It is essential to establish a clear distinction between cybercrime and cyber warfare. While the former encompasses a variety of criminal acts including identity theft, privacy violation, financial disruptions, trafficking etc., the latter is  the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes.

Since cyber enabled technologies are becoming ubiquitous from medicine to education and from banking to military applications, there is a necessity to focus equally on performance capabilities as well as in securing them. While such technical challenges can be gradually addressed over time, there, however, is a major gap in terms of the legalities related to cyber warfare. Several issues related to the ethics, proportionality, principles of engagement etc. need deliberation and the scope for both domestic and international laws is vast.

The attempt of this article is to list the various aspects related to cyberspace that pose challenges to governments in being secure. In addition, the discussion briefly touches upon a select few issues that are of relevance when it comes addressing the gaps in international legal context. The article concludes by listing out a path that can be adopted to address various issues related to better understanding cyber risks and the joint efforts required to create international legal mechanisms.

Over the last decade or so, there has been an increased effort towards achieving both offensive and defensive cyber arms capabilities resulting in a global “cyber arms race”. This period also coincides with a pronounced hike in the number of state sponsored cyber attacks both in the civilian and governmental domains, thereby clearly indicating the perception of various states regarding the use of cyber weapons, vastly increasing the likelihood of conflict.

The Indo-Pacific Region

The Indo-Pacific region (IPR) is home to some of the world’s top economies and ever since the era of globalization it has emerged as an innovation hub in cyber technologies. Issues related to cyber security have gained traction in the recent past and especially during the American trade war with China. According to US and its western allies, Chinese hacking groups such as APT-10 have been leading efforts in coordinating cyber attacks targeting US Naval personnel, American technology ventures and even NASA computers. India has also had its own share of being a victim of cyber threats originating from North Korea and the Petya cyber attack on Jawaharlal Nehru Port Trust, Mumbai with origins in Ukraine.

It should be emphasized here that the nations in the IPR face the risk of cyber attacks that are not only state-sponsored but also from non-state actors such as armed militias, individual hackers and also from terror organizations. In fact, in terms of absolute number of cyber attacks on countries, the biggest economies of IPR figure among the top 10 globally, this indicates the gravity of the issue. This is only likely to get exacerbated overtime with the emergence of network centric advanced technologies such as 5G, IoT etc. It is rather interesting to note that the vast majority of cyber attacks are state-sponsored with countries adopting policies to create cyber armies for the purpose of espionage, gathering intelligence, critical infrastructure disruption and finance.

Several countries in the region have been victims of financial cybercrime either by ransomware or outright theft online as in the case of the Bangladesh Central Bank, whose network was hacked, and an amount of about US$ 81 million was routed through the Philippines.

Apart from this, another significant aspect related to the downside of the cyberspace domain is cyber terrorism. Terror organizations like the ISIS have been at the forefront of propagating terror ideology through social mediums like Twitter, Facebook etc. The call for recruits into the ISIS caliphate not only resonated in the countries of the Middle East but also in advanced democracies such as France and the UK. Terror organizations thereafter have followed ISIS’ lead and have accelerated efforts towards a broader reach through radicalizing audio and visual media. Countering this is a huge challenge both to the intelligence and cyber security experts as this requires constant monitoring of the web content.

With the drive towards digitalization and data assuming primacy, cyber warfare in the future is likely to become even more complex and fast developing countries like India should invest in establishing versatile and robust cyber security architecture. The doctrine to deal with cyber threats should  have both posturing as well as deterrent capabilities in order to ensure that both state and non-state entities dither from launching a cyber attack.

Futuristic industrial systems with high degree of automation and autonomy will replace several routine jobs. Industries and business benefit from the same with a higher output from machines than humans completely avoiding fatigue. Hence, there is a constant need to keep these industrial systems up to date in terms of cyber security to thwart any cyber attacks that can lead to reduced productivity and economic costs.

The countries in the IPR are currently faced with the conundrum of choosing 5G operational equipment from source countries in order to install domestic high speed networks. The front runner being Chinese Huawei offering 5G technologies for lower costs compared to other networks. Countries such as India that have no choice but to buy 5G technologies are wary of privacy concerns as well as cyber security breaches. In addition, there is an increased pressure from competitor states like the US, who have threatened the world with retaliatory measures for acquiring Chinese technologies claiming infidelity of the networks. Hence cyberspace coupled with emerging technologies has the potential of impacting even the nature of relations between countries with far reaching consequences.

Perhaps the biggest threat that the utility of cyberspace poses is the undermining of democratic processes in adversarial countries by way of propaganda and misinformation campaigns while being located elsewhere. The character of democracy is witnessing a massive disruption due to the use of cyberspace both in the international arena like in the case of Russian interference in 2016 American elections in favor of President Donald Trump or domestically in the form of the recent anti CAA and anti NRC protests in India. This, interference in the internal politics of rival states can be viewed as a breach in sovereignty of a state and hence can be treated as an act of war or aggression. This, however, is a boon for non-democratic/authoritarian/dictatorial regimes which can launch such disinformation campaigns in democratic establishments while at the same time are at a vantage point with the ability of safeguarding themselves. With authoritarian regimes both in West and East Asia, the IPR is likely to face several challenges when it comes to cyberspace being used for disrupting democracy. This, therefore, throws open new questions such as the distinction between cyber and information warfare and the legal mechanisms that govern them.

Legal aspects related cyberspace

As mentioned previously, the breach of sovereignty of a nation through interference via cyberspace is a reality today. However, multilateral organizations as well as international legal practitioners are faced with new challenges in terms of adopting laws that define “aggression” which have an entirely new connotation in the context of cyberspace. Is a cyber attack to be viewed as an “aggressive move” or “an act of war”?

For example, the U.N. General Assembly (UNGA) Resolution 3314’s definition of aggression is insufficient in addressing such new threats coming from the virtual world. The temporal nature of these definitions is a consequence of the nature of conventional warfare of the 20th century and was adopted in 1974 much before any of the ideas regarding emerging technologies or even the internet was conceived. Hence there is a need to redefine such ambiguous expressions and incorporate legal jargon to encompass a broad range of scenarios that emerging technologies can present. The absence of such linguistic precision without explicit reference to terms like cyber attacks, cyber weapons, cyber aggression etc. results in the creation of grey areas that can compel states to use such tactics to achieve significant gains against their adversaries.

Another such Resolution that is relevant for this discussion is UNGA Resolution 2625 “The Declaration on Principles of International Law concerning Friendly Relations and Cooperation among States” which deliberates on acceptable behavior and conduct of states vis-à-vis other states in their interactions. As the resolution was passed in 1970, it again, just like Resolution 3314 is inadequate and falls short addressing aspects related to technological advancements of today. Hence, it is essential to initiate mechanisms to revise these existing resolutions and amend them in order to maintain their legal sanctity even today. There is a clear gap today when it comes to understanding emerging technologies among the legal fraternity and the makers of new technologies lack a legal understanding of the question of ethics. The rate at which legal structures are being formed to address issues related to emerging technologies is way behind the rapid pace of technological advancement. Hence, it is not only essential to revise existing laws but also to incorporate into them provisions that forecast the trends that emerging technologies are likely to usher in. It is also important to realize that making new international laws does not guarantee their implementation as states can remain signatories of them without actually ratifying them in their constituent assemblies. What international law does achieve is to outline broad practices that can be invoked at the times of crisis.

Towards creating a safer cyberspace

• It is essential to universally define terms like cyber-attack, cyber warfare, cyber terrorism etc. which ensures uniformity in understanding these issues globally. Thiswill bring in clarity regarding the nature and origin of the attack either by individuals or non state entities or states themselves.
• Understanding the nature of the cyber domain and remaining constantly up to date with emerging technologies is a prerequisite to initiating efforts towards establishing legal frameworks. This is essential because, in the cyber domain malware that infects systems can remain dormant until activated and then it can disable entire networks resulting in major economic loss. Such malicious software can be termed as a cyber weapon.
• There is a need for policy makers and legal experts to keep pace with the rapid advancement of technologies and frame laws that incorporate provisions by forecasting and understanding of futuristic trends.
• To initiate both regional and multilateral mechanisms to address issues related to cyber security and incorporate provisions to counter threats due to emerging technologies and bridge the gap in the legal structures. The adoption of recommendations as listed out in the “Tallinn Manual on the International Law Applicable to Cyber Warfare”. One such multilateral mechanism that has taken shape in the IPR is the Association of Southeast Asian Nations’ (ASEAN), Telecommunications and IT Ministers meeting (TELMIN) in an effort towards jointly combating cyber threats.
• Since cyber technologies are redefining every facet of human life, there is a need to customize legal provisions that are applicable to maritime and space domains. This is especially relevant in an era where autonomous vehicles, both underwater and aerial are becoming commonplace today. Both these domains are heavily dependent on cyber technologies for their functioning and have strategic significance in terms of global trade, communication, navigation and warfare.
• States need to view this as an opportunity to collaborate and jointly resolve these issues rather than looking at it from the point of view of strategic one-upmanship. In fact, states of the IPR which constitutes some of the most powerful economies as well as technologically advanced states can take an initiative towards such efforts.

In conclusion, cyber based technologies will increasingly play a  major role in our day to day lives. Such technologies not only have diverse and varied applications, they also have strategic significance. Understanding the nature of threats related to cyberspace is essential and the existing definitions and laws are inadequate to address various issues such as cyber warfare, cyber terrorism, cyber weapons, cybercrime etc. This is due to the adoption of international legal structures in an era before the advent of emerging technologies and cyberspace. Such challenges can be effectively addressed through joint efforts via both regional and multilateral mechanisms and adopting universal definitions and recommendations.

Sameer Guduru is an Associate Fellow with the National Maritime Foundation, India