Germany recently published its stance ("Application of International Law in Cyberspace") on the applicability of international law and rules to cybersecurity, cyberattacks, and cyberwarfare. The document is interesting, and I briefly describe the important takeaways. Previously I had a look at similar stances, for example, by the Netherlands or France.

Germany affirms that, in its view, international law (including international humanitarian law, i.e. the laws of armed conflict) applies in its entirety to cyberspace (“without reservation”). The devil is in the details: the law applies, but this still leaves open how it is interpreted and how exactly it applies. Many States have been thinking about this recently, as certain points of the “how” are still unclear. The German stance focuses on selected aspects of interpretation.

They have a nice definition of cyber operations: “term ‘cyber operation’ more narrowly refers to the ‘employment of cyber capabilities to achieve objectives in or through cyberspace’”.

Sovereignty

The principle of sovereignty applies in cyberspace.

“By virtue of sovereignty, a State’s political independence is protected and it retains the right to freely choose its political, social, economic and cultural system. Inter alia, a State may generally decide freely which role information and communication technologies should play in its governmental, administrative and adjudicative proceedings. Foreign interference in the conduct of elections of a State may under certain circumstances constitute a breach of sovereignty”.


These are examples of activities that violate sovereignty:

  • physical effects and harms in the territory of a State
  • “certain effects in form of functional impairments with regard to cyber infrastructures located in a State’s territory”. Sounds like disruption, temporary or prolonged, including ransomware (“... this may also apply to certain substantial non-physical (i.e. software-related) functional impairments…”).


But some operations are fine: “negligible physical effects and functional impairments below a certain impact threshold cannot – taken by themselves – be deemed to constitute a violation of territorial sovereignty.” Sadly, no examples were given. What are the negligible physical effects?

Cyberattacks on critical infrastructure

In and of themselves, they do not mean anything. They would need to result in some effects.

“the fact that a piece of critical infrastructure (i.e. infrastructure which plays an indispensable role in ensuring the functioning of the State and its society) or a company of special public interest in the territory of a State has been affected may indicate that a State’s territorial sovereignty has been violated”

Due diligence


“... States are under an ‘obligation not to allow knowingly their territory to be used for acts contrary to the rights of other States’”

The ‘due diligence principle’, which is widely recognized in international law, is applicable to the cyber context. This means that States must be wary of the things happening on their territories. For example, they should not allow their territory to be infested with cyber-crime gangs that are, perhaps, tolerated.

Wrongful intervention

For example, tampering with the election process is not OK, but it has to have some specific effects:

“that malicious cyber activities targeting foreign elections may – either individually or as part of a wider campaign involving cyber and non-cyber-related tactics – constitute a wrongful intervention … disabling of election infrastructure and technology such as electronic ballots, etc. by malicious cyber activities may constitute a prohibited intervention, in particular, if this compromises or even prevents the holding of an election, or if the results of an election are thereby substantially modified.”

Once again, no examples were given. Except for this:

“spreading disinformation via the internet, may deliberately incite violent political upheaval, riots and/or civil strife in a foreign country, thereby significantly impeding the orderly conduct of an election and the casting of ballots. Such activities may be comparable in scale and effect to the support of insurgents and may hence be akin to coercion in the above-mentioned sense.”


So again, significant effects matter. It would have to be on the level of “supporting of insurgents”, so merely spreading disinformation is not sufficient. It has to lead to specific actions.

Use of force


Cyberattacks may constitute a use of force in themselves, but this is perhaps unlikely to happen. However, it is very imaginable that cyberattacks may and will coincide with a broader campaign employing actions in other domains as well (i.e. kinetic operations).

“Cyber operations can cross the threshold into use of force and cause significant damage in two ways. Firstly, they can be part of a wider kinetic attack. In such cases they are one component of a wider operation clearly involving the use of physical force, and can be assessed within the examination of the wider incident. Secondly, outside the wider context of a kinetic military operation, cyber operations can by themselves cause serious harm and may result in massive casualties”


Such attacks would rather trigger international humanitarian law (IHL), which applies in times of conflict:

“Germany defines a cyber attack in the context of IHL as an act or action initiated in or through cyberspace to cause harmful effects on communication, information or other electronic systems, on the information that is stored, processed or transmitted on … The occurrence of physical damage, injury, or death to persons or damage or destruction to objects comparable to the effects of conventional weapons is not required for an attack in the sense of art. 49 para. 1 Additional Protocol I to the Geneva Conventions”


Which has the following meaning: “‘Attacks’ means acts of violence against the adversary, whether in offence or in defence”.



Targeting persons and objects in a conflict situation

Certain people may be legally targeted by military means. Who and when? Those who engage in operations:

“for example, ‘electronic interference with military computer networks [...], whether through computer network attacks or computer network exploitation, as well as wiretapping [...] [of an] adversary’s high command or transmitting tactical targeting information for an attack’, could suffice in order to consider a civilian person as directly participating in hostilities”


Similarly, some objects may be legally targeted by the military (this may include data centers):

“...a civilian object like a computer, computer networks, and cyber infrastructure, or even data stocks, can become a military target, if used either for both civilian and military purposes or exclusively for the latter”

Prohibition of certain malware


This is self-explanatory:

“Thus, computer viruses designed to spread their harmful effects uncontrollably cannot distinguish properly between military and civilian computer systems as is required under IHL and their use is therefore prohibited as an indiscriminate attack. In contrast, malware that spreads widely into civilian systems but damages only a specific military target does not violate the principle of distinction …”

Such malware, of course, would have to be specifically designed to work in this way.


Malware must have a kill-switch?

To spare purely civilian facilities, malware or tools must navigate around such systems. Perhaps they should contain a kill-switch that would allow their deactivation:

“This might encompass gathering intelligence on the network in question through mapping or other processes in order to assess the attack’s likely effects. Also, the inclusion of a deactivation mechanism or a specific configuration of the cyber tool which limits the effects on the intended target might be considered. Moreover, if it becomes apparent that the target is not a military one or is subject to special protection, those who plan, approve or execute the cyber attack must refrain from executing or suspend the attack”

It remains to be seen (and defined) how to compel the design of a kill-switch that would work in practice, so as not to be viewed as something that makes the attack code less effective (which could perhaps make the idea of such functionality less acceptable to a party to the conflict).


Attribution and proxies

States may attribute cyberattacks to others, and States using proxies to execute operations are accountable for their actions. However:

“the State is not required to have detailed insight into or influence over all particulars, especially those of a technical nature, of the cyber operation”

This would mean that the State does not need to be made aware of the specific details or technicalities of operations.


No need to show proof of attribution, even if it's nice to have

Some States (e.g. Russia) want to establish a cyber norm that would require publication of evidence of attribution (to refrain from “baseless accusations”). Cyber norms concerning “substantiated accusations” already exist (and are supported by Germany). But it seems that the general picture at this moment looks a bit different:

“Germany agrees that there is no general obligation under international law as it currently stands to publicize a decision on attribution and to provide or to submit for public scrutiny detailed evidence on which an attribution is based”

EU Council sanctions are not State attribution

The European Union has a vehicle for cyber sanctions. But such a mechanism is not to be equated with attribution:

“the adoption of targeted restrictive measures against natural or legal persons, entities or bodies under the EU Cyber Sanctions Regime does not as such imply the attribution of conduct to a State by Germany in a legal sense”


Retorsion, countermeasures


After becoming a victim, a State may engage in retorsions. These may include the issuance of a communication (angry letter, finger-pointing), sanctions, etc., but also more direct operations. Before a potential cyber-enabled retorsion, a State may also engage in reconnaissance, so perhaps hack into systems to see what the options may be:


“A State may – a maiore ad minus – engage in cyber reconnaissance measures in order to explore options for countermeasures and assess the potential risk of side effects if such measures fulfil the requirements for countermeasures.”


Of course, such cyber-reconnaissance may also be viewed as “cyberattacks” by some.

Armed attack

“assessing whether the scale and effects of the cyber operation are grave enough to consider it an armed attack is a political decision”.


This means no automatic decisions are ever made. The mere fact that an attack or operation happened does not guarantee that any particular or automatic response will follow. Such decisions are always political. The extent of the damage (physical, injury, deaths, …) is only a factor to consider. The response, if any, may happen with the use of any means, not only cyber.


Summary


These are sound interpretations of certain international rules. No technical interpretation is offered. It is also acknowledged that going any further “may require an intensified pooling of technical and legal expertise”. So interesting times are ahead. What is important is for such assessments to be grounded in both policy and technology. It would be difficult (if not impossible) to think about these two worlds separately. It has to happen at the same time. This is an important necessity and a challenge for States and international organisations, as doing so may not be so simple.