Tallinn Manual author: Petya malware attack likely war crime

Two prominent international law experts think the recent malware worm, if actually tied to Russia, constitutes a violation of the Geneva convention.
Rather than one continued operation, Turla's espionage missions have come in waves. (Getty Images)

If Russia was indeed behind the recent destructive malware attack known as Petya, then it should be considered a war crime, according to the lead author of the definitive guide to international law in cyber conflict.

Even though no one was injured or killed, they very easily could have been; the attackers appear to have targeted civilian infrastructure including hospitals and power companies; and they did so with an indiscriminate weapon, argues Michael Schmitt, a professor at the U.S. Naval War College and lead author of the Tallinn Manual, in an article in the European Journal of International Law.

But the reasoning only holds if Moscow was behind the attack — because Russia is already engaged in an armed conflict, albeit undeclared, with Ukraine, the nation originally targeted by the malware. Petya on its own isn’t be a big enough attack to count as a “use of force” in international law.

“A threshold question is, ‘Is the state that launched the attack in an armed conflict with the state impacted by it?'” explained Schmitt’s co-author for the blog article, U.S. Air Force Lt. Col. Jeffrey Biller, a judge advocate general, who stressed he was speaking in a personal capacity.


If there’s no conflict, peacetime rules — such as the U.N. Charter — apply, said Biller, currently assigned as a military professor at the Naval War College.

“There’s a fair amount of controversy about exactly where to draw the line” on what kind of cyberattack constitutes an “armed attack” — which would in-and-of-itself trigger a state of conflict and invoke the war-time provisions of international humanitarian law, Biller told CyberScoop. “There is pretty universal agreement, at least in the West, that cyberattacks which cause death, injury or physical damage qualify,” Biller said.

“That unanimity starts to break down” when you consider cyberattacks that cause no physical damage, but which nonetheless result in a permanent loss of function for vital infrastructure — such as destructive or “wiper” malware. It breaks down completely when the cyberattack causes only temporary loss of functionality, Biller said.

Given it’s still unclear exactly how widespread and permanent the damage from Petya is, it’s clear that — for a majority of legal scholars — it doesn’t qualify as an armed attack that would trigger a state of conflict.

“We don’t have a lot of evidence about the exact impact of this attack on the targeted networks,” Biller said, adding that much of the argument in the blog post was based on a “what if” scenario — “What if a state were behind Petya? …. What if it was [provably] Russia? … What would the implications be then?”


Between the Ukraine and Russia, the fighting predated Petya and “There’s no doubt” international humanitarian law applies, said Biller.

International humanitarian law, like the Geneva Convention, outlaws attacks deliberately targeting civilian objects and indiscriminate weapons which cannot effectively be targeted. Petya appears to have violated both prohibitions — assuming it qualified as an attack.

“Just because no one was killed, doesn’t mean … it was lawful,” Biller noted, using the analogy of a bomb aimed at a hospital that misses. “That’s still a war crime,” he said. If casualties were “foreseeable” — a judgement that had to be “factually determined, case-by-case” — then the attack was unlawful. “Part of your responsibility [as a warring power] is to … balance military necessity with the protection of civilians” and civilian infrastructure.

Likewise, he added, a combatant’s responsibility includes using weapons which are capable of being targeted or otherwise limited in their effects to lawful military targets. With self-replicating malware such as Petya, “You have no control,” he said, “as was demonstrated by the fact that the attack spread to so many other countries.”

Of course, in order to be covered by the Geneva Conventions, Petya would have to be considered an “attack.” Again, Biller said, there’s a lack of consensus about exactly how much damage has to be done by a cyber incident to qualify. Death or injury would definitely count, but permanent (and even more so, temporary) loss of function is controversial.


Some of the Ukrainian infrastructure hit by Petya (power companies, airports) might qualify as “dual-use” targets because they are sometimes used for military purposes. But as the article notes, “There is no evidence to suggest that their targeting in this case offered any military advantage. Other entities that were attacked, like banks, media organizations, and civilian healthcare networks, would only in rare cases qualify as military objectives. This being so, and assuming for the sake of analysis that the operation had qualified as an attack, Petya violated the prohibition on attacking civilian objects and, indeed, amounted to a war crime.”

Latest Podcasts