CYBER ATTACKS: THE FIFTH DOMAIN OF WARFARE

This article is authored by Amisha Singla, second year student pursuing B.A.LLB. from Rajiv Gandhi National University of Law, Patiala, Punjab





In 2021, there were several sophisticated and serious cyber-attacks, the most of which were blamed on nation-state espionage groups looking to steal important data. This March, several zero- day vulnerabilities were detected in the Exchange mail server service of Microsoft. A conservative estimate states that the attack began in early January and more than 60,000 private companies and nine government agencies in US alone have fallen victim to it since then. A Chinese cyber espionage team has been blamed for the attack, which took advantage of flaws in Microsoft's email system to acquire data from the victims organization. In late May, even Belgium’s interior ministry announced that an intruder had accessed their entire computer system. Over the past many years, many countries have been the victim of such attacks. Cyber-attacks have increased in complexity and resiliency as a result of advances in information technology.


Use of Force under Cyber Attack


How cyberspace can be used to transfer threat of force? Stuxnet, considered world’s first cyberweapon and malware with the ability to infect Industrial Control Systems (ICS), was reportedly used by United States and Israel to target centrifuges at Iran’s uranium enrichment facilities outside Natanz. Launched in late June, 2009 via infected USB drives, Stuxnet resulted in loss of approximately 1000 centrifuges within five months. Regardless of how the malware is qualified, it is important to analyze the relation of such acts with the International Law Rules. Following the incident, it was discovered that the virus had propagated unintentionally and had infected more machines than had been anticipated. Considering the recent upsurge in cyber-attacks, it becomes a noteworthy point here that if malwares can be capable of causing physical destructions and functionality losses, can their presence be seen as a threat? Can a cyber operation, which does not itself use force, be considered a threat?


Do states have the authority to employ military action in the event of a cyber-attack? The United Nations Charter, Article 2(4), restricts member nations from threatening or using force against one another. However, it is widely assumed that it only restricts the use of armed force and not economic or political compulsion. In addition, the force must be unlawful (The International Court of Justice determined this in its Nuclear Weapons Advisory Opinion), and the threat may be implicit or explicit. In Nicaragua v. United States, the International Court of Justice (ICJ) found that the customary international law principle of non-intervention is coterminous with article 2(4) of the United Nations Charter, if involvement takes the form of "threat" or "use" of armed force. The scope of article 2(4) needs to be reinterpreted, with stronger states demanding expansive reading of the article because of the reason that cyber-attacks may act as a weapon of the weak, as cyber-attack could be much inexpensive and easy to launch than a conventional attack along with the added advantage of heavy reliance on computer networks by developed countries.


There are two exceptions to article 2(4)'s restriction on non-consensual "use" of force. Article 39 of the UN Charter empowers the Security Council to conduct collective security actions to reinstate international peace and security in the event of a "breach of peace" or "act of aggression." Article 51, which guarantees the right to justifiable self-defense against an armed attack, is another exception. A critical component is that the cyber-attack must be equal to an armed attack for a state to respond lawfully.


Cyber Attack as ‘Armed Attack’


The question of when a cyber-strike becomes an armed attack has been a source of debate among academicians. Certain violations of article 2(4) have not been considered ‘Armed Attacks’, and even the International Court of Justice has stated that modest invasions may be regarded as "frontier incidents," without triggering the right to self-defense. Only “most grave forms of use of force” shall be considered armed attacks.


Three points of view have developed from disputes about when a cyber-strike becomes an armed attack, allowing a state to use the principles of jus ad bellum for self-defense. The last technique, among the three techniques of the instrument-based, the target-based and the effects-based approach, is the most popular. This concept suggests that if a cyber-strike causes damage comparable to that of a kinetic attack, it is more likely to qualify the threshold.


One of the most prominent proponents of the effects-based theory is Professor Michael Schmitt (author of Tallin Manual), who proposed a legal framework (The Schmitt Analysis) in 1999 for determining when a state’s involvement in a cyber-attack be considered use of force. The model that he proposed consists of seven criteria representing major distinction between permissible (economic and political) and impermissible (armed) instruments of coercion. Though illuminating, the evaluation of these factors an imprecise and subjective. Such a wide-ranging enquiry is required for them, that they may not provide sufficient guidance to the analysts. Moreover, though these factors are treated as exhaustive, this was never intended by Schmitt.


Problems in Application of Jus Ad Bellum


When responding to a cyber-attack, a state must follow the standards of jus ad bellum. The concept of necessity dictates that force can only be used in self-de