Are we already in the middle of a cyber war? Or has warfare over the internet yet to happen? At first glance, the answer seems obvious: Attacks on computer systems in Estonia in 2007 or in Georgia in 2008 – during the war with Russia – led much of the German media to report that we had already reached the age of cyber war, introduced by Russia and leading to a collapse of the communications structure in both Eastern European countries.
This assessment was premature as profound investigations of the incidents could prove neither an authorship of a sovereign state nor serious harm as a consequence of the attacks. With regard to international law, essential requirements are missing to qualify the incidents as interstate war or armed conflict. It remains classified as a crime – and is punishable only if the affected countries have adjusted their penal codes to the challenges of internet crime.
The information scarcity
Nevertheless, the discussion about network-based attacks is of great importance, especially in light of the announced changes in the NATO strategy. The fact that possible incidents have been poorly documented until now does not mean that attacks within armed conflicts are technically impossible. Lack of knowledge must rather be ascribed to the confidentiality with which countries guard their network infrastructre.
Four important aspects deserve a closer look. The first question is whether the definition of war in the law of armed conflict is in need of a renewal. Cyber war does not have too much in common with the classical conflict scenarios that influenced the formulation of international law. Additionally, it is necessary to grapple with the impossibility of proving the source of an attack – and its implication for the right of self-defense. Compared to conventional warfare, it is often hard or impossible to trace the origin of a cyber war attack. According to some reports, computer systems from more than one hundred countries were involved in the attacks on Estonia. Until the possibility of retracing has improved, a certain degree of insecurity will remain and cast doubt on conventional arguments that justify a retaliatory strike.
Revaluating the scope of protection of international law
Additionally, we need to re-assess our dependence on critical infrastructure and the protection offered by international humanitarian law. Infrastructure can also imply the possibility of functioning food supplies or emergency aid. In conventional warfare, these are off limits to military planners and field commanders. Similar guidelines are required for internet-based warfare – for example, the maintenance of medical communications networks.
Finally, the technological development – and the possibilities of a military use of network technology that goes along with it – also influences the core area of peacekeeping. The world community needs to address the question of how the already dynamic structures of peacekeeping and de-escalation can be adjusted to the altered circumstances.