We must treat cyber wars the same as we treat conventional military encounters

Strategic Insight 004/2023

David J. Hickton

09 March 2023

Pictures and videos emanating from Ukraine show the widespread destruction wrought by Russian troops during a year-long war that continuously generates news coverage. But there is another side to this conflict that is lesser known and harder to see.

A parallel war has been running alongside Russia’s conventional ground invasion, one that involves unrelenting cyber attacks across various segments of Ukrainian society, if with less success than many experts initially anticipated. Mixed results aside, this cyber warfare at times has been significant enough that lines are being blurred between where cyber attacks stop and conventional warfare begins.

Since the start of the invasion in late February 2022, Russian actors have attacked Ukraine with two primary goals: to damage critical infrastructure and to exfiltrate or destroy data. According to Ukraine’s Computer Emergency Response Team, more than 2,000 cyber attacks plagued Ukraine in 2022 alone. Taking it a step further, at least eight different forms of malware have been used by Russian saboteurs in the past year, according to Microsoft, 40 percent of which were targeted at “critical infrastructure sectors.” Other targets included Ukrainian government websites, financial institutions, energy and communication service providers, and media outlets.

Russia’s intense use of cyber attacks in Ukraine predates its ground invasion by at least eight years. When Russia invaded the Crimean Peninsula in 2014, suspected Russian hackers knocked out power to 230,000 customers in western Ukraine. Two years later, suspected Russian hackers used malware to disrupt Ukrainian airports, railways and banks. One month before its ground invasion last February, Russia launched a massive cyber attack targeting government institutions in an attempt to weaken Ukraine’s position ahead of the impending military action.

These types of crimes aren’t unique to Ukraine and exist in the absence of active war. In 2007, hackers attacked Estonia in what is believed to be the first major cyberattack on an entire country, crippling banks, government websites and media companies. Closer to home, a ransomware attack in 2021 disabled the Colonial Pipeline and created fuel shortages for days in the eastern and southern United States. That same year, hackers disabled 80 percent of the information technology infrastructure of Ireland’s health service, drastically disrupting patient care during a global pandemic in the worst known cyberattack on a health system in history.

There is little question that large-scale cyber attacks are only going to increase in frequency and intensity during war times and, as of now, there is little recourse to punish or otherwise deter cyber attacks against civilians during the fog of war. That’s why Ukrainian officials are trying to convince the International Criminal Court (ICC) in The Hague to investigate whether Russia’s cyber attacks could be classified as war crimes. This is the first time a government has made such a request; if the ICC agrees, it could drastically alter how these crimes are prosecuted in the future.

Of course, not every cyber attack that occurs during war should be considered a war crime. Ukrainian chief digital transformation officer Victor Zhora argued that cyber attacks supporting military operations that target critical infrastructure affecting Ukrainian citizens should be investigated by the ICC, pointing to the simultaneous shelling and cyber attack on a large Ukrainian power plant.

Even with that caveat, convincing the ICC to act could be a difficult task. Cyber attacks are not explicitly defined as war crimes under the Geneva Conventions, as digital warfare obviously wasn’t a consideration in 1949 when the conventions were ratified. It’s clear that international law isn’t keeping up with rapid advancements and tactics in modern warfare, and there are no guarantees the ICC will act. What happens if it doesn’t?

Regardless of ICC action, the American government will likely continue to make frequent use of the Computer Fraud and Abuse Act, subject to jurisdiction. In October 2020, for instance, the Department of Justice charged six members of the Russian Sandworm group, which is considered to be responsible for many attacks in Ukraine, with computer fraud and conspiracy. That kind of country-based accountability is encouraging, but it doesn’t replace the need for international legal frameworks to adapt to the changing landscape of war.

Governments across the world must adapt with new sets of rules and accountability measures that reach far beyond physical confrontation. Without proper deterrence, governments are going to continually push the envelope in conducting cyber wars in the shadows.

It’s time to treat cyber wars the same as we treat conventional military encounters: with clear and defined rules of engagement, and stringent penalties for bad actors who purposefully defy those rules. Treating cyber crimes as war crimes is a critical, albeit not the only, step in that process. We need to employ an all-tools approach to facilitate cyber deterrence.

David Hickton is a distinguished fellow at the Azure Forum for Contemporary Security Strategy. He is the founding director of the University of Pittsburgh’s Institute for Cyber Law, Policy, and Security, which hosts the Pittsburgh Task Force on Public Algorithms. He is a former U.S. attorney for the Western District of Pennsylvania.

This article was originally published in The Hill on 26 February 2023.

The Azure Forum is a nonpartisan, independent research organisation. In all instances, the Azure Forum retains independence over its research and editorial discretion with respect to outputs, reports, and recommendations. The Azure Forum does not take specific policy positions. Accordingly, all author views should be understood to be solely those of the author(s).