Reclassifying Cyber Attacks as War Crimes

By Jeffrey Wells, NSI Visiting Fellow

Cyberattacks on critical infrastructure must be classified as war crimes. The escalating tactics of nation-state cybercriminals, exemplified by Russia in the ongoing war in Ukraine, demonstrate a clear alignment between their cyberattacks and the physical assaults carried out by their military. This convergence of tactics has reached a gravity that demands urgent action. We must recognize these cyberattacks as war crimes to mirror our condemnation of traditional acts of warfare.

Reclassifying cyberattacks on critical infrastructure as war crimes aligns seamlessly with the objectives outlined in in the 2023 US National Cybersecurity Strategy (NCS). The NCS emphasizes defending critical infrastructure, disrupting and dismantling threat actors, and forging international partnerships to pursue shared goals. We can proactively safeguard critical infrastructure and fortify our defenses against hostile actors by designating cyberattacks as war crimes as a deterrent.

The foremost consideration in this reclassification is the protection of the American people. Cyberattacks targeting critical infrastructure pose a significant threat to national security and jeopardize the safety of American citizens. By classifying these attacks as war crimes, we unequivocally convey that the United States will not tolerate such acts of aggression. It signals our unwavering commitment to take decisive action and hold the perpetrators accountable for their actions.

We must recognize that critical infrastructure forms the backbone of our economy, and any disruption or destruction can have far-reaching consequences. The committing of war crimes, which currently can include a wide range of actions that cause harm to individuals or property and are often characterized by their grave nature and the intentional targeting of civilians, prisoners of war, or other protected persons, carries severe repercussions. By specifically including cyberattacks on critical infrastructure as part of that definition, potential perpetrators must understand the ramifications before launching cyber offensives targeting critical infrastructure. Taking a proactive stance strengthens our defenses and serves as a deterrent, dissuading hostile actors from engaging in malicious cyber activities.

The United States should play a pivotal role in shaping the global narrative surrounding cyber warfare by leading the charge in reclassifying cyberattacks on critical infrastructure as war crimes. This proactive approach advances American influence and underscores our commitment to international norms and rules, such as the UN Charter and the Geneva Conventions. It sets an exemplary standard for other nations, encouraging collective action against cyber aggression and bolstering our influence in shaping a safer digital world.

Reclassification is imperative to uphold a rules-based international order — the established rules for safeguarding civilians and mitigating human suffering during armed conflicts. This classification ensures that the digital domain is not exempt from international law. Consistency in applying existing principles and laws ensures that no physical aggression goes unpunished, whether kinetic or digital.

The devastating cyberattacks on Ukraine’s power grid further solidifies the urgent need to classify cyberattacks on critical infrastructure as war crimes. These attacks have disrupted essential services such as hospitals and transportation systems. Ukrainian resilience aside — lives are lost and chaos ensues. The consequences are equivalent to a physical attack on civilian infrastructure, inflicting significant harm upon innocent civilians and violating their fundamental rights. By designating such cyberattacks as war crimes, we establish a robust legal framework to hold responsible individuals accountable and reinforce the protection of civilians and their essential services.

The convergence of tactics between nation-state cybercriminals and physical attacks demand our attention and condemnation. To achieve this, I urge policymakers, lawmakers, and international bodies to:

Establish clear legal frameworks: Work together to define and recognize cyberattacks on critical infrastructure as war crimes, ensuring that the laws and conventions that govern traditional warfare acts are extended to the digital domain. This will provide a solid foundation for holding responsible individuals accountable and ensuring justice prevails.