On 28th June, 2017 the Jawaharlal Nehru (in Mumbai) port was hit by a malware (known as “Petya”) cyber-attack. As a result of the damage caused by this attack, one of the terminals at the Port was rendered inoperative leading to a disruption in the arrival and departure of cargo.1 Another malware known as “Flame” was found to be used, primarily, for the purpose of collecting information in the form of keyboard activity and skype conversations in the Middle East.2
Exceeding the two aforementioned attacks in damage caused was the “Stuxnet” malware, created by Israeli and American Intelligence Agencies, which was used to destroy centrifuges used in the Iranian Nuclear program.3
All of these incidents are examples of cyber intrusion which, in the words of the U.S. Department of Defence, are incidents of unauthorized access to data or an automated information system’.4 However, cyber intrusions are merely an umbrella term covering a broad degree of activities carried out through the digital medium. To be precise, incidents like the “Flame” attack can best be defined as cyber espionage; on the other hand, in cases like Stuxnet where state actors cause significant damage to a target digital network, then the term cyber warfare is applied.
This distinction is quite important from a legal point of view. A fair amount of consensus exists regarding the argument that cyber warfare is illegal from the point of international law and custom. Cyber Warfare has been defined as a cyber-intrusion of such scale that it causes damage and destruction to the extent that it involves “use of force” and resembles the effect of armed attacks.5 The position of law regarding international espionage on the other hand is much more ambiguous. This blog will work to underline the key differences between these two activities.
Cyber Espionage refers to activities in which a person obtains unauthorized access to information stored in digital format or computer and IT networks. Earlier in the article emphasis was placed upon the presence of “use of force” to unlawful cyber intrusions or cyber warfare. This idea of “use of force” as a defining factor for separating lawful and unlawful intrusions is provided in the Tallinn Manual. The Manual is an academic study which tries to apply principles of international law to cyber-intrusion in order to test their legality. Rule 66 of the manual states that “A State may not intervene, including by cyber means, in the internal or external affairs of another State.”6
The language of the Manual, admittedly, still leaves ambiguity about the exact point at which any intervention will become unlawful. However, the Manual does seem to consider the Stuxnet attack to be an example of “use of force”.7 Stuxnet had, as stated earlier in the blog, caused actual physical damage to the machinery used in the Iranian Nuclear Program by corrupting the software running the centrifuges used for purifying nuclear fuel.8 The classification of Stuxnet as an example of “use of force” is a result of the sources used by the authors to create the manual.
The Manual has relied, to a great extent, on the principles of the law of jus ad bellum or the law of war. One way of understanding this is that jus ad bellum becomes applicable to cyber intrusions when damage caused, to persons or property becomes analogous to that of conventional warfare.9 In turn, “use of force” has not just become a part of jus bellum but has also been used in Article 2(4) of the United Nations Charter. It provides that, “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”
So significant physical damage or tangible negative outcomes would help in classifying an act as an example of “use of force” and hence provide means to obtain remedies. But what about relatively less invasive means of intervention in the economic and political structures of another nation? The travaux préparatoire for Article 2(4) explicitly records that it was felt unnecessary to include economic coercion within the meaning of use of force.10 Finally the ICJ judgment in the Nicaragua case has portions which deserve to be quoted. Firstly, the court noted that, firstly, “intervention is wrongful when it uses methods of coercion”, and secondly, that “measures which do not constitute an armed attack may nevertheless involve a use of force.’11
So as far as the ICJ is concerned, coercion and not armed force is the defining trait of wrongful intervention. Going back to what was said by the International Group of Experts (IGE) that drafted the Tallinn Manual it was observed by them that acts of cyber intelligence, cyber theft or brief interruption of services would not come under the category of armed attacks.12
By Hamid Naved, Rajiv Gandhi National University of Law, Punjab