Over the last few years Western experts began to pay a much closer attention to the problem of applicability of existing norms and principles of international law to the activities of the government in the information domain. Such a close scrutiny by the expert community followed the adoption of The Strategy for Cyberspace (2011) proposed by the USA which states that the existing norms and principles of international law are fully applicable to activities of governments in cyberspace.
In September 2012 Harold Honhgu Koh, Legal Advisor of the Department of State addressed the USCYBERCOM Inter–Agency Legal Conference with a report describing the American view on the application of the international law to cyberspace. The same ideas were apparently further promoted in the work of the international group of experts which resulted in The Tallinn Manual on the International Law Applicable to Cyber Warfare prepared and published by the NATO Cooperative Cyber Defense Centre of Excellence at its official webpage in early 2013.
It is worthwhile to point out that Russian experts in military use of information and communication technologies (ICTs) have been since the turn of the century studying the possibility of extrapolating the existing norms and principles of international law onto cyber warfare. As a result of this work the document titled The Russian Federation Armed Forces’ Information Space Activities Concept (2011) was handed over through diplomatic channels to the United States of America as part of the so-called exchange of White Books. The above document offers the Russian view on the problem of applicability of the existing norms of international law to military activities in the information space. The same year another document was developed with the title The Convention on International Information Security (Concept) which also describes the norms and principles of legal regulation of military activity of nations in cyberspace. The first international initiative in the area was the official document titled International Code of Conduct for Information Security, developed and submitted by the Shanghai Cooperation Organization to the UN General Assembly in 2011.
It shall be appropriate to take a moment to clarify the Russian view as exemplified by the major problems raised by Michael N. Schmitt a renowned expert in the field of international law and the head of the group of experts who developed The Tallin Manual in his article on the comparative analysis of the approaches to the problem of applicability of norms and principles of international law to cyberspace exercised by U.S. and NATO experts.
We would like to apologize in advance for any unintentional errors through translation and our interpretation of the source text. Let us now turn our attention to the list of major problems raised by Michael N. Schmitt in his article.
- Can cyber-attacks be classified as a use of force and shall they be prohibited through Article 2(4) of the UN Charter and generally accepted principles of international law?
When considering the problem of the use of force in cyberspace, the following should be noted: the UN General Assembly Resolution No. 3314 (XXIX) Definition of Aggression, of 14 December 1974 sets forth the general definition of aggression (Article 1), specifies the principal criterion qualifying an act of aggression (Article 2), lists all major acts of aggression (Article 3), indicates that the provided list is not exhaustive and subject to a decision of the Security Council other acts may be qualified as aggressive under the provisions of the United Nations Charter (Article 4). For instance, a cyber or electromagnetic attack on critical elements of the information infrastructure which are directly engaged in maintaining national and international security may be qualified as an act of aggression.
The United States have not subscribed to the above resolution; therefore its practical application is not yet possible. And at the same time, the U.S. National Military Strategy (2011) recognized the term “cyber-aggression”.
Presently the prohibitive principle of use of force or threat of force against territorial integrity or political independence of another state traditionally refers only to physical force. Taking into consideration the documents and legal practice of the UN, it is not yet possible to state explicitly whether a cyber-attack or cyber- operation shall be recognized as aggression, use of force or threat of force. This demonstrates the urgent need for a clear legal definition for the above concepts. We, therefore, we would like to recommend to include this problem into the UN Security Council agenda to adopt a legal definition for “aggression” that would be globally accepted and binding in its broadest sense, including, inter alia, the instances of cyber-aggression and its other subtypes.
- May a nation use its right for self-defense and collective defense referred to in Article 51 of the united nations charter in response to cyber- attacks which constitute an armed attack?
This question is rather analogous to the previous problem. The term «armed attack in the form of cyber-attack» requires a clear legal definition. Without solving this legal problem at the UN level one can envision no practical applications. Furthermore, technical means for urgent and reliable identification of sources of hostile cyber-attacks must be found.
As long as these problems remain unresolved, there is no clear understanding whether a nation has a right to military retaliation against states initiating cyber- attacks. When certain types of such attacks are qualified by the United Nations as armed attacks the victim thereof shall have a lawful right to self-defense. This, however, raises the issue of the nature of a symmetric or asymmetric retaliation (using conventional warfare). In this regard it is worthwhile to note that the adoption by NATO of an internal qualification shall have a legal effect only between the members to the Washington Treaty. Today, the only global legal solution to the problem is adoption of a corresponding international instrument by the UN.
Since a document like that yet remains to be passed a nation may appeal to the UN Security Council to qualify a cyber-attack in question as posing threat to peace or being an act of aggression to take necessary action reserved by the UN Charter.
- Should nations conducting military operations in cyberspace observe the sovereignty of other nations including in times of peace?
The Russian side gives an affirmative answer to this question without reservations. Although the information space itself is global in nature, the physical elements of the information infrastructure are located in national territories and therefore have a specific national identity. Having said that, we must recognize the fact that a nation may accommodate foreign or even international information systems. Determining a national identity of each such information system does not, however, pose an unsolvable problem and can be resolved through applicable legal proceedings.
Likewise, it is worthwhile to note that Article 32 of The Convention on Cybercrime adopted by the Council of Europe (2001)86 goes against the generally recognized principles of respect for national sovereignty and non-interference in the internal affairs of other nations by endorsing investigations affecting foreign computer networks without notifying the government of such nation.
There is yet another important aspect that the Russian side deems an interference in the internal affairs of other nations which relates to cross-border psychological information impacts which are, as a rule, conducted through the agency of electronic media. We are of an opinion that this issue can be resolved today based on the provisions of The Declaration of Principles of International Law and The Declaration on the Inadmissibility of Intervention in the Domestic Affairs of States and the Protection of Their Independence and Sovereignty which specifically states that “No State has the right to intervene, directly or indirectly, for any reason whatever, in the internal or external affairs of any State. Consequently, armed intervention and all other forms of interference or attempted threats against the personality of the State or against its political, economic and cultural elements, are condemned.»
Despite the fact that the above documents do not give a clear definition of the term «interference in the internal affairs of states», they nonetheless provide a list of actions which constitute such interference.
Later on the threat of intervention in the internal affairs of states was determined in more detail in The Declaration on the Inadmissibility of Intervention and Interference in the Internal Affairs of States88 adopted in 1981 at the 36th session of the UN General Assembly through the institutions of rights and obligations of states. The above international legal instrument defines the information component of a threat as follows:
- intervention in the information system and the media;
- any smear campaigns, abusive or hostile propaganda aiming to intervene or interfere in the internal affairs of other states;
- dissemination of false or distorted information which can be considered as interference in the internal affairs of other states or impediment to peace-keeping efforts, cooperation or friendly relations between states and peoples.
Considering the above legal definition it is possible to conclude that almost any information action involving a psychological impact conducted in peacetime against another state will have certain characteristics of interference in the internal affairs of such state. This applies, in particular, to the “democratization” projects that cannot justify any such action.
- Shall the humanitarian law be applicable to information attacks?
This general question gives rise to a number of more specific questions posed by Michael Schmitt in relation to the humanitarian law:
4.1. Should the principle of proportionality be observed when conducting a cyber-attack?
4.2. Should the attacking party distinguish between military and non-military targets and how dual-purpose infrastructure should be treated?
4.3. Should different types of cyber warfare be analyzed in terms of their compliance with the norms and principles of the humanitarian law?
4.4. Should nations be responsible for the actions in information space taken by persons authorized thereby?
The preamble to The Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons Which May Be Deemed to Be Excessively Injurious or to Have Indiscriminate Effects (1981) states that “the right of the parties to an armed conflict to choose methods or means of warfare shall not be unlimited”. This principle is revealed in detail in the “basic norms” describing the permissible means and methods of warfare set forth in Article 35 of the First Additional Protocol of 1977 to the Geneva Conventions of 12 August 1949 on the Protection of War Victims, which clearly states that weapons and methods of warfare that cause excessive damage and unnecessary suffering are prohibited.
It follows from the above that cyber-attacks can be classified based on the scale and severity of their impacts. For instance, disruption of a national financial system, anthropogenic accidents and panic caused by through cyber-attacks may cause massive casualties among the civilian population and therefore, under the international humanitarian law and the principle of proportionality must be prohibited.
Furthermore, active international conventions ban or restrict the use of weapons having indiscriminate effects as they pose an equal threat both to military and civilian objects.
Therefore, information weapons that have indiscriminate effects, i.e. target both military and civilian objects must not be used as they cause excessive damage and unnecessary suffering. While planning attacks on dual-purpose facilities the overall effect for the military campaign must be considered. When such effect is high enough, then such dual-purpose facility may be recognized as military-purpose and treated accordingly. However, the principle of proportionality must not be violated, i.e. no excessive damage to civilian infrastructure shall be allowed. Such approach will require development of appropriate methodology and its practical application in operational and combat training of troops.
In accordance with Article 36 of Additional Protocol I to the Geneva Conventions, the study, development, acquisition or making operational a new type of weapon, including information weapons and means or methods of its application, it must be considered whether the use of such weapon, in some or all circumstances, go against previously adopted prohibitions. Such analysis should be primarily focused on identifying capabilities to inflict excessive damage or produce indiscriminative effects. Any such types of information weapons must be banned. However, not only appropriate analytical methods yet remain to be developed, but there is yet no generally accepted classification for information weapons.
The issue of responsibility of the state for the activities of the state authorized persons in cyberspace touches upon a much deeper problem of the parties involved in an armed conflict with the use of information weapons. Currently the norms of the international law recognize that a war may be conducted only between the armed forces of the states in conflict (combatants)92. The armed forces (both regular and nonregular troops) includes the police force, security personnel, volunteers, militia, partisans and civilians who on their own accord choose to offer the invading enemy armed opposition who have not had time to form regular troops. All the above categories are considered to be legitimate combatants when they meet the following conditions set forth by adopted conventions:
— have a commander who bears responsibility for their actions;
— have a distinctive emblem clearly visible from a distance;
— openly carry arms;
— comply with the laws and traditions of waging a war.
It is obvious that some of the above items are not only inconsistent with the specifics of cross-border information attacks, but cannot have direct practical applications for investigating such attacks. In particular, the legal status of «combatant» as relates to people active in cyber-space requires a well-developed international legal methodology or otherwise the problem of bringing offending states and their officials to justice deems to have no solution.
Finally we shall try to answer the generalizing question put forth by Michael Schmitt: «may the current generally recognized principles of international law be applicable to military operations in cyberspace?»
A comprehensive answer to the above question is based on all the previous arguments and, consequently, may not be unequivocally positive. It is absolutely clear that only a certain part of the existing norms and principles of international law can be extended to military activities in the cyberspace. However, even where such extension is possible, it will require the development of procedural norms or a specialized international legal methodology, as well as a number of important conditions relating to organizational, legal, and technological issues.
This article is based on a presentation delivered at the 7th Scientific conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 22-25 April 2013 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with an explicit permission from the conference organizers.