A New Era in Cyberwarfare is About to Unfold

The on-going Russian invasion of Ukraine, which started on the 24th of February 2022, was preceded by a slew of pre-emptive cyber strikes in the form of targeted Distributed Denial-of-Service (DDoS) and wiper-like cyber-attacks on Ukrainian websites and institutions; since then, there have been similar retaliatory attacks against Russian websites and organizations. While cyber attribution is difficult at best, it is clear that government organizations (notably military and defense) and affiliated state-sponsored groups from both countries, as well as hacktivists (hacker activists) and organized cybercrime with pro-Russian and pro-Ukrainian support, are involved. The cyber landscape is set to become a very real and significant extension of the current invasion.

Most governments have developed cyberwarfare capabilities to some extent, but certainly those with the most advanced capabilities include the US, Russia, China, Israel, and most western European countries, as well as the broader Five Eyes coalition. Today, faced with the current conflict, many of them are primed for a cyber offensive against Russia. This is in large part an alternate effort to an actual military incursion on land which is not currently being considered. The real issue at stake now is to what extent cyber military operations align with international laws of war and how those nation states that are not directly involved can react. Actions undertaken during this conflict will set the stage for customary practice in terms of cyberwarfare between nation states, both for those actively engaged (Russia and Ukraine) and for those on the sidelines (NATO and others).

The Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations is probably the most instructive playbook on the topic but it is non-binding and, further, as a NATO-endorsed tool, it has not found acceptance by non-NATO members. To date, no legal framework has been internationally agreed, and so the likes of an applicable Geneva Convention do not yet exist for cyber operations. This current conflict may yet force the issue, however. Unfortunately, it is unlikely to happen before the conflict is over and the damage is done.

Regardless, national security agendas have driven internal development of offensive and defensive cybersecurity playbooks for some years now. Where they are not directly associated to military associations, they sit in a legal grey area. Currently, the issues of attribution and retaliation as they relate to cyber warfare are clearer for Russia and Ukraine because they are already engaged in armed conflict. The extent to which other countries can engage in such operations is uncertain. What is clear is that if cyber operations are deemed to constitute use of force, then they equate, at least according to international law, to an armed attack if they are intended to directly cause significant destruction, injury, or the death of human beings. This can trigger a victim’s state’s right to self-defense (subject to a requirement of immediacy) and can further allow them to use anticipatory self-defense if an armed cyber-attack is imminent. As such, if the US were to engage in such cyber operations against Russia, it might effectively equate use of force and trigger Russia’s right to self-defense, bringing both countries into armed conflict. The obvious difficulties lie in how to attribute stealth cyberattacks, especially by a nation state not directly involved in the armed conflict. Since there is little precedent, ultimately a nation state can dictate its own terms. Hacktivist and nationalist groups can further compound the issue, making attribution even more difficult.

The current armed conflict poses a lot of new issues that will need to be resolved from a cyber perspective. What is the threshold at which cyber operations should amount to wrongful threat or use of force? How does self-defense apply when cyber-attacks stem from non-military threat actors such as hacktivists? How can cyber weapons for use in armed conflicts be defined as such when many of these can be commercial off-the-shelf software?

Applying existing rules and procedures of international law to cyber warfare is limited although possible to a certain extent. Yet, an armed conflict is not the ideal time to be resolving these issues. Instead, the cyber warfare practices employed by Russia and Ukraine, and any of their respective allies, will eventually develop into customary law, to be later codified in treaties. As such, for those nations not directly involved in the armed conflict, it will be critical to tread very carefully on whether and how to engage in cyber operations in this conflict. Such behavior could have significant and serious repercussions on how international cyberwarfare is defined going forward.