Cyberspace Has Rules: It’s Time to Enforce Them

Cyberattacks have targeted facilities in the United States, the United Kingdom, South Korea and Canada, countries that have the means to respond. What happens if such operations occur in countries that lack the capacity to defend against them?

October 20, 2021
The SolarWinds headquarters in Austin, Texas, December 18, 2020. (Sergio Flores/Reuters)

In December 2015, unknown persons conducted a cyberattack against three energy distribution facilities in Ukraine, temporarily disrupting electricity supply to consumers. The hack was quickly attributed to Russian actors, in part because it occurred in the aftermath of the 2014 Ukrainian revolution and continued territorial conflict over the Russian invasion and annexation of Crimea.

While Russian influence and espionage operations in Eastern Europe were not new, a cyber operation against Ukraine amid geopolitical disputes was. In retrospect, the Ukraine power grid attack can also be seen as an ominous early instance of what we are seeing far more of today: cyberattacks by both state and non-state actors against critical infrastructure, which can affect civilians.

As the world becomes increasingly interconnected and reliant on information and communication technology, cyberspace has become a new area of competition and potential conflict, including between states. Within the next decade, half the world’s population will be connected to the internet. If the digitization of our societies has been accelerated by the COVID-19 pandemic, so have the risks of increasingly sophisticated cyberattacks.

Since 2020, there has been an uptick in cyber operations against critical infrastructure such as power plants, water systems, hospitals and supply chains. These operations include attacks targeting SolarWinds, Microsoft Exchange, and Johannesburg’s electricity supply; a thwarted cyberattack against Israel’s water systems; Chinese state-linked infiltration of an Afghan telecom provider; and, of course, influence operations in elections and vaccine campaigns. Examples of ransomware, cyber theft, political and economic cyber espionage, sabotage of power grids, cyber surveillance of human rights activists, and information manipulation abound.

We are seeing two contradictory movements. On the one hand, consensus has been building for years on the application of international laws and norms in cyberspace, including international humanitarian law during war. On the other hand, state-led attacks increased in 2020 and are likely to follow this trajectory in the current era of growing geopolitical tension. Worse, as digital developments accelerate and technology becomes more affordable, the risk that non-state groups, including terrorists and rebel organizations, will gain access to cyberweapons, and use them to target civilians, is real.

The Digital World Is Not a Lawless Wild West

Cyberspace is not the lawless “Wild West” that UN Secretary-General António Guterres has depicted it to be. Neither was US Admiral Mike Gilday correct when he claimed that “we’re not fighting a war where international norms exist.” Digital peace has actually been the focus of discussions at the United Nations since 1998, with multilateral efforts focusing on the applicability of existing international law in cyberspace and the potential need for new regulations.

And while agreement has been slow to build, there is now a near-consensus among states that international norms, including the UN Charter and international humanitarian law, apply to cyberspace. Two UN-sponsored initiatives have played a crucial role in achieving this consensus: the UN Group of Governmental Experts on Advancing responsible State behavior in cyberspace in the context of international security (GGE) and the Open-ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security (OEWG).

The GGE recognized the applicability of international law to cyberspace, and identified 11 non-binding norms of state behaviour during peacetime, as well as voluntary norms of responsible state behaviour. The year 2021 was a landmark, as the OEWG’s final report in March was unanimously adopted by 68 participating states, thereby supporting previous GGE reports.

While the norms’ adoption is not legally binding, it marked “the first time that a process open to all countries has led to agreement on international cybersecurity,” according to Josh Gold, writing for the Council on Foreign Relations.

Various multi-stakeholder commissions and coalitions have contributed to a clarification of the application and implementation of norms of behaviour in cyberspace. The 2018 Paris Call for Trust and Security in Cyberspace, a coalition of civil society and private sector representatives, agreed upon a set of guidelines to maintain peace and security in digital fora.

In 2020, a group of international lawyers created the Oxford Process to address how international law can be applied to the cyber domain in specific contexts, including vaccine research, information operations, health-care facilities and foreign election interference. The International Committee of the Red Cross (ICRC), through its Global Advisory Board on digital threats during conflict, can be applauded for pushing for the acknowledgement that international humanitarian law applies to cyber operations in times of war.

As the ICRC notes, “There is no question that [international humanitarian law] applies to, and therefore limits, cyber operations during armed conflict — just as it regulates the use of any other weapon, means and methods of warfare in an armed conflict, whether new or old.”

What will be the human consequences of cyber operations during armed conflict when civilians already lack protection and access to basic necessities?

A Crisis in the Making

However, these positive developments have occurred, as mentioned earlier, amid growing state- and non-state–led cyber operations. Norms are just words on paper if not applied. Clearly, not all wish to respect agreed-upon rules or to relinquish their cyber capabilities.

While espionage is the most common use for cyberattacks, geopolitical tensions, combined with rapidly evolving cyber tech, greater access, and global interconnectedness suggest that attacks with other objectives, such as sabotage and ransomware, may soon proliferate, with attendant rights violations.

The upshot is that policy makers must focus more on the human dimensions of cybersecurity. “Cyberspace” is tricky to define. Indeed, the “cyber world” is a combination of hardware, data, logistical and personal layers that exist across various domains and involve a multiplicity of actors. But to understand the human and economic impact of cyberattacks in the context of international law, it’s important to acknowledge the absence of a firm border between the virtual world and the physical one. In contexts of armed conflict, in particular, the ICRC states that international humanitarian law applies “whether cyberspace is considered as a new domain of warfare similar to air, land, sea and outer space; a different type of domain because it is man-made while the former are natural; or not a domain as such.”

To understand the potential real-life impact of malicious cyber activities, consider ransomware attacks on or sabotage of physical infrastructure such as health-care facilities, supply chains, power grids and water systems. According to recent research from Foreign Policy analyzing state-sponsored cyber incidents, 40 percent involved attacks on assets that have both physical and digital components. Imagine the economic and human consequences if a hospital is suddenly unable to provide care to its patients or if the entire population of a city is without heat and water for days because an attack paralyzes its systems.

At the moment, state-led cyberattacks, primarily led by China, Russia and Iran, have mainly targeted facilities in the United States, the United Kingdom, South Korea and Canada, countries that have the means to thwart or at least rapidly respond to attacks. But what happens if these operations occur in countries with weak infrastructure or that lack adequate capacity to detect and defend against malicious cyber activities? What will be the human consequences of cyber operations during armed conflict when civilians already lack protection and access to basic necessities?

We have already seen several examples of hybrid warfare. Amid the intensification of conflict between Israel and Palestine, the Israeli military bombed two Hamas cyber operation centres in the Gaza Strip in response to an attempted cyberattack. Russia coordinated targeted attacks against Georgia during the 2008 Russo-Georgian War and in Ukraine following the 2014 conflict over Crimea. Whether they affect communication networks, food and aid supplies for humanitarian agencies, or critical infrastructure such as electrical grids, cyber operations during armed conflicts can be a matter of life and death for civilians. Furthermore, the interconnectedness of cyberspace means that even if attacks aim to only target infrastructure vital to the military, there is risk that they will affect civilians as well. The delineation between military and civilian infrastructure is not so clear.

As state and non-state actors build up their digital arsenals, cyberattacks during wars are likely to increase, especially since operations are less costly and receive malicious benefit from the fact that digital attacks are difficult to attribute.

Let’s take an example from early 2021, when computer hackers tried to poison the water supply in Oldsmar, Florida, by increasing the amount of lye in the city’s water treatment system. While the United States has the capacity to check such attempts, many countries do not have the same capacity, especially in conflict situations. For centuries, enemies in war have deliberately polluted the water in order to harm civilians.

A similar problem can be observed regarding attacks on health-care facilities. One month into the pandemic, the World Health Organization was reporting a five-fold increase in cyberattacks. Indeed, armed attacks on health facilities and organizations in conflict have increased dramatically since 2016. If belligerents fail to respect international humanitarian law in the kinetic world, they are unlikely to do it in the virtual one, especially since attribution is much more complicated. To this point, cyber operations have not caused major human harm but, as the ICRC notes, industrial cyberattacks are “a crisis in the making.”

Bringing Norms to Life

The current increase in the malicious use of information and communication technologies is a worrying trend. Where does this leave us?

It brings us back to the idea of two contradictory movements in play. First, although consensus has been building about the applicability to cyberspace, in general, of international laws and norms — including international humanitarian law — there remains a lack of consensus and a certain amount of “cherry-picking” of the specifics. Debates continue over what constitutes an attack in the cyber world and when states can resort to self-defence, or about whether sovereignty should be accepted or rejected as a rule of international law.

Questions also remain about whether civilian data such as medical information, election lists and social security data should be considered as “civilian objects” that must be protected under international humanitarian law, since they are key to the functioning of modern societies. This lack of clarity could provide an opening for cyberattackers.

Second, despite a general consensus on the application of international law in cyberspace, the reality is that attacks continue. The normative framework is a start, not an end, and norms are broken all the time, both in peace- and wartime. What we are missing now is accountability.

Not only must there be capacity-building measures to improve the security of our systems, but states must also draw a clear red line when the rules are transgressed. How do we hold state and non-state actors accountable, especially when attacks deliberately target civilians? How do we put a human face on cyber operations to at least push for moral acceptance of the law? These questions require an answer.

Recently, the CyberPeace Institute launched a new initiative that tracks societal impacts of attacks on health facilities in order to influence policy and practice.

The GGE and the OEWG, as well as some multilateral initiatives, are aware of current gaps and need for more multilateral efforts. Indeed, the OEWG’s 2021 report reiterates that states, in cooperation with the private sector and civil society, have agreed to continue efforts to develop international law further in order to bring more clarity.

Once norms have been delineated and more measures agreed to, the most important step will be to hold to account those who act irresponsibly and endanger the lives of civilians. There is no time to waste: policy makers must not wait for the catalyst of a cyberattack with disastrous human consequences before they act. The rules have already been set: they should be enforced.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Marie Lamensch is the project coordinator at the Montreal Institute for Genocide and Human Rights Studies at Concordia University.