Abstract
Despite the fact that heightened geopolitical tensions brought about by the Russia-Ukraine Conflict may spur a stalemate in the UN’s consensus-based efforts to advance international law and norms in cyberspace, the conflict has given rise to a number of challenging questions of international law applicable to cyberspace in armed conflict, notably regarding the extent to which the existing relevant rules of international law are applicable and at what point we need the development of new rules tailored to the unique features of cyberspace. With that in mind, aiming to offer some key takeaways from the conflict, this chapter attempts to explore: (1) whether and when Ukraine’s cyber volunteers could be deemed as engaging in unprivileged belligerency; (2) what the legal consequences would be in that case; and (3) what kind of responsibilities and obligations Ukraine and the third States would incur from those acts of unprivileged belligerency.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
See, eg, Stokel-Walker (2022).
- 2.
See, eg, Landau (2022).
- 3.
Lewis (2022).
- 4.
- 5.
See United States Senate (2022), p. 3.
- 6.
See North Atlantic Treaty Organization (NATO) (2022).
- 7.
See Microsoft (2022) p. 5.
- 8.
See, eg, BBC (2022).
- 9.
See the official website of IT Army of Ukraine: https://itarmy.com.ua/?lang=en.
- 10.
See the dedicated channels of the IT Army of Ukraine: https://t.me/s/itarmyofukraine2022.
- 11.
See Soesanto (2022), p. 4.
- 12.
See also Soesanto (2022), pp. 15–19, Waterman (2023) (“it is not only hacktivists who clutter up cyberspace during time of conflict. Just as looters and marauders take advantage of the chaos of war in real life, so cybercriminals have sought to monetize the online chaos that accompanies digital conflict… Using the fog of war for profit, cyber criminals commit financially motivated crimes and just sign themselves as the IT Army or KillNet.”).
- 13.
Soesanto (2022), p. 4.
- 14.
See United Nations (2021).
- 15.
See, eg, Schmitt (2017), pp. 415–419 (Rule 92).
- 16.
- 17.
See UK Ministry of Defence (2005), para 4.3.3.
- 18.
ICRC (2009), p. 23.
- 19.
Prosecutor v. Tadić, IT-94-1-A, ICTY, Appeals Chamber, Judgment, July 15, 1999, para 145.
- 20.
Soesanto (2022), p. 28.
- 21.
Soesanto (2022), pp. 23–24.
- 22.
See Schmitt (2017), p. 405, para 11.
- 23.
Schmitt (2017), p. 405, para 12. On the other hand, it may be meaningful to keep putting its own uniform on as it allows a combatant to justify the compliance with the prohibition on perfidious acts of feigning civilian or non-combatant status. See, eg, Mačák (2021), p. 420.
See Schmitt (2017), p. 406, para 14.
- 24.
Ministry of Foreign Affairs of Japan (2021), p. 50.
- 25.
Soesanto (2022), p. 28.
- 26.
See Schmitt (2017), pp. 389, 404–405.
- 27.
See, eg, Soesanto (2022), pp, 7–19.
- 28.
See, eg, Miller (2022) (“Victor Zhora, the deputy chair of Ukraine’s State Service of Special Communications and Information Protection, a key Ukrainian cyber agency, stressed in an interview that the IT Army has no government connection, but also described the group as invaluable. … Ukraine doesn’t perform any offensive operations and does not coordinate the IT Army, but considering the level of destruction, the level of evil that Russia’s doing in Ukraine, we are grateful to all people that contribute to the weakening of our enemy,” Zhora said.”), New York Times (2022) (“We not only defend ourselves, but we are able to counterattack with the help of our cybervolunteers”).
- 29.
It is generally understood that a territory is considered occupied when it is under the effective control of the hostile armed forces, in view of Article 42 of the Hague Convention on the Laws and Customs of War on Land of 1907 which sets out the following: “Territory is considered occupied when it is actually placed under the authority of the hostile army. The occupation extends only to the territory where such authority has been established and can be exercised.” See, eg, International Committee of the Red Cross (2012), p. 7, Ferraro (2012), pp. 136–139.
- 30.
See also Buchan and Nicholas (2022).
- 31.
See generally Olson (2015), pp. 911–938. Some countries like the United States, as a non-contracting party to the API, have underlined that unprivileged belligerents should be classified as the persons distinct from combatants and civilians for their treatments as a matter of customary international law applicable to armed conflict. See, eg, United States Department of Defense (2016), para 4.3.1 (“Although seldom explicitly recognized as a class in law of war treaties, the category of unprivileged belligerent may be understood as an implicit consequence of creating the classes of lawful combatants and peaceful civilians. The concept of unprivileged belligerency, i.e., the set of legal liabilities associated with unprivileged belligerents, may be understood in opposition to the rights, duties, and liabilities of lawful combatants and peaceful civilians. Unprivileged belligerents include lawful combatants who have forfeited the privileges of combatant status by engaging in spying or sabotage, and private persons who have forfeited one or more of the protections of civilian status by engaging in hostilities.”). See also Anderson (2007). On the flip side, a number of experts emphasize that there is no intermediate status under the law of armed conflict, which is also adopted by the ICTY which opined that “there is no gap between the Third and the Fourth Geneva Conventions. If an individual is not entitled to the protections of the Third Convention as a prisoner of war, (or of the First or Second Conventions) he or she necessarily falls within the ambit of Convention IV, provided article 4 requirements are satisfied.” Prosecutor v. Delalic, Case No. IT-96-21-T, Judgment, November 16, 1998, para 271. This is also the view shared by the ICRC. International Committee of the Red Cross (2007), p. 727.
- 32.
Corn (2011), p. 289.
- 33.
See, eg, Olson (2015), pp. 915–917.
- 34.
See, eg, International Committee of the Red Cross (2009), pp. 83–85.
- 35.
As for the temporal issue of the notion of “unless and for such time as,” see, eg, Boothby (2010), p. 742.
- 36.
See International Committee of the Red Cross (2009), p. 16.
- 37.
United States Department of Defense (2016), para 5.8.1.2.
- 38.
See Schmitt (2017), pp. 428–432 (Rule 97).
- 39.
See International Committee of the Red Cross (2009), pp. 41–64.
- 40.
For instance, the hacktivist group, “disBalancer” (https://disbalancer.com/) has been engaged in cyberattacks to help Ukraine liberate from Russia, using the DDoS tool called “Liberator,” and professes its relationship with the Ukrainian government, advertising that “We’re acting in coordination with the Ministry of Digital Transformation of Ukraine.” See, eg, Soesanto (2022), pp. 15–19.
- 41.
See, eg, Jin (2022).
- 42.
See, eg, Duguin and CyberPeace Institute (2022) (“The publication of large volumes of sensitive data has become part and parcel of the cyberthreat landscape during the conflict. Acting in the name of anti-war activism, collectives have conducted a significant number of hack-and-leak attacks which lead to sensitive customer and corporate data, including personal data, being made publicly available. These attacks raise significant questions relating to the protection of individuals, data protection, and the potential for malicious use of this data in the future.”). As for impacts of malicious cyber operations on humanitarian sectors, see also Marelli (2023).
- 43.
Soesanto (2022), p. 16.
- 44.
See Waterman (2023).
- 45.
See Conger and Satariano (2022).
- 46.
International Committee of the Red Cross (2009), pp. 38–39.
- 47.
See Mačák (2021), p. 420.
- 48.
See, eg, Radauskas (2023).
- 49.
Healey and Grinberg rightly observe this point: “Since Russia’s invasion of Ukraine, these cyber norms are being actively undermined—and not just by Russia. These “like-minded” states—many of them Western nations—that have mobilized to provide support to Ukraine in its plight against Russia should continue to do so and loudly call out Russian atrocities. But to ensure that these norms are globally respected, these States must not facilitate selective enforcement and ignore Ukrainian violations of this hard-negotiated diplomatic consensus.” See Healey and Grinberg (2022).
- 50.
Prosecutor General’s Office of Ukraine, Crimes Committed During Full-Scale Invasion of the RF, https://www.gp.gov.ua/.
- 51.
See, eg, Bothe et al (2013), pp. 620–621.
- 52.
See, eg, Sandoz et al (1987), para 3651.
- 53.
International Committee of the Red Cross (2016), p. 36, para 118.
- 54.
International Committee of the Red Cross (2016), p. 46, para 151.
- 55.
On the flip side, some experts argue that the obligation applies to the parties to an armed conflict alone. See, eg, Schmitt and Watts (2020).
- 56.
- 57.
As recent research that demonstrates the difficulty in applying the law as it is to cyberspace, see Neuman (2021).
- 58.
Tallinn Manual 2.0 derives Rule 152 on neutral obligations from Article 5, para 1 of HCV. See Schmitt (2017), pp. 558–560.
- 59.
Schmitt (2017), p. 559, para 5.
- 60.
See footnote 59.
- 61.
Tsagourias poses similar questions, stating as follows: “more critical issue is whether online recruitment on neutral servers but from sites controlled by Ukraine (for example by functionally controlling or exclusively managing the site) breaches Article 4 Hague Convention V. … Would Article 4 Hague Convention V apply if those recruited online remain physically within the neutral State? … If, however, one wants to look beyond the physical boundaries of the law and look at their digital version in the form of digital persona and digital territory as determined for example by IP addresses, it is possible to argue that Article 4 Hague Convention V does not apply because those recruited are digitally operating outside neutral territory.” See Tsagourias (2022).
- 62.
This controversial issue remains highly debated and entangled with other related issues, such as the definition of cyberspace and loss of data location in cybercrime investigation. Highlighting the virtual character, the UK government defines cyberspace as “the interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computer systems, internet connected devices and embedded processors and controllers. It may also refer to the virtual world or domain as an experienced phenomenon, or abstract concept.” See United Nations (2021), p. 115 n. 272. In a similar vein, as a view that underlines the de-territorial character of cyberspace, see Council of Europe (2013), p. 9, para 298 (“While the principle of territoriality will remain predominant, in particular with respect to jurisdiction to enforce, the applicability of this principle in “cyberspace”—where data are moving between, are fragmented over, are dynamically composed from, or are mirrored on servers in multiple jurisdictions—is in doubt. It is not possible to apply the principle of territoriality if the location of data is uncertain.”). By contrast, see Akande et al. (2021) (“what we often call ‘cyberspace’ is nothing more than a set of information and communications technologies that enable individuals to exchange and process information more efficiently, such as the Internet and other networks. As much as software, code and data play a significant role in how these technologies operate, they are necessarily made up of physical components or hardware, such as cables, satellites, radio waves, computers and their millions of silicon circuits, as well as the individuals who build, control and use software, hardware and data. Likewise, even if these multifaceted physical components cross national borders to create an imaginary ‘global information space’, as encapsulated in terms such as ‘The Cloud’, ‘World Wide Web’, or ‘Virtual Reality’, these remain very much grounded in tangible physical infrastructure as well as human beings of flesh and bone that are located somewhere in the world.”).
- 63.
To take a prominent example, UK has showed its hesitancy to recognize the principle as applicable to cyberspace as a legally-binding rule since a 2018 speech by then-Attorney General, Jeremy Wright. See UK Attorney General’s Office and The Rt Hon Sir Jeremy Wright KC MP (2018) (“Sovereignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law.”).
References
Akande, D., et al. 2021. Old habits die hard: applying existing international law in cyberspace and beyond. EJIL: Talk! January 5, 2021. https://www.ejiltalk.org/old-habits-die-hard-applying-existing-international-law-in-cyberspace-and-beyond/.
Anderson, K. 2007. Unprivileged belligerents (or illegal combatants). Opinio Juris. January 17, 2007. http://opiniojuris.org/2007/01/17/unprivileged-belligerents-or-illegal-combatants/.
BBC. 2022. Musk says SpaceX will keep funding Ukraine Starlink internet. BBC News. October 16, 2022. https://www.bbc.com/news/world-us-canada-63266142.
Boothby, B. 2010. ‘And for such time as’: the time dimension to direct participation in hostilities. New York University Journal of International Law and Politics. 42: 741–768.
Bothe, M., et al. 2013. New Rules for Victims of Armed Conflicts: Commentary on the Two 1977 Protocols Additional to the Geneva Conventions of 1949, 2nd ed. Martinus Nijhoff Publishers.
Buchan, R., and T. Nicholas. 2022. Ukranian ‘IT army’: a Cyber Levée en Masse or civilians directly participating in hostilities? EJIL: Talk! March 9, 2022. https://www.ejiltalk.org/ukranian-it-army-a-cyber-levee-en-masse-or-civilians-directly-participating-in-hostilities/.
Conger, K., and A. Satariano. 2022. Volunteer hackers converge on Ukraine conflict with no one in charge. New York Times. March 4, 2022. https://www.nytimes.com/2022/03/04/technology/ukraine-russia-hackers.html.
Corn, G.S. 2011. Thinking the unthinkable: has the time come to offer combatant immunity to non-state actors? Stanford Law and Policy Review 22: 253–294.
Council of Europe. 2013. T-CY (2013). 30, November 5, 2013. https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016802e712e.
Duguin, S., and CyberPeace Institute. 2022. How an armed conflict is destabilizing cyberspace for us all. CyberPeace Institute News. November 11, 2022. https://cyberpeaceinstitute.org/news/how-armed-conflict-is-destabilizing-cyberspace/.
Ferraro, T. 2012. Determining the beginning and end of an occupation under international humanitarian law. International Review of the Red Cross 94: 133–163. https://doi.org/10.1017/S181638311200063X.
Healey, J., and O. Grinberg. 2022. Patriotic hacking’ is no exception. Lawfare. September 27, 2022.
Heintschel von H.W. 2007. ‘Benevolent’ third states in international armed conflicts: the myth of the irrelevance of the law of neutrality. In International law and armed conflict: exploring the faultlines, ed. Schmitt MN, and J. Pejic. Brill.
International Committee of the Red Cross. 2007. International humanitarian law and the challenges of contemporary armed conflicts: document prepared by the international committee of the red cross for the 30th international conference of the Red Cross and Red Crescent, Geneva, Switzerland, 26–30 November 2007. International Review of the Red Cross 89: 719–757.
International Committee of the Red Cross. 2009. Interpretive guidance on the nation of direct participation in hostilities under international humanitarian law.
International Committee of the Red Cross. 2012. Expert Meeting: Occupation and Other Forms of Administration of Foreign Territory. Report Prepared and Edited by Tristan Ferraro.
International Committee of the Red Cross. 2016. Commentary on the first Geneva convention. Cambridge University Press.
Jin, H. 2022. SpaceX chief Musk warns that its Starlink system could be ‘targeted’ in Ukraine. Reuters. March 4, 2022. https://jp.reuters.com/article/us-ukraine-crisis-starlink-idCAKCN2L02N2.
Landau, S. 2022. Cyberwar in Ukraine: what you see is not what’s really there. Lawfare. September 30, 2022. https://www.lawfareblog.com/cyberwar-ukraine-what-you-see-not-whats-really-there.
Lewis, J.A. 2022. Cyber war and Ukraine. CSIS Report. June 16, 2022. https://www.csis.org/analysis/cyber-war-and-ukraine.
Mačák, K. 2021. Unblurring the lines: military cyber operations and international law. Journal of Cyber Policy 6: 411–428. https://doi.org/10.1080/23738871.2021.2014919.
Marelli, M. 2023. Opening an ICRC delegation for cyberspace. EJIL: Talk! February 9, 2023. https://www.ejiltalk.org/opening-an-icrc-delegation-for-cyberspace/.
Microsoft, 2022. Defending Ukraine: Early lessons from the cyber war. June 22, 2022. https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE50KOK.
Miller, M. 2022. Ukraine’s largest telecom stands against Russian cyberattacks. Politico. September 7, 2022. https://www.politico.com/news/2022/09/07/hackers-ukraine-telecom-00055060.
Ministry of Foreign Affairs of Japan. 2021. Basic position of the Government of Japan on International Law applicable to cyber operations. United Nations. May 28, 2021.
Neuman, N. 2021. Neutrality and cyberspace: bridging the gap between theory and reality. International Law Studies 97: 765–802.
New York Times. 2022. Russia-Ukraine War: Kremlin pushes for staging annexation votes; U.S. calls them a ‘Sham.’ September 20, 2022. https://www.nytimes.com/live/2022/09/20/world/ukraine-russia-war.
North Atlantic Treaty Organization (NATO). 2022. Statement by NATO heads of state and government. March 24, 2022. https://www.nato.int/cps/en/natohq/official_texts_193719.htm.
Olson, L.M. 2015. Status and treatment of those who do not fulfil the conditions for status as prisoners of war. In The 1949 Geneva conventions: A commentary, ed. Clapham et al. Oxford University Press.
Radauskas, G. 2023. Russia wants to legalize cybercrime for homeland. Cybernews. February 13, 2023. https://cybernews.com/news/russia-cybercrime-for-homeland/.
Sandoz, Y., et al. 1987. Commentary on the additional protocols of 8 June 1977 to the Geneva conventions of 12 August 1949. Martinus Nijhoff.
Schmitt, M.N. 2017. Tallinn manual 2.0 on the international law applicable to cyber operations. Cambridge University Press.
Schmitt, M.N., and S. Watts. 2020. Common article 1 and the ‘duty to ensure respect.’ International Law Studies. 96: 674–706.
Schmitt, M.N. 2023 ‘Strict’ versus ‘Qualified’ neutrality. Articles of War. March 22, 2023. https://lieber.westpoint.edu/strict-versus-qualified-neutrality/.
Soesanto, S. 2022. The IT Army of Ukraine: Structure, tasking, and ecosystem. cyberdefense report. Center for Security Studies (CSS). ETH Zürich. June 2022. https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-2022-06-IT-Army-of-Ukraine.pdf.
Tsagourias, N. 2022. Cyber neutrality, cyber recruitment, and cyber assistance to Ukraine. Articles of War, April 19, 2022. https://lieber.westpoint.edu/cyber-neutrality-cyber-recruitment-cyber-assistance-ukraine/.
UK Attorney General’s Office and The Rt Hon Sir Jeremy Wright KC MP. 2018. Cyber and international law in the 21st century. Gov. UK. May 23, 2018. https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century/.
UK Ministry of Defence. 2005. The Manual of the Law of Armed Conflict. Oxford University Press.
United Nations. 2021. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by states, submitted by participating governmental experts in the Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace in the Context of International Security established pursuant to General Assembly resolution 73/266. UN Doc. A/76/136. July 13, 2021. https://ccdcoe.org/uploads/2018/10/UN_-Official-compendium-of-national-contributions-on-how-international-law-applies-to-use-of-ICT-by-States_A-76-136-EN.pdf.
United States Department of Defense. 2016. Law of War Manual. June 2015 (Updated December 2016). https://dod.defense.gov/Portals/1/Documents/pubs/DoD%20Law%20of%20War%20Manual%20-%20June%202015%20Updated%20Dec%202016.pdf?ver=2016-12-13-172036-190.
United States Senate. 2022. Posture Statement of General Paul M. Nakasone, Commander, United States Cyber Command, Before the 117th Congress Senate Committee on Armed Services. April 5, 2022. https://www.armed-services.senate.gov/imo/media/doc/5%20Apr%20SASC%20CYBERCOM%20Posture%20Statement%20(GEN%20Nakasone)%20-%20FINAL.pdf.
Stokel-Walker, C. 2022. Will Russia’s invasion of Ukraine trigger a massive cyberwar? New Scientist. February 23, 2022. https://www.newscientist.com/article/2309369-will-russias-invasion-of-ukraine-trigger-a-massive-cyberwar/.
Waterman, S. 2023. Ukraine’s volunteer cyber army could be blueprint for the world: Experts. Newsweek. February 21, 2023. https://www.newsweek.com/ukraine-war-cyber-army-attack-strategy-warfare-1780970.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this chapter
Cite this chapter
Kurosaki, M. (2023). Unprivileged Belligerency in a Deterritorialized Cyber Battlefield? Some Lessons Learned from the Russia-Ukraine Conflict. In: Furuya, S., Takemura, H., Ozaki, K. (eds) Global Impact of the Ukraine Conflict. Springer, Singapore. https://doi.org/10.1007/978-981-99-4374-6_16
Download citation
DOI: https://doi.org/10.1007/978-981-99-4374-6_16
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-4373-9
Online ISBN: 978-981-99-4374-6
eBook Packages: Law and CriminologyLaw and Criminology (R0)