Not Different, Not the Same: International Humanitarian Law’s Problem with Cyberattacks

*Anastasia Couch

I. Introduction

On the 175th day of war, the Ukrainian company “Energoatom” reported that Russian hackers launched a three-hour attack on its website.[1] Though the initial attack did not cause significant impact, the attempted assault raised a significant concern because Energoatom is Ukraine’s state nuclear power company.[2] The attack was not directly attributed to the Russian government but to Russia’s “popular cyberarmy” group, which, through its Telegram channel, prompted its followers to attack Energoatom.[3] The attack was the most powerful cyber operation directed at the website since the start of the Russian invasion of Ukraine.[4] As “the first major conflict involving large-scale cyber operations,” Ukraine is the testing site for how modern-era cyber warfare could look.[5] Cyberattacks define the ongoing Russian invasion,[6] and each instance impacts the international community’s ability to address them.[7]

II. Distinguishing between Cyber and Kinetic Operations

Kinetic operations are the “conventional” means of warfare, defined by the manifestation of physical force within the physical realm.[8] In contrast, cyber operations are defined by the origin point of their target in cyberspace; however, the effects can ripple into the corporeal world.[9] Cyberattacks are often executed alongside conventional methods to secure the same or similar goals.[10] For example, on March 1,2022, a Russian missile struck a Kyiv TV tower.[11] The same day, Kyiv-based media companies faced destructive attacks and data exfiltration through Russian-based cyberattacks.[12]

III. International Humanitarian Law Application to Cyber Operations in Armed Conflicts

International humanitarian law (IHL) has faced problems with cyberspace attacks for nearly two-decades.[13] After the 2022 United Nations Open-Ended Working Group (UN OEWG) on information and communications technology, the UN OEWG committee affirmed the applicability of IHL to the use of cyber warfare in armed conflict.[14] The global norm also bends in the same direction: many State and international organizations like the European Union (EU) and North Atlantic Treaty Organization (NATO) have likewise affirmed IHL’s applicability.[15]

However, there is no specific framework of law surrounding cyberspace, unlike fields such as space law which is the domain of codified international legal rules.[16] In the absence of an established framework, IHL resorts to definitions already within its structure: those for conventional warfare.[17] Many have criticized IHL’s applicability to cyber warfare, because the language of kinetic warfare does not easily translate to cyber warfare.[18] It remains to be seen whether the oversight of cyber warfare can ever be disentangled from kinetic warfare.[19] As recognized by the recent UN OEWG, two contentious factors keep cyber warfare on this threshold: determining what qualifies as an attack and attributing these attacks to actors.[20]

IV. The Consequences

A. Defining a Cyber “Attack”

Defining an “attack” is one of the primary principles of customary IHL, which has comprehensively provided prohibitions for its many forms, from the indiscriminate to the disproportionate.[21] However, there are diverging interpretations of how IHL governs cyberattacks that do not render “tangible” damage but only some loss of functionality, such as the effects of malware on network systems.[22] In theory, both cyber and kinetic means have similar “operational access” and impacts on the physical world.[23] The similarity ends in the distance between access and impact.[24] Where kinetic operations are nearly immediate between access and impact, cyber operations have a characteristic gap between the two, which yields a very different attack result.[25] This gap is what makes a cyber-attack that much more distinct: an incoming missile strike is guaranteed to be immediate, whereas the effects of a cyberattack can ripple and linger for months after.[26] 

The International Committee of the Red Cross (ICRC) has previously expressed concerns that a restrictive definition of “attack,” such as one that only encompasses results like death, injury, or physical damage, would remove the protection of IHL from many of the civilian targets of cyberattacks.[27] Many argue that cyber operations alone cannot reach these destructive capabilities[28] and lack the same impact of decisive results and assured, instant effects as that of kinetic operations.[29] As one source quipped, “No one has ever died by a cyberattack.”[30] However, Ukrainians have lost power in the middle of winter[31] and received spambot messages urging defection and treason against Ukraine.[32] Most cyberattacks may not have instantly visible, tangible results, but there is, with some certainty, still a felt effect. To be perceived as an attack and to fall under the protection of IHL, each of these examples would have to stretch the existing, constrained definitions currently found within IHL—the definitions that typically emphasize the dramatically immediate physical effects of kinetic warfare.[33]

B. Actor Recognition

Another core principle of customary IHL is the enforceable norm of a State’s responsibility for its actors.[34] Typically, a State is responsible for violations committed by its own forces and for the people it empowers to exercise governmental authority, people or groups acting on the State’s instructions or control, and actions by private persons or groups which the State “acknowledges and adopts as its own conduct.”[35]

Further, cyber warfare frustrates the opposition’s ability to identify and hold individual actors responsible, and, by extension, any affiliated or sponsoring State.[36] For example, members of military cyber units are considered combatants under IHL because they are members of the armed forces of a party to an international armed conflict.[37] However, advanced persistent threats (APT), like anonymous hacker organizations are not always clearly military or State-sponsored entities.[38] At the start of the Russian invasion, a private Brazilian hacker company attacked Ukrainian universities’ websites, an action not claimed by either Russia or Brazil.[39] On an even larger scale, Ukraine has amassed a cyber-army of volunteers, who, while undoubtedly retaining connections to Ukraine’s established defense forces, remain decentralized and without traditional State oversight mechanisms.[40] In the era of global privatized and decentralized forces,[41] it is no surprise that the trend extends to cyberspace. As a result, the often-elusive actors committing cyberattacks confound the old concepts of attribution under IHL.

V. Conclusion

The mass cyber army mobilization on both sides of the Russian invasion provides a glimpse into what the future of cyber warfare could look like: attacks performed largely by non-State or quasi-State forces. Consider the opening example again: an attack that yielded no physical result at the time[42] conducted by individuals recruited through a Telegram channel.[43] Not only was the effect markedly different from a conventional kinetic attack, but the associated actors evade the standard attribution of a State or state-sponsored actor. IHL stands to guide States and organizations toward a more detailed and specific understanding of cyberattacks, especially as global conflicts continue to wage new and evolving forms of conflict.[44] The language of kinetic warfare remains the standard, but for IHL to effectively address cyberwarfare, it must be informed of the similarities, and also the drastic differences, between the two.

*Anastasia Couch is a second-year day student at the University of Baltimore School of Law, where she is a Staff Editor for Law Review and a member of the Royal Graham Shannonhouse III Honor Society. In summer 2022, Anastasia interned with the Maryland State Ethics Commission and looks forward to interning with Citizens for Responsibility and Ethics in Washington (CREW) in the upcoming spring semester. Anastasia hopes to continue to work in government oversight after receiving her J.D. and currently pursues her passion by volunteering with Women for Weapons Trade Transparency.

Photo credit: Stefan Kuhn (This file is licensed under the Creative Commons Attribution-Share Alike 3.0 Unported license.)


[1] Ukraine Nuclear Power Company Says Russia Attacked Website,Al Jazeera (Aug. 16, 2022), https://www.aljazeera.com/news/2022/8/16/ukraine-nuclear-power-company-says-russia-attacked-website.

[2] Id. See infra note 41.

[3] Id.

[4] Al Jazeera, supra note 1; Joel Middleton & Samantha Lock, Russia-Ukraine War Latest: What We Know on Day 175 of the Invasion, The Guardian (Aug. 17, 2022), https://www.theguardian.com/world/2022/aug/17/russia-ukraine-war-latest-what-we-know-on-day-175-of-the-invasion.

[5] James Andrew Lewis, Cyber War and Ukraine, Center for Strategic and International Studies (Aug. 24, 2022), https://www.csis.org/analysis/cyber-war-and-ukraine.

[6] Id.

[7] Slate Herman, Cybersecurity and the U.N Charter: A Square Peg in a Round Hole, 19 Colo. Tech. L. J 217, 231 (2021).

[8] See Josiah Dykstra et al., Differentiating Kinetic and Cyber Weapons to Improve Integrated Combat, 99 Joint Force Q., 116, 116–17 (2020).

[9] Id.

[10] See Lewis, supra note 5.

[11] Microsoft Digital Security Unit, Special Report: Ukraine 8 (2022).

[12] Id.

[13] Ewan Lawson & Kubo Mačák, Int’l Comm. of the Red Cross, Avoiding Civilian Harm From Military Cyber Operations During Armed Conflicts 37 (2020), https://www.icrc.org/en/document/avoiding-civilian-harm-from-military-cyber-operations.

[14] Tilman Rodenhäuser & Veronique Christory, Capacity-Building Tools on “How and When” IHL Applies to Cyber Operations During Armed Conflict, 2 Cyber Peace & Security Monitor 13, 13 (2022).

[15] Lauren Gisel et al., Twenty Years On: International Humanitarian Law and the Protection of Civilians Against the Effects of Cyber Operations During Armed Conflict, 913 Int’l Rev. Red Cross 287, 299 (2021).

[16] Kubo Mačák, Unblurring the Lines: Military Cyber Operations and International Law, 6 J. Cyber Pol’y 411, 412–13 (2021).

[17] See Rodenhäuser & Christory, supra note 13, at 14.

[18] See Herman, supra note 7, at 230;Gisel, supra note 14, at 314; Mačák, supra note 15, at 416.

[19] See Gisel, supra note 14, at 304; Mačák, supra note 15, at 414.

[20] Rodenhäuser & Christory, supra note 13, at 14.

[21] See Gisel, supra note 14, at 312; Jean-Marie Henckaerts & Louise Doswald-Beck, Customary Int’l Humanitarian L.: Rules 3, 46 (2005).

[22] Michael N. Schmitt, Wired Warfare 3.0: Protecting the Civilian Population During Cyber Operations, 101 Int’l Rev. Red Cross 333, 339 (2019); Dykstra et al., supra note 8, at 118 (noting that, unlike most kinetic ops, the effects of cyberattacks on the physical world are often reversible, like the use of a decryption key to reverse the encryption used in ransomware).

[23] See Dykstra, supra note 8, at 118.

[24] Id. Operational access is “the ability to project military force into an operational area with sufficient freedom of action to accomplish the mission.” Id.

[25] Id.

[26] Id.; see also Mike McQuade, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired (Aug. 22, 2018), https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

[27] See Schmitt, supra note 21, at 341.

[28] Lewis, supra note 5.

[29] Lewis, supra note 5; Dykstra et al., supra note 8, at 118.

[30] Lewis, supra note 5.

[31] Council on Foreign Relations, Compromise of a Power Grid in Eastern Ukraine, Council on Foreign Relations (Aug. 24, 2022), https://www.cfr.org/cyber-operations/compromise-power-grid-eastern-ukraine.

[32] See Microsoft Digital Security Unit, supra note 11, at 15; Lorenzo Franceschi-Bicchierai, Ukraine Accuses Russia of Using WhatsApp Bot Farm to Ask Military to Surrender, Vice (Aug. 24, 2022), https://www.vice.com/en/article/5dgemn/ukraine-accuses-russia-of-using-whatsapp-bot-farm-to-ask-military-to-surrender.

[33] Gisel, supra note 14, at 314.

[34] Henckaerts & Doswald-Beck, supra note 20, at 3; Lawson & Mačák, supra note 12, at 25.

[35] Henckaerts & Doswald-Beck, supra note 20, at 530.

[36] See Gisel, supra note 14, at 296.

[37] Mačák, supra note 10, at 419.

[38] Lawson & Mačák, supra note 12, at 13.

[39] Mark Maunder, Ukraine Universities Hacked As Russian Invasion Started, Wordfence (Aug. 24, 2022), https://www.wordfence.com/blog/2022/03/ukraine-universities-hacked-by-brazilian-via-finland-as-russian-invasion-started/. What makes cyberwarfare even more complex are the varying “domains” it touches–note that the Brazilian hackers attacked Ukrainian Sites via the Sweden-based hosting provider, which routed the malicious traffic involved in this attack. Id.

[40] Lorenzo Franceschi-Bicchierai, Inside Ukraine’s Decentralized Cyber Army, Vice (Aug. 24, 2022), https://www.vice.com/en/article/y3pvmm/inside-ukraines-decentralized-cyber-army.

[41] See generally, Sean McFate Mercenaries and War: Understanding Private Armies Today National Defense University Press: News (Dec. 4, 2019), https://ndupress.ndu.edu/Media/News/Article/2031922/mercenaries-and-war-understanding-private-armies-today/.

[42] Kate Conger & Adam Satariano, Volunteer Hackers Converge on Ukraine Conflict With No One in Charge, New York Times (Mar. 4, 2022), https://www.nytimes.com/2022/03/04/technology/ukraine-russia-hackers.html.

[43] Al Jazeera, supra note 1; Max Hunder, Zaporizhzhia Nuclear Plant Still Disconnected From Grid, Ukraine’s Energoatom Says, Reuters (Aug. 26, 2022), https://www.reuters.com/world/europe/zaporizhzhia-nuclear-plant-still-disconnected-grid-ukraines-energoatom-says-2022-08-26/. Though the initial cyberattack yielded no results, the affiliated nuclear plant was disconnected from Ukraine’s power grid. It is argued that the disconnection was due to kinetic ops and physical destruction to the electric lines, which perfectly captures the problem of cyber warfare. See discussion supra Section IV. a.

[44] Al Jazeera, supra note 1.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: