Russian Cyber Operations and Ukraine: The Legal Framework

Last week, hostile cyber operations targeted approximately 70 Ukrainian government websites, including that of the Cabinet. Affected sites included Diia, the most widely used site for handling online government services. The operations included posting the message, “Ukrainians! All your personal data was uploaded to the internet. All data on the computer is being destroyed. All information about you became public. Be afraid and expect the worst.” Cyberwire has suggested that “[t]he attacks seem to be simple defacements, an influence operation, and not the data-destruction and doxing the message claims.” Most services are back online.

The operations were launched the day after diplomatic talks between Russia and the West over Russian troop concentrations along Ukraine’s border broke down. To date, they have not been officially attributed to Russia. However, suspicion of Russian government involvement looms large, especially given that State’s role in  past cyber operations against Ukraine, like the 2014 national elections hack, operations against its power grid in 2015 and 2016 and the 2017 NotPetya attack, which resulted in over $10 billion in losses around the world. A Ukrainian Foreign Ministry official told Reuters that “It’s too early to draw conclusions, but there is a long record of Russian (cyber) assaults against Ukraine in the past.” And Ukraine’s Security Service, the SBU, has indicated that preliminary investigation points to “hacker groups linked to Russia’s intelligence services.”

NATO’s Secretary-General, Jens Stoltenberg, “strongly condemn[ed] the cyber attacks on the Ukrainian Government” and noted that NATO has long worked with Ukraine to strengthen its cyber defenses. He confirmed that “Allied experts in country are also supporting the Ukrainian authorities on the ground” and that NATO and Ukraine will soon “sign an agreement on enhanced cyber cooperation, including Ukrainian access to NATO’s malware information sharing platform.” Stoltenberg pledged continued “strong political and practical support for Ukraine.”

The incident raises many complex issues about the legal character of the cyber operations. Until further information about their source(s), nature, and consequences is made public, it is impossible to reliably assess them with the legal granularity they demand. Therefore, this post is limited to discussing the broad legal framework for cyber operations against Ukraine. The question is which bodies of international law govern which cyber operations targeting Ukraine, now and in the future.

Jus ad Bellum

 The operations against Ukraine do not directly implicate the jus ad bellum prohibition on the “use of force” found in Article 2(4) of the UN Charter and customary international law. This is so for two reasons. First, although the threshold at which a cyber operation amounts to a use of force is unsettled (see Tallinn Manual 2.0, Rule 69), it is unlikely that States would consider a short, non-destructive and non-injurious denial of service operation as qualifying. While several countries, notably France and Norway, have confirmed a willingness to treat cyber operations that cause neither physical damage nor injury as a use of force, the operations about which they have opined are of a “scale and effects” that far exceeds those experienced by Ukraine (the standard for assessment that appears to be emerging. See, e.g.,  Australia, Finland, Germany, the Netherlands, New Zealand).

More importantly, cyber operations at the use of force level attributable to Russia—either because they are conducted by State organs like the GRU or by non-State actors operating pursuant to Russian “instructions or direction or control (see Articles 4 and 8 of the Articles on State Responsibility, respectively)—would be subsumed within the ongoing use of force violation that began with Russia’s 2014 unlawful occupation of Crimea and its actions elsewhere in Ukraine.

The same logic applies to the right of self-defense against an “armed attack” under Article 51 of the UN Charter and customary international law, including the right of collective defense by other States at the request of Ukraine. In my view, Ukraine’s right of self-defense was triggered by the Russian non-cyber armed attack against the country and remains intact due to the ongoing belligerent occupation of Ukrainian territory and other hostile Russian operations, including cyber operations. Therefore, whether individual cyber operations or campaigns by Russian intelligence or military organizations, or by non-State hacker groups acting “on behalf or with the substantial involvement of Russia” (the ICJ’s standard for attribution of an armed attack in Paramilitary Activities, para. 195), rise to the level of an armed attack (see Tallinn Manual 2.0 Rule 71) has no bearing on a Ukrainian response. Instead, the proper law of self-defense question would be whether a Ukrainian response that otherwise would be unlawful is “necessary” and “proportionate” when considered in the context of its overall right of self-defense against the ongoing Russian armed attack (on those criteria, see Tallinn Manual 2.0, Rule 72). This would be very unlikely, especially since, in my view, States enjoy a wide margin of appreciation in responding to unambiguous armed attacks of such severity that it loses control of sovereign territory.

Finally, only States violate the use of force prohibition. Non-State cyber operations that are not attributable under the law of State responsibility to Russia would accordingly not violate international law. Rather, they may violate the domestic law of States enjoying prescriptive jurisdiction (see Tallinn Manual 2.0 Rules 9 and 10) over the activity. As to self-defense, non-State cyber operations reaching the armed attack level, which the current ones do not, would trigger the right to self-defense. This is the U.S. position and that of numerous other States. Still, it must be cautioned that some States and international law experts would limit application of the right of self-defense to armed attacks mounted by non-State actors that meet the aforementioned Paramilitary Activities criterion. This appears to be the view of the majority of the ICJ’s judges (see Wall advisory opinion, para. 139, and Armed Activities judgment, para. 146).

International Humanitarian Law

The jus ad bellum is a body of law distinct from international humanitarian law (IHL). Therefore, whether cyber operations are an aspect of an ongoing use of force and armed attack or not, IHL will apply as long as an international armed conflict between Russia and Ukraine continues.

IHL applies upon a declaration of war, belligerent occupation by one State of the territory of another, or existence of “hostilities” between two or more States (1949 Geneva Conventions, Common Article 2). Without question, an international armed conflict is underway between Russia and Ukraine based on Russia’s occupation of Ukrainian territory. But for the occupation, Russia’s support of Ukrainian rebel forces in eastern Ukraine, standing alone, might also qualify the situation as international armed conflict based on Russia’s “overall control” of those forces (Tadić, ICTY Appeals Chamber Judgement, para. 140). However, analysis of that issue is unnecessary given Russia’s belligerent occupation.

This presents the question of whether IHL governs cyber operations against Ukraine. It is simply incontrovertible that IHL encompasses cyber operations. Nearly all States that have spoken directly to the issue (see, e.g., the 2021 Group of Governmental Experts Report Compendium) have confirmed the position. So too have NATO and the EU. As the ICRC noted in its 2019 submission to the UN Open-Ended Working Group,

[T]here is no question that IHL applies to, and therefore limits, cyber operations during armed conflict – just as it regulates the use of any other weapon, means and methods of warfare in an armed conflict, whether new or old. This holds true whether cyberspace is considered as a new domain of warfare similar to air, land, sea and outer space; a different type of domain because it is man-made while the former are natural; or not a domain as such.

There was a bit of a hiccup on the matter during the 2016-2017 UN GGE, when a number of States, including China and Russia, refused to include the term “international humanitarian law” in the report that was to have been issued by the group. That unfortunate interlude was resolved by the 2019-2021 GGE in its 2021 Report.

The Group noted that international humanitarian law applies only in situations of armed conflict. It recalls the established international legal principles including, where applicable, the principles of humanity, necessity, proportionality and distinction that were noted in the 2015 report. The Group recognised the need for further study on how and when these principles apply to the use of ICTs by States and underscored that recalling these principles by no means legitimizes or encourages conflict.

With the applicability of IHL to cyber operations during an armed conflict definitively settled, the question becomes which operations are subject to IHL? In my view, it is indisputable that so long as there is a nexus between cyber operations and an ongoing armed conflict, those operations are subject to IHL’s prohibitions, limitations, and obligations. By “nexus,” I mean that the cyber operations are being carried out for reasons related to the armed conflict.

International tribunals have developed the concept of nexus during war crimes trials. Absent a nexus between an act and an armed conflict, the act cannot be a war crime, but instead is governed by domestic criminal law. The International Criminal Tribunal for the former Yugoslavia (ICTY) has explained, “the existence of an armed conflict must, at a minimum, have played a substantial part in the perpetrator’s ability to commit it, his decision to commit it, the manner in which it was committed or the purpose for which it was committed.” (Kunarac, ICTY Appeal Chamber Judgment, para. 58; see also Rutaganda, ICTR Appeals Chamber Judgement, para. 570). With respect to the applicability of IHL, the French Ministry of the Armies has similarly observed, “IHL applies to all cyberoperations carried out in, and in connection with, an armed conflict situation.”

By this understanding, a cyber operation cannot be considered part of an armed conflict without some connection to that conflict beyond its occurrence while the conflict is underway. For instance, even if conducted by a belligerent State, a cyber operation designed to steal intellectual property from its opponent solely for economic gain would lack a nexus to the conflict and would not be considered part thereof. Such operations are not subject to IHL’s strictures, but instead must adhere to the law governing peacetime cyber operations, such as the obligation to respect sovereignty (Tallinn Manual 2.0, Rules 1-5) and the prohibition on intervention into the internal or external affairs of other States (Tallinn Manual 2.0, Rule 66).

Cyber operations without a nexus to the armed conflict that are conducted by or attributable to a State are unlikely, for, in my view, every cyber operation intended to alter the relative likelihood of victory between the two States has a nexus to the conflict. These may take many forms. Obviously, cyber operations to weaken the enemy militarily in a direct fashion qualify, as in the case of targeting enemy command and control. The nexus may be less direct, as in mounting cyber operations that affect civilian economic activities or the provision of power when the intent is to generate unrest or distress among the enemy population. Even a cyber operation with no motivation other than maliciously hurting the enemy civilian population, as in using cyber to interfere with the delivery of social services, qualifies. The practical point is that absent a rationale wholly unrelated to the armed conflict, a cyber operation by one party to an armed conflict against its opponent will almost always qualify as an activity that is part of the armed conflict (and thus within the reach of IHL).

Note that most of the hostile cyber operations into Ukraine have not targeted military objectives, nor were they necessarily launched by Russian combatants. However, there is no requirement that an operation be directed at the enemy armed forces or mounted by military personnel before IHL applies. This is clear from the IHL prohibitions (and their related war crimes) on, inter alia, attacking civilians, the civilian population, civilian objects, and other protected persons and objects, which apply to anyone engaged in the prohibited acts. Moreover, an act of “direct participation in hostilities” by civilians, an IHL term of art used to identify civilians who are subject to lawful attack, occurs when it is “likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack” (Interpretive Guidance at 46). Accordingly, cyber operations against Ukrainian non-military government or civilian cyber infrastructure, and those mounted by individuals such as so-called “patriotic hackers” who act entirely on their own, are governed by IHL rules so long as the operations have a nexus to the armed conflict.

Those rules are complex, as illustrated by the fact that the Tallinn Manual team (“International Group of Experts or IGE) identified 75 cyber-relevant IHL rules and provided nearly 200 pages of commentary on them. Some rules remain unsettled in the cyber context, like whether data is an “object” such that civilian data enjoys the protection of the rule prohibiting attacks on civilian objects. Robust discussion of how IHL’s rules apply to the past and future cyber operations in this conflict is beyond the capacity of this post.

However, one issue occupies a place of prominence. The fact that most of the operations into Ukraine have not been physically destructive or injurious raises the contentious issue of whether such cyber operations can amount to an IHL “attack.” If so, it is subject to the prohibition on attacking civilians, civilian objects, and other protected persons and objects; the prohibition on indiscriminate attacks; the rule of proportionality; and the requirement to take precautions in attack. There is widespread consensus that cyber operations causing “damage” do qualify as IHL attacks.

The concept of “damage” in the cyber context is increasingly understood as extending to the permanent loss of the affected cyber infrastructure’s functionality, as well as a loss of functionality necessitating physical repair (but see the Israeli position). Examples include operations requiring the replacement of the cyber infrastructure or components thereof like hard drives. Below that threshold, consensus breaks down as to the nature and severity of harm that amounts to damage under IHL (see Tallinn Manual 2.0, Rule 92). France has taken what is thus far the broadest approach to “attacks” in the cyber context.

[France] considers that a cyberoperation is an attack where the targeted equipment or systems no longer provide the service for which they were implemented, whether temporarily or permanently, reversibly or not. If the effects are temporary and/or reversible, the attack is characterised where action by the adversary is necessary to restore the infrastructure or system (repair of equipment, replacement of a part, reinstallation of a network, etc.).

This and other uncertainty as to the precise application of IHL rules in the cyber context will hinder conclusive analysis of the cyber operation against Ukraine, but the applicability of IHL rules to those having a nexus to the conflict is incontestable.

Finally, note that lawful combatants (Geneva Convention III, Article 4) who plan, approve, or execute cyber operations against military objectives in a manner consistent with IHL enjoy combatant immunity; they may not be prosecuted for their actions in domestic or international courts. However, others enjoy no such immunity.

Cyber Operations Beyond Belligerent Territory

Some of the operations against Ukraine have generated consequences well beyond the belligerent territory of Ukraine and Russia. The bleed-over effects of NotPetya, for instance, were global and hugely costly. However, the fact that consequences were caused beyond belligerent territory has no bearing on whether the cyber operations causing them are subject to IHL rules. The question is whether the nexus condition is met. So long as that condition is satisfied, consequences manifesting outside belligerent territory still matter in the application of IHL to the cyber operation, as in the case of assessing incidental injury and collateral damage pursuant to the proportionality rule.

The more problematic question is whether bleed-over of effects into neutral States violates the law of neutrality, which prohibits the exercise of “belligerent rights” on neutral territory (Tallinn Manual 2.0 Rule 151). The Tallinn Manual IGE struggled with this issue. Its members concluded that in some cases, bleed-over consequences into neutral territory could breach the neutrality of the State concerned. But for most of them, no breach occurs if those consequences are unforeseeable. The relationship between the law of neutrality and cyber operations is a matter that merits further study, not only concerning the bleed-over issue but also regarding when a State’s support to a belligerent against its enemy’s cyber operations breaches the obligation to maintain neutrality (Tallinn Manual 2.0, Rule 152).

Concluding Thought

 Unfortunately, the legal consequences of the Russian occupation of Crimea and other hostile Russian actions seems to have been forgotten or are being conveniently ignored by many States and commentators. But as a matter of international law, Russia is still using unlawful force against Ukraine, Ukraine has a continuing right of self-defense, other countries may come to its assistance in collective defense, and Russia and Ukraine are at war. Any analysis of the legal character of cyber operations that have occurred, and will occur, since 2014 is therefore subject to both the jus ad bellum and IHL.

***

Michael N. Schmitt is the G. Norman Lieber Distinguished Scholar at the United States Military Academy. He is also Professor of Public International Law at the University of Reading, Strauss Center Distinguished Scholar and Visiting Professor of Law at the University of Texas, and Professor Emeritus at the United States Naval War College.