Is there a “cyber war” between Ukraine and Russia?
By Marco Roscini
Alarming headlines have recently started to appear in the media (see, for example, the CNN’s “Cyberwar hits Ukraine”). This, however, is sensationalism. What has actually happened so far is limited disruption of mobile communications through Distributed Denial of Service (DDoS) attacks. In addition, certain state-run news websites and social media have been defaced and their content replaced with pro-Russian propaganda. In the months that preceded the current crisis, Ukrainian computer systems were also allegedly targeted by “cyberspies”.
If the above scenario sounds familiar it is because it isn’t the first time that cyber operations have occurred during a military crisis involving the Russian Federation. In 2008, immediately before and after the Russian troops entered the secessionist Georgian province of South Ossetia, several Georgian governmental websites were defaced and their content replaced with anti-Georgian propaganda, while DDoS attacks crippled the Caucasian nation’s ability to disseminate information. Estonia was also the target of severe DDoS attacks in 2007, although in the context of a political, and not military, confrontation with Russia. In neither case has it been convincingly demonstrated that Russia (or any other state) was responsible for the cyber operations. The same can be said of the cyber operations against Ukrainian computer systems and websites, which have also been, at least until now, far less severe than those on Georgia and on Estonia, leading some to suggest that Russia is exercising restraint in the use of its cyber capabilities.
Does international law apply in this scenario?
While the DDoS attacks and the defacement of websites obviously don’t establish on their own an armed conflict between Russia and Ukraine, the fact that they have been conducted in the context of kinetic exchanges of fire and a situation of occupation may potentially lead to the application of the law of armed conflict (jus in bello). Two points are important from this perspective. First, although there have been no extensive armed hostilities between Ukraine and Russia yet, it has been reported that at least one Ukrainian soldier has been killed and another wounded, allegedly by Russian military forces or pro-Russian militias. Unlike in non-international armed conflicts, the jus in bello applies to any shot fired between states, regardless of intensity thresholds. The Commentary to Article 2 common to the 1949 Geneva Conventions on the Protection of the Victims of War clearly states that “[i]t makes no difference how long the conflict lasts, or how much slaughter takes place, or how numerous are the participating forces” (p. 23). Secondly, the fact that Crimea is now under the control of the Russian forces determines a situation of occupation that also falls under the scope of the law of armed conflict (Article 2(2) of the Geneva Conventions).
However, the law of armed conflict would extend to the DDoS attacks and other cyber operations against Ukraine only if these have a “belligerent nexus” with the hostilities and the occupation. Otherwise, they would be mere cyber crimes and would fall under the scope of domestic criminal laws. To have a belligerent nexus, the cyber operations must have been designed to cause a certain threshold of harm to a belligerent (Ukraine) in support of another (Russia) (see Recommendation V(3) of the International Committee of the Red Cross (ICRC)’s Interpretive Guidance on the Notion of Direct Participation in Hostilities). Harm must be either death, injury, or destruction on civilian persons or objects, or military harm, whether physical or not (Recommendation V(1)). Even though they didn’t result in material damage on protected persons and property, then, the threshold of harm would have been crossed if the DDoS attacks and other cyber operations had at least aimed at affecting the Ukrainian government’s ability to communicate with and the operability of its armed forces, so to disrupt Ukraine’s military operations or military capacity. From the information available, we don’t know whether this is the case.
Do the DDoS operations against Ukraine amount to “attacks” under the law of armed conflict? The question is important because the rules on targeting and protecting civilians, including the principles of distinction and proportionality and the duty to take precautions, only apply to “attacks”, defined in Article 49(1) of Protocol I Additional to the Geneva Conventions as “acts of violence against the adversary, whether in offence or in defence”. I have argued elsewhere that a cyber operation is an “attack” in this sense whenever it employs cyber capabilities that produce or are reasonably likely to produce “violent” consequences in the form of loss of life or injury of persons, more than minimal material damage to property, or loss of functionality of infrastructures. From the available information, this doesn’t seem to be the case of the DDoS attacks against the Ukrainian communication systems and, even less, of the defacement operations. Cyber “espionage” also doesn’t normally affect the functionality of the accessed system or amend/delete the data resident therein. It doesn’t have “violent” consequences and is therefore not an “attack”, although it may be an act of hostilities.
To conclude, we can’t establish for sure whether the international law of armed conflict applies to the cyber operations conducted so far against Ukraine because we don’t know whether they were designed to militarily support Russia to the detriment of Ukraine. What we do know is that the operations in questions are not “attacks”, and therefore the rules on targeting don’t apply to them, whether or not they have a belligerent nexus.
Dr. Marco Roscini is Reader in International Law at the University of Westminster. He has written extensively in international security law, including cyber warfare and nuclear non-proliferation law. His most recent book, Cyber Operations and the Use of Force in International Law, has just been published by OUP. He is also the author of ‘Cyber Operations as Nuclear Counterproliferation Measures’, published in the Journal of Conflict and Security Law (2014). Dr. Roscini regularly blogs at Arms Control Law and can be followed on Twitter at @marcoroscini.
Oxford University Press is a leading publisher in international law, including the Max Planck Encyclopedia of Public International Law, latest titles from thought leaders in the field, and a wide range of law journals and online products. We publish original works across key areas of study, from humanitarian to international economic to environmental law, developing outstanding resources to support students, scholars, and practitioners worldwide. For the latest news, commentary, and insights follow the International Law team on Twitter @OUPIntLaw.