Sanchit Gupta and Vaibavi S G
“The potential for the next Pearl Harbour could very well be a cyber-attack.”
-Leone Panetta
One cannot disregard the possibility of an Indian Pearl Harbour scenario for sure, albeit on a different realm; the cyber-space. The truth is, that number of cyber attacks have happened in the past and may actually be happening even as we are talking of it right now. A recent report from Microsoft revealed about 6 major cyber attacks by Russia on Ukraine after the invasion. These attacks “have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership”, Microsoft states. The Russian interference with 2016 U.S. elections, Russian-sponsored 2017 NotPetya attack on Ukraine, the 2017 WannaCry ransomware attack on the British National Health Service, even the 2013 attack on Indian banks are enough examples all of which behove India to put concentrated efforts in this regard. Then, what is it that has kept many governments from developing cyber capabilities, dedicated research and defence mechanisms and legal protection against such cyber attacks?
Recently, experts in Europe conducted a cyber crisis exercise, one of the largest simulations the world has seen, known as Cyber Europe 2022, while on the other end of the globe, the president of a nation vowed to create cyber warfare reserve forces to respond better. The threat is real and is being recognised. The efforts are there but the urgency in their implementation is what is relevant at the moment.
Is The World Doing Enough?
Speaking of state sponsored cyber attacks, it is natural to assume that there might be some international instruments at place which keep a check on it. However, to our much dismay, it is to be noted that there is no single treaty explicitly dealing with cyber warfare in international law, which gives ample space to countries like Russia and China to carry out such attacks without any major sanctions. After the United States detonated nuclear bombs on Japan, it took two decades for countries to come to a consensus on the Limited Test Ban Treaty and the Treaty on nuclear non-proliferation of nuclear weapons. Technology changes as we breathe, and with it come newer threats. Living through this slow process of adaptation is something we cannot afford.
Curiously enough, a resolution 73/27 makes reference to a UN paper from 1981 that outlines states’ “duties” to refrain from meddling in other countries’ domestic affairs under any circumstance. However, the reality speaks of a different tale. The internet knows no bounds of sovereignty and non-interference. While a U.N. treaty on Cyber crime is underway, the question as to whether it will address state sponsored attacks is dubious. The treaty intends to provide for cooperation in cross border investigations, the extent of state regulation of the internet, and cyber crimes primarily. The aspect of state sponsored or state actors of cyber crimes or attacks is a grey area of talk. We need to understand that cyber attacks consist of cyber crimes but are different from it on levels, one being of a larger scale and two, being state sponsored. This being the case, it is highly unlikely for any state to provide cooperation in cases of state actors. Then what purpose do these talks and treaties serve?
Sceptics will opine that a rule is not a law when it is not obeyed and thus, even if we have a treaty in place, there will be countries who would violate it which insinuates that these treaties serve no purpose. This line of argument is, however, very problematic. The inherent flaw in it is the fact that if disregarded, violations can undermine norms or rules but do not make them obsolete. It is better to have something than to have nothing at all.
What’s more, even if the U.N. fails to formulate a comprehensive treaty on the subject, the international law sphere is still regulated by norms and customs. Customary practices are a valid source of international law and direct the world order accordingly. For instance, the polluter pays principle, principle of non-refoulement, the obligation to use international watercourses in an equitable manner are all examples of customary origin. These customs are extremely important even now as they help close the gaps within the treaty law and improve norms and accorded protection. But the immanent issue with these customs is that these do not develop overnight. It takes years of common practice to be declared as a custom and at present we do not seem to have a common strong custom of any kind in relation to cyber warfare and norms are of non-binding and voluntary nature. It thus, becomes obvious enough from the above discussion as to why developing an international law (treaty) in letter is critical.
The Indian Tale
India does acknowledge the threat that cyberspace can posit. It has brought about preventive measures in the IT Act 2000 as amended in 2008, like Chapter XI, but they are limited to cybercrimes by private actors and do not clarify India’s standing and its legal recourse as to the state sponsored cyber warfare. Much of its legal response would depend on the existence of an international law/treaty, the situation at hand and diplomatic relations, in addition to domestic law. Also, it has to come out of its nature of being defensive and must accustom itself to a deterrent cyberspace policy which is inclusive of every sector in the country. There are international norms dealing with cyberspace stability, however India must create internal capabilities to recognise violations and respond to it through internal procedures like sanctions and other influences. Another remedy that comes to rescue is having bilateral and regional treaties with other nations for cooperation, assistance and observance of ethical state behaviour in cyberspace. Such regional measures would create small blocks of guaranteed assistance and ethical conduct which would be much more effective against cyber aggressors.
India can also trail on the path of the European Union, by conducting a simulation exercise so as to check its cyber resilience power or use its diplomatic relations for creating taboo and enforcing sanctions. The required measures go beyond the confines of the legal realm and thus would be difficult to incorporate all of it within this one article.
Nevertheless, legally speaking, a lot is yet to be done at the international sphere and a lot can be done at the domestic arena as well.
Views are personal.
Authors are second-year law students at DNLU, Jabalpur.