Regulating Cyberattacks on Space Infrastructure

Scholars examine how international law policies can be applied to cyber warfare.

Hours before Russia invaded Ukraine, hackers attacked satellite infrastructure in Eastern Europe and cut off internet access and communication capabilities across Ukraine. This attack crippled Ukraine’s ability to coordinate its defenses and led to several early victories for Russia.

Cyberattacks on space infrastructure have been increasing in frequency and severity over the past two decades, and this most recent attack on Ukraine has led many scholars to discuss the best way to regulate cyberattacks on space infrastructure. In a recent article, Brianna Bace and Unal Tatar from the University at Albany and Yasir Gökce of Germany’s DB InfraGO AG propose methods to apply existing international law doctrines to cyberattacks.

Bace, Tatar, and Gökce emphasize that modern societies have become increasingly reliant on data gathered by space infrastructure. They explain that the financial sector, transportation and logistics, emergency services, and many defensive capabilities all depend on global positioning, navigation, timing, and satellite communication systems.

Bace, Tatar, and Gökce note that this increased reliance on space systems has led many international bodies, such as the United Nations, NATO, and the European Union, to propose applying current international laws to cyberattacks on space infrastructure. Although Bace, Tatar, and Gökce agree, they acknowledge several factors that have made the application of these laws to cyberattacks difficult and have prevented the creation of any global cyber laws.

Bace, Tatar, and Gökce argue that three factors unique to cyberspace make applying traditional international law challenging. Bace, Tatar, and Gökce specifically identify the interconnectivity of cyber systems, the lack of clear boundaries between the private and public sectors, and the divergence from traditional geographic concepts as the main difficulties.

Bace, Tatar, and Gökce also explain that space infrastructure has two unique vulnerabilities. First, they note that the commercialization of the space industry has led to complicated supply chains in which suppliers are not sufficiently investigated and audited, which allows potential attackers to install backdoor technology that provides future access. Second, Bace, Tatar, and Gökce explain that satellites are difficult to repair or update once they are in orbit, and outdated technology is easier to hack.

Bace, Tatar, and Gökce analyzed proposals from different international organizations in light of these challenges to determine the best way to apply current international law norms to cyberattacks on space infrastructure. Bace, Tatar, and Gökce conclude that the following three legal frameworks in international law are the most applicable to these cyberattack scenarios.

The first framework Bace, Tatar, and Gökce discuss is the general principle of sovereignty. Bace, Tatar, and Gökce note that sovereignty is generally defined as “the supreme authority of every state within its territory.” They argue that because cyberattacks occur on territory controlled by nations and the attacks are conducted by persons or entities that states may exercise sovereignty over, cyberattacks can violate sovereignty if they breach territorial integrity or interfere with government functions.

The second framework that Bace, Tatar, and Gökce examine is the prohibition of intervention. They explain that a prohibited intervention is one that involves matters that a sovereign nation should be able to decide on freely for itself. Bace, Tatar, and Gökce contend that a cyber operation could be prohibited if it is coercive and impacts an internal or external affair of a nation that would otherwise be free from international obligations.

The final framework that Bace, Tatar, and Gökce discuss is the prohibition of the use of force. This law forbids nations from using or threatening to use force in their international relations, and Bace, Tatar, and Gökce explain that two approaches exist to determine what counts as a use of force.

The first approach Bace, Tatar, and Gökce examine is a target-based approach. Bace, Tatar, and Gökce explain that this approach defines the “force” of an action based on how critical the target of the attack is. They note that this definition means any intrusion into a critical piece of space infrastructure would allow the targeted nation to respond with self-defense. Bace, Tatar, and Gökce contend that this definition is dangerous, however, because the importance of space infrastructure results in almost any target qualifying. Furthermore, they assert that ordinary system failures can be easily mistaken for an attack, which could lead to misattributions and unjustified uses of self-defense.

For these reasons, Bace, Tatar, and Gökce prefer the second approach: the effect-based approach. Bace, Tatar, and Gökce explain that this approach considers a cyberattack a use of force if the qualitative and quantitative impacts are equivalent to an armed attack using conventional kinetic weapons, such as missiles.

Bace, Tatar, and Gökce conclude that these three frameworks could most reasonably include cyberattacks on space infrastructure. They recommend that international actors develop clear norms and legal frameworks—even if they do not align with Bace, Tatar, and Gökce’s suggestions—because well-defined standards are the most important factor for international security.