Recently, Ilona Khmeliova, Secretary of the Economic Security Council of Ukraine, was invited to the No Name Podcast to share her expert opinion on how international law applies to cyberspace.
Highlighting current challenges in this area, she noted that international law fully regulates relations in cyberspace. This is an axiom that, unfortunately, is still not recognised by some states.
Of course, not all issues are regulated by special treaties, such as the 2001 Convention on Cybercrime. When cyberattacks are considered war crimes or acts of aggression, general rules and regulations have to be used. However, these international legal norms are sufficient to adequately qualify the relevant actions of the Russians. For example, international humanitarian law, which prohibits attacks against civilian objects, also applies to Russian cyberattacks. If there is a missile attack against Ukraine's critical infrastructure and a cyberattack on the same infrastructure, this proves that Russia has a systematic policy and deliberate actions. And the Russians must be held accountable for all their war crimes.
Using the example of the current war in Ukraine, Ilona spoke about the complexity of attribution and proof. Even when it comes to classical aggression, not all lawyers interpret certain events in the same way. For example, it is sometimes difficult to distinguish between an unfriendly act at the border and an armed attack. There are even more questions about what kind of cyberattack can be qualified as an act of aggression. Two criteria will be important: the intent to harm the sovereignty of another state and the scale of the attack and its consequences. In addition, the different dimensions of Russian aggression are interrelated, which in practice makes it much easier to qualify cyberattacks as war crimes. When it comes to international responsibility, there are two components. First, the international legal responsibility of Russia as a state. Second, the criminal responsibility of the Russian political and military leadership.
At the same time, the current international system demonstrates the inability, in some cases, to use traditional international legal approaches to regulate actions in cyberspace and the need to develop new legal mechanisms to effectively respond to cyber threats. Therefore, it is a positive trend that the security agreements that Ukraine has already signed with a number of states contain references to cyber aggression. Ilona also supported the development of a new international convention, but stressed that such a document should contain a clear algorithm for implementing the responsibility of the offending state. Another possibility is the use of a broader definition of aggression by the Special Tribunal, which Ukraine is currently advocating for.
Ilona also mentioned the United Nations Charter, which establishes the right of states to self-defense. According to Article 51 of the Charter, a country has the right to use force if it is attacked by an armed attack. Ukraine has enjoyed its inherent right to self-defense since 2014. In addition, all states have the right to assist Ukraine. This means that all actions by Ukraine and its allies are legitimate. And Russia's attacks, even on military targets, are a manifestation of the illegal use of force and aggression. This is the main difference in qualifying all actions, including in cyberspace.