Ukraine conflict spurs questions of how to define cyberwar
Legal scholars and cybersecurity experts are closely watching events in Ukraine with an eye on how the Russian invasion may redefine the laws of war for the cyber era.
Many agree that Ukraine’s conflict with Russia — an established cyber superpower that isn’t hesitant about flexing its muscle aggressively — could test the rules of war in new and unexpected ways. Some say it already has.
Exactly how these rules might be redefined is the subject of significant debate.
In recent days, authorities as disparate as the president of Microsoft and the chairman of the Senate Intelligence Committee have weighed in on how NATO’s Article 5 provision for “collective defense,” the Geneva Convention’s protections for civilian targets and other legal frameworks for armed conflict may be challenged in the coming weeks.
On Monday, Sen. Mark Warner, D-Va., the chairman of the Select Committee on Intelligence, said at a Washington Post event that he is very concerned Russian cyberattacks could cripple Ukraine’s power grid, in an echo of what happened in 2015. While many experts have been surprised by Russia’s so-far minimal use of cyberattacks in this conflict, several also have speculated that it is only a matter of time before Russia unleashes them.
Peter Singer, a strategist and senior fellow at the center-left New America think tank and author of a book on cyberwar, said that while Russia has not yet committed “Geneva Convention-level” war crimes in the cyber domain, he believes that could quickly change.
“The first couple of days of the invasion were based on a really bad Russian assumption that this would be a quick and easy win for them,” Singer said. “As the war shifts … to them trying to grind down and collapse the Ukrainian state and society, the concern is just as the gloves have started to come off in their missile and airstrikes, that we’ll also see the same on the cyber side.”
Warner said he is also worried about what’s to come from the Russians in the cyber domain — and says it is very possible a Russian cyberattack could trigger NATO’s Article 5, drawing the United States and other allies into a broader conflict.
Cyberwarfare “doesn’t respect geographic boundaries,” Warner said. “It could end up bleeding into Poland … If American troops and a truck crashed because the lights were out you could get very close to Article V. So, we are still in uncharted territory.”
Some cybersecurity firms said they’ve already seen signs of wiper malware used in Ukraine spilling into neighboring countries.
Warner said he “absolutely” believes cyberattacks should trigger Article 5 — a power invoked just once since 1949, for the Sept. 11, 2001 terrorist attacks — just as a conventional military attack might. But he hedged, saying he doesn’t believe the U.S. and its NATO allies should predetermine how and whether to escalate “until we see what kind of Russian activities take place here.”
For its part, NATO has repeatedly confirmed that countries have the right to defend themselves in cyberspace. Writing in Just Security, international law professor Michael Schmitt said the real question is whether Russian cyber tactics qualify as an “armed attack.”
“The prevailing view is that, in the words of the International Court of Justice in [the 1986] Nicaragua [judgment], an armed attack is the ‘most grave form’ of a use of force,” Schmitt wrote. “Thus, the scale and effects of any Russian cyber operations would have to be especially severe before triggering the right of individual or collective self-defense.”
France, for example, has suggested a cyber operation would constitute an armed attack if it led to “substantial loss of life or considerable physical or economic damage.”
Warner said more dialogue is needed to guide the U.S. and its allies on how to handle cyberwar. He called for the “equivalent of a cyber Geneva Convention” to govern how cyber tools are used to perpetrate acts of war, an idea in circulation among cyber thinkers for several years.
But Singer said there is less ambiguity than Warner asserts and that an “armed attack,” whether committed in the cyber domain or on a physical battlefield, is not difficult to spot or respond to.
“I can’t think of a single war that started over the theft of information, or even a blockade without any violence,” Singer said. “It’s always the violence part of it that is the initiation of the war … It’s not about the means.”
Other defense experts questioned Warner’s contention that the U.S. would be drawn into an ally’s conflict based on a cyberattack. Aaron Hughes, deputy assistant secretary of defense for cyber policy in the Obama administration, doubts Article 5 would be easily triggered in the scenario Warner envisions, particularly given how hard it can be to provably attribute cyberattacks to specific attackers.
Hughes, now a non-resident expert at the Center for Strategic and International Studies, said he believes the administration would be unlikely to enter a conflict based on a cyberattack trigger of Article 5.
However, a near-term Russian cyberattack on Ukraine could lead the U.S. and allies to grapple with other questions such as how to treat virtual assets belonging to one country if they are stored in a second or third country, Hughes said.
“What are the notification considerations for the second or third country that we need to go through to get to that asset?” Hughes asked.
Adm. James Stark, who oversaw operations related to the Yugoslav Wars of the 1990s and most recently served as president of the Naval War College, said it can be very hard to prove attribution for cyberattacks to the degree needed to trigger an Article 5 response, particularly since Russia and China are skilled enough to cover their tracks and can even make their exploits look like the work of others.
What kind of cyberattack would create an Article 5 violation “is essentially a political question, which is going to have to be answered at the time,” he said.
Civilian vs. military targets
Questions about how to define cyberwarfare are being raised not only by government and defense officials but also by others. On Monday, Brad Smith, Microsoft’s president and vice chair, issued a statement about cyberattacks taking aim at Ukraine’s digital infrastructure.
Smith called the cyberattacks “precisely targeted” — unlike the malware which spread across the region in the 2017 NotPetya attack for which the U.S. has blamed Russia — but he said Microsoft remains “especially concerned” about recent cyberattacks on Ukrainian civilian digital targets, including the financial, agriculture, and energy sectors.
“These attacks on civilian targets raise serious concerns under the Geneva Conventions,” Smith said.
But Bobby Chesney, a professor at the University of Texas School of Law who writes on a variety of national security and cybersecurity issues, said in an email that the “relevant laws of war regarding attacks on civilian targets (which are generally unlawful already and clearly so) don’t have anything to do with the actual Geneva Conventions.” The Geneva Conventions are entirely focused on the treatment of people who are in the custody or power of a party to the conflict, Chesney said.
The existing framework for the law of armed conflict applies to cyberwarfare. Chesney said that, given this, it is very unlikely the Atlantic Charter, which was a statement of British and U.S. principles during World War II, will be significantly revised to account for cyberwar tactics anytime soon. He noted that while most international treaties were written before there was a cyber domain, they also pre-date many other battlefield technologies.
“The idea that technology opens up new ways for nations to fight each other doesn’t mean that the laws of war go out the window,” he said in an interview.
Chesney said uncertainties are inherent to all armed conflicts, citing sabotage and covert operations in physical warfare. But he acknowledged that with cyberwarfare there is an “additional layer of scale” to the uncertainty. For example, Chesney said there is debate about what types of cyberwarfare might count as “an attack in the way that an airstrike would count as an attack.”
A cyberattack on a bank website might impact civilians but would very likely not be treated with the same level of seriousness that disabling a power grid would, he said.
But it may not be troubling to let the rules for cyber engagement remain murky, he added, because it gives leaders leeway not to escalate a situation. NATO determining an Article 5 violation had occurred could lead to very serious consequences.
“Strategic ambiguity,” Chesney said, “isn’t always a bad thing.”
This story was featured in CyberScoop Special Report: War in Ukraine