The Idea That DoS Attacks Against WikiLeaks are War Crimes
A recent interview WikiLeaks founder Julian Assange did with Sueddeutsche Zeitung in Germany features Assange’s take on what happened with the Cablegate release, how the organization has managed to withstand cyber attacks, the organization’s suspicions about OpenLeaks founder and former WikiLeaks spokesperson Daniel Domscheit-Berg and how the organization thinks it has impacted the world.
One section that sticks out is Assange’s discussion of the denial of service (DoS) attacks the site has managed to withstand.
From a translation of the interview:
SZ: Last week there was a hacker attack which paralyzed the WikiLeaks website with a Denial-Of-Service attack. How capable of action are you technical wise?
Assange: Our website is almost daily under attack. But we have developed enough countermechanisms to fight off such attacks.
SZ: Who’s behind these attacks?
Assange: This ranges from mentally confused persons to governments.
SZ: Do you have evidence for that?
Assange: After our releases about China we witnessed attacks launched by Chinese government computers. Attacks on websites by governmental institutions however are a war crime, same asassaults on every other civilian infrastructure.
SZ: Is that enshrined in international law?
Assange: The international law is not that far yet.
The notion that the attacks on WikiLeaks are war crimes is something the organization has been promoting. On August 23, when it was hit with a DoS attack as it released 130,000 cables, the organization tweeted, “Are state directed Denial of Service attacks, legally, a war crime against civilian infrastructure?” and “Should we, legally, declare war on state agressors that commit infrastructure war crimes against us?”
Assange is right that international law is not that far along. But, ponder the concept of a cyber attack on WikiLeaks being a “war crime”—
Sharon Stevens, a practicing attorney who graduated from the University of Iowa College of Law, has published what looks like a dissertation on “internet war crimes” and the possibility of tribunals being set up to prosecute such crimes. She attempts to define what an “internet war crime” might be.
…Article 8(2)(b) of the Rome Statute lists “other serious violations of the laws and customs applicable in international armed conflict, within the established framework of international law.” As such, they would not apply to situations in which a cyber attack takes down a power grid or cripples a state’s financial system. Oddly, as broad and general as the definitions of these crimes are, they would not reach cyber attacks. Five of the activities listed are potentially relevant to the issue of cyber attacks: (1) directing attacks against a civilian population; (2) directing attacks against civilian, non-military objects; (3) launching attacks that will cause incidental injury or damage to civilians or civilian objects; (4) attacking undefended and nonmilitary objectives such as towns, villages, homes, or buildings; and (5) destroying or seizing the enemy’s property in a manner that is unnecessary for the prosecution of war. These acts seem to pinpoint some of the evils inherent to cyber attack.
Stevens writes all of this with the thought in mind that the individual committing the “war crime” is likely to be a non-state actor or terrorist and so the Rome Statute might not be able to prosecute such an act. “War crimes under the Rome Statute are limited to ‘grave breaches of the Geneva Convention,’” she writes, and the “Geneva Convention only applies to the acts of nations, not individuals (hence the justification for the US government’s decision to not treat “terror suspects” like prisoners of war). But, if in fact it is China (or perhaps the US) that attacked WikiLeaks, then this issue seems non-existent.
She examines whether a cyber attack “constitutes an armed conflict.” She notes Geneva Conventions apply to situations of war or “armed conflict.” So, could they ever be applied to attacks like a DoS attack? She finds it highly disputable that a cyber attack would constitute “armed conflict” and concludes neither the Geneva Conventions nor the Rome Statute should ever be applied to cyber attacks.
Stevens looks at whether the International Court of Justice (“ICJ Statute”) could ever be used to address “internet war crimes.” Noting that both the ICJ and the International Criminal Court (ICC) are weak because the US has gone to the nth degree to ensure the US military is exempt from the ICC, the likelihood that China and the US would not sign on to any convention on “information war crimes” is mentioned. This is all to suggest the ICC may not be the best international body to develop some kind of legal parameters for “information war crimes.”
What about the Cybercrime Convention, which has the support of the US government? Stevens demonstrates how conflicting rules on jurisdiction would make it difficult to use the Convention to go after “information war crimes.” The Convention does not impose “universal jurisdiction,” which as Amnesty International defines is the concept that “national courts can investigate and prosecute a person suspected of committing a crime anywhere in the world regardless of the nationality of the accused or the victim or the absence of any links to the state where the court is located.” If the Convention were to operate under this concept, Stevens finds show trials could result, as “the political motive for retribution would be high in prosecuting an alleged perpetrator of a cyber attack.”
Another issue is sovereign immunity—the doctrine that “a state cannot prosecute the officials of foreign countries for official acts.” Prosecuting someone suspected of cyber attacks would mean a country would be interfering in another country.
Finally, Stevens proposes the creation of rules for the Internet against attacks and the creation of a UN-mandated court that would work to keep “international peace and security through the enforcement of international humanitarian law.”
Of course, attacks on an organization like WikiLeaks do not and would likely never be considered attacks, which threatened international peace. In fact, it is much more likely that some laws of war updated to fit the era of Internet communications would permit state-sponsored attacks on WikiLeaks if countries were able to come together and designate the organization as some kind of rogue operation.
What would happen if an international body was tasked with making some kind of decision for or against WikiLeaks? Would the revelations from Cablegate, the disclosure of private conversations between US diplomats and the officials of countries worldwide, inevitably mean world leaders would vote against WikiLeaks?
Politically, if China is behind the DoS attacks, it seems they would vote against WikiLeaks. Russia would likely vote the same as China. The US would most certainly vote against WikiLeaks and, if one goes by the impact of the cables, India would vote against WikiLeaks. European powers might be a toss up (US pressure would ensure they voted against WikiLeaks).
What about the African and South American countries? Their votes would probably hinge on how much of an impact WikiLeaks’ release of the cables had on their country. Regardless of possible outcomes, setting up some way to handle “information war crimes” would be in the interest of organizations like WikiLeaks.
The thought of “information war crimes” is interesting in the same way that cyber warfare is a fascinating new concept. The new technology in the world makes it inevitable that world powers will be warring in cyberspace (in fact, read the cables; governments have already sparred in cyberspace). In that case, will there be digital freedom defenders who argue that certain acts constitute “war crimes” or “crimes against humanity”?
Critics may call Assange or WikiLeaks foolish or hyperbolic for suggesting the attacks are “war crimes.” However, the remarks seem to be the result of the organization reasonably wondering what kind of recourse they have in a world where law has yet to catch up with technology. Their operations depend on being able to protect their freedom of expression and if that is constantly under threat the organization seems justified in wondering what law might be able to do for protection or whether they would be justified in retaliating against cyber attacks.