Attacking civilian infrastructure is nothing new in wartime. Most recently, Ukraine has absorbed numerous Russian attacks on its infrastructure, including power grids, railway systems, and dams, in the form of both physical strikes and cyberattacks, with a range of effects on ordinary citizens. Over the course of the war, Russia has been accused of numerous war crimes. This raises the question: should its cyberwarfare efforts also be classified as such?
An Act of War Versus A War Crime
When deciding whether a cyberattack should be considered a war crime, we must define what constitutes an act of war and what elevates an action to a war crime.
International humanitarian law (IHL) does not define an “act of war” as such; its relevant threshold is the “attack,” which the Tallinn Manual on cyber operations interprets as an operation reasonably expected to cause injury or death to persons or damage or destruction to property. Meanwhile, the Correlates of War Project (COW), which collects empirical data on large state conflicts to systematically build scientific knowledge of war, describes war as “sustained combat, involving organized armed forces, resulting in a minimum of 1,000 battle-related fatalities.” By either measure, cyberattacks alone are unlikely to rise to the level of an act of war. However, when used in conjunction with other forms of attack, such as missile strikes or the incursion of armed soldiers, cyberattacks may be viewed as an ancillary component of the offensive.
While lawful acts of war can cause significant collateral damage, war crimes are serious violations of the laws of armed conflict: actions that exceed what military necessity and proportionality permit in terms of damage to infrastructure, loss of life, or other harm typical of armed conflict. The United Nations relies on the definition in Article 8 of the Rome Statute of the International Criminal Court, which enumerates war crimes in several categories. Two (among others) that could be applied to the fallout of cyberattacks are as follows:
- Extensive destruction and appropriation of property, not justified by military necessity and carried out unlawfully and wantonly (Article 8(2)(a)(iv));
- Among the “other serious violations of the laws and customs applicable in international armed conflict, within the established framework of international law”: intentionally directing attacks against the civilian population as such or against individual civilians not taking direct part in hostilities (Article 8(2)(b)(i)).
While cyberattacks may not cause the same immediate destruction that bombs or landmines do, the resulting fallout could cause human suffering and loss of life that meets the above definitions of a war crime. For example, knocking out power to a populated area during the hot summer months could cause deaths among at-risk populations such as the sick and elderly.
Given the number and frequency of cyberattacks, the context and impact of each event must be weighed to determine whether it should be treated as a war crime, an act of war, or an accepted level of risk. Today most nations tolerate a certain level of cyberattack: a cyberattack does not inherently constitute an act of war; rather, the target and the resulting fallout determine how it is classified.
However, recent changes in the modus operandi of Russian cyberattacks have moved the needle much closer to the war-crime threshold. Return to the power outage example: if the resulting civilian deaths occurred in an area of no strategic importance, would that constitute a war crime?
Russian Attacks on Civilian Infrastructure
One of the first displays of Russia’s destructive capability came on December 23, 2015. With Christmas approaching, three regional Ukrainian electricity distribution companies lost control of their grids. Two pieces of malware had been spread through their networks: BlackEnergy, first identified in the Russian cyber underground in 2007, and KillDisk. KillDisk proved highly efficient at wiping workstations and servers in its path, destroying their data; the breakers themselves were opened by the attackers remotely through the operators’ own SCADA control systems. Taking it a step further, the actors scheduled disconnects of the Uninterruptible Power Supplies (UPS) serving the control centers’ servers, so the affected hosts lost power as well.
Roughly 225,000 customers were left without power for up to six hours in the winter cold, and the distribution companies had to operate their substations manually for months afterward. Had this event resulted in Ukrainian deaths, it could be considered a war crime under the definitions above, because the attacks were not directed at a target of strategic military importance and the affected citizens were not taking part in hostilities against Russia.
The recent escalation of the conflict complicates matters further. Now that Ukraine is engaged in full-scale armed conflict with Russia, it is much harder to differentiate civilian from military targets and to determine what counts as “acceptable collateral damage” versus “unnecessary or wanton destruction.”
As the war rages on, Russian hackers have adopted a new TTP. While bombs fall on Ukrainian cities, their cyber forces ready themselves for the next round. Shortly after a bombardment subsides, DDoS (Distributed Denial of Service) attacks are launched against emergency services. By delaying response times for ambulances, police, and fire services, these attacks are used strategically to hamper the aid reaching the ordinary Ukrainians affected by the devastation.
Russia has made clear that it will pair kinetic warfare with cyber operations when strategically advantageous. The image below illustrates how the timeline of cyberattacks can correspond with that of physical attacks.
One example of this hybrid warfare occurred during the opening days of the Russian invasion. A drastic increase in cyberattacks on Ukrainian universities was reported from February 24th through February 28th, coinciding with the invasion. On the surface, there could be a case for a war crime if these universities held no strategic value and had no association with the Ukrainian military. However, this is yet another example of why classifying these actions is so difficult: the threat actors were determined to be based in Brazil.
With this information, it would be a complex task to prove that a) the attacks were more than a massive coincidence, and b) the threat actors were specifically instructed by the Russian government to target the universities.
It is important to note that Russia’s cyber capabilities are not limited to destructive tools; they also include psychological and political offensives. On numerous occasions Russia has employed mass troll farms to sow discord, attempt to sway elections, and disseminate fake news.
While not yet an official term, cyberwarfare, including psyops campaigns, falls under the umbrella of “5th generation warfare,” a concept still widely debated. How should cyberattacks with differing targets and outcomes be classified? Would any of these attacks be interpreted the same way as dropping a bomb on a civilian target? As these methods evolve, so should our definitions of war crimes and acts of war.
A New World
President Obama provided a high-profile warning of the growing threat in the cyber domain in his February 12, 2013 State of the Union Address. He stated that “America must also face the rapidly growing threat from cyber-attacks” and “our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
Today, that threat is as real as ever. In 2023 alone, numerous espionage, destructive, and propaganda-based tools have been revealed by CISA, cybersecurity companies, and news outlets, including Snake, Bad Magic, Amezit, and Volt Typhoon (the last attributed to China rather than Russia), to name a few.
On both sides of the fence, offensive groups have stepped out of the shadows to take up arms and launch campaigns. The GRU has taken center stage in the hybrid warfare waged against Ukraine since the invasion.
The United States has answered the attacks by Russian hackers with a hunt-forward strategy, conducting at least 47 operations in 20 countries: deploying teams to partner nations’ networks to identify and disrupt adversary activity before it reaches U.S. systems.
As cyberwarfare and 5th generation concepts evolve, nations will need to define levels of cyberattack in order to determine the appropriate level of response. Not every cyberattack, even one with significant fallout, is considered severe enough to warrant a declaration of war.
One such example is Operation Olympic Games, a joint effort between the United States and Israel that produced the malware known as Stuxnet. Given its sophistication, and the later discovery of an early variant dating from 2005, development is believed to have started at least that early. Its destructive payload was tailored to the Siemens Programmable Logic Controllers (PLCs) controlling centrifuges at the Iranian uranium enrichment facility at Natanz, much of which is built underground.
Spread via USB drives, the malware was designed to jump the facility’s air gap and, without the operators’ awareness, drive the centrifuges’ rotational speeds far above and below their normal range while feeding the monitoring systems recorded normal readings. The machines malfunctioned and effectively destroyed themselves, setting back Iranian capabilities. Despite the significant impact of this operation, it did not lead to armed conflict or a declaration of war by any nation involved. The significance, intricacy, and joint effort behind this malware set the stage and put the world on notice: the United States would step in where it saw fit to destroy infrastructure it deemed undesirable.
Attacks against critical infrastructure exist in a gray area where the threshold of risk tolerance appears to be the loss of human life. While the world has yet to see a cyberattack cause large-scale death and destruction, the conflict in Ukraine and possible future conflicts appear to be pushing against that red line.
What the actions of Russian and other state-sponsored actors have made clear is that we are in a new world, one defined by cyberattacks not only in the form of espionage but also the destruction of civilian infrastructure.
“Where do we draw the line?”
At what point does cyberwarfare become an act of war? At what point does the use of malware to take down civilian infrastructure constitute damage to persons or property, or result in deaths? And does attacking emergency services with cyberweapons amount to a war crime? In the traditional sense, these targets are off-limits to bombing. However, in a world without a true threshold for when cyberattacks amount to warfare, we are left without answers.
A joint effort must be made to draw the lines in the sand going forward: what is off limits, what constitutes an act of war, and what is a war crime. Until that happens, threat actors around the world will wage relentless attacks against their foes, without regard for the common citizen.