A report in The New York Times on the October 2020 breakdown of the Mumbai power distribution system points a finger at Chinese cyber hackers.
India’s financial capital faced severe disruptions following a major power outage, reportedly resulting from a grid failure.
The Mumbai Metropolitan Region, Navi Mumbai and Thane are just a handful of the areas that had electricity supply cut off.
Suburban train services across the Central and Western Railway were also suspended.
The outage is believed to have been caused by multiple tripping of lines and transformers at Kalwa-Padge and Kharghar.
Questions that arise on definition of combat and combatants:
While the truth may remain hidden, the discussion points to a macro issue.
- When, and under what conditions, would a non-kinetic strike, say a cyberattack, be considered an attack on the state?
- And under international rules of self-defence, what response would be considered legal?
- Would only a cyber counter-attack be justifiable or a kinetic response also be acceptable? Would a pre-emptive strike be kosher?
- These and other questions are knocking at our door, even as the definition of combat and combatants undergoes fast mutation.
About Cyber Attack:
A cyber-attack is an assault launched by cybercriminals using one or more computers against a single or multiple computers or networks.
A cyber-attack can maliciously disable computers, steal data, or use a breached computer as a launch point for other attacks.
Cybercriminals use a variety of methods to launch a cyber-attack, including malware, phishing, ransomware, denial of service, among other methods.
The universally accepted Lieber Code of 1863 defines a combatant.
It says, “So soon as a man is armed by a sovereign and takes the soldier’s oath of fidelity, he is a belligerent…”; all others are non-combatants.
An organised group of “belligerents” constitutes a regular armed force of a state.
The 1899 Hague Convention brings in further clarity of what constitutes a regular force.
- First, the force should be commanded by a person responsible for his subordinates.
- Second, it must have a distinctive emblem recognisable at a distance.
- Third, it must carry arms openly.
- And last, it must conduct operations in accordance with laws and customs of war.
Those who conducted the (yet unproven) Mumbai ‘cyberattack’ or the 2007 attack on Estonia’s banking system did not meet any of the four conditions of being called combatants, but still wreaked havoc.
A combatant, thus, needs to be redefined due to three reasons:
- First, a cyber ‘army’ need not be uniformed and may consist of civilians.
- After the cyberattack on Estonia, the government set up a voluntary Cyber Defence Unit whose members devote their free time towards rehearsing actions in case of a cyberattack.
- A rogue nation could well turn these non-uniformed people into cyber ‘warriors’.
- Second, cyber ‘warriors’ do not carry arms openly. Their arms are malicious software which is invisible.
- And finally, the source of the attack could be a lone software nerd who does not have a leader and is up to dirty tricks for money, blackmail or simply some fun.
- None of these meet the requirements of The Hague Convention but the actions of these non-combatants fall squarely in the realm of national security.
This raises two very basic inquiries that need deliberation:
State sponsored attacks are a highly rewarding and relatively low cost/low risk way to carry out espionage and military operations.
The likelihood of being able to attribute attacks back to a particular country with sufficient rigor is extremely low – and the success rate on any concerted effort is almost entirely assured.
Given this, countries that have pioneered the practice of cyber operations have enormously increased their capabilities.
- First, would the nation employing civilians in computer network attacks not be in violation of the laws of war?
- And second, if these people are considered as combatants, would the target country have the right to respond in self-defence?
- A response would be reactive, after the attacker has conducted his operation; hence, as a right of self-defence, would an act of pre-emption (through kinetic means and/or through cyber) be in order?
- This argument may appear far-fetched now but needs to be examined as India seems to have a new view on the concept of the right to self-defence.
View of the right to self-defence:
In a February 24, 2021 UN Arria Formula meeting on ‘Upholding the collective security system of the UN Charter’, the Indian statement says, “…a State would be compelled to undertake a pre-emptive strike when it is confronted by an imminent armed attack from a non-state actor operating in a third state.”
Cyberattacks may not kill directly but the downstream effects can cause great destruction.
International actions against hackers have been generally limited to sanctioning of foreign nationals by target nations.
In 2014, for the first time, a nation (the U.S.) initiated criminal actions against foreign nationals (five Chinese operatives of Unit 61398 of the People’s Liberation Army) for computer hacking and economic espionage.
A Cyber Attack is Preventable:
- Despite the prevalence of cyber-attacks, Check Point data suggests that 99 percent of enterprises are not effectively protected.
- However, a cyber-attack is preventable. The key to cyber defence is an end-to-end cyber security architecture that is multi-layered and spans all networks, endpoint and mobile devices, and cloud.
- With the right architecture, you can consolidate management of multiple security layers, control policy through a single pane of glass.
- This lets you correlate events across all network environments, cloud services, and mobile infrastructures.
- In addition to architecture, Check Point recommends these key measures to prevent cyber-attacks:
- Maintain security hygiene
- Choose prevention over detection
- Cover all attack vectors
- Implement the most advanced technologies
- Keep your threat intelligence up to date
Best practices include the following:
- Implementing perimeter defences, such as firewalls, to help block attack attempts and to block access to known malicious domains;
- Using software to protect against malware, namely antivirus software, thereby adding another layer of protection against cyber attacks;
- Having a patch management program to address known software vulnerabilities that could be exploited by hackers;
- Setting appropriate security configurations, password policies and user access controls;
- Maintaining a monitoring and detection program to identify and alert to suspicious activity;
- Creating incident response plans to guide reaction to a breach; and
- Training and educating individual users about attack scenarios and how they as individuals have a role to play in protecting the organization.
There is no guaranteed way for any organization to prevent a cyber-attack, but there are numerous cybersecurity best practices that organizations can follow to reduce the risk.
Reducing the risk of a cyber-attack relies on using a combination of skilled security professionals, processes and technology.
The question is, how long before this escalates to covert and/or overt kinetic retaliation.
India seems to have made its intentions clear at the UN meet, but this is a game that two can play; if not regulated globally, it could lead to a wild-west situation, which the international community should best avoid by resolute action.