A recent paper by Kilovaty in the Michigan Telecommunications and Technology Law Review covers a topic that is extremely relevant right now. The paper argues that “disruptive” cyber operations are a new form of violence that should be brought within the traditional understanding of “attack” under international humanitarian law (IHL). It draws attention to an ongoing debate over whether a cyber operation must result in physical damage, injury, or death among a civilian population in order to qualify as an attack. It is widely accepted that a cyber operation that does produce such kinetic effects is an attack under IHL, which in turn triggers IHL’s principles of distinction and proportionality. What remains unclear is whether operations that only interrupt the functionality of a system, i.e. “disruptive” operations without kinetic effect, should fall into the category of attacks.
Kilovaty’s paper uses the December 2015 operations against Ukraine’s power grid, which resulted in widespread power outages, as a real-world example to illustrate his point that “cyber operations that do not result in direct kinetic effects such as death, injury, or physical destruction” are considered by many not to qualify as attacks and therefore do not trigger IHL considerations. The reason the paper is so relevant right now is that there have been a couple of much more recent campaigns with similar effects that further illustrate this point.
Since November 2016 there has been an unusually high frequency of destructive/disruptive cyber operations against government and critical infrastructure targets in Saudi Arabia and Ukraine, suspected to have been carried out by nation-state actors in Iran and Russia respectively. The Saudi incidents began around mid-November 2016, when reports emerged that destructive malware had crippled the networks of government organizations and of the agency responsible for running the country’s airports. That initial round was followed by a second at the end of November and a third in late January 2017; this final wave reportedly hit a wide array of government and private sector organizations in Saudi Arabia. Analysis of the malware revealed it to be a new version of the Shamoon (or Disttrack) malware used in a 2012 cyber attack against a company in Saudi Arabia, an attack believed to have been carried out by operators in Iran. While no definitive attribution has been made for the recent incidents, the similarity in malware and targeting is indicative of an Iranian actor.
During the same late-2016/early-2017 timeframe, a separate wave of operations, unrelated to those in Saudi Arabia, occurred in Ukraine. On December 6 Ukraine’s Ministry of Finance announced that it had been the victim of a “coordinated cyber attack” that destroyed data and blocked access to its network. Media reports indicated that the treasury service and the pension fund were also affected, which resulted in pension and other government payments being blocked. In addition to the incidents against these financial agencies, there was also a suspected operation against the Ukrainian power company Ukrenergo (http://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA), which resulted in blackouts in Kiev.
Analysis of the malware and tactics used in these operations found them to be similar to those used in the December 2015 attack mentioned above, which left hundreds of thousands without electricity in western Ukraine. Although never definitively tied to the Russian government, the choice of targets and the sophistication of the operations point to a Russian actor.
Because of the types of malware used in the incidents described above, it is possible that they would be considered attacks under current IHL: the destructive malware may have rendered affected systems so inoperable that physical computers or components had to be replaced, and that kind of physical damage would meet the current definition of “attack.” However, it is unclear whether physical replacement was actually necessary. Wiper malware of the Shamoon type overwrites the master boot record and files on disk; that leaves the machine unbootable, but the hardware itself ordinarily survives and can be restored by reimaging. If no replacement was needed, and the malware merely interfered with the victim systems without causing physical damage, then under the prevailing view these incidents would not be attacks under IHL at all, but merely disruptive operations.
The conclusion that these incidents would not be considered attacks, and that IHL principles therefore should not apply, simply because they did not require affected systems to be physically replaced, seems absurd. The 2015 operation against Ukraine’s electrical grid is a good example. Assume that the bad guys had only used their access to manipulate controls and shut off the power, without deploying any malware with a destructive effect. The incident knocked out power to hundreds of thousands of people in late December. Shutting off the power in late December in an area where it can get pretty cold could easily result in civilian casualties. While there do not appear to be any reported injuries or deaths resulting from the outage, why should that be the measuring stick? Must someone be hurt or killed before an operation counts as an attack? Other, non-weather-related casualties could also result when power is lost. Yet under a rule that requires physical damage to property or civilian injury or death before a cyber operation can be labeled an attack, the 2015 Ukraine incident would not qualify unless the malware used happened to have a destructive effect.
Including disruptive cyber operations against critical systems under the current “attack” umbrella would bring IHL’s principles of distinction and proportionality into play. This would require those launching disruptive operations to understand the nature of the systems being targeted: if attacking a particular system would result in widespread, indiscriminate damage, the operation could not go forward. Applying IHL to disruptive operations would place a greater burden on operators, which many governments may oppose; however, denying IHL protections to disruptive operations targeting systems critical to civilian populations seems to undermine IHL’s humanitarian goal.