This article has been written by Dr Tamanna Khosla, a first year student of Lloyd college.

“Cyber warfare is as much about psychological strategy as technical prowess.”
― James Scott, Senior Fellow, Institute for Critical Infrastructure Technology                       

“We worried for decades about WMDs – Weapons of Mass Destruction. Now it is time to worry about a new kind of WMDs – Weapons of Mass Disruption.”
― John Mariotti

Introduction: What Is Cyber Warfare?

Cyber warfare is expounded as a cyber attack or series of attacks that target a country. It has the potential to devastate on government and civilian infrastructure and derange critical systems, resulting in harm to the state and even catastrophy of life.

Cyber warfare typically involves a nation-state carrying out cyber attacks on another, but in some cases, these attacks are also perpetrated by terrorist organizations or non-state actors.

The legal status of this new field is still unclear as there is no international law governing the use of cyber weapons. However, this does not mean that cyber warfare is not addressed by the law.

The Cooperative Cyber Defense Center of Excellence (CCDCoE) has published the Tallinn Manual, a  textbook that addresses rare but serious cyber threats. This manual explains when cyber attacks violate international law and how countries may respond to such violations.

The Tallinn Manual, published in March 2013, is the first comprehensive and authoritative attempt to analyze the application of international law to cyber warfare. Many countries including the United States, United Kingdom, Russia, China, Israel, Iran, and North Korea have active cyber capabilities for offensive and defensive operations. As states explore the use of cyber operations and combine capabilities, the likelihood of physical confrontation and violence playing out as a result of, or part of, a cyber operation is increased.

Principles of cyber law applied in international realm

a-Sovereignty in its traditional sense grants a state the ability to exert its authority over its national territory, which encompasses the different domains within that territory. This definition of sovereignty, though, does not provide guidance in cyberspace. Despite states’ apprehensions regarding the independent nature of cyberspace and the difficulty of applying law to such activities, states can and do exert control over the physical infrastructures of cyberspace located within their territory.The International Group of Experts sought to dispel the apprehensions   and provide support to states by noting in both Tallinn Manuals that “[t]heprinciple of State sovereignty applies in cyberspace,”.

Due Diligence

Due diligence is not a substantive provision of international law, but rather the standard that states must apply in preventing their territory from being used to cause transboundary harm. As communicated in Rule 6 of the Tallinn Manual, “a State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations by other states.

Jurisdiction

Jurisdiction is defined as “the competence of States to regulate persons, objects, and conduct under their national law, within the limits imposed by international law.” The first rule on jurisdiction states, “[s]ubject to limitations set forth in international law, a State may exercise territorial and extraterritorial jurisdiction over cyber activities. This means that “in principle, cyber activities and the individuals who engage in them are subject to the same jurisdictional prerogatives and limitations as any other form of activity.” The Manual inscribes the three traditional types of jurisdiction— prescriptive, enforcement, and adjudicative. With respect to prescriptive jurisdiction, the Manual explains that states are basically unfettered with respect to prescriptive jurisdiction within their sovereign territory and can exercise prescriptive jurisdiction extraterritorially (meaning based on either location of the cyber activity or its effects) if based on one of the traditional bases for extraterritorial jurisdiction.

Rule 10 concedes that states can also declare extraterritorial jurisdiction through nationality, the protective principle, passive personality, and universality with respect to cyber activities outside their territory. one of the interesting questions with regards to nationality jurisdiction that remains uncertain concerns the cyber pursuits of a state’s nationals and whether a state can exercise its right over the citizens abroad  As with regards to prescriptive jurisdiction, states can exercise enforcement jurisdiction in their territory but have a more limited ability to exercise extraterritorial enforcement jurisdiction. The Tallinn Manual perspective is that international law, including specific treaties such as the law of the sea, outer space, and treaties concerning aviation activities, might support the exercise of enforcement jurisdiction abroad.

International Law of State Responsibility and Attribution

As stated in rule fourteen, “[a] State bears international responsibility for a cyber-related act that is attributable to the State and that constitutes a breach of an international legal obligation.”However, this rule is easier stated than applied, as the concept of attribution is not free from problems. The two interrogations important for attributing cyber operation to a state involve finding the source of the attack and the identity of the perpetrator. Tracing an attack to its source involves many technicalities due to the edifice of the cyberspace, and the “emergence of botnets and makes it even more difficult to trace the origin of the attacks”The  2009 cyberattacks on South Korea and the United States illustrate the difficulty in finding the origin of attacks: The commencing attack was suspected to originate from North Korea, but subsequent reports revealed that the attacks could be traced to the United Kingdom, Miami (Florida),and South Korea. Furthermore the Talinn report states, “ even if an attack packet can be attributed to the Internet Protocol (IP) address of a host computer, it is difficult to link the IP address to the actual perpetrator’’. “ Such “[a] perpetrator can decouple his physical identity from an IP address by using cyber cafes,public Internet facilities (e.g., libraries) and prepaid Internet address cardsthat can be purchased from service providers without any personal

cyber identification.” Another important point to note is that the advanced technologies available to belligerents allows them to disguise the location of their attacks, making it seem that the attacks were coming from the cyber infrastructure of another state than the one in which they

operate. Therefore, “[t]he mere fact that a cyber operation has been launched or otherwise originates from governmental cyber infrastructure, or that malware used against hacked cyber infrastructure is designed to report back’ to another State’s governmental cyber infrastructure, isusually insufficient evidence for attributing the operation to that State.”

Another debatable legal issue is the attribution of the acts of a private actor to a state. States have frequently used proxies to conduct cyber operation against the other states.86 However, the challenge is how to hold states legally responsible for cyber operations conducted by non-state.

Another contentious “legal issue is the attribution of the acts of a private actor to a state”. “States have frequently used proxies to conduct cyber operation against the other states”.However, the states legally responsible for cyber operations conducted by non-state actors. The International Court of Justice articulatedthe effective control test for the first time in the case of Nicaragua v.United States of America, in which the proof showed that the United States had financed and organized the Nicaraguan contras. However, the International Court of Justice ruled that the evidence was insufficient to show exercise of effective control by the United States over the contras, so the contra

war crimes that followed could not be attributed to the United States. Ifsuch a instance is extended in the cyber realm, then a state could provide militants with cyber tools, identify targets to be attacked, and select the date for the cyber operation to take place, and it would still not implicate

state responsibility.

.

Cyber Weapons and Opinio Juris

Traditional international law focused on kinetic weapons, but in the current cyber century, the prevailing international legal frameworks need to evolve to regulate the use of sophisticated cyber weapons that can lead to significant threats to states. Thus, laws need to be keep pace with

developments in cyber technologies. Yet another issue is the surreptitiousness surrounding actions of states in cyberspace. States rarely reveal the development of offensive or defensive capabilities that they undertake for cyber warfare nor do they disclose publicly their legal position or opinion juris in relation to cyber warfare.

International Human Rights Law

International human rights law is applicable to cyber-related activities. In defining the applicability, the Experts agreed, “as a general principle, customary international human rights law applies in the cyber context beyond a State’s territory in situations in which that State exercises ‘power or effective control’, as it does offline.”

Law of the Sea

Rule 45 states the general principle of applicability and confirms that “[c]yber operations on the high seas may be conducted only for peaceful purposes, except as otherwise provided for under interna tional law.” Based on, for example, the first two freedoms, both aircraft and vessels are entitled to conduct cyber operations over and in the high seas so long as they do not violate applicable international law.” With respect to military cyber opera tions, the Experts “saw no reason to deviate from the general principle that military activities not involving a prohibited use of force are within the scope of high seas freedoms and other internationally lawful uses of the sea, as set forth in Article 87(1) of the Law of the Sea Convention

I    Air Law

As against national airspace, cyber operations in international airspace are generally allowed. Rule 56 says “[s]ubject to restrictions thereon contained in international law, a State may conduct cyber operations in international airspace.” “States may not claim sover eignty over international airspace”. “Moreover, when conducting cyber operations in international air space, states are only limited by interna tional law proscriptions such as the prohibition on intervention and the use of force, or accepted navigation regimes such as flying over international straits”.

Space Law

Rule 58 propounds the difference in legal proscriptions on the use of cyber on the moon and other celestial bodies and in space more generally. The rule states “(a) [c]yber operations on the moon and other celestial bodies may be conducted only for peaceful purposes. (b) Cyber operations in outer space are subject to international law limitations on the use of force.” The specialists and scientists  concluded as a result of this rule that offensive cyber capabilities could not be placed on the moon, whereas no similar prohibition exists for outer space more generally.

CONCLUSION

The five legal challenges pointed out in this article provide insight into the primary issues that require the attention of the international community when discussing cyber warfare. The first issue is the absence of implementing laws dealing with cyber warfare. The second issue and challenge highlighted the inoperativeness of the existing complexity in applying the general principles of sovereignty and jurisdiction to cyber warfare. The last two impediments discussed in this article dealt with international law of state responsibility, attribution, and the secrecy of states with regard to their actions in cyberspace.

The world needs to acknowledge the fact that every event occurring in the pervasive domain of cyberspace has the ability to affect humanity as a whole. Cyber warfare, like any other type of war, has the capacity to bring humanity to aBI standstill. To meet these challenges, a legal regime is required that is broad enough to accommodate the developments in cyber operations. All inconclusive works like the Tallinn Manual are a suitable starting point for the creation of and explicit  treaty on cyber warfare, the implementation of which would prevent, deter, and mitigate future cyber operations. Therefore,peace in cyberspace is not a distant dream, but one that can be transformed into reality.

Reference

• The Tallinn Manuel
• https://www.icj-cij.org/case/70/judgments
• Michael N. Schmitt, “Below the Threshold” Cyber Operations: The Countermeasures Response Option and International Law,54VA.J.INT’L L. 697, 718–719 (2014)
• TALLINN MANUAL 2.0 ON THE INTERNATIONAL LAW APPLICABLE TO CYBER OPERATIONS (Michael N. Schmitt ed., 2d ed. 2017) [hereinafter TALLINN MANUAL 2.0].
• TALLINN MANUAL 2.0, id, at 2–3.
• TALLINN MANUAL 2.0, id
• https://www.icj-cij.org/case/70/judgments
•  See generally Michael N. Schmitt, “Below the Threshold” Cyber Operations: The Countermeasures Response Option and International Law,54VA.J.INT’L L. 697, 718–719 (2014)