The war in Ukraine has been the first opportunity to gauge cyber’s role in kinetic warfare. American University’s Washington College of Law symposium, “Cyber in War: Lessons from the Russia-Ukraine Conflict,” convened experts to discuss the conflict and how cyber fits into the traditional understanding of international humanitarian law.
The conflict between Russia and Ukraine has brought many questions to the forefront among practitioners of international law. What is considered an attack in cyberspace? Are data tangible things? How do you meet the threshold for violence in cyberspace — should you take a means-based approach or effects-based? After three days of debate amongst conference stakeholders, it is clear that these questions will not be answered in a straightforward manner.
The international community is also grappling with these difficult concepts, as different states have various positions, which will make it extremely tough to prosecute Russian war crimes. The International Criminal Court of Justice (ICC) announced that it will be holding Russia accountable for war crimes committed in Ukraine, but the success of said prosecution will hinge on the international community having a unified understanding of how cyber fits into the law.
The symposium covered a myriad of relevant topics and themes, highlighting just how many aspects of international conflict are touched by cyber. Two clear themes emerged: the uncertainty around the role of private actors in the war in Ukraine and the different regional perspectives that experts are bringing to the conversation.
The Role of Private Companies
Private companies have played a significant role in Ukraine: providing cybersecurity tools and infrastructure, migrating data to the cloud, protecting users from harmful disinformation, assisting with threat intelligence, and more. However, this assistance has not come without hiccups, new questions, and lessons learned.
One lesson learned was that much of the cyber culture and way of thinking in Ukraine had to change quickly. Before the conflict, Ukraine had very stringent regulations around data localization, but given the cybersecurity threat posed by Russia, as well as the risk posed to technology infrastructure on the ground, Ukrainian leaders had to quickly pivot to storing data in the cloud, relying on the help of various Cloud Service Providers to make the transition.
Many of the questions posed on this topic were on the role private companies are playing in this conflict:
- To what extent do companies make themselves targets by aiding the opposing side?
- What liabilities do companies take on by helping?
- How will international law and rules around war and conflict be applied to private companies?
- What are the consequences of leaving critical defenses in the hands of private entities?
- What happens if companies that have been providing critical assistance suddenly pull out, resulting in negative consequences?
Panelists did not have concrete answers for these questions, and eventually these and others will be answered as the international community reacts to this and future conflicts. Furthermore, many of these questions remain unanswered for cyber conflict more broadly, complicating the issues.
Panelists were adamant, however, that this will not be the last conflict with a large cyber component and that, as such, private and public entities need to strengthen the channels for cooperation, particularly in times of crisis. Additionally, to ensure future resilience, technology and cybersecurity regulations need to be outcome-based instead of prescriptive to enable companies to create solutions and to stay agile in developing fields.
Another theme among participants was the regional perspectives on understanding cyber’s impact in the war in Ukraine.
For example, representatives from Singapore noted that the country has reaffirmed the application of international humanitarian law (IHL) to the use of cyber in armed conflict as well as the right to self-defense. Singapore has made clear that in certain circumstances it would regard a cyber-attack that did not result in death or injury as constituting an armed attack because of how intertwined its daily life is with the internet. In Singapore, most government services are held on an app that citizens use for health services, identification, and other purposes. Therefore, a disruption to these services would amount to the right to self-defense.
India, however, has taken a position of strategic neutrality and has not openly called out Russia as an instigator in the Ukrainian conflict. Representatives from India explained that it was not in the country’s best interest to make a statement on cyber’s applicability in IHL, as their focus remains on their supply chains and interdependence on Chinese technological imports. However, they noted that India has instead turned to making statements in non-binding agreements, such as in the United Nations Ad Hoc Cybercrime Treaty negotiations, in the QUAD forum, and in the G20.
A representative from the LATAM region expressed how difficult it was to characterize the region. While most countries have remained neutral to the conflict, some states have expressed extreme views on the situation. The region has seen an overall increase in ransomware attacks on service providers and critical infrastructure, which has led to increased engagement in international discussions of cybersecurity, reflecting a better understanding of cyber as a discipline across the LATAM region.
Lastly, in part because of these diverging perspectives, joint cyber operations can present their own challenges, depending on how each state interprets cyber in international law. Understanding a state’s position on these key issues will enable interoperability and the success of coalition operations in the future, which is an important lesson learned from Ukraine.
In his closing remarks, former National Cyber Director Chris Inglis emphasized that collaboration with international and industry partners was crucial for Ukraine defending itself against the Russian forces. Having the expertise necessary, remaining agile, innovating on the fly, and making the necessary investments into technological advancements are other core tenets of Ukraine’s approach that the international community should learn from and adopt in future efforts.
Inglis also highlighted the “secure-by-design” culture that organizations must inhabit, situating humans at the center of technology's impact, and prioritizing security and resiliency at every stage of research, development, and production of internet-connected devices. These lessons will enable a state to best protect itself against the barrage of cyberattacks being committed by malicious threat actors.
The American University’s Washington College of Law symposium was hosted in collaboration with the Lieber Institute, West Point; The Federmann Cyber Security Research Center, Hebrew University of Jerusalem; The Center for International Law, National University of Singapore; and NATO’s Cooperative Cyber Defence Center of Excellence.