CONTEXT Cyberattacks point to the need to rethink what constitutes a force and what a justified response can be.
- A report in The New York Times on the October 2020 breakdown of the Mumbai power distribution system points a finger at Chinese cyber hackers.
- While the truth remain hidden, the discussion points to a macro issues such as-
- When, and under what conditions, would a non-kinetic strike, say a cyberattack, be considered an attack on the state?
- And under international rules of self-defence, what response would be considered legal?
- Would only a cyber counter-attack be justifiable or a kinetic response also be acceptable?
- Would a pre-emptive strike be allowed?
- The universally accepted Lieber Code of 1863 defines a combatant.
- It says, “So soon as a man is armed by a sovereign and takes the soldier’s oath of fidelity, he is a belligerent…”; all others are non-combatants. An organised group of “belligerents” constitutes a regular armed force of a state.
- The 1899 Hague Convention brings in further clarity of what constitutes a regular force.
- First, the force should be commanded by a person responsible for his subordinates.
- Second, it must have a distinctive emblem recognisable at a distance.
- Third, it must carry arms openly.
- And last, it must conduct operations in accordance with laws and customs of war.
NEED TO REDEFINE COMBATANT
- Those who conducted the (yet unproven) Mumbai ‘cyberattack’ or the 2007 attack on Estonia’s banking system did not meet any of the four conditions of being called combatants, but still wreaked havoc.
- A combatant, thus, needs to be redefined due to three reasons.
- First, a cyber ‘army’ need not be uniformed and may consist of civilians.
- Second, cyber ‘warriors’ do not carry arms openly. Their arms are malicious software which is invisible.
- And finally, the source of the attack could be a lone software nerd who does not have a leader and is up to dirty tricks for money, blackmail or simply some fun.
NEED FOR DELIBERATION
- None of the characteristics of these non-combatants were met by the requirements of The Hague Convention but their actions fall squarely in the realm of national security.
- This raises two very basic inquiries that need deliberation.
- First, would the nation employing civilians in computer network attacks not be in violation of the laws of war?
- And second, if these people are considered as combatants, would the target country have the right to respond in self-defence?
- A response would be reactive, after the attacker has conducted his operation; hence, as a right of self-defence, would an act of pre-emption (through kinetic means and/or through cyber) be in order?
- This argument may appear far-fetched now but needs to be examined as India seems to have a new view on the concept of the right to self-defence.
INDIA’S VIEW OF THE RIGHT TO SELF DEFENCE
- In a February 24, 2021 UN Arria Formula meeting on ‘Upholding the collective security system of the UN Charter’, the Indian statement says, “…a State would be compelled to undertake a pre-emptive strike when it is confronted by an imminent armed attack from a non-state actor operating in a third state.”
- It adds that “this state of affairs exonerates the affected state from the duty to respect, vis-a-vis the aggressor, the general obligation to refrain from the use of force.”
IMPLICATION OF SUCH VIEW
- The statement indicates India’s clear departure from established practices, as India made its position clear on the question of the right of self-defence against the acts of non-state actors in international law.”
- The statement India when viewed vis-à-vis cyberattacks done by faceless persons who are non-combatants as per international law, opens up an avenue that requires careful examination; cyberattacks may not kill directly but the downstream effects can cause great destruction.
INTERNATIONAL ACTIONS AGAINST HACKERS
- International actions against hackers have been generally limited to sanctioning of foreign nationals by target nations.
- It was only in 2014, for the first time, a nation (the U.S.) initiated criminal actions against foreign nationals (five Chinese operatives of Unit 61398 of the People’s Liberation Army) for computer hacking and economic espionage.
- Now the question that lies is, how long will it take global nations to covert and/or overt kinetic retaliation against hackings.
- India seems to have made its intentions clear at the UN meet, but the concern is that, if not regulated globally, it could lead to a wild-west situation.
- Hence, there is a need to globally realise that cyberattacks may not kill directly but the downstream effects can cause great destruction.