Contrary to what you may read in the popular press, there are rules when it comes to cyberattacks. Today, probably all countries regulate cybercrime in domestic law. All countries agree also that international law rules apply to cyberspace, including cyberattacks and also cyberwarfare. I recently covered positions of two example countries (Netherlands, France).
Here comes a meta-position. International Committee of the Red Cross (ICRC) published a position on the application of International Humanitarian Law (namely, Geneva Conventions + its protocols) to cyberattacks. Why meta? Because ICRC, as an independent and neutral entity, is traditionally treated very seriously by all, for example at the United Nations (UN).
Cybersecurity these days is treated very seriously. It is one of the top points of interest. Technology Information Security circles always wanted to reach this point, although the pursued debate direction might not always go in an anticipated way. The UN now hosts two inter-governmental expert groups that discuss cybersecurity.
I’ll summarise why the position of ICRC is very important.
International Humanitarian Law (IHL) is the basic rulebook that limits activity during armed conflict. It also warrants basic protection to civilians. Acknowledging that IHL applies to cyberattacks/cyberwarfare therefore should not be controversial, because all countries understand and accept the importance of this body of rules. While applying to armed conflict, the broad picture and messages are important in general. Furthermore, countries do use cyber attacks ("operations") outside of armed conflict. So while we do not (and never so far) experience any open cyberwarfare at all (like we did or do in case of airborne or naval warfare, for example), understanding the baseline rules are critical.
Why this is important? Curiously, IHL is the main point of disagreement in cybersecurity policy on the highest level. In fact, this disagreement led to a collapse of inter-government negotiations within United Nations in 2017:
“We cannot accept such affirmation, since it would legitimize a scenario of war and military actions in the context of ICT” [link].
One could expect this point of disagreement might exist today. So can we hope that the just-released reasoned position by ICRC will bring international community closer to agreement? (Of course, unless someone might seek for reasons to make progress more complicated).
On the other hand, merely agreeing that international law (like IHL) applies to cyberattacks is not enough. It is important to define and understand how it applies. And what this means not only on the policy level but also on a technical level. In many ways, this is what some countries are doing now (like the UK, France, Netherlands, etc.).
Internet and ‘cyberspace’ indeed pose unique challenges (I'm not going to enumerate them today). By its nature, the majority of the internet is civilian. So any military or offensive activity risks spilling over to civilian infrastructure and disrupting civilian spaces, not only the networks but also disrupting key protected facilities like hospitals, power grids, water sanitation, etc. This is the big pillar of International Humanitarian Law, which explicitly designates such facilities as off-limits.
This body of laws also makes it illegal to use some offensive cyber tools (‘cyber weapons’?) that would break the accepted rules of IHL. Such activities would be illegal if, for example, the tool in question was indiscriminate. ICRC position correctly points out that cyber tools can be technically targeted. To be indiscriminate (i.e. self-propagating destructive worm), such a tool needs to be deliberately designed, implemented and released. Likewise, to design a destructive cyber attack that would have the potential of crippling infrastructure (like cause a power cut), or possibly result in lethal effects, requires deliberate decision and will. Such direct effects would unlikely happen by chance.
However, countries are increasingly building their offensive cyber units and developing dangerous tools. As this happens, risks of miscalculation or mistake, are increasing, and some weird things happen even if falling short of the rules discussed in this post.
Need for new rules?
I'll end with the excerpt from the report:
Discussion should be informed by an in-depth understanding of the development of military cyber capabilities, their potential human cost, and the protection afforded by existing law. States need to determine whether existing law is adequate and sufficient to address the challenges posed by the interconnected and largely digital character of cyberspace, or whether it needs adaptation to the specific characteristics of cyberspace. If new rules are to be developed to protect civilians against the effects of cyber operations or for other reasons, they should build on and strengthen the existing legal framework
Whether new rules (i.e. treaties, or so) are to arrive is another story.
Find the hole (short) paper here. For context, look also at another recent deliverable from ICRC (report on humanitarian consequences of cyber operations).