Legal Implications of the Privatization of Cyber Warfare

Chapter 13
Lucas Lixinski


One of the most important emerging topics related to militarization and the conduct of war is that of cyber warfare.1 As technological capacity grows, populations and governments alike become more and more dependent on reliable internet connections and information stored only in cyberspace. The whole financial market can no longer function without the internet and computers. The same can be said of air traffic and other sectors that would at first sight seem less network-dependent, such as energy distribution systems and hospitals. This dependence on computers makes these sectors of human activity particularly vulnerable should their computers or networks be shut down.

Additionally, the internet is essentially a civilian place. Over 90 percent of all internet infrastructure is civilian-owned, and these communication capabilities are used for civilian and military purposes alike, blurring the civilian/military distinction that is so essential to the conduct of warfare.2 In that sense, the privatization of war, or the reliance upon contractors, Private Military and Security Companies (PMSCs) and other similar actors for the performance of duties that once fell under the exclusive domain of the State and its armed forces overlaps substantially with cyber warfare efforts.

In May 2009, the U.S. Presidency published a report called ‘Cyberspace Policy Review – Assuring a Trusted and Resilient Information and Communication Infrastructure’. In this report, the White House recognized that the U.S. had lagged behind in its response to the growing threat of cyber attacks, and it went on to highlight the importance of cooperation with the private sector.3 This has spurred a surge among military contractors and IT companies who started recruiting personnel and preparing themselves for the opening of tender processes before the U.S. military.4

It has been reported that all major U.S. military contractors have contracts in the field of cyber warfare with the military and intelligence agencies. These companies have also been cooperating towards building a ‘Cyber Range’, or a duplicate of the internet where they can test offensive and defensive techniques for cyber warfare.5

Along these lines, the United States Special Operations Command (USSOCOM) has, in its strategic plan for 2009, outlined the need for investment in cyber warfare capacity. However, unlike the White House report, this one focuses on the development of in-house capacity for cyber warfare and, more specifically, network-centric capabilities.6

What happens, then, when cyber warfare is privatized, when a contractor working simultaneously for the U.S., French and Saudi Arabian governments can, from his office in a commercial neighbourhood in London, set off an attack that disrupts the entire telecommunications grid of say, China? Who is responsible for the attack? And, more importantly, what happens when, by disrupting the telecommunications system, one satellite happens to fall back into the atmosphere, crashing into a school in South Korea, killing dozens of innocent children? Who bears responsibility for these issues? Is it the British government, for letting this person use its cyberspace to launch the attack? Is it one or all of the government of the States under whose service this contractor acts? Is it the Chinese government, to whom the satellite belonged?

These are some of the questions this chapter explores. This contribution deals with the topic of the privatization of cyber warfare and the legal consequences of violations of international humanitarian law (IHL) and human rights perpetrated in cyber conflict scenarios.

The discussion of this contribution will play out against a broader background of the impact of new technologies upon human rights, in particular with respect to relations between developed and developing countries. It has been suggested that cyber warfare is a valuable tool in the hands of militarily weaker states (which is the majority of developing countries) to try to level an otherwise deeply asymmetrical military battlefield. More specifically, because cyber war is much cheaper to undertake than conventional warfare, developing countries are in a better position to counter imbalances in military might against other adversaries.7

What does this mean in terms of regulation? Is this statement a means to suggest that, in the name of the emancipation of developing countries, cyber warfare should go unregulated? I would suggest no. While it is true that cyber warfare is relatively cheap to undertake, it is also true that a lot of the technological innovation that drives it still comes from developed countries. To imply that countries like the United States should enhance their cyber war capabilities in order to counter the possibility of developing countries catching up and mounting attacks against US structures (a form of cyber deterrence) is to make an unacceptable concession to American Exceptionalism (and the thinly veiled imperialism behind it).

This contribution’s central thesis is that the seeming regulatory vacuum of cyber warfare in international law does little in the way of creating an opportunity for developing countries’ countering of empire. Asymmetries existing in warfare in general, while diminished in some instances (and increased in others), are still essentially replicated in the context of cyber warfare, because of the concentration of technology in countries of the Global North. Countries in the Global South are actually in a position to benefit from stricter regulations of this type of war. To suggest that countries in the Global South would be at an advantage is nothing but a means to co-opt international law once again as a means to cover up (and ultimately justify) a hegemonic project stemming from the Global North.

The chapter will be structured as follows: the first part will look generally at cyber warfare, exploring the modalities in which it occurs, and the possibilities for its regulation, both in international humanitarian law and general international human rights law. Cyber-attacks differ substantially from each other, in that not all cyber-attacks meet the necessary threshold for calling international humanitarian law into application. There are, however, several rules that should be observed even when the gravity of such an attack does not amount to an ‘act of war’.

The second part is a reflection on the privatization of cyber warfare. It starts by examining policy developments that discuss the structuring of cyber warfare, as well as the argument of the supposed inextricability of the private sector from this area of the military. It then analyzes the issue of accountability of ‘private cyber warriors’ for acts that violate human rights and humanitarian law.

Cyber Warfare

The aim of this part is to refute the idea of the ‘legal vacuum’ of cyber warfare under currently existing international law, an idea that many have been quick to affirm.8 While it is true that more specific rules are necessary to address the specificities of cyber warfare, it is an exaggeration to say that there are no applicable rules that can help deal with certain situations, should they arise before a specific instrument is completed.

However, before debating this issue, it is important to understand what falls under the category ‘cyber attack’, and the effects of different types of technology-based warfare.

Fighting a Cyber War

Cyber war falls under the broader definition of ‘information warfare’. Information warfare, according to military sources, falls into three categories: (1) acts aimed at ‘maintaining information superiority while protecting against counter-information warfare’; (2) ‘using information as a weapon against the enemy’, or (3) the use of information systems to enhance the effectiveness of the use of force.9

The first two categories refer more broadly to intelligence and information gathering, whereas the third one refers to ‘technology-based warfare’ in a narrow sense. There are two main types of action that can be described as ‘technology-based warfare’, and that rely heavily on the cyberspace. The first one is what is known as ‘network-centric combat’. In this type of combat, soldiers are normally deployed to the field. The big difference is that they rely heavily on intelligence information and technology that enhances their capabilities, such as Global Positioning System packages, constant communication links with information units away from the theatre of war who keep feeding the soldiers with useful intelligence, equipment that can pick up on radio transmissions and from that determine the position and movement of enemy combatants, among others.10

While this is an important use of technology and the internet to enhance combat capabilities, it is not cyber warfare in the strict sense. However, there are specific implications to be taken into account here. For instance, a combatant is defined as a person engaging directly in hostilities.11 Until recently, this meant only the soldiers in the theatre of conflict, as any information was given to them prior to actual combat, and therefore intelligence agents did not participate in hostilities. However, direct and constant communication links imply that people far from the actual theatre of conflict, sometimes sitting in offices thousands of kilometres away in a civilian zone in a different country, are also participating moment by moment in hostilities. Are these people also to be considered combatants? While they cannot physically engage with enemies, they are an indispensable part of the capabilities of the soldiers on the field to engage enemies, and can make a significant difference in the outcome of a war, as they serve practically as the ‘super eyes’ of soldiers. Another example of this kind of activity is the use of remote control-operated drones that can bomb a target without the need for someone to be physically present to launch or detonate it.12

I submit that they should be considered combatants, to the extent that they in fact willingly contribute to the conduct of hostilities. The consequence of them being considered combatants is that the communication links they use, as well as their equipment, are legitimate military targets, either through cyber attacks or physical strikes (for instance, bombing the building where the computers used for information gathering and transmission are). But this finding means that the equipment cannot be placed amidst civilian property or otherwise protected property, as defined by international humanitarian law rules.

These techniques of information warfare are highly sophisticated, requiring equipment that is developed by wealthy countries in the Global North, and therefore out of reach for most of the world. This type of technologically-enhanced military capability therefore counters the suggestion that combat asymmetries could be evened out by developing countries; if anything, in fact, these asymmetries are further enhanced. Therefore, regulation that ensures this technology is used within certain boundaries, and in respect of basic principles of IHL (much in the same way as international law regulating biological warfare) is imperative.

But the most important type of technology-enabled warfare for our purposes is what is known as cyber attacks. Any attempt at defining a cyber attack would necessarily be broad and rather vague, but a working definition would be attacks conducted with the primary use of the internet with the goal of inflicting temporary or permanent harm to information systems, with or without consequences to the physical support of these systems or any other physical objects connected to them.

Some of the tactics used in cyber warfare include: espionage and intelligence gathering; ‘web vandalism’, or attacks aimed at defacing web pages, or causing servers to collapse by flooding them with innumerable requests through what is known as ‘Denial of Service’ (DoS) attacks (which is what happened in Estonia in 2007,13 and in the Russia-Georgia conflict in 2008);14 the posting of propaganda on the internet;15 distributed DoS attacks, which are a much stronger version of a normal DoS attack, in which a single person controls – through spyware software, worms and other malicious software – a large number of computers, which are all used to launch a DoS attack against a larger system; and disruption of equipment by, for instance, disrupting the communications system of precision bombs,16 or paralyzing software that controls the cooling system of a group of satellite antennas.17

The disruption of equipment can happen through the launching of viruses into the operational systems of the equipment to be affected, or by launching an Electromagnetic Pulse weapon against the targeted structures (that is, the building where the computers that command the equipment are). While this is an effective and seemingly ‘least destructive’ alternative to the bombing of a building, it can also cause a lot of collateral damage, as the pulse will affect all computers within a certain radius of its deployment, which can affect vital civilian systems.18 Another technique is the use of computer attacks to add imaginary targets to enemy computers (causing the enemy to waste efforts and weapons).19

Cyber attacks can be of two types, according to their consequences: there are cyber attacks the consequences of which are limited to the virtual world (such as attacks on websites and DoS attacks),20 while others may cause very tangible damage in the physical world (e.g., stopping a country’s electrical power distribution system, or causing a nuclear plant to collapse by disrupting its computer-operated cooling system).21

Some of the effects that can be obtained through cyber warfare are: (1) the destruction or disruption of infrastructure systems; (2) distracting the military, or diverting its energies, from detecting physical impending attacks22 (referred to in military circles as ‘hybrid warfare’);23 (3) intelligence theft;24 (4) general effects on military and civilian morale, which can be a side effect of an attack on another target, or the primary objective (such as propaganda built into governmental websites, or simply the psychological effect of having some concept of ‘social integrity’ breached from abroad).

These means of cyber warfare are certainly not exclusive to developed countries, and have in fact been deployed by developing countries. However, it is noteworthy that the advantage in the instances in which cyber warfare techniques were in fact used still rested with the wealthier party to the conflict, simply because they had more means available to them also for the conduct of cyber warfare. Again, the suggestion that combat asymmetries could be corrected by cyber warfare fails, and developing states are put at a disadvantage.

All these forms of cyber warfare, as well as their different effects and the different forms of classification, indicate that there are very different degrees of intensity of a cyber attack. Consequently, there will also be different legal responses to these different degrees. I will now analyze these different possible legal responses.

The Matter of the Applicable Law

International Humanitarian Law

Cyber warfare can happen both in times of peace and times of war.25 Whether it happens during wartime or peace time will determine the legal regime applicable. Also, one has to take into account the different legal perceptions of each individual act of cyber warfare which, even out of context, can be seen as triggering different regimes.

Depending on the way an act of cyber warfare is legally perceived, there will be a different applicable regime. If an act of cyber war is seen as an act of use of force, then general principles of international humanitarian law should apply. If, on the other hand, one does not look at these acts as meeting the legal threshold for characterizing these acts as an ‘armed attack’ initiating an armed conflict, then the applicable regime should be the incipient international law on cybercrime and the general regime of international human rights law.

The definition of international conflict as a threshold for the application of IHL has been determined to be any situation in which a state’s armed forces breach the sovereignty of another state.26 In this sense, a cyber attack, if conducted by persons not enlisted in a state’s military forces, could not conceptually be an armed attack. However, one commentator has noted that ‘the reference to armed forces is more logically understood as a form of prescriptive shorthand for activity of a particular nature and intensity’.27 Taking this factor into account, and in light of the principles and purposes of IHL, one is led to conclude that an armed attack is an assault upon another state with military means to impinge upon territorial integrity and political independence.28 This definition can naturally extend to cyber warfare that is aimed at provoking direct destruction of property or loss of life in the physical world, to the extent one of the effects of these actions is precisely to cause internal unrest and weaken the governmental structure. It encompasses therefore actions aimed at, for instance, altering an airport’s air traffic control system (which could lead to airplane collisions), but not necessarily acts aimed at defacing a governmental website.

Moreover, if one chooses to apply IHL, one has to consider the questions of territory as a requirement for the determination of IHL regime. How is the international character of a cyber conflict to be determined? Is it to be presumed, or should there be some criteria for this determination? The ‘place’ where the conflict takes place, for instance, cannot be deemed a determining factor, for the computers engaged in the conflict need not be in the territories of the conflicting states.

Also, cyberspace can in itself be referred to as a new environment for military action, and it has been assimilated to the global commons (outer space and the oceans are the most common references) in the literature about it.29 There are certain differences, of course, at least to the extent that rules governing the oceans do create some sort of jurisdictional allocation, but the rules governing outer space are more easily applicable. And these become very relevant for analogical application: the core international treaty regulating the use of outer space explicitly determines that all activities (for our purposes, particularly military activities) of non-governmental entities in outer space must be authorized and continuously supervised by states parties to the relevant treaties. States are responsible for activities undertaken in outer space by governmental and nongovernmental entities alike.30 It further determines that states are responsible for damage caused to another state simply if the object that caused the harm has been launched from their territory.31 Rules governing outer space thus offer interesting insights and can be applied analogically to the regulation of cyber space.

One must be aware of differences, however. Possibly one of the reasons why responsibility for the acts of private entities is so easily attributable to the state in the outer space context is that outer space endeavours are large and costly enterprises, and the state from which one such enterprise is launched would hardly be able to deny knowledge of it; when it comes to cyber attacks, however, any person with a home computer can launch one such attack, as long as they have the necessary skills and training. This difference of scale and accessibility must be taken into account when trying to draw this parallel, but I suggest that the parallel can be drawn nonetheless, precisely because of the aspiration to protect a common space that is not subject to territorial borders.

Another important question is that of attribution. Assuming a cyber attacker does not identify herself/himself, how can this identification be done? Tracing the attack back is a long and often futile exercise, as most cyber traffic goes through a wide range of computers in disparate parts of the world, being hardly linear.32 Also, even if an attack can be traced back to a certain country, it is nearly impossible to determine whether the source is a state- or a privately-owned computer.33

Therefore, it would be nearly impossible to attribute an attack through these means. Even if attribution were possible, tracking the attack down to its source computer would not necessarily resolve the problem. For one, this computer may be just a smokescreen created by spyware software for the real attacker. Also, as private military contracting expands into cyberwar, to find that the computer responsible for the attack is one of a private military company does not say much, particularly if this company renders services to more than one state. The attacks of March 2009, in which intelligence computers in 103 countries were hacked and had information stolen by computers that could be traced back to China, are an example. Even though the attacks were traced back to China, the Chinese government denied any involvement in the acts, and that more or less ended the affair, as there are no means to effectively prove that the attacks were commanded by Chinese authorities.

Further, the fact that there was no response to these attacks may serve as evidence of state practice in not considering them as armed attacks, at least not to the extent that it may trigger the application of Article 51 of the UN Charter (as a use of force) or international humanitarian law. Thus, one may be led to the conclusion that different forms of cyber attack will constitute armed attacks or not depending on the pervasiveness of their effects. Documented cyber attacks have so far done little more than blocking access to or defacing certain websites, and there have also been some alleged thefts of intelligence information. None of this, however, seems to be enough to trigger a military countermeasure, cybernetic or otherwise, which lends further credence to the notion that these forms of cyber warfare at least cannot be deemed to be armed attacks. If a cyber attack, however, ever has effects causing the loss of civilian life and/or property, the response might be stronger. Another possible interpretation is simply that a sufficient causal link between the attacks and the Chinese authorities could not be established. The analogical application of rules on outer space, however, would help shed light onto this situation, as all that would be required would be to determine that the computers were located in China.