the challenge of attribution plays in here: even if it is possible to prove what happened, where the attack came from and what effects it had, to prove who was really behind it is very hard.
Do you know of any current or recent cases that merit being investigated?
It is sometimes mentioned in the debate that it has been surprising that the Russian aggression against Ukraine has not included more of a cyber element. Before the war broke out, many commentators assumed that new big wars would largely be cyberwars. This discussion ignores the fact that there have been numerous and serious cyberattacks from Russia against Ukraine as well as a number of such attacks against other states – Estonia was the victim of a massive cyberattack in 2022, the Czech and probably the UK post office have been targeted, etc.
What has happened is that cybersecurity has improved and mitigated the effects. For Estonia, it was noteworthy that the attack in 2022 was not noticed by ordinary people and we only know of it as it was reported by authorities afterwards –in marked contrast to the attacks of 2007 that were felt in many ways. Thus, the Russian war against Ukraine will sadly present a number of cases of war crimes that will merit investigation, possibly by the ICC.
Would it be complicated to prosecute a cyberattack as a war crime? If so, why?
I have referred to complications of attribution and a key question will be if it is possible to show that those who carry out certain actions do it on behalf to parties involved in the conflict. It is always difficult to determine with legal certainty whether non-state actors act on behalf of a government and we have many powerful groups that are capable of committing atrocities on a grand scale that are not representatives of any state. It may be difficult to even conclude that there is an armed conflict and exactly between which parties. Even if that can be shown and even if the persons carrying out cyberattacks can be identified, it is very difficult to determine with certainty that they were acting on behalf of a government. For a person to be tried for war crimes, the action must be an element of a war and not just a private activity of an individual.
The question of non-state actors in conflicts predates cyberattacks and to be able to include terrorist groups, groups seeking autonomy from existing states and similar in humanitarian law, there are criteria about degree of organisation like command, control, discipline and hierarchy. In this context we see how the nature of cyberspace is relevant. Individuals or groups can perform important actions, including against states, without the traditional kind of hierarchy and command structures. A state may engage persons to act for it but do it in such a manner that there is basically no evidence of this link. Proving who is really behind an attack is likely to be very difficult. Almost paradoxically, in the high-tech world, old fashioned human intelligence may be the best way to determine such links. But complication of investigating cyber war crimes cannot be a reason not to do it! It is unfortunately something we shall see more and more of.