INTERNATIONAL LAW AND CYBER WARFARE
Rishabh Shrivastava
10/20/2013
College of Legal Studies (CoLS), University of Petroleum and Energy Studies (UPES)
Bidholi via Prem-Nagar, Dehradun 248007, Uttarakhand, India
BA.LLB. (Hons.) (1st Year) with specialization in Energy Laws
Electronic copy available at: http://ssrn.com/abstract=2342775
PREFACE:
Today, in the 21st century, the internet is the lifeblood of the modern economy. Whatever the field, it is fully dependent on cyberspace. In powerful countries like the U.S.A., Russia, Germany and China, control of these cyber units lies solely with the military agencies. Many researchers in this field believe that, because of the heavy dependence of military services on the internet, a fifth dimension of global war has now opened, one that is more dynamic and powerful. Banking, industry, infrastructure and education, all the modern facilities a state provides to its citizens, depend to the full extent on cyberspace for better results.
What happens if a group of 300 hackers attacks your computer and spies on every activity you perform? What will be the condition of that individual? What elements are involved in such an activity? How does the law address it? Does the law have a clear stand on it? All these questions can be addressed with the help of this article. My article examines how cyberspace has evolved from its original nature and is now formally used for activities that are aggressive in nature, and how activities in cyberspace can trigger armed conflict.
Nowadays cyberspace is becoming more dynamic and is used by intelligence units, ministries and departments for purposes that may result in wars or other conflicts. Therefore we have to equip cyberspace with all possible measures, and one of those is an understanding of international law and cyber-warfare, including how the concepts of ‘force’ and ‘armed attack’ in Articles 2(4) and 51 of the UN Charter can be interpreted in the context of cyber-warfare.
The case studies I provide will help in understanding the analytical review done by experts, because these cases bring legal considerations to the horizons of both international law and cyber-warfare.
INTRODUCTION:
The Internet has become the fastest and most powerful technological revolution in the history of mankind. In just 15 years, the number of internet users skyrocketed from 16 million in 1995 to more than 1.7 billion in late 2010 [1]. Every individual, corporation, company and trust is dependent on this service. Military reliance on this technology has opened the fifth domain of war-fighting, next to the traditional domains of land, sea, air and outer space [2]. This trend raises the question: “how far can the domains of international law be juxtaposed with that of cyber warfare?”
Why is Cyber Security considered a hot topic in the context of International Law?
For every sovereign state it is very important to ensure that its civil society is protected from crime and espionage on the Internet and that society has safe and secure access to internet services. Today every nation is fighting cyber war. The biggest problem with these cyber wars is that the attacks are carried out not by government hackers but by criminal ones, who steal business secrets and financial information. If information is tracked in its normal course of transmission between sender and receiver, it will not flow smoothly between individuals, organizations, etc.
What is Cyber Warfare and how is it unique?
The term “cyber warfare” refers to warfare conducted in cyberspace through cyber means and methods. “Cyberspace” can be identified as a globally connected network of digital information and communications infrastructures, including the internet, telecommunications networks, computer systems, etc.
Cyberspace is unique because it is the only man-made domain. Because cyberspace is not subject to geopolitical or natural boundaries, information and electronic payloads are deployed instantaneously between any point of origin and the point of receipt. Information travels in the form of multiple digital fragments through unpredictable routings before being reconstituted at its destination. IP spoofing and the use of botnets [3] are some of the techniques unique to the sphere of cyber warfare.
[1] UK Government, “A Strong Britain in an Age of Uncertainty: The National Security Strategy”, 2010, p. 29.
[2] US Department of Defense, The National Military Strategy for Cyberspace Operations, 2006, p. 3.
How are we inventing the cyber war problem?
In 1998 some 3000 Chinese hackers attacked Indonesian government sites. Since then there have been more than 10,000 attempts to hack into major computer networks belonging to the ministry of defense, banks, media, etc. Cyber intrusions have elements of espionage and theft. These elements were categorized as ‘Computer Network Exploitation’ (CNE); this was later replaced by ‘Computer Network Attacks’ (CNA), and later still the most appropriate abbreviation for this widely practiced trend became ‘Computer Network Interference’ (CNI).
Cyber Operations and Jus ad Bellum:
The jus ad bellum is the body of law that governs the resort by states to force in their international relations. Today the most important source of jus ad bellum is the UN Charter. Whether a cyber operation amounts to 1) an internationally wrongful threat or use of “force”, 2) an “armed attack” justifying resort to necessary and proportionate use of “force” in self-defense, or 3) a ‘threat to the peace’, ‘breach of the peace’ or ‘act of aggression’ subject to UN Security Council intervention is in every case covered by the UN Charter.
State-sponsored cyber operations that qualify as a use of ‘force’ against another state would not only fall under the general prohibition of Article 2(4) of the UN Charter, but would normally also trigger an international armed conflict. The occurrence of cyber operations amounting to an “armed attack” permits the attacked state to exercise its inherent right to self-defense through means otherwise prohibited by the Charter, including, most notably, the resort to force. Where cyber operations amount to a “threat to the peace”, “breach of the peace” or “act of aggression”, the consequence is that the UN Security Council may take measurable steps, including military force, in order to maintain or restore international peace and security under Articles 2(4) and 51 of the UN Charter.
In addition to the UN Charter, the International Court of Justice (ICJ) has pointed out in six cases [4] the important rules of customary international law and general principles relevant to the lawful resort to force. Not only must there be an armed attack, or the equivalent of an armed attack, to justify the use of military force in self-defense, but the attack must be significant. It must be attributable to the state where the self-defense is being carried out; the use of force must be the last resort and must be likely to succeed in achieving defense; and it must be proportionate to the injury suffered.
[3] A botnet is an interconnected series of computers used for malicious purposes. A computer becomes a “bot” when it runs a file that has bot software embedded in it.
But the question that usually arises in interpreting these provisions of the UN Charter is whether cyber operations can be classified as “force” and, if so, up to what degree cyber operations fall within the category of Article 2(4) of the UN Charter. The question is: what extent of cyber operations qualifies as “force”?
Cyber Operations as “Force”:
In its ordinary meaning, force covers both armed and unarmed forms of coercion. The “force” referred to in the UN Charter is practically synonymous with “armed” or “military” force. The real difficulty lies in qualifying as a use of force those cyber operations that do not, or not directly, cause death, injury or destruction. As a matter of logic, the Charter cannot allow the prohibition of interstate force to be circumvented by the application of non-violent means and methods which, for all intents and purposes, are equivalent to a breach of the peace between the involved states. The UN Charter does not define what constitutes a wrongful “threat” of interstate force; the ICJ held that:
[t]he notions of “threat” and “use” of force under Article 2, paragraph 4, of the Charter stand together in the sense that if the use of force itself in a given case is illegal—for whatever reason—the threat to use such force will likewise be illegal. In short, if it is to be lawful, the declared readiness of a State to use force must be a use of force that is in conformity with the Charter. [5]
[4] Nicaragua v. State of America, 27 June 1986
Iran v. United States of America, 6 November 2003
Democratic Republic of Congo v. Uganda, 19 December 2005
Estonia and NATO, April 2007
Georgia-Russia, 2008
Stuxnet, 2009-2010
Overall, there is no consensus as to the precise threshold at which cyber operations amount to an internationally wrongful threat or use of force. The illegality of a cyber operation may result from the violation of any obligation under international law.
Article 2(4) of the UN Charter prohibits the use of “force” between states [6] that are participants in the international community, in their mutual international relations. This means that the use or threat of force must be legally attributable to states. In international law, acts are attributable to a state only when some actor performs the functions of the state, because there must be someone on whom international legal responsibility can be engaged. Such actors, persons or entities are described as “state agents”. Persons, actors and authorities not acting on behalf of a state are known as “non-state actors”. Cyber operations are carried out not only by government personnel and military officials but also by an increasing number of private contractors, who fall under the category of “non-state actors”. The use of force by individual hackers and private contractors is not prohibited under Article 2(4) of the UN Charter. States providing significant support to these non-state actors, however, is a fine example of the use of “indirect force” by state actors, and the inference from this situation is that Article 2(4) of the UN Charter lacks proper parameters to determine the use of “force” in the context of cyber operations. Article 2(4) of the UN Charter therefore remains full of ambiguity in terms of setting “force” as an element of peace and security.
Cyber Operations as “Armed Attacks”:
At first instance, an armed attack means the use of a weapon. The ICJ clarified that Article 51 of the Charter, just like Articles 2(4) and 42, applies “to any use of force regardless of the weapons employed”. Cyber-attacks are unrelated to the use of biological, chemical or nuclear weaponry, which raises the question of their qualification as a ‘weapon’. In this context it has been noted that:
“It is neither the designation of a device, nor its normal use, which make it a weapon but the intent with which it is used and its effect. The use of any device or number of devices, which results in a considerable loss of life and/or extensive destruction of property must therefore be deemed to fulfill the conditions of an “armed” attack.” [7]
[5] International Court of Justice, Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996.
[6] Art. 4 of UN Charter.
The ICJ was interested in separating the more grave forms of ‘force’ (those constituting an armed attack) from less grave forms. [8] Unfortunately, the court’s subsequent failure to explain its reasoning further produced more confusion than insight and did not make it possible to correlate the concept of “armed attack” with that of “cyber operations”.
The argument researchers often make is that the injury caused by such warfare, conducted by one sovereign state against another, automatically qualifies it for the conditions mentioned in Article 51 of the UN Charter, i.e. “a use of force” or “armed attack”. But this approach cannot be carried very far, because it makes an individual study either too restrictive or too expansive. To reach an adequate conclusion, cyber warfare can be understood as conduct that disables infrastructure, that is, cyber-attacks that incapacitate critical infrastructure. This is a far better approach to qualifying cyber-attacks for the category of “use of force” or “armed attack”, because ultimately the key concern for states is the protection of these infrastructures. Varied opinions and definitions have been given on this concept; some of them are:
1- UN GENERAL ASSEMBLY- critical infrastructures include “those used for, inter alia, the generation, transmission and distribution of energy, air and maritime transport, banking, financial and e-commerce services, water supply, food distribution and public health, cyber operations are interconnected to it and affect their functioning”. [9]
2- EUROPEAN UNION- “Critical Infrastructure includes those physical resources and services and information technology facilities, networks and infrastructure assets which if disrupted or destroyed would have serious impact on health, safety, security or economic well-being of a citizen or the effective functioning of the government.” [10]
3- SHANGHAI COOPERATION ORGANIZATION (SCO)- ‘Critical structure’- public facilities, systems and institutions, attacks on which may cause consequences directly affecting national security, including that of an individual, society and state. [11]
[7] Karl Zemanek, “Armed Attack”, in Rudiger Wolfrum (ed.), Max Planck Encyclopedia of Public International Law, 2010, § 21.
[8] Nicaragua Case.
[9] UN General Assembly resolution 58/199 of 30 January 2004.
[10] European Commission, Green Paper on a European Programme on Critical Infrastructure Protection, document COM (2005) 576 final, 17 November 2005, annex 1, p. 20.
Therefore the only sphere of cyber operations where international law is capable of qualifying cyber-attacks under Article 51 of the UN Charter is this one: any cyber-attack that aims at damaging these critical infrastructures will be deemed an “armed attack” or “use of force” and thus will stand in relation to Article 51 of the UN Charter.
CONCEPT OF SELF-DEFENSE IN CYBER OPERATIONS:
The basic function of the concept of self-defense in international law, in the context of cyber operations, lies in protecting the legal order by balancing the rights of the attacking state against those of the defending state. It therefore permits the defending state to take measures necessary to repel an armed attack, even though this may require action otherwise prohibited under international law, most notably the use of interstate force. The justification for this permission is found in the initial wrongfulness of the offending state’s conduct and the need to avert the harm likely to result from that wrongful conduct. The modalities governing the exercise of the right of self-defense are a matter of customary international law. These modalities comprise most notably the principles of necessity and proportionality.
The principle of necessity defines the margin for lawful self-defense in terms of what is objectively necessary to avert or repel an armed attack. The principle of proportionality determines to what extent the harm to be prevented justifies the harm done by the defensive act. The principle of necessity is satisfied only if the act of self-defense is done with the objective of averting or repelling the armed attack. The aim of self-defense is not to react to harm done but to prevent the materialization of harm potentially resulting from a threat. It is therefore erroneous to claim ‘self-defense’ after the act has been committed. According to the modality of proportionality, action taken in self-defense is legally justifiable only to the extent that the harm it is expected to cause remains in reasonable proportion to the harm it aims to prevent.
[11] Annex I to the Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security of 16 June 2009.
So the inference we can draw is that self-defense in cyberspace is not permissible in response to harm which has already been done by hostile cyber operations, but only with a view to preventing or repelling an ongoing attack, and only to the extent actually necessary for that purpose.
CAN CYBER OPERATIONS TRIGGER ARMED CONFLICT?
Can cyber operations, in and of themselves, trigger the applicability of International Humanitarian Law (IHL)? In its 2008 opinion paper, the International Committee of the Red Cross (ICRC) gave its legal opinion on the definition of armed conflict under IHL, as follows:
1- INTERNATIONAL ARMED CONFLICT- exists whenever there is resort to armed
force between two or more states.
2- NON-INTERNATIONAL ARMED CONFLICT- are protracted armed
confrontations occurring between governmental armed forces and the forces of one
or more armed groups, or between such groups arising on the territory of a state.
The armed confrontation must reach a minimum level of intensity and the parties
involved in the conflict must show a minimum of organization.
According to the ICRC opinion paper, no other type of conflict exists. Consequently, cyber operations can trigger the applicability of IHL to the extent that they give rise to all the required constitutive elements of an international or non-international armed conflict. In the future, cyber warfare will further complicate this classification. Cyber operations have the potential to produce vast societal and economic disruption without causing the physical damage typically associated with armed conflict.
International armed cyber conflict:
As the title suggests, the conflict should be both INTERNATIONAL and ARMED. At first impression, the latter criterion leads us to conclude that a conflict consisting of cyber operations does not involve weapons and hence appears not to be armed. Such a conclusion would be incongruous for cyber operations, as they are highly destructive and even deadly in their results. Article 2 provides that ‘any difference arising between two states and leading to the intervention of the members of the armed forces is an armed conflict within the meaning of Article 2’ of the UN Charter. IHL covers any dispute between two states involving the use of their armed forces. Neither the duration of the conflict nor its intensity plays a role: the law must be applied to the fullest extent required by the situation of the persons and objects protected by it. [12] Any cyber operation that amounts to an ‘attack’ in IHL terms would qualify as armed. Article 49(1) of Additional Protocol I defines attacks as “acts of violence against the adversary, whether in offence or defense”. The most important feature of cyber operations is that they are not themselves violent but can lead to violent consequences. The ICRC has taken the position that a cyber operation that disables an object is also an attack, even when it does not cause physical damage. [13]
So, apart from being ‘armed’ in nature, the conflict should also be ‘international’ in its context. The term international denotes actions conducted by, or attributable to, a state. Cyber operations carried out by state agents such as intelligence or law enforcement agencies, and private individuals, will also fall under the purview of ‘international’. The problem arises when neither the state nor its agencies are operating, but illegal groups and individuals. The classic example is the ‘hacktivist’ cyber campaign against Estonia in 2007 (moreover, they were not armed). [14] However, if the state endorses and encourages the cyber campaign, the groups or individuals will fall under the ambit of the international criterion and will be deemed ‘de facto’ organs of the state.
Non-International armed cyber conflict:
Non-international armed conflicts are conflicts fought between governmental authority and armed groups, or between such groups, within a state. The same definition has been adopted by international tribunals and in the statute of the International Criminal Court. Common Article 3 refers to the ‘parties to the conflict’. In considering this requirement, the ICTY has noted that some degree of organization by the parties will suffice to establish the existence of an armed conflict. In Limaj, the ICTY looked to such factors as, inter alia, the existence of a formal command structure, the creation of unit zones of operation, the issuance of orders, the establishment of a headquarters and the promulgation of disciplinary orders to find that the Kosovo Liberation Army qualified as an organized armed group in its conflict with the Federal Republic of Yugoslavia. [15] The only clear inference that can be drawn from this is that ‘individuals acting alone who conduct cyber operations against a state (or a particular armed group) cannot meet the organized criterion’. For example, despite the number of hacktivists involved in the cyber operations against Estonia, they lacked the requisite degree of organization, and therefore the operations did not amount to a non-international armed conflict. The primary obstacle to characterizing the group as organized would be its inability to enforce compliance with international humanitarian law. Additional Protocol II implies a requirement that a group be ‘under responsible command’ before a non-international armed conflict covered by the instrument exists. [16] The term implies that there should be some degree of organization of the insurgent armed group or dissident armed forces, but this does not imply a hierarchical system of military organization similar to that of regular armed forces. It means an organization capable, on the one hand, of planning and carrying out sustained and concerted military operations, and on the other, of imposing discipline in the name of a de facto authority. [17]
[12] Y. Sandoz and others (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949, para 62.
[13] 31st ICRC Conference 37.
[14] See generally the discussions of these topics incidents in Tikk and others.
[15] Limaj (n 42) paras 94-129.
WARRIORS OF CYBER WARFARE:
1- COMBATANTS- cyber operations are generally carried out by highly specialized personnel. To the extent that they are members of the armed forces of a belligerent state, their status, rights and obligations are no different from those of traditional combatants. According to treaty IHL, the armed forces of a belligerent state comprise all organized armed forces, groups and units which are under a command responsible to that state for the conduct of its subordinates. [18] This broad and functional concept of armed forces includes essentially all armed actors belonging to a belligerent state and showing a sufficient degree of military organization.
2- CONTRACTORS AND CIVILIAN EMPLOYEES- in recent decades, belligerent states have increasingly employed private contractors and civilian employees in a variety of functions traditionally performed by military personnel. Today this also includes the support, preparation and conduct of cyber operations. As long as such personnel assume functions not amounting to direct participation in hostilities, they remain civilians and, if formally authorized to accompany the armed forces in an international armed conflict, are even entitled to prisoner-of-war status in case of capture. [19]
[16] AP II, art. 1(1).
[17] AP commentary, para 4663.
[18] Art. 43, AP I.
[19] Arts. 4(4) and (5), GC III.
3- MEMBERS OF ORGANIZED ARMED GROUPS- in IHL, governing non-international
armed conflict, organized armed groups constitute the armed forces of a non-state belligerent
and must not be confused with the belligerent party itself or with the other supportive
segments of the civilian population. Treaty IHL governing non-international armed conflict
uses the terms civilian, armed forces and organized armed group without defining them. It is
generally recognized, however, that members of state armed forces do not qualify as
civilians, and the wording and logic of article 3, GC I-IV, and AP II suggest that the same
applies to members of organized armed groups.
4- CIVILIANS- in the IHL, the concept of civilians encompasses all persons who are neither
members of the armed forces of a state or non-state party to an armed conflict, nor
participants in a levee en masse. As civilians they are entitled to protection against the
dangers arising from military operations and most notably, against attack. In Cyber warfare
this category is likely to include most non-state hackers not belonging to the military wing of
an organized armed group. Unlike combatants, however, they do not benefit from
immunity from prosecution for lawful acts of war (so-called ‘combatant privilege’) and
therefore, can be punished by their captor for any violation of national law.
5- LEVEE EN MASSE- it refers to the inhabitants of a non-occupied territory who, on the
approach of the enemy, spontaneously take up arms to resist the invading forces without
having had time to form themselves into regular armed units, provided they carry arms openly
and respect the laws and customs of war. Participants of levee en masse are the only armed
actors who are entitled not only to prisoner-of-war status, but also to the combatant privilege
although by definition they operate spontaneously and lack sufficient organization and
command to qualify as the members of armed forces.
CASE STUDIES: INTERNATIONAL CYBER INCIDENTS AND IMPLICATION OF LAW:
The purpose of the case studies is to increase familiarity with cyber security and the various dimensions discussed above. The case studies provide detailed investigations into the world’s most serious cyber incidents, which changed the horizons of both the cyber world and international law. They show which elements of the UN Charter and other statutes were followed and what legal implications resulted. Without practical knowledge, theory is unsubstantiated. Case studies altogether give the legal network greater competence in the context of cyber operations. This section deals with the incidents directly, describing the timeline, methods, targets and effects of each attack as well as the measures employed to cope with it. It also discusses the origin of each attack and the legal lessons that should be drawn from these case studies. The two important case studies that I will discuss in this section of the article are:
1- ESTONIA 2007 APRIL-MAY
2- GEORGIA 2008 JUNE-JULY
ESTONIA 2007 APRIL-MAY:
Time period:
The cyber warfare started in the capital city of Tallinn in Estonia, near Helsinki. It started on Friday, 27 April 2007 and ended on Friday, 18 May 2007. The bloody warfare went on for 3 weeks.
Background of the incident:
The political context and background to the incident was that the Government of Estonia decided to relocate a Soviet-era WW-II memorial from a central location in the capital city to a military cemetery. This met with intense opposition from the Russian government and media. The protests against the removal work suddenly turned into brutish riots. The result was a siege of the Estonian embassy in Moscow conducted by Nashi, a Russian political youth movement, and the Ambassador was physically harassed.
Information society indicators:
Both the private and public sectors in the state had been well versed in e-solutions since mid-1990. Internet use was prevalent in banking, mobile parking and public transportation tickets, online voting in elections, etc. The internet was accessible in nearly 98% of the territory, and mobile penetration was a whopping 100%. Government policy was fully backed by internet technologies, and the government had been paperless since 2001.
Incident facts:
The methods the hacktivists used were:
- DoS (denial of service) and DDoS (distributed denial of service): These attacks made websites inaccessible. A DoS is a concentrated malevolent effort to deny access to any electronic device, computer, server, network, internet, etc. [20] This can be accomplished in numerous ways; ping flooding, UDP floods and malformed queries were the ones mainly used in the Estonian case. The effects of the DDoS attacks were noticed more severely by users outside Estonia, as a large number of queries were cut off in order to cope with excessive traffic and to filter out genuine queries. According to Arbor Networks, 128 unique DDoS attacks were detected on Estonian websites.
- Website defacement
- Attacking DNS servers: A more dangerous trend was attacking the DNS servers managed by Internet Service Providers. Repeated attacks were observed between April 30 and May 18. These temporarily disrupted the DNS servers in parts of the country. [21]
- Mass e-mail and comment spam. [22]
[20] Cyber warfare: a glossary of useful terms, Stratfor Today, 1 March 2008.
Targets:
The main targets of this attack were:
- Primarily, the servers of the institutions responsible for the Estonian Internet infrastructure.
- Secondly, governmental and political targets such as Parliament, the President, ministries, state agencies, etc.
- Thirdly, the services provided by the private sector (e-banking, news organizations, etc.).
- Lastly, personal and random targets.
Origin of the attack:
The attack was mainly launched from outside Estonia, with computers from more than 173 countries involved. The early attacks were largely carried out by nationalistically or politically motivated individuals following instructions provided on Russian-language Internet forums and websites. The second phase of attacks had features of central command and control. The main point of interest is that the Russian state agencies have denied any involvement.
Effect of the attack:
The attack affected the sectors of commerce, industry and governance that relied on ICT infrastructure and electronic communications in their daily conduct of business. Banks, media, corporations, institutions, small and medium-sized enterprises, etc. were also badly affected. The social effect of the attack was that it hindered access to communication with the public administration; information was unavailable, and information flow to the outside world was impaired.
[21] Cyber-attacks against the Republic of Estonia, supra Note
[22] Id.
Measures taken:
1- The first and most major step taken by the Estonian government was that the response was coordinated by CERT-EE [23], with assistance from system administrators and experts both within and outside the country.
2- Bandwidth was increased; multiple servers or connections, firewalling, filtering of malicious traffic, security patches and attack detection systems were put to use; and some sites were switched to “lightweight mode”. These were some of the technical measures adopted by the cyber experts of the Estonian Government.
3- International co-operation was organized by the Ministry of Defense. Information was shared with partners in the European Union and the North Atlantic Treaty Organization. National CERTs assisted in locating and reporting sources of attack.
4- News that Estonia was cooperating with foreign authorities to locate cyber criminals and bring them to justice reduced the number of spontaneous attackers.
Legal lessons identified or learned:
1- This case highlighted the need to raise international awareness about crimes against
the information society.
2- It raised the question of the efficiency of mutual criminal assistance treaties in situations where
the receiving party is unwilling to co-operate.
3- The traditional view of substantive criminal law considers cyber-crime foremost as an
economically motivated activity, which may not be sufficient to satisfactorily respond to
politically motivated cyber-attacks where the damaged legal interest is not the integrity,
availability, confidentiality or the proper functioning and use of computer data, programs
or networks, but the political, constitutional, economic or social structure of the state.
4- There are often differing legal requirements for what is permissible in criminal
proceedings in the countries involved and the attackers may resort their activities to
jurisdictions that attacked the country. International law lacks effective enforcement
mechanisms to ensure co-operation from the country in which the attacks originate, if
the latter refuses to co-operate.
23 CERT-EE is the computer emergency response team for Estonia, established in the year 2006. It is responsible for
the management of security incidents in .ee computer networks.
GEORGIA 2008 JUNE-JULY:
Time Period:
This cyber conflict falls within the timeframe and context of a broader armed conflict that
broke out in August 2008. This attack started on Friday, 8 August 2008 and lasted till
Thursday, 28 August 2008. The total duration of this attack was 3 weeks.
Background of the incident:
The reason that triggered the spread of cyber-warfare was the ongoing conflict between the
Russian Federation and Georgia over South Ossetia.
Information Society Indicator:
Internet penetration was very low, at about 7% of the total population in 2008. The
dependence on IT infrastructure was very low. There were limited options for connectivity to
the internet via land routes. The dependency of connections on Russia was very strong.24
Facts of the Incidents:
The methods that were used by the warriors of the cyber warfare were:
1- DoS and DDoS attacks25
2- Distribution of Malicious Software:
Several Russian blogs, websites and forums spread a Microsoft Windows batch script
that was designed to attack Georgian websites.26 According to Steven Adair of
Shadowserver, this script was posted on several websites
and was also hosted on one site as a compressed downloadable file which
contained an executable “war.bat” file within it.27 The same method was used in a phase of
the cyber-attacks against Estonia.
3- Website Defacement
4- Using e-mail addresses for spamming and targeted attacks.
Targets:
The main targets of this attack were:
1- Primarily, the government sites like the official sites of the President of the Republic of Georgia,
the Parliament of the Republic of Georgia, the news portal of Georgia etc.
2- Secondly, the news and media sites and online discussion forums
3- Financial institutions
24 Stratfor Today, supra note 297.
25 As explained in above incident
26 Adair, supra note 315.
27 A redacted version of the script could be accessed at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080813.
Origin:
The main suspects behind this superfluous cyber-attack were organized Russian hacker
groups. But no evident link was found to the Russian administration or state organizations
guiding or directing the attacks. Moreover, the Russian Government has denied its
involvement in the cyber assaults. There is no conclusive evidence of who was behind the DDoS
or defacement attacks.
Effect:
The main aim of this attack was to limit Georgia’s options to distribute information
regarding the ongoing Georgian-Russian military conflict to the outside world and the Georgian
public, especially during the early days of the conflict. The main communication networks were
affected. The problem was exacerbated by physical disconnections in the communications
network infrastructure caused by war activities.
Measures taken:
Attack mitigation was coordinated by the Georgian academic sector CERT, which assumed the role of
national CERT during the cyber-attacks. A state-mandated block was created on access to
Russian websites for the dual purpose of information control and freeing up bandwidth. The
state of Georgia also made use of assistance from the national CERTs of other countries.
Legal lessons identified and learned:
1- Applicability of the law of armed conflict to cyber-attacks occurring during conventional
armed conflict.
2- Measures available in national law to deal with wide-scale cyber-attacks.
3- The right of the injured state to use force as a response against another state depends on
the level of involvement of the source state. While state direction and/or support
of attacks can be seen as active involvement and therefore justify a stronger reaction, mere
toleration or inaction on behalf of the source state, as passive forms of involvement, do not
make the source state a target of
lawful military operations.
4- Effective responses to cyber-attacks of a scale and type like the Georgia incident are quite
limited under the law. What is important is the promotion of effective international cooperation,
as there is no way for a country to coordinate defenses against attacks originating from
other jurisdictions.
CONCLUSION:
In the post-World War II era, cyber security has evolved from a technical discipline to a
strategic concept. The power of the internet, our growing dependence upon it and the disruptive
capability of cyber attackers now threaten national and international security.
The nature of a security threat has changed a lot, but the internet provides a new delivery
mechanism that can increase the speed, scale, and power of an attack. National critical
infrastructures are now at risk. As a consequence, all future political and military conflicts will
have a cyber-dimension, whose size and impact are difficult to predict. World leaders must
address the threat of strategic cyber-attacks with strategic responses in favor of cyber defense.
Nations will now have to adopt measures such as deterrence, arms control and
technology.
Cyber-attack deterrence lacks credibility because hacker skills are easy to acquire and because
attackers are often able to conduct high-asymmetry attacks even while remaining anonymous to
their victims.
Cyber arms control appears unlikely because cyberspace is too big to inspect and malicious code
is hard even to define. However, political will, perhaps in the wake of a future cyber-attack, could
change the status quo.
The dynamic nature of cyberspace makes it difficult to predict the next cyber-attack, or
how serious it could be. A key challenge for national security planners is that the hacker tools
and techniques required for cyber espionage are often the same as for cyber-attacks.28 Hackers
today have enormous advantages over cyber defenders, including anonymity and asymmetry. In
fact, if there is a future war between major world powers, a significant degree of fighting will take
place in cyberspace only, and the first victim may be the internet itself.
To shift the balance, cyber defenders will need to increase the trust in hardware and
software. There should be improved defense strategies. Governments will also have to play an
active role in this action-packed future.
28 These may be differentiated by the terms computer network exploitation (CNE) and computer network attack
(CNA).
On the other hand, international law has to furnish its sections related to ‘force’
and ‘armed attack’. The ambiguity related to these factors is not giving a convincing answer to
those affected by cyber-warfare. Societies, trusts and NGOs will have to play a
more active role in supporting the statutory international law bodies related to cyber-warfare.
More opinions and research work should be produced by scholars to provide the law bodies
with an adequate amount of evidence. The problems of jurisdiction, armed attack, international etc.
have to be sorted out as early as possible because there is hardly any time left before the next
cyber-warfare takes place.
AUTHORITIES REFERRED:
1- Cyber Security and International Law by Mary Ellen O’Connell, Louise Arimatsu,
Elizabeth Wilmshurst
2- Cyber-warfare and International 2011 by Nils Melzer
3- Cyber Security without Cyber war by Mary Ellen O’Connell, Journal of Conflict &
Security Law, Oxford University Press 2011.
4- Classification of Cyber Conflicts by Michael Schmitt, Journal of Conflict & Security
Law, Oxford University Press 2011.
5- International Cyber Incidents: Legal Considerations by Eneken Tikk, Kadri Kaska and
Liis Vihul, 2010.
6- Strategic Cyber Security by Kenneth Geers, NATO Cooperative Cyber Defense Centre
of Excellence, 2011.
7- Charter of the United Nations and the Statute of the International Court of Justice, San
Francisco, 1945.
RISHABH SHRIVASTAVA
BA.LLB. (Hons.) (1st year) with specialization in Energy Laws
College of Legal Studies (CoLS), University of Petroleum and Energy Studies (UPES)
Bidholi via Prem Nagar, Dehradun-248001, Uttarakhand, India