Where is the Line Between Cybercrime and Cyberwar?

On April 27, 2007, Estonia began relocating the “Bronze Soldier of Tallinn”, a Soviet-era monument commemorating Soviet soldiers killed while liberating Tallinn from Nazi occupation, from its original location to an Estonian military cemetery. The Russian government strongly condemned plans for moving the statue. Beginning that same day, Estonia experienced a widespread and coordinated cyberattack on an unprecedented scale. The extensive distributed denial of service (DDoS) campaign targeted Estonian government websites, major media outlets, and finance and banking organizations, resulting in widespread disruptions in online communication throughout the country and delays in online financial transactions. While the Estonian government and other western observers were quick to blame the Russian government for the attack, the latter maintained it was the work of self-motivated Russian “patriots” without government involvement. While specific attribution of such an attack is inherently difficult, the fact that the attacks originated in Russia and that no Russians have been prosecuted by their government suggests at least tacit approval from the Kremlin and a new level of political boldness in adding cyberattacks to the Russian repertoire of wider information and influence operations. The fact that Estonia was a NATO member was cause for even greater concern.

In the aftermath of the attacks, the U.S., NATO, and other western governments were forced to grapple with the question of how to respond and how to navigate the blurry boundaries between cybercrime and cyberwar going forward. A year later, NATO established the Cooperative Cyber-Defense Center of Excellence (CCD COE) as a central point for cyber defense research, training, and monitoring activities for the alliance. The location of the center in Tallinn was a symbolic effort to highlight the importance of cyber defense to NATO, but over a decade later there is little unanimity on where the line between cybercrime and cyberwar lies.

For over a century, the international norms regarding the acceptable causes for engaging in warfare and the acceptable manner in which to do so have been codified in various international agreements and conventions. The commonly accepted modern jus ad bellum legal framework, which governs acceptable reasons for entering a war, is defined in Article 2 and Article 51 of the UN Charter:

“All members shall refrain in their international relations from the threat or the use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations… Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations.”

The modern jus in bello criteria are derived from the Hague Convention, the various Geneva Conventions, and other international frameworks. For the U.S. military, four primary principles are commonly recognized:

  1. Distinction: distinguishing between military and civilian populations and targets
  2. Proportionality: the incidental civilian suffering or damage must not be excessive in relation to the military advantage gained by an attack
  3. Military Necessity: damage to the enemy is only acceptable to the level required to meet a military objective
  4. Humanity/Unnecessary Suffering: the methods and materials of warfare cannot be engineered to cause undue suffering to the enemy

Several international actors have argued that these same jus ad bellum and jus in bello protections should and do apply to the cyber domain. The International Committee of the Red Cross argues that it is imperative to ensure that cyber activities are directed at military targets and that civilian networks and infrastructure are spared to the greatest extent possible. Microsoft has argued that an additional “cyber-Geneva Convention” is necessary to establish norms in the cyber domain and limit the currently unconstrained nature of state-sponsored cyberattacks.

The Department of Defense addressed the cyber domain directly in the 2016 revision of the Law of War Manual. The brief chapter lays out the U.S. position that the aforementioned Law of War principles must be applied to cyberwar. The manual states that any cyber activity that produces comparable effects to a traditional attack can be considered a use of force under the jus ad bellum framework. Examples include triggering the meltdown of a nuclear plant, attacking civil transportation like airliners or subway cars, and crippling a nation’s military logistics network. Importantly, the manual maintains that the inherent right to self-defense gives a state the justification to respond to a cyber use of force with both cyber and non-cyber retaliatory force, and that cyber operations that do not meet the criteria of a “use of force” can still be responded to with activities that are also short of a use of force as defined by international law. While, as the manual itself states, the laws and norms of cyber war are still being shaped, the manual projects a strong voice in the debate and is a good first step for shaping international norms in the area.

The issue remains, however, that the current state of affairs presents many seams and grey areas through which state and non-state actors can conduct cyber operations. The difficulty in attributing attacks to a specific state actor and the plausible deniability provided by the utilization of proxy hacking groups have allowed cybercrime and cyberintelligence attacks to proliferate. Russia has utilized cyberattacks to complement traditional military operations in both Georgia and Ukraine and as part of wider information operations in the Baltics, the U.S., and Western Europe. The 2014 attack on Sony Pictures attributed to North Korea provides another example. The Stuxnet attack widely attributed to the U.S. and Israel shows that the U.S. is equally adept at exploiting these seams when the situation dictates. While the DoD Law of War Manual presents several obvious examples of acts of cyberwarfare, the most dangerous scenarios currently lie somewhere in between. To borrow the famous obscenity test from the 1964 Supreme Court case Jacobellis v. Ohio, the exact line between cybercrime and cyberwar can best be summed up as “I know it when I see it.” The subjectivity and political calculation inherent in such a system will continue to make the cyber domain a potential flashpoint on the world stage in the years to come.