Recapping “Cyber in War: Lessons from the Russia-Ukraine Conflict”
We are fast approaching the two-year mark of the massive escalation of Russia’s war of aggression against Ukraine. While much of this war has been fought in the physical realm, to devastating effect, cyber operations have also played a significant role, giving the world a glimpse of how wars between immensely cyber-capable States might play out in the future. There are numerous lessons to be learned from how cyber capabilities have been deployed throughout this conflict.
In 2021, the United Nations Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (UN GGE) finally affirmed the applicability of international humanitarian law (IHL) to State and non-State actors’ uses of cyber capabilities in the context of armed conflict. It was a proposition that numerous States had taken as non-controversial since at least 2012. As important as these acknowledgments are, questions remain about how specific aspects of IHL govern wartime cyber operations, with States at times offering divergent views. The prominent role of cyber operations in the nearly ten-year Russia-Ukraine war highlights the need to evolve these understandings.
Building on the successful work of its First Annual Symposium on Cyber & International Law: The Evolving Face of Cyber Conflict and International Law: A Futurespective, the Tech, Law & Security Program at American University Washington College of Law, in partnership with the West Point Lieber Institute for Law and Warfare; The Federmann Cyber Security Research Center, Hebrew University of Jerusalem; the Center for International Law, National University of Singapore; and the NATO Cooperative Cyber Defense Centre of Excellence, held the Second Annual Symposium on Cyber and International Law – Cyber in War: Lesson from the Russia-Ukraine Conflict. As the title suggests, this year’s symposium explored the cyber dimensions of the Russia-Ukraine conflict to gain greater insights into the use of cyber tools as means and methods of warfare, the unprecedented involvement of the private sector and individual actors, and to identify lessons to apply to this and future wars.
Over three days, the symposium featured eight roundtable discussions with experts from around the world, as well as an opening panel on the cyber dimensions of the war in Ukraine. It concluded with a closing keynote from former National Cyber Director Chris Inglis.
The introductory panel and eight roundtable discussions focused on the following topics, accessible as video are here:
— Russia-Ukraine: The Cyber Dimensions
— Cyber “Attack” – Toward Greater Precision
— Accountability for Cyber War Crimes
— Cyber and the Role of Private Actors
— Human Rights in Cyber Conflict
— Cyber Neutrality
— Cyber Spill Over
— Regional Perspectives
— The Next War
What follows are short summaries of each session.
Russia-Ukraine: The Cyber Dimensions
Cyberspace has played a significant role in the ongoing war in Ukraine. Russia engaged in numerous cyber operations against Ukraine in the lead up to the February 2022 invasion. However, most operations did not have their intended effect. With assistance from third parties, Ukraine has developed expertise in cyber defenses since the beginning of the conflict in 2014 and has continued to learn from subsequent cyber operations. The private sector in particular has been critical in assisting Ukraine with its cyber defenses. Palo Alto Networks and Microsoft specifically have assisted Ukraine in setting up firewalls, protecting critical infrastructure, threat hunting, and data migration.
Initially, Russia’s cyber operations targeted critical infrastructure and sought to create societal disruption. As those operations proved largely unsuccessful, Russia shifted its strategy toward gathering intelligence and engaging in target-specific operations. It appears likely that Russia will continue to target Ukraine’s energy sector in conjunction with kinetic attacks heading into winter as it previous has. Such combined kinetic and cyber operations have proved challenging for Ukrainian defenses.
Cyber “Attack” – Toward Greater Precision
The concept of “attack” and how it applies to cyber operations has significant implications under IHL yet remains unsettled. How one characterizes a cyber operation determines whether targeting rules, the most extensive IHL regulation of means and methods of warfare, applies. The panel saw consensus that IHL is generally tech-neutral and applies to cyber just as it does to any other means and method of warfare. However, panelists identified and analyzed different State positions on the definition of cyber “attack” and the discordant approaches taken. They generally agreed that States are likely to take an effects-based approach to assessing whether an operation amounts to an “act of violence” as set out in Additional Protocol I, Article 49 but noted key differences in approach as to what types of effects qualify. A “loss of functionality” approach, which does not rest on physical destruction, is one approach, but not one accepted by all States.
Another consideration is the question of whether data are objects and can therefore be civilian objects. There are three approaches to this question: (1) data are objects, (2) data are not objects (3) some data are protected regardless, such as medical data. As is the case with the threshold for violence in cyber, there is no consensus on whether data are objects.
The panelists also discussed the very notion of what constitutes the “object of attack,” how that concept relates to the notion of cyber “targets,” and an emerging trend toward treating any foreseeable harm, whether direct or incidental, as amounting to an act of violence. There was a distinct lack of agreement among the panelists as to whether such an approach is consistent with the present framework of IHL.
Accountability for Cyber War Crimes
The International Criminal Court (ICC) and some State authorities are taking steps to prosecute a narrow category of cyber operations conducted in the Ukraine conflict which meet the legal definition of war crimes. While the ICC has announced it will prosecute such crimes as a matter of policy, holding fair and rigorous criminal trials require a lot of details to be worked out—from how they will get evidence from States, to how they will share it with defense teams, to whether they can secure their own cyber defenses considering the recent hack of the ICC. To meet these challenges, any institution that does this will have to learn from States’ experience building capacity to investigate and prosecute similar State-supported cybercrimes and build their own internal expertise.
Cyber and the Role of Private Actors
Private actors have played a central role in the war. This panel focused on how companies have assisted Ukraine, but also touched on individuals taking action on behalf of both Russia and Ukraine. One of the most crucial roles that private companies have played is assisting Ukraine in data migration. Soon after the invasion, Ukraine swiftly passed new laws permitting Ukrainian data to be migrated to foreign servers. This enabled companies such as CISCO and Google to safeguard Ukraine’s data from Russian cyber operations while ensuring that kinetic operations against cyber infrastructure did not result in the loss of data. CISCO has also been assisting Ukraine since 2014 to identify Russian cyber threats and build out Ukrainian networks to be more resilient in the face of constant attack.
Private individuals have also played a key role in the war. These individuals pose an issue under IHL, namely, to what extent their actions constitute direct participation in hostilities. Ukraine is a sensor-saturated battlefield with almost all citizens possessing a cellphone. Targeting apps that enable civilians to relay information about Russian positions and troop movements to Ukrainian forces are common in Ukraine. This opens the possibility of those civilians qualifying as directly participating in hostilities, subjecting them to attack. Further, groups such as the IT Army of Ukraine, comprised of civilian hackers who conduct operations against Russian targets, also risk directly participating in hostilities and being targeted.
Human Rights in Cyber Conflict
Developments in international human rights law, particularly the expansion of jurisdiction to extra-territorial activities, has led to States scrutinize the relationship between businesses and human rights norms. This scrutiny forces businesses to reconsider their actions in cyberspace in times of conflict but has also brought such organizations increasingly within the purview of international human rights law and monitoring institutions. The issue bleeds into the relationship between IHL and international human rights law. The panel regarded both bodies of law as complementary at times, as demonstrated by the possible extension of the duty of constant care to privacy interests. However, they can also conflict as exemplified by the tension between the ban on exposing prisoners of war to public curiosity and freedom of expression and information. Some State declarations on cyber operations accept the applicability of human rights law to cyberspace, much like IHL, and still other States express expansive views of extraterritoriality and positive duties in human rights law.
This panel acknowledged that the law of neutrality is being thoroughly tested by the Russia-Ukraine war. Neutral States agree to restraints on military involvement with parties to a conflict, presenting a potential issue for the United States and other States providing military aid to Ukraine. The United States relies on the doctrine of qualified neutrality to justify its military support. This concept permits States not party to a conflict to provide lethal support to States that are the victim of an unlawful war of aggression.
The law of neutrality is domain specific to land, air, and sea, although the general principles of neutrality apply to all domains. The law of neutrality as it applies to cyber space preserves the duty of States to prevent attacks from being launched from a State’s territory when the State has knowledge of such activity. The panel agreed that neutrality law does not impose an obligation on States to prevent non-State actors, such as its own citizens, from carrying out operations while outside the State’s territory. Nor does neutrality law obligate States to prevent their networks from being used by malign actors to facilitate cyber operations, as that would be highly impractical. The duty to prevent poses a potential issue for Ukraine as it has explicitly called for Ukrainians and others to engage in cyber operations against Russian targets.
Many actions and operations risk collateral impacts. Cyber poses unique risks in this regard due to the interconnectedness of the Internet. Malware installed on one or more networks may spread to networks and systems around the globe, such as NotPetya in 2017. The major question regarding cyber spillover is whether and when a kinetic response is justifiable. This question is mostly theoretical because States are reluctant to take positions before they have been in the position to act on such a scenario.
This panel agreed that the intent behind the spilled-over operation matters to the response analysis. Whether the intent was to have a specific effect may mean that the proportionality calculation was correct and therefore limit response options. Intent, however, is often difficult to prove. Also important are the principles of necessity and self-defense. Early on, the United States took the position that kinetic force is required for a kinetic response. This position may be shifting to include non-kinetic force. One panelist raised an example of the United States shooting an incoming missile out of the sky as justifying a kinetic response. Despite this fictitious missile having no kinetic effects on U.S. territory, the intent behind the missile being launched is what matters. Other examples of scenarios justifying defensive measures included major economic damage or election interference to the level of changing an outcome.
Regional and State positions on cyber issues are anything but uniform. It is imperative to understand these various positions to work toward a common understanding and ensure the international community is playing by the same rules in the future. To that end, this panel discussed perspectives from China, Japan, Singapore, India, and Latin America.
The Chinese panelist claimed that China has endorsed internationally agreed-upon ethical principles that avoid turning cyberspace into a new battlefield while also offering a definition of “cyber operation” that excludes information operations.
The Japanese panelist noted how, since Russia invaded Ukraine, Japan has faced a sharp increase in malware attacks. Japanese law enforcement has also ignored Japanese hackers taking action in Ukraine and Russia as they see such actions as having extraterritorial effects not requiring a law enforcement response.
The Singaporean panelist noted that IHL applies to cyber operations while discussing how Singapore considers some cyber-attacks as armed attacks which it reserves the right to respond to with force. This is due to the tech-centric way in which Singapore governs and the catastrophic impact certain cyber-attacks would have on Singapore.
The Indian panelist discussed India’s neutral stance on the war in Ukraine as well on cyber matters. India lacks a position on the applicability of IHL in armed conflict. This is largely due to India’s neighbors and not wanting to constrain itself in future operations.
Finally, the Latin American panelist discussed how there is no community consensus on cyber issues, although Costa Rica and Brazil have made important public statements.
The Next War
This panel sought to assess the extent to which trends identified in the Ukraine-Russia conflict would or would not continue into future warfare. The panel identified possible trends in cyber operations during high-intensity armed conflict. The panel agreed that cyber operations will be an integral part of future warfare, particularly during large-scale hostilities between technologically capable and reliant States. Cyber operations pose strategic and tactical advantages, but they also pose vulnerabilities. States will face strong incentives not only to acquire and use highly resilient and redundant networks, but also to hide military data and applications from enemy monitoring, especially within civilian digital infrastructure. This comingling of military objectives with civilian objects poses a difficult question as to whether existing rules would apply in the future.
State ambiguity on international legal issues in the face of armed conflict poses substantial questions for future armed conflict. States have an active role to play in forming, interpreting, and developing law applicable to cyber operations and armed conflict. However, States also may wish to preserve operational flexibility by maintaining ambiguous positions. While ambiguity has its strategic benefits, it often impedes the progressive development of international cyber norms.
Bringing the symposium to a close was former National Cyber Director, Chris Inglis. Mr. Inglis focused on three key lessons learned from the war in Ukraine. First, technology is critical and although it is not perfect, it should have agility, redundancy, and critical backup systems. Second, expertise matters more than technology. Third, coalition or joint defense is the most important factor to defend against aggressors.
Mr. Inglis stressed the need to build safety into networks at the point of conception and incorporate safety standards into cyberspace itself. He also stressed that government and the private sector must work together to grow expertise in cyber. Government and the private sector must overcome any impediments to responsibly shape the path forward. Finally, in the context of the importance of coalitions, he advocated for a cyber strategy where to beat one State, an aggressor must beat all States.
This symposium brought together a global group of leading experts on cyber issues to engage in robust discussions shaped by the war in Ukraine. These discussions fostered a greater understanding of cyber’s role in armed conflict and the future more generally. With the rapid developments of new technology such as artificial intelligence and quantum computing, it is more important than ever to continue these discussions in order to work toward international consensus. While many questions about cyber and its role in armed conflict remain, this symposium, with the help of its esteemed panelists, tackled many difficult issues to move the global discussion forward.
Russia-Ukraine: The Cyber Dimensions
— Moderator: Ellen Nakashima, Washington Post
— Discussants: Pete Renals, Palo Alto Networks; Fanta Orr, Intelligence Analysis Director, CST Digital Threat Analysis Center (DTAC), Microsoft; Oleh Skoryk, Cyber Security Department, The Security Service of Ukraine
Cyber “Attack” – Toward Greater Precision
— Moderator: Gary Corn
— Discussants: Kubo Macak, Exeter University (V); Captain Pete Pascucci, Fleet Cyber Command; Lt. Col. John Schreiner, USMC; Dr. Daphné Richemond-Barak, Lauder School of Government, Diplomacy and Strategy (IDC Herzliya)
Accountability for Cyber War Crimes
— Moderator: Arthur Traldi, Senior Fellow, Tech, Law & Security Program
— Discussants: Liina Lumiste, NATO CCDCOE; Adam Hickey, Mayer Brown; Lindsay Freeman, Berkeley Human Rights Center
Cyber and the Role of Private Actors
— Moderator: David Simon, Skadden
— Discussants: Jan Kleffner, Swedish Defence University; Lieutenant Colonel Laura West, U.S. Army Judge Advocate General’s Legal Center & School; Matt Fussa, CISCO; Kate Charlet, Google
Human Rights in Cyber Conflict
— Moderator: Yuval Shany, Federmann Cybersecurity Research Center
— Discussants: Asaf Lubin, Associate Professor of Law, Indiana University Maurer School of Law, and Visiting Professor at Columbia Law School; Mariana Salazar Albornoz, Former Rapporteur, International Law in Cyberspace, InterAmerican Juridical Committee; Tsvetelina Van Benthem, Oxford University; Jonathan Horowitz, ICRC
— Moderator: Davide Giovanelli, NATO CCDCOE
— Discussants: Hitoshi Nasu, Lieber Institute; Martin Dahinden, Ambassador of Switzerland (V); Kurt Sanger, Integrated Cybersecurity Partners, LLC; Eugenio Benincasa, Center for Security Studies, ETH Zurich
Cyber Spill Over
— Moderator: Eric Jensen, Brigham Young Law School
— Discussants: Marguerite Walters, Dep’t of State Office of the Legal Adviser; Matthew Waxman, Columbia Law School; Talita de Sousa Diaz, Chatham House (V); Duncan Hollis, Temple Law School
— Moderator: Danielle Yeow, Centre for International Law, National University of Singapore
— Discussants: Arun Mohan Sakumar, Postdoctoral Researcher, Leiden University; Isaac Morales Tenerio, Senior Director for Cyber Security and Data Privacy Communications, LATAM FTI consulting; Yang Fan, School of Law, Xiamen University (V); Masahiro Kurosaki; Prof of Intl Law and Director of Study of Law, Security and Military Operations, National Defence Academy of Japan; Paul Lie, MINDEF Legal Services, Singapore
The Next War
— Moderator: Sean Watts, Lieber Institute, West Point
— Discussants: Magdalena Pacholska, TMC Asser Instituut, University of Amsterdam; Major Tom Warschefsky, US Army Futures Command; Colonel Pete Hayden, US Cyber Command; LCDR Lauren Cherry, US Navy
Jackson Colling is a recent graduate of American University Washington College of Law (WCL) and a licensed attorney in the District of Columbia.
Photo credit: Unsplash