Cyberattacks before and during the Ukraine conflict have targeted civilians and private companies as well as government agencies, demonstrating the legal gray area in which cyber operations often live.
Launching military operations against noncombatants is prohibited under international agreements. But placing legal boundaries specifically around what is permissible in cyber conflicts is fraught with complexity, said Ahmed Ghappour, an associate professor at Boston University School of Law.
“The application of any international norm to a particular cyber incident requires attribution of the incident to a state actor. The attribution must be reasonable in order to be legitimate, but international law lacks a definition for what qualifies as reasonable or legitimate in cyberspace,” he said.
Hacks launched against Ukrainian infrastructure in recent weeks include massive distributed denial of service attacks against banks that disrupted websites and automated teller machines. Online disinformation and psychological operations are targeting civilians.
Microsoft Corp. President Brad Smith said in a blog post on Monday that some cyber activity in Ukraine might violate existing rules of war. Microsoft researchers detected a new malware variant targeting critical infrastructure operators in Ukraine, which the company dubbed FoxBlade.
“These attacks on civilian targets raise serious concerns under the Geneva Convention, and we have shared information with the Ukrainian government about each of them,” he wrote.
Christopher Whyte, an assistant professor in the homeland security and emergency preparedness program at Virginia Commonwealth University, said that many treaties focus on the use of specific weapons, but cyber tools can be multipurpose in nature. A network scanner used to fix flaws in defenses, for instance, can also be used to find them in an adversary’s systems and inject malware.
Simply using cyber tools isn’t enough to trigger sanctions, which require attribution and evidence that attacks were meant to cause harm, he said.
“This is why there’s not really any prevailing, constraining political framework on cyber,” he said.
The growing prominence of hacktivists and volunteer hackers in the war also concerns analysts, along with a declaration from ransomware gang Conti, which said it would strike at the critical infrastructure of any country that attacks Russia.
“The involvement of nonstate actors complicates the international legal landscape — who is a combatant, and who isn’t?” said Lauren Zabierek, executive director of the cyber project at Harvard Kennedy School’s Belfer Center. “There will be a lot of reflection and discussion of lessons to be learned with how this has unfolded and how this may change the nature of conflict in the future.”
Write to James Rundle at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8