On April 16, Western governments blamed Russia over cyberattacks targeting network infrastructure worldwide. The attacks have affected network routers, switches, firewalls and network intrusion detection systems, according to The Guardian. Western leaders deemed cyber-offensive action the appropriate response to the purported Russian attack.
Earlier, Defense Minister Ryamizard Ryacudu, speaking at the international conference on cybersecurity in Jakarta on March 5, had argued that cyberwar posed a very real threat to national security, along with terrorism and drugs. It has been reported that a significant number of cyberattacks — exactly 205,502,159 — occurred in 2017, most of which were directed against government websites and categorized as cybervandalism, according to the Indonesia Security Incident Response Team on Internet Infrastructure.
Cyberwar is not governed in the 2001 Budapest Convention on Cybercrime, as this convention substantively deals with illegal access/hacking, interception, misuse of devices, computer-related forgery and fraud, child pornography, etc. To date, there is no binding international legal instrument encompassing cyberwar.
Nonetheless, a prominent document governing cyberwarfare is the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, authored by distinguished international law practitioners and scholars with facilitation from NATO’s Cooperative Cyber Defense Centre of Excellence in Tallinn, Estonia.
That manual, however, does not express any opinion about the weaponizing of artificial intelligence or autonomous weapons, as recently discussed by the United Nations.
That manual not only substantively deals with the use of force by states in the context of military operations, but also examines key aspects of the public international law governing cyberoperations during peace time. Whereas, according to the manual, the term cyberoperation refers to the employment of cybercapabilities (cyberweapons, tactics and methods) to achieve objectives in or through cyberspace, the definition of cyberwar appears not to have been explicitly stipulated.
Nevertheless, an online glossary of the above NATO center indicates that cyberwar as is escalated state of cyberconflict between two or more states carried out by state actors against cyberinfrastructure as part of a military campaign. Cyberwar can be either declared war or de facto war with the absence of a declaration (ccdcoe.org).
In that context, cyberwar connotes a cyberattack carried out by state actors that can be compared to cyberterrorism, where an act/threat of violence (usually) by non-state actors creates fear or compliance in a victim or a wider audience for political endsas cited by the scholar Peter Grabosky.
States, however, may be responsible for cyberoperations directed against other states even though those operations are not conducted by state organs. The manual articulates, as supported by customary international law, that operations carried out by non-state actors shall be attributable to the state if the person or group acts under the instruction of, the direction of or the control of that state. Any state that sponsors the cyberattacks operations will also be held responsible for the damage caused.
Attributing responsibility for a cyberattack, is not an easy task for authorities, as digital evidence of cyberattacks exhibits peculiar challenges, inter alia, anticomputer forensics, distributed evidence and technical challenges. Even the victims of cyberattacks are often reluctant to report the attacks because of embarrassment, a lack of awareness, or ignorance of what to do. Often they simply put it down to experience, as researchers and reports note.
In Indonesia, even though neither the 2002 Defense Law nor the 2008 Electronic Information and Transactions Law deal specifically with cyberwarfare or cybersecurity, those pieces of legislation certainly admit that technological development decisively influences the form of threats to national sovereignty and political independence. In that connection, the Defense Minister promptly issued Ministerial Regulation No. 82/ 2014 on defense guidelines regarding cyberwar, cyberterrorism, cyberespionage, etc.
Indonesian authorities thus have powers to take defensive action or conduct counterattacks against cyberattacks that might prejudice national security. The International Law Commission in its draft articles on the “responsibility of states for internationally wrongful acts” incorporated countermeasures as action taken by a state in response to an international wrongful act of another state directed against the former state.
To invoke the right to conduct countermeasures, the action must be proportionate to the damage resulting from a cyberattack; otherwise it would be considered a mere reprisal in international law. Countermeasures are considered one of the preclusions of wrongfulness, whereas international law prohibits states from taking revenge.
All in all, the alleged cyberattack on critical infrastructure in the case between some Western countries and Russia provides insight for Indonesia to strengthen national cybersecurity whenever cyberwar is inevitable.
Thus authorities should identify public and private entities that provide essential services for the maintenance of critical societal and/or economic activities, such as energy (e.g. electricity, oil, and gas), transportation (e.g. air, rail, road and water transportation), banking and financial market infrastructure, the health care system, and digital infrastructure (e.g. telecommunication, internet service providers and online media players).
Apart from adopting and maintaining organizational and technical cybersecurity measures, operators of those services should promptly notify the authority for ascertaining risks with regard to whether or not a cyberattack has a significant impact on the continuity of essential services.
The authors are digital business and technology lawyers at Bahar law firm. The views expressed are their own.
Disclaimer: The opinions expressed in this article are those of the author and do not reflect the official stance of The Jakarta Post.