Can Cyberattacks Be Considered a War Crime?

image provided by pixabay

This post is also available in: עברית (Hebrew)

International Criminal Court (ICC) prosecutors are currently investigating alleged Russian cyberattacks on Ukrainian civilian infrastructure as possible war crimes – the first ever confirmation that attacks in cyberspace are being investigated by international prosecutors.

This case examines attacks on infrastructure that endangered lives by disrupting power and water supplies, cutting connections to emergency responders, or knocking out mobile data services that transmit air raid warnings.

According to Cybernews, at least four major attacks on energy infrastructure are being examined, with one group of Russian hackers being looked at by the ICC being “Sandworm,” which is believed to be linked to Russian military intelligence. A team at UC Berkeley School of Law has been investigating Sandworm’s cyberattacks targeting Ukrainian civilian infrastructure since 2021 and reports finding five cyberattacks it said could be charged as war crimes.

The Sandworm group is suspected of many high-profile attacks, including a successful 2015 attack on a power grid in western Ukraine, an attack on the Ukrainian mobile telecommunications provider Kyivstar last December, as well as extensive cyber espionage against Western governments on behalf of Russia’s intelligence agencies.

Furthermore, while cyberattacks targeting industrial control systems (which consist of much of the world’s industrial infrastructure) are rare, Russia is known to be one of the nations that possess the means to carry out such attacks.

Now the question is- can a cyberattack be considered a war crime?

The body of international law covering armed conflict bans attacks on civilian objects, but there is no universally accepted definition of what constitutes a cyber war crime.

Although legal scholars drafted a handbook in 2017 called the Tallinn Manual on the application of international law to cyber warfare and cyber operations, experts interviewed by Reuters say it is unclear whether data itself can be considered the “object” of an attack banned under international humanitarian law, and whether its destruction (which could be devastating for civilians) can be a war crime.

Professor Michael Schmitt of the University of Reading, who leads the Tallinn Manual process, believes that the hack of Kyivstar (owned by the Dutch company Veon) meets the criteria to be defined as a war crime. “If the court takes on this issue, that would create great clarity for us,” concluded Schmitt.