Before we launch into assertions and statements, it is important to identify what a cyber attack actually is. Unlike conventional warfare, which takes place in the physical world and has “real” physical effects recognisable to all, cyber attacks are themselves intangible, and whilst some may have a direct kinetic effect, others have indirect consequences.

Nils Melzer, of the United Nations Institute for Disarmament Research (UNIDR), wrote a research piece on cyber warfare in international law and also used the well-known “Tallinn Manual” on cyber operations, produced by NATO, for guidance.

Firstly, cyber attacks and cyber warfare take place in cyberspace; an electronic space that is created, maintained, and owned by public and private stakeholders. It differs from the traditional theatres of war (land, sea, air and space) in that it is entirely manmade and not subject to traditional physical boundaries like geographical borders. Cyber attacks must also be carried out through cyber means – in other words, the physical destruction of telecommunication networks by bombardment would not constitute a cyber attack.

The Tallinn manual goes on to place cyber attacks under the umbrella term of Computer Network Operations (CNO), under which there are three types of activity:

1. Computer Network Attack (CNA) – Operations aiming to “disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.”

2. Computer Network Exploitation (CNE) – Operations aimed at collecting intelligence and data from adversary automated information systems or networks. This is linked to and has parallels with espionage.

3. Computer Network Defence (CND) – Actions taken to protect, monitor, analyse, detect, and respond to unauthorised activity within information systems and computer networks. And prevention of CNA and CNE through intelligence, counter intelligence, law enforcement, and military capabilities.

What is apparent where warfare is concerned, is that this terminology is specific to operations conducted in cyber space, and is distinct from the existing concepts of warfare in international law, which uses terms such as “force” (implying a physical element) and “armed attack” (implying the use of a weapon).

For example, Article 2(4) of the UN Charter, which prohibits the use or threat of force against the territorial integrity or political independence of a state, is one of the cornerstones of jus ad bellum, or, in other words, the legal restriction of going to war. The drafters of the UN Charter had the foresight to add a clause at the end, qualifying the prohibition to the threat or use of force to “or any other manner inconsistent with the purposes of the United Nations.” This “soft” language (i.e. malleable or open to interpretation) leaves a wide scope of debate as to whether it covers cyber warfare or not. Guidance can be taken from the Vienna Convention on the Law of Treaties, specifically Articles 31 and 32, which encourage interpreting such articles in good faith and state that the preparatory works of a given treaty or charter (known as Travaux préparatoires) can be examined to work out the object and purpose of a treaty. In the case of the UN Charter, these Travaux préparatoires include the documentation of the UN Conference on International Organisation, which shows that the prohibition on the use of force was only intended to include actions that cause direct injury, death, or destruction; other suggestions, for example by the Brazilian state, to include the threat of economic sanctions, was rejected during the conference in San Francisco.

Hypothetically speaking, certain cyber attacks, such as the halting of automated manufacturing systems, or the “blinding” of another state’s radar and air defences, do not include direct destruction, injury, or death. On the other hand, they can be seen as highly provocative and threatening, and therefore contrary to the UN Charter’s purposes of maintaining international peace and security. Whether they constitute an “armed attack” and whether states are therefore able to use force in response to such provocations is a separate matter.

This brings us onto Article 51 of the UN Charter, which provides the right of states to use force in self-defence if subjected to what amounts to an armed attack. The use of the word “armed” in this case implies the use of some form of weapon. Let us consider, hypothetically, a piece of software designed to shut down the military radar systems of a state. Would this programme count as a “weapon”? If not, then it would not be an armed attack. It may be provocative and contrary to the object and purposes of the UN Charter. It may even be a “wrongful act”, but it does not fulfil the criteria for replying with force in self-defence.

It can be argued that such software programmes can be considered weapons. In the International Court of Justice’s advisory opinion on prohibition of nuclear weapons ([1996] ICJ Rep 226) the court clarified that Articles 2(4) and 51 of the UN Charter do not refer to specific weapons, but any weapon (see paragraph 39). If we were to take guidance from the Vienna Convention on the Law of Treaties (UN 1155 UNTS 331)and define the term “weapon” in “good faith”, then it can be expanded to almost anything used by a state in a malicious attack against another.

There is a further complication to consider. In conventional warfare, attributing an action to a state is relatively straightforward. Proving that a state is responsible for an armed attack depends upon forensic and physical evidence that its armed forces, agents, or even those by proxy, has carried out a physical and material attack. With cyber warfare, or cyber operations, it is much easier to mask the source of an attack through what is known as “IP spoofing” (forging the address of the source of an attack) and the use of “botnets” (an interconnected network of computers that have been compromised with malicious software which allow them to be controlled). Even when the effects of the hacking are physical, it is difficult to prove the responsible party.

What becomes evident as one looks into this subject is that the language used can be considered outdated. The principles of jus ad bellum and prohibition on the use of force were set out in 1945, but the world has changed since then. Mils Melzer for the UNIDR concludes that:

“Overall, however, there still is no consensus as to the precise threshold at which cyber operations should amount to an internationally wrongful threat or use of force. In fact, there is not even an identifiable controversy with clear positions and conflicting criteria. The truth is that cyber operations, almost always falling within the grey zone between traditional military force and other forms of coercion, simply were not anticipated by the drafters of the UN Charter and, so far, neither state practice nor international jurisprudence provide clear criteria regarding the threshold at which cyber operations not causing death, injury or destruction must be regarded as prohibited under article 2(4) of the UN Charter.” – page 9 of his report on cyber warfare and international law for the United Nations Institute on Disarmament Research.

Conduct within Warfare

Whether a cyber operation amounts to an armed attack, and whether the aggrieved state may use such an incident as a legal casus belli (legal justification to commence conflict) is one question. The other is conduct within warfare, or once a war commences.

Cordula Droege writes in the International Review of the Red Cross(Volume 94 No 886 Summer 2012) about how the biggest concern over cyber warfare is the interconnectivity between the internet and civilian infrastructure. Most military networks rely on civilian infrastructure, such as undersea fibre optic cables. Civilian vehicles, such as shipping and passenger aircraft, rely on Global Position System (GPS) satellites which the military also uses. This means that it is increasingly difficult to differentiate one from the other. Even if the requisite differentiation is made, their interconnectivity means it is difficult to attack a military network without the risk of affecting the civilian population, and in turn the risk of endangering civilian lives. This means that the rule of distinction, a staple of international humanitarian law whereby a military must distinguish between civilians and legitimate targets, is not so easily applied in this case, even when care is supposedly taken.

One example of such an occurrence is the Stuxnet malicious “worm”, a piece of malicious software that targets automation systems known as SCADA (Supervisory Control and Data Acquisition), usually found within manufacturing and industry. It was uncovered in 2010, when it attacked and destroyed centrifuges belonging to the Iranian Nuclear Programme by causing them to spin and tear themselves apart. The first thing to note is that although it is speculated to have been developed by American and Israeli agents, the source of the attack was never uncovered. Attributing the responsibility squarely on anyone has been nigh impossible. Speculations were based on how the software code was written. Secondly, this is an example of a cyber attack, achieved through “cyber means”, but which nonetheless physically destroyed and damaged equipment. This is a demonstration of how infrastructure, be it power plants, water treatment systems, or even transportation, is somewhat automated and vulnerable to outside attack due to its interconnectivity. Despite this attack being specific in its nature and not affecting civilian lives directly and maliciously, it spread, much like a virus, and infected other systems within Iran, Indonesia, and India among others.

Whether the Stuxnet attack is in accordance with international law firstly depends on whether the perpetrating state or Iran considered themselves in a state of conflict with one another at the time. Only one of those parties is required to hold this belief for the rules of war to apply. If, for sake of argument, Israel was to be held to account, it can justify its action by stating that it is indeed in a state of war with Iran via its proxy, Hezbollah, in Lebanon, with which they have had hostilities. Secondly, it would depend on whether these centrifuges were being used to enrich Uranium purely for a nuclear weapons programme – rendering them a legitimate military target. Iran’s right to self defence in the face of this attack is also dependent upon whether it falls under the definition of an “armed attack” pursuant to Article 51 of the UN Charter. This real world example demonstrates how cyber warfare has a large scope for interpretation and debate.

Unsurprisingly, the way that states are approaching this new front of human existence varies wildly. The NATO produced “Tallinn Manual” is an attempt by an international governmental organisation to understand cyber warfare within the context of international law, and to prepare for it. Their Centres of Excellence, one of which produced this manual, aims at educating, training, and preparing Member States in their respective specialisations.

The United Kingdom has made efforts to introduce basic rules of conduct within Cyberspace during the Global Conference on Cyberspace. Also known as the “London Process,”, this is part of a series of conferences held around the world every two years. The general approach of the UK is that what is unacceptable offline, should by extension be unacceptable online, and not to “stifle” it any further or place too many restrictions. The UN Institute for Disarmament Research has suggested that this ongoing dialogue could be used as a “confidence building” measure between states, corporations, and non-governmental organisations and establishing “norms” of behaviour and transparency, as opposed to simply writing up an international treaty with more “hard” language (UNIDIR, Ben Baseley-Walker 2011). This is with the understanding that international law is shaped and created through state practice and opinio juris. Where enforcement is a challenge, the risk of isolation, – be it diplomatic or economic, – becomes the other de facto method of enforcement in which the international society of states partake.

Conversely, the Russian Federation has been attempting to draw up a treaty of sorts to regulate cyberspace since 1998 through the General Assembly. In 2008, the Federation contributed to drawing up such a multilateral treaty within the Shanghai Cooperation Organisaton, which includes China, Tajikistan, Kyrgyzstan, Uzbekistan, Pakistan, and India. This is a more direct and “top-down” approach, and whether it will work better than a “confidence building” measure is dependeant upon the more practical realities of cyber warfare. For example, if a treaty is drawn up between a group of states about the production of nuclear weapons, then monitoring the adherence to the treaty should be relatively simple. Though, the recent debacle between the United States and Iran would make one sceptic about just how useful treaties are in these matters. With cyber warfare, there are no Uranium enrichment facilities or satellite images of missile sites to point to. The problem of attributing cyber attacks to states, and the ease with which a party can disguise such an attack, means the international enforcement of such a treaty would prove problematic. From a cynical point of view, there is also the fear that such treaties may be used to justify tighter controls on a tool that allows people to communicate, document, and learn from one another.

Information War – Concluding Remarks

Cyberspace and the internet has become synonymous with the notion of “information sharing.” Before that, inventions such as the radio and the telegram were key to controlling the flow of information, and through that influencing public opinion. Governments have always used information technologies to achieve this purpose.

One of the key examples, which may be considered a “cyber operation” before its time, is known as the Zimmerman Telegram in the First World War. It was a communication sent by Germany to Mexico in 1917, proposing an alliance and encouraging Mexico to attack the United States to regain territory lost in 1836. British intelligence intercepted this private communication and made it public, helping to generate popular support within the United States for entering the First World War and arguably changing the odds to be infavour of the Allied Powers against the Central Powers. This particular example, if the official narrative is to be believed, shows the intelligence service of a nation seizing a rare opportunity to turn the tide.

More recently, in 2010, it was uncovered that the US Department for International Aid, USAID, developed a social network to be used in Cuba by ordinary Cubans. This was an exciting proposal in a country where internet access is tightly controlled and limited under the existing regime. The network was to be called Zunzuneo, and was designed to allow Cubans to communicate and share information cheaply. What is ominous, however, is how this network was advertised as a private enterprise and collected masses of data on users in order to gauge their political leanings. The reason? Sending out mass text messages, chosen at an opportune time, to trigger a revolution and eventually a regime change. An agent was even reportedly sent to install internet connection equipment not usually available to the public. Cyberspace was effectively created and used in an attempt to undermine a regime. As repressive as the Cuban regime is, when such projects come to light, they more often than not jeopardise the opposition and allow them to be painted as foreign agents with more ease.

The importance of influencing public opinion to, in turn, influence a hostile or allied state to one’s advantage has always been recognised, no matter the political system. The USA itself is now investigating social media influence during its most recent presidential elections, and the ever looming allegation that Russia was involved. It has become clear that the “information war” is a new reality built on the most pervasive manifestation of cyberspace in our everyday lives; the internet. Certain governments are therefore beginning to view the internet as an “achilles heel” to their social fabric, and their answer has been to impose tighter controls. China, which leads the world on cyber surveillance, has been exporting its analytical and surveillance tools to authoritarian governments and training their officials for some time. In a disturbing report by Freedom House, it is claimed that on a global scale, internet freedoms are actually on the decline.

As with any relatively new development, the global society seems to be grappling with how best to deal with cyberspace. What the individual sees as a tool that allows them to view and share content, a nation state sees at best as a weapon, or at worst, a thing to fear. The original principles around non-aggression and mutual respect of sovereignty are being challenged due to their outdated language and concepts. What this means for international law is that states now have the responsibility to shape what the future of cyberspace will look like: firstly through state practice and opinio juris, which forms the basis of customary law; secondly through any treaties they decide to draft. The coming decades will be critical as our dependency on the internet, both as individuals and governments, increases.

While seeming to look only as chaos, warfare and combat is governed by national and international laws set forth by international bodies. These laws came to be as the result of the event that occurred while in combat. The most famous set of international laws are the Geneva Convention. The convention seeks to be the foundation for all international laws in respect to the protection of the victims of armed conflicts (Pictet). The first Geneva Convention was held in 1864  as a result of the wounded soldiers being left in no man’s land during the 1859 Battle of Solferino. The wounded were left to suffer as neither side could attempt to rescue or aid their soldiers without becoming victims themselves. As a result, one of the soldiers who survived, Henry Dunant wrote about the experiences (Dunant) and sent his work to important figures within Europe. Eventually, Henry helped found the International Committee of the Red Cross in 1863(Sperry). It was within this committee that countries were able to call upon the nations of europe for the first Geneva convention which took place in Geneva, Switzerland in August 1864. At the end of the convention, the countries that came signed the Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field (ICRC). This treaty only explicitly stated the following (Shaw):

  1. the immunity from capture and destruction of all establishments for the treatment of wounded and sick soldiers,
  2. the impartial reception and treatment of all combatants,
  3. the protection of civilians providing aid to the wounded, and
  4. the recognition of the Red Cross symbol as a means of identifying persons and equipment covered by the agreement.

The original treaty also consisted of ten articles(ICRC) which have been been revised since they were first written. At the end of the American Civil War in 1863 in which Abraham Lincoln signed the Lieber Code stating the how soldiers conduct themselves in times of war. Following the signing both of these treaties which stated the behaviour of soldiers in warfare came the Hague Convention of 1899 and 1907. These were a set of treaties set at peace conferences in the Hague that set forth the laws of wars as well as what constituted war crimes under international law. The laws that were signed into the treaty by all the major countries at the time drew many of the articles from the American signed Lieber Code. This was done as it was the first complete set of laws that encompassed the rules and regulations for behaviour at times of war. It included articles on the treatment of prisoners of war, truces, prisoner exchange, as well as the protection of civilians and their property. It also set forth the appropriate punishments for deserters. When the final treaty was signed in July 1899, the Hague Convention of 1899 was comprised of 3 main treaties as well as 3 declarations(Hague Conventions).

The first treaty was the Convention for the Pacific Settlement of International Disputes(Laws of War). This treaty allowed for the arbitration between countries. This also meant that there needed to be an official place where the arbitration would take place which lead to the creation of the Permanent Court of Arbitration. This treaty and count allowed for member states to settle disputes relating to sovereignty, national and maritime boundaries, human rights, etc(Dispute Resolution Services). The second treaty was the Convention with respect to the Laws and Customs of War on Land(Hague Convention). This outlined the treatment of Prisoners of War in accompaniment with the laws set in the 1864 Geneva convention. It also forbid the use of poisons, the killing of surrendered enemies, and looting of towns. The final treaty was the Convention for the Adaptation to Maritime Warfare of the Principles of the Geneva Convention of 22 August 1864(Treaty Database). This outlined the protection of marked hospital ships as well as requiring all marked hospital ships to treat any wounded or shipwrecked sailors. In all the treaties mentioned, all were signed by all parties at the Hague. The additional declarations however, were not unanimously signed. The first declaration was the Declaration concerning the Prohibition of the Discharge of Projectiles and Explosives from Balloons or by Other New Analogous Methods. This stated that for five years from the when the treaties are entered into force, any war containing the signing powered, cannot use balloons to launch projectiles or explosives. The wording of the treaty also encompassed any new technology as it referenced balloons or “by other new means of a similar nature”. In this treaty, all the major parties signed except for the United States and the United Kingdom. The second declaration was the Declaration concerning the Prohibition of the Use of Projectiles with the Sole Object to Spread Asphyxiating Poisonous Gases. This referred to banning the use of gas filled shells which would release some form of poison gas such as chlorine gas upon impact. This was signed by all the parties except for the United States(Treaty Database). The final declaration was the Declaration concerning the Prohibition of the Use of Bullets which can Easily Expand or Change their Form inside the Human Body such as Bullets with a Hard Covering which does not Completely Cover the Core, or containing Indentations. This stated that any of the countries that signed will refrain from using ammunition that expand or flatten easily in the human body. This was signed by all the parties except for the United States(Treaty Database). Once all the treaties were signed and ratified, they became into force on September 4th, 1900.

The second Hague Convention took place in 1907. It’s purpose was to expand upon the previous convention but also allow for any changes to account for technological advances. Specifically, the convention was to focus on naval warfare as Britain and Germany were in an arms race to build the most powerful navy. The convention consisted on 13 treaties, of which only 12 were brought into force. There was also a single declaration. The first was the Convention for the Pacific Settlement of International Disputes which was an expansion of the first treaty from the 1899 convention. The second was the Convention respecting the Limitation of the Employment of Force for Recovery of Contract Debts which stated that countries would not use military force to collect on debts. The third was the Convention relative to the Opening of Hostilities which defined the acceptable process which a country or state would follow when making a declaration of war. The fourth was the Convention respecting the Laws and Customs of War on Land which contained a few minor changes from the previous 1899 convention. The fifth convention was the Convention relative to the Rights and Duties of Neutral Powers and Persons in case of War on Land which defined the rights of neutral powers or people in the event of war.

As was the main purpose of this convention, the next seven conventions were directly related to naval and maritime combat. The Convention relative to the Legal Position of Enemy Merchant Ships at the Start of Hostilities stated that all merchant ships that belong to the instigating nation arriving at a port of the enemy at the beginning of a conflict shall be allowed to leave the port immediately or within a few days grace to move freely to another port. It also applies to ships that that has left its last port before the official commencement of the war as they are ignorant to the conflict at hand. The seventh treaty is the Convention relative to the Legal Position of Enemy Merchant Ships at the Start of Hostilities which states that merchant ships that are converted to become warships cannot have the same rights and duties as merchant ships unless they are directly under the authority, control and/or responsibility of the flying flags power. The eighth treaty is the Convention relative to the Laying of Automatic Submarine Contact Mines which encompasses the laws relating to setting ocean mines. It states that the use of unanchored mines is illegal along with the setting of mines along the port of an enemy where the only intent is to intercept commerical shipping. The ninth treaty was the Convention concerning Bombardment by Naval Forces in Time of War which banned the destruction of defenceless cities, towns, ports, or villages. However, if there is any form of military construction within, naval officers are permitted to destroy them and they would not be responsible for any collateral damage.  The tenth treaty was the Convention for the Adaptation to Maritime Warfare of the Principles of the Geneva Convention of 1906 which made updates to the third treaty of the 1899 Hague Convention as per the amendments that had been implemented in the 1864 Geneva convention. The eleventh treaty was the Convention relative to Certain Restrictions with regard to the Exercise of the Right of Capture in Naval War which made the mail of any party found at sea aboard an enemy or neutral ship prohibited from form of alternation. It also states that in the event of a capture, the mail must be delivered to the receiving party with the least delay possible. The twelfth treaty was the Convention relative to the Establishment of an International Prize Court which was intended to aid in the resolution of conflicts stemming from the capture of ships during times of war. This treaty was never ratified by any major party and did not become into force. The final treaty was the Convention concerning the Rights and Duties of Neutral Powers in Naval War which forbade any aggressing party from violating the sovereignty of any neutral party by any means. The only declaration in the 1907 Hague Convention was the Declaration Prohibiting the Discharge of Projectiles and Explosives from Balloons. This was only to extend the provisions set in 1899 until the third Peace Conference however it never took place.

As the world stepped into the first world war in 1914, the conventions agreed upon by all parties became ignored. In January of 1915, Germany became the first to violate Declaration Two of the 1899 Hague convention and Convention four of 1907 Hague convention when they used shells filled with xylyl bromide gas at the Russians in the Battle of Bolimov(Heller). By the end of the war, all parties involved would break the conventions forbidding the use of chemical or poison weapons. Moreover, Convention three would be broken by Germany when they invaded Belgium when they were declared themselves as neutral. The breaking of international law had no direct consequence on any parties however since Germany has lost, the 1919 Paris Peace Conference held Germany responsible for the war. In June of 1919, the Treaty of Versailles was signed by the allied nations and Germany. The treaty consisted of may points including monetary reparations and territorial concessions. The value Germany was to pay was assessed to be 132 billion German marks which was to go to specific Allied countries. The Treaty also forced Germany to disarm itself by reducing its armed forces and imposing sanctions on the nation.

As the world was reeling from the global conflict of World War 1, countries knew who had stronger armaments. To not seem weak and to protect themselves from another possible war, countries were looking to grow their forces; specifically their naval fleets. This would have turned into a full fledge arms race had it not been for the 1922 Washington Naval Treaty. In the treaty, the winning nations of the First World War agreed to limit their construction of their naval fleets as to limit and prevent an arms race. The treaty limited the construction of new ships and submarines by weight. All ships were limited to 10,000 tons. This treaty was only limiting the size of ships but not the quantity. It was minor loophole that the countries were able to exploit to continue their fleet building. As a result of this loophole, there was an arms race but it was scaled down.

As the world has seen the use of poison and gases used on the battlefields of the First World War even though all parties involved and signed two separate treaties that outlaws the use of chemical agents. Because of this, the Protocol for the Prohibition of the Use in War of Asphyxiating, Poisonous or other Gases, and of Bacteriological Methods of Warfare (or Geneva Protocol) was drafted in Geneva. The protocol stated that the “use of asphyxiating, poisonous or other gases and all analogous liquids, materials or devices being prohibited, their manufacture and importation are strictly forbidden in Germany”(ICRC). The language in this treaty was much more specific and encompassed nearly all forms of chemical weapons. The treaty also covered “bacteriological methods of warfare”(ICRC). In spite of many nations signing the treaty, there were still signatory nations that violated the treaty and used weapons. Japan had used mustard gas against Taiwan in Musha Incident(Criddy).

In 1928, as a response to the escalating global tensions, The Kellogg-Briand Pact (or Pact of Paris) was signed by world leaders(Kellogg-Briand Pact). This treaty stated that the signing parties would not use war to solve any disputes or issues regardless of what they are about or who may be involved. It promoted the use of peace talks to settle disputes rather than calling for war among nations. This pact would later become the foundation for the international courts that would try war criminals on an international level. The 1929 Geneva Convention saw two additional treaties signed into international law. The first was the Convention relative to the Treatment of Prisoners of War. This superseded all previous treaties regarding the treatment of POWs in times of combat. It consisted of a total of 97 articles. The articles covered what can and cannot be done by the prisoners or to the prisoners, what is to be provided to the prisoners, and how and when to release prisoners. Building off the first three articles of the 1907 Hague convention, this treaty became much more explicit on the treatment and eliminated large portions of gray area. In the same year, the Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in Armies in the Field. This Convention superseded the 1906 and 1864 Conventions and was designed to cover areas that were found to be incomprehensive through the First World War. The updated treaty added that aircraft on medical missions were to be given similar protection as hospital ships. Many of the treaties signed remain enforced today with some being superseded by updated versions. It was only after the Second World War that the world saw the consequences of breaking international law.

Modern International Law (1945 – Present)

Following the Second World War, the League of Nations was replaced by the United Nations. The United Nations Charter was signed in 1945 and it became the basis of all future policies and treaties created by the UN. The charter bound all the nations who signed to act in accordance to its treaties and it was stipulated that treaty obligations become superseded by obligations to the UN. The charter consisted of 2 main parts; the preamble and the articles. The preamble acts as an introduction as it calls for peace and overall global security as well as a declaration that the signatory nations agree to the charter. The second part is divided into chapters where each chapter covers a subject matter such as sanctions and the use of military force. The following year in 1946, the Nuremberg Trials took place to try and convict members of the Nazi Party of war crimes and crimes against humanity. The trials were held by the International Military Tribunal in Nuremberg. Prior to the trials, the Allies examined the events of the Second World War and determined that the crimes committed by the Nazis fell into four categories:

  1. Participation in a common plan or conspiracy for the accomplishment of a crime against peace
  2. Planning, initiating and waging wars of aggression and other crimes against peace
  3. War crimes
  4. Crimes against humanity

The trail saw that 24 of the highest Nazi officials be tried and amongst those 3 were acquitted, 2 were not charged for various reason and the remaining were found guilty of their crimes and sentenced to prison or death. All those sentenced to death were hung. Following the Nuremberg Trials, a similar trial took place in the East where the Japanese would be brought to a similar tribunal style court. Just as the Nuremberg Trials, the accused crimes were divided into 3 categories. Class A was for those who were involved in the joint conspiracy to start and wage war. Class B was for war crimes and Class C was for crimes against humanity(Libguides).  Just as before, most of the accused were found guilty of their crimes and sentenced to prison or death. As a direct result of the crimes committed in the Second World War and the trials after, the International Criminal Court was created in order to try those convicted of international crimes of genocide, humanity and war crimes. The court is located in the The Hague, Netherlands.

Following the trials, the Geneva conventions began in order to fill in the gaps that become exposed during the Second World War. There were a total of 4 conventions that were signed into law in 1949. The first was the “Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field” which covered the treatment of the wounded and sick. The second was the “Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea”. The third was the related to the treatment of POWs and the fourth was for the protection of civilians in times of war. These 4 conventions were based on previous conventions mentioned earlier, with minor modifications to reflect the lessons learned from the Second World War. In 1954, The Hague Convention reconvened with the  Convention for the Protection of Cultural Property in the Event of Armed Conflict. This convention was to focus on protecting cultural property in an armed conflict. This was in response to the mass looting and destruction of art in the Second World War. As we move forward into history into present day, there were many more conventions signed and introduced into international law. This was to account for the development of technology in order to prevent another conflict that could surpass the death toll of both World Wars combined. Some of the conventions relating to the use of landmines, incendiary weapons, lasers and nuclear weapons. The latest convention was in relation to the use of Cluster Munitions which was proposed in 2008 but was entered into force in 2010.

International Cyber Law

With technology advancing at its current rate, it would be improbable to think that the laws would be in sync with the advances. Many countries lag behind when updating their laws to account for cyber activities. Cyber attacks can categorized into 5 main categories; Intrusion, content, copyright, fraud and combination. Within these categories exists different types of crimes. The most common is “hacking” which would fall under the Intrusion category. Content attacks refer more to the content of the data and its legality. Crimes that would be classified under content would be the distribution of child pornography. Copyright crimes are what the name encompasses such as distributing software, movies or music. Fraud would cover crimes such forgery and internet bank fraud. Combination attacks refer to using more than one medium to execute the attack. This would cover more broad attacks such as laundering and terrorism. Unlike traditional combat which had laws covering the many different aspects of what occurs in a warzone, cyber has not yet reached that point. As a response to the delays within the international community, many smaller groups and organizations have come with their own responses and mandates. For instance, the Council of Europe have put forth a proposal that would create the world’s first convention for cyber crimes. Similarly, other smaller groups such as APEC and OPEC have proposed similar ideas. In 2001, the first and only international treaty about cybercrime was brought forth. The Convention on Cybercrime was looking to address cyber crime by uniting laws and increasing international cooperation(Council of Europe). The convention also sought to create procedures on the search of computer networks and the interception of data from networks. This also allows for making racist comments or the promotion of xenophobic propaganda through the use of computer networks a criminal and prosecutable offence. Beyond the few notes mentioned here, there are not any other agreed upon international treaty or laws relating to cyber crimes or cyber in general. The laws appear to only be at the national level however these laws only seem to reflect minor changes to account for the cyber update to that crime.

Analysis of Laws

To compare current laws surrounding combat to the laws surrounding cyber warfare and cyber in general would be unfair as there is not equal standing nor is there anything that would fit perfectly in both categories. This could be for a variety of reasons. The one that stands out the most is that many of the laws that now govern combat were the direct result of the many conflicts that have occurred. We have seen the use of chemical and biological weapons used on the battlefield as well as nuclear bombs decimate cities in one run. We watched as the Nazis committed mass genocide against the Jewish populous and the genocides continue from Armenians to the Tutsi of Rwanda. The treaties that were signed by nations and ratified by their respective parliaments as they had seen the direct result of what can occur when there is nothing to prohibit those actions. It is because we have seen the direct consequence of our inactions that we have come up with these laws to govern what we can and cannot do while in combat. This cannot be said with cyberwarfare and cybercrime. We have yet to fight a global conflict on the cyber battlefield. We cannot fathom what can occur therefore we cannot outlaw what we do not know.  Another reason that there are no cyber laws is that there is not feasible method of enforcing a treaty. For example, nuclear inspectors are able to inspect the weapon silos of the signatory nations. This is because the weapon is stored in that one silo. This cannot be said for cyber as it is not a physical item. It exists in cyberspace, which is accessible by everyone with an internet connection. Colonel Gary D Brown says that laws of war are “really dependant on thinking of things kinetically in the physical realm.” What this means is that the laws that are currently enforced about war came from what was seen in prior engagements and battles. Furthermore, to understand the damage behind an attack, you need to be able to see the damage that has occurred. Physically, that is a simple task, we can see that the bombing campaigns of the second world war leveled cities and towns, destroying monuments. In cyber, to what extent does something have to go to be considered a “glitch” to an attack. Major General Amos Yadlin of the Israeli Defense Intelligence believes that we “need to take all the vocabulary and terms used in strategy and military operation and adapt them into the cyber realm”

To be able to match our current laws on war, we need to be able to see what may happen and prepare for the worst. More importantly, there needs to be some discussion on what has occurred and who has done what. Ignoring the obvious and denying any involvement would be the naive approach that would be detrimental to developing safe practices in cyber warfare. Moreover, there needs to be global consensus on what would appropriate behaviours and what would be prohibited. Just as there was provisions in the Geneva Convention that banned the destruction of unprotected cities; there needs to be provisions that declare certain necessities such as heating and potable water off limits in cyberwarfare. By finding the middle ground and addressing the issues directly before, we can learn from the mistakes of our past and potentially avoid the loss of millions of lives simply by making these rules before we ever get in the situation where we need them.


1917 During World War I, The Cipher Bureau and Military Intelligence Branch of the U.S. Army was established. Their function was to provide codes for U.S. communications in WWI and attempt to decode enemy signals. On May 19th 1919, the Chief of the U.S Department of State approved creation of a Cipher Bureau, dubbed Black Chamber (Pre-1952 Historical Timeline).

1918 German engineer Arthur Scherbius introduced the commercial version of the Enigma cipher machine, it’s purpose is to encode and decode messages. This early model went under multiple revisions which would increase its cryptographic capabilities.

1926 Military version of the Enigma was deployed into service. This improved edition of the commercial model had an increased number of rotors allowing for more combinations. This version would be revised once, Enigma G, before being adopted by the German army.

1930 The German Army introduced their own version of the Enigma machine, known as the Enigma I. The major difference between this exclusive model and the commercial ones was the introduction of a switchboard, which greatly increased the cryptographic capability of the Enigma. This version was widely used by German military forces and government up to and during World War II.

1939 In response to the German Enigma machine, the British government approved funding for the development of a machine to decipher their secure communications. The Bombe was designed at Bletchley Park, UK, by a team led by Alan Turing. After some development the Bombe was capable of decrypting the Enigma machine cipher. This allowed the Allied forces to decipher German communication, disrupt German forces, and eventually defeat the Nazi Reign.

1943 The British codebreaker project, at Bletchley Park, builds Colossus. A large electronic computer that relies upon vacuum tubes for calculations, used for cryptographic purposes. Later models of the same design remain in use until the 1970s (Springer).

1944 Howard Aiken, working for International Business Machines (IBM) at the time, presented his design for the Automatic Sequence Controlled Calculator (ASCC). It was developed by IBM and developed at Harvard University, where it was referred to as the Mark I. It was a general purpose electromechanical computer that could be programmed through paper tapes and relied on vacuum tubes for computing calculations.

1945 The Manhattan Project is completed followed by the first atomic bomb test in history. Two versions (Fat Man and Little Boy) are shortly used in the destruction of the Japanese cities of Nagasaki and Hiroshima.

1946 The Electronic Numerical Integrator And Calculator (ENIAC) is developed for the U.S. Army’s Ballistics Research Laboratory. This general purpose electronic computer was used to calculate ballistic trajectories, then later to solve complex mathematical equations.

1947 John Bardeen, William B. Shockley, and Walter Brattain working in conjuction at Bell Laboratories to build the first transistor, which sparks revolution for microelectronics. This advancement allowed for smaller, cheaper, faster, and higher quality computers.

1948 The RAND (Research And Development) Corporation was created, implicating a direct partnership between the U.S. Air Force and the Douglas Aircraft Company.

1949 The Soviet Union tests their first atomic bomb, which would not have been completed without stolen information that was used in the joint British and U.S. Manhattan Project.

The Armed Forces Security Agency was created, intended to combine all U.S. military intelligence agencies together into a single entity.

Maurice Wilkes from the University of Cambridge Mathematical Laboratory develops the Electronic Delay Storage Automatic Calculator (EDSAC).This is the world’s first stored program computer.

1950 The Universal Automatic Computer (UNIVAC) is built, using magnetic tape for data storage as opposed to punched cards. It is the first truly commercial digital computer, the first model being delivered to the U.S. Census Bureau.

1952 The National Security Agency (NSA) was appointed to oversee all U.S. government signal intelligence collection efforts, including signal counterintelligence activities.

1957 The Soviet Union launches the world’s first artificial satellite into orbit, Sputnik.

1958 The U.S. government forms the Advanced Research Projects Agency (ARPA), later renamed the Defense Advanced Research Projects Agency (DARPA). an organization dedicated to preventing strategic surprise through technological development.

American electrical engineer, Jack Kilby, invented the integrated circuit while working at Texas Instruments. It was the first great leap forward in 10 years for microelectronics, since the completion of the transistor by Bell Laboratories back in in 1947.

Another American electrical engineer, Seymour Cray, working for Control Data Corporation finishes the first supercomputer. This machine pushed the limits of processing speed for any given technology at the time. Cray’s early model, which relied on transistors, will soon become obsolete to integrated circuit machines.

1968 Intel Corporation was founded by Gordon Moore in Santa Clara, California (Silicon Valley). They quickly become the world’s leading producer of microprocessors.

1969 ARPANet was established, which allowed a select number of government and academic facilities to interconnect their computer networks, thus enabling distribution of information.

1971 Intel released the first commercial microprocessor, a single chip four-bit CPU.

1972 The TCP/IP (Transmission Control Protocol/Internet Protocol) system was designed. This provided a precise model for data format, address, transmission, route, and reception by computers on a network.

1975 The Church Committee hearings in the U.S. Senate revealed that the NSA conducted illegal domestic surveillance, specifically against opposition of the Vietnam War.4

1976 Steven P. Jobs and Stephen Wozniak founded Apple Computer Corporation, designing  consumer personal computers designed for ease of use.

1978 The Foreign Intelligence Surveillance Act was passed, thus limiting the power of federal intelligence agencies to engage in domestic surveillance without the approval of the court.

1981 IBM announces the development of a home personal computer, which would be available for consumers. This was the first time computers would be available for the general public.

1982 A pipeline in Siberia, built using information stolen by KGB spies, explodes because of weakness purposely planted in the blueprints. The flaw was intentionally created to sabotage Soviet agents.

1983 MILNet, a dedicated network for the U.S. military, was split from ARPANet. Coincidently, this was the same year the movie War Games was released, where a hacker almost starts a nuclear war by compromising a Department of Defense (DoD) system.

1984 Congress passed the Computer Fraud and Abuse Act. It criminalized misuse of government computers. In 1996 it was expanded to include unauthorized use of any computer system.

Apple released its first Macintosh desktop computer available for the consumer to purchase, thus creating feasible competition for IBM computers.

1988 Developed by Massachusetts Institute of Technology student, Robert Morris, the Morris Worm was released from the MIT laboratory. It spread to UNIX systems connected to the Internet, and once infecting a machine it would self-replicated until the machine slowed to a halt. It revealed the lack of protection for such vulnerabilities.

Donald Gene Burleson was the first American citizen convicted for harmful access of a computer. Burleson wrote malicious code (logic bomb) destroying his former employer’s payroll data.

The Computer Emergency Response Team (CERT) formed by DARPA at Carnegie Mellon University in Pittsburgh, Pennsylvania as a response to the results of the Morris Worm.

1989 Tim Berners-Lee, British computer scientist, proposed the creation of the World Wide Web. This was a system of linked hypertext documents accessed via the Internet.

1993 Mosaic internet browser released. This made the internet accessible to home users

1994 The Air Force Rome Laboratories is hacked by Kuji and Datastream Cowboy. Kuji was a 22-year-old Israeli hacker. He was not prosecuted because his actions did not violate Israeli law. Datastream Cowboy was a 16-year-old British student who was charged with cyber crime. He pled guilty to the charges and received a fine.

1995  The Java programming language is released.

Amazon and Ebay are created. They later become the two largest online shopping places.

1997 The first infowar exercise is conducted by the US Department of Defence. It consisted of a “Red Team” whose job was to expose vulnerabilities. This exercise showed that the Red Team was able to access key systems using common, readily available technology.

1998 The U.S. federal budget includes $1.14 billion for critical infrastructure cyber security.

The company Google becomes incorporated by Larry Page and Sergey Brin while they are PhD students at Stanford University.

The Internet Corporation for Assigned Names and Numbers (ICANN) is founded. Its purpose is to serve as a main database in order to assign domain names for places on the internet.

The Digital Millennium Copyright Act (DMCA) is passed. It is an attempt to prevent piracy of digital media.

1999 Serbian hackers attack NATO servers. This disrupts NATO operations in Kosovo.

Unrestricted Warfare is released. It is a book of strategies that can be used to defeat the US. It covers a series of attacks such as cyber attacks.

2000 The I-LOVE-YOU virus spreads causing $10 billion in damages.

IBM releases its estimates on the cost of DDOS attacks. It states that online retailers can lose $10,000 per minute.

2001 An exploit in Microsoft’s Internet Information Server software allows for websites to be to be compromised for theft or destruction of data. This becomes known as the Code Red worm.

The European Convention on Cybercrime is passed

The U.S. Department of Homeland Security is established.

2002 NATO begins its Network Enabled Capabilities Transformation. It begins to adopt a network-centric warfare concept.

The Homeland Security Act is passed. This creates a cabinet-level department who are tasked to defend the nation, including its cyber infrastructure.

2003 The Titan Rain attacks steal 20TB of data from US government computers.

The SQL Slammer worm is released and it takes down the internet for 10 hours.

2007 Israel bombs a Syrian nuclear facility while using a cyber attack to take down Syrian radar systems

Estonia moves a statue of a Soviet soldier. This creates tension in the area and trigger what is now known the Estonia Cyber Attack where Russian hackers attack the nation’s cyber infrastructure.

The NSA commences PRISM, which is used to collect data on a mass scale.

The U.S. Air Force Cyber Command is created.

The NSA begin to infiltrate the networks of Huawei

2008 The U.S. military bans the use of flash drives as the rate of worm and virus infections increase

2010  The Stuxnet virus is discovered and reported.

2012 A spear phishing attack targets the US gas pipeline servers.

Iranian hackers launch DDOS attacks on Western Financial corporations.

2013 Edward Snowden releases the extent of the NSA surveillance program.

North Korea releases targeted malware to attack South Korea media

The .cn domain is taken offline with a DDOS attack

Israel foils a Syrian cyber attack that would have disrupted water to the city of Haifa

2014 The US indites five members of the Chinese PLA Unit 61398 for cyber espionage, cyber sabotage, and other computer crimes against private American corporations.

Hamas and Israel war in Gaza through the use of cyber attacks on their respective websites.

2015 The Adult cheating website Ashley Madison is hacked and its database leaked online.

T Mobile credit card company breached, releasing SSN, names, address and birth dates

2016 Ukraine’s powergrid is hacked and its SCADA systems exploited to take out power

The US DNC (Democratic National Committee) is hacked

2017 Petya Ransomware spreads worldwide, taking thousands of devices for ransom


Every aspect of our lives involve computer or internet connected devices in some form. It may not be common knowledge but down to the smallest detail, there is some device there that has been networked to allow for easy administration. As the technology world grows and develops more things that fit under the Internet of Things ideology, the more connected we are going to become. This does not happen without any consequence, there will still be conflicts and disputes between countries as the geopolitical climate of the world changes drastically. As countries become more technologically advanced, they too would make the transition towards cyber warfare as many already have. This advancement would also make them more technologically dependent. This paper highlighted the reasoning why a nation would move towards using cyber warfare. It has become too expensive in terms of dollar values and in terms of the human cost to fight wars with traditional combat. It has also highlighted the major cyber attacks that have taken place and what precedent they have set. The attacks saw that nothing was “off the table” and that anything and everything can be exploited in a cyber attack. To add to the woes, the analysis of international laws show no laws referring to cyber crimes. This means that unlike regular combat, where there are laws regarding what can and cannot be done, cyberwarfare can attack anything with no reprimands from the international community. There is also no international body looking to create cyber laws as there is the Geneva Convention for traditional combat. With all this at hand, it would be crucial for countries to bolster their cyber presence and capabilities in order to maintain any form of superiority on the global stage. All this can come to a head in the form of yet another global conflict, but it is a mystery on what will be used. Albert Einstein said in an interview “I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones.”