Can Cyber Attacks be Considered an Act of War?

With the growth of the internet and automation of operating systems, nations have become dependent on a virtual base to maintainthe functioning of critical industrial control systems. However, in recent decades and recent military conflicts between nations and non-state actors, there has been a new way to attack the enemy: from the blockades in its virtual structure via cyber attacks.

These cyber attacks seek to undermine countries’ operating systems from hackers or artificial intelligences. However, this type of attack is not easy to trace from where it originated, which allows an anonymity of the attackers and the lack of concrete consequences against them.

The implications of this type of conflict, the Cyber Wars, still have great debate on how to treat it in international laws, not having clear definitions whether they are really considered acts of war or not, which creates a grey area within international relations.

 

 

What is Cyber Warfare

With the diffusion of digital systems and the operational use of the Internet in industrial control systems such as power stations, dams, train lines, banking system etc…, a new field of action within geopolitics has been created. With new digital tools, there are new vulnerabilities within international relations and nations themselves.  

The Cyber War takes place in this virtual-artificial field of information and operations. With the use of hackers and artificial intelligence, cyber attacks are within a gray area of war conflicts, because their duties are usually not accurate or stated.

 

This ambiguous position of a cyber attack brings several complications to international laws, as they can affect the essential functionalities of a country, causing physical damage to populations (if a country’s air traffic system is removed from the air it can cause tragic aircraft accidents, for example), but it can be done simply for espionage and information acquisition.

Because it is a relatively new technique, having its first case in Estonia in 2007, an update of the international laws is still necessary so that there is a clear approach that countries need to take in situations of cyber fragility.  

Cyber attacks do not have a universal and consensual definition of whether they can be considered acts of war or not, which is a further complication for international relations. This difficulty becomes a problem because it leaves to the interpretation of the countries whether they were/felt attacked or not, and depending on these interpretations can counter-attack and result in serious armed conflicts.

A gray area that is established in the Cyber Wars in the difficulty with the attribution of those who attacked instituting the existence of the conflict, but hardly of an assumed war. Relations are based on a fragile and vulnerable peace that is constantly threatened.

Cyber attacks are becoming more and more popular within countries’ defenses, due to the need for protection itself but to an advance in technological power. Russia is one of the leading nations accused of using cybernetic means for military and political purposes.

The difference between Cyber War and Kinetic War

The most traditional conflicts in history were exclusively in the field of physical attack, with bombs, missiles, weapons, tanks and etc. This type of attack is part of the “Kinetic War”, a term cited for the first time in 2002 in the book Bush at War, by Bob Woodward.

Kinetic military action is active warfare, with lethal forces acting on a material and physical level in the territory and fighting with the enemy.

The Cyber Wars are recent, popularized by the wide dissemination of digitization and the Internet seeking to change, interrupt or destroy the physical infrastructures controlled by systems or acquire exclusive information. By occurring in the virtual realm, they cause harm to nations, but in a more reversible way than in the Kinetic Wars.  

 

One means of attack does not exclude the other, including the tendency is that more and more military conflicts take place hybrid forms, with physical and digital attacks in sync, as well as information and disinformation campaigns.

Currently, wars occur in quick and incisively destructive steps. Conflicts such as Nagorno-Karabakh, which relied on the use of “intelligent” weapons (guided by I.A), are examples of the precision that military technologies are gaining.  

Still, because they are recent advances, they are based on the means of the Kinetic Wars and the physical impacts to weaken the enemy precisely, with the creation of guided bombs, armed drones and smart missiles, which leads wars to last less time for their high efficiency.

Military technologies are making advances at a fast pace like never before and the use of digital means to weaken enemy operating systems become a natural behavior.

Disabling the functionalities of a nation, at a distance and in a furtive-digital way, is a way to limit the advances in the country’s base, how to attack nuclear power plant operating systems and affect their military and energy capabilities or overload water treatment systems to contaminate and affect the population.  

Therefore, cyberattacks in general seek to overload systems until their collapse. This can result in physical disasters or remain only in the virtual field by hindering the enemy’s national functionalism.

Examples of cyber attacks supposedly made by nations

The first major case of a cyber attack occurred in Estonia in 2007, where the government suffered condemnations for the destruction of the Soviet historical statue of the Bronze Soldier by Russian-speaking media vehicles.

From this, bank and government systems were reported to fall and bombard spam in Estonian digital media. With the identification of Russian Ips as the origin of these attacks, it was assumed that the action was by the Kremlin and the Russian government, but they denied it.

Since then several other nations have reported having suffered virtual attacks, or made use of them to deal with the tensions of their geopolitical relations. Especially in the last decade, the popularization of cyber attacks has grown greatly by its difficulty in attributing, allowing nations to attack systems without being discovered.

In 2021, Iran denounced an attack on its nuclear enrichment facility Natanz through sabotage of the industrial control system made by the malware Stuxnet, probably created by Israel and the US (both countries deny their authorship to this day). The cyber attack damaged Iran’s nuclear centrifuges, but propelled the country to become more secure digitally and strengthen its cyber-defense by creating a hacker group known as APT33.  

Another example was the attack on United States in the system Solarwinds by the Russians in 2015, who have gained access to the information systems of private companies, public operations and American think-tanks. There has been a break-in to the systems of the Commercial Department, Treasury Department and Department of Energy of the United States government. Again, when accused, Russia denied having incited or originated these attacks.

The Russians are very active in this area and have another outstanding cyber attack event in their history: in 2017 with the hacker attack of Notpenya, in which crippled ports and paralyzed the cargo ship A.P. Moller-Maersk and other corporations, initiated in Ukraine and spread worldwide. This case is important because it was one of the first in which the digital attack caused physical impacts in countries and their economies (caused a loss of US$10 billion worldwide), opening the debate about cyber attacks being acts of war or not.

Is one country’s cyber attack against another an act of war?

The debate about the implications of the Cyber Wars has no consensus, due to its novelty and because of its ambiguous form.

An act of war has three main spheres to be materialized: universality, multilaterality and/or unilaterality. Universality occurs in the consensus among all the national states, a position normally taken by the UN. Multilaterality occurs when a set of states defines an attack, or a cyber attack; for example, if in the case of Estonia in 2007 NATO had stated that an act of war had occurred (which did not occur). Unilaterality, on the other hand, takes place within the framework of the independent sovereignties of each nation, when a country declares that it has individually suffered an act of war.

However, for many specialists, a cyber attack is only considered an act of war when it affects military systems and thus justifies and allows defense by legal and military measures, treating hackers as armed combatants. 

The war actions have qualitative and quantitative factors, and if we compare a bomb that was sent to the enemy country or the implosion of a control system of a nuclear power plant that leads to its explosion, the material effects are the same. Following this logic it would be possible to say that a cyber attack is only an act of war to cause physical damage.

Usually, in international military conflicts, the UN is in charge of declaring whether or not something is an act of war. However, as the definition of how to approach cyber attacks is unclear, it is not possible to have assert that they are yes or no acts of war.

This is a difficulty not only of the UN, but of other international organizations as well, such as NATO. In the case of 2007 in Estonia, a member state of NATO, the organization stated that the situation was not serious enough to call for mutual defense mainly because of the difficulties with attributing the origin of the attacks. Even so, NATO has also stated that, depending on the severity of a cyber attack, Article 5 of the Mutual defense may be called.

This field left to the interpretation of countries gives gap for different approaches to Cyber War. For example, in the US, Articles I and II of the national constitution give the president freedom to define what is an act of war or not. The American country has a key position on the international stage, mainly in the formation of laws and customs, moving only from the implications of the president’s decisions at the national level to a global level.

By individualizing the declaration of acts of war only to the national forces of the “attacked” countries, as there isn’t a universality on the definition of cyber attacks as an injury to national sovereignty or not, there is a discrediting of the digital sphere as a space of war.

With the lack of a position of a central nation like the United States on the international stage, its own centrality in the formation of laws begins to be questioned, since countries are not supported and assured by any means.

A Politico points out that using the concept of Cyber War will stop making sense in the near future, since more and more digital attacks will be natural in wars around the world.  

In January 2022, Ukraine again reported virtual instabilities that followed the behavior recorded by Notpenya. This type of attack is part of the hybrid tactics adopted by Russia, often implemented in a stealthy manner that allows plausible deniability. In the latter event, the investigations said that the attacks could have come from both Russia and its ally Belarus.

And what is the trend for the future of cyber warfares…

As hybrid wars are the future of armed conflict, And they have the great difficulty of coming into a gray area where there is no overt declaration of war. The combination of cyber attacks and the means of kinetic warfare makes conflicts more efficient, more invasive and less possible to identify their authors.

Without clear international mediation, what can be realized is a massive use of digital means to attack enemies without accountability. It is up to nations and private companies to invest heavily in their digital operating systems to defend themselves against this threat that will be ever more present in our future.