Can’t we just hack back China, if they hack us? Here’s what the law says.

Computer codes are inherently insecure. They can be the tools, but also the target of a cyber-attack. Not just one, but a spectrum of controls is required for maximum security. Still, 100% security is a utopian fascination. The attacker needs to succeed at one target, while the defender needs to be everywhere. It is no hidden truth that it’s the government’s duty to protect its subjects against any attack from a foreign enemy, but, it is unprepared to do it at such a large scale. Recently, a cyber security firm notified government agencies, media, and large companies in India against Chinese plans to hack them. The potential attack is about retaliating and “teaching a lesson to India”, against its stand on Galwan valley. Given that evidence is there to suggest that India has offensive capabilities, rather than defending all the time, can’t we hack back China, if it hacks us?

Why does cyber warfare suit nations?

The rules of warfare translate to maximum damage caused with minimum resources used. It is no science that attacking India with conventional methods is more than a challenge because of its geography. A more logical argument would follow that many high stakes are involved to indulge into a kinetic war. The prevalent situation with COVID-19 in the air, economies shrinking, growth stalling, dictates that apart from not looking good, any kinetic action would immediately invite international intervention. The cyber offensive strategy fits right into this premise and adds a new dimension to the pre-existing theatres of war.

The Cost-benefit calculation

It is easy to tilt the cost-benefit calculations in the attacker’s favor by preferring a cyber-offensive over the conventional kinetic one. Firstly, nobody needs to step a foot outside their cozy office. Secondly, it doesn’t require any reconnaissance. The attack is stealthy. The enemy is unable to discover for some time that it has suffered an attack. It may not even be able to credibly attribute the attacks to its origin. Tracing a hack is not easy given attackers use encryption and multiple hop points to reach the target. Also, there are so many hackers and associated groups lurking on the internet that the attacker can be easily lost in the crowd; pointing fingers isn’t as easy.

Thirdly, the attack can be molded as per requirements. It can be tactical/ strategic or outrightly destructive (Stuxnet, remember?). The attacker can limit the threshold of an attack an extent which does not call for any retaliatory measures. Damages can be inflicted on persons (NHS ransomware seize; connected medical devices such as a pacemaker), corporates (damages suffered by banks because of DDOS), government infrastructure (critical infrastructure; power outage; metro/ rail disruption), in both tangible and intangible ways. Lastly, the dynamics of engagement no more depend upon the geographic and economic prowess of a nation, but only upon malware skills of coders.

It was only last year (2019) that India demonstrated to the world its capability to destroy satellites through a missile and it was a huge success. India joined an elite club of countries having such a capability. But you’d be blown to know that China had gained ‘unauthorized accesses’ to orbital satellites long back in 2011! (It feels like the medieval period in the internet era, our phones didn’t even have HD screens or cameras or a gigabyte of RAM back then!)

Before getting to the legal aspect, can’t our defences hold any attack?

As pointed to earlier, the attacker needs to succeed at one target, but the defender has to be everywhere. There are a number of other complications. Hackers have incredibly outpaced the cybersecurity industry. Also, private companies own most of the internet infrastructure, not a government or a combination of governments. There is a huge skill gap, both in the private and the public sector. Even if the government develops the capability to deter attacks; corporates may not trust the government with their data.

The biggest of these problems is : defence is based upon an assumption that once traced, the attacker would be punished. But here, the attacker is a country itself, who would the aggrieved prosecute? A more lucrative option is to hire non-state actors and direct them to attack the cyberinfrastructure of another country. Even if one traces the attack’s origin, China and Russia would ignore requests for prosecution, as they have done in the past.

Where does India stand? Is it capable of launching an offensive?

It can be said that cybersecurity is just as important as defending land, air, and sea. Over time, a lot of defensive techniques have come up to protect against any largescale cyber-attack. However, being defensive always is not a winning proposition anymore. Responding to the looming threat, countries have brought into play cyber armies. Capabilities of the cyber armies are in continued development. India has also started to build capacity and capability, and the Cyber Defence Agency has begun operations. Details about the agency have been very scarce though.

However, a quietly inserted amendment into the Foreign Trade Policy in June 2020, reveals some interesting details. The amendment reads as below:

Note 1 6A021.b.5. includes “software” designed to destroy, damage, degrade or disrupt systems, equipment or “software”, specified by Category 6, cyber reconnaissance and cyber command and control “software”, therefor. …XXX…

The amendment carries the force of law. Importantly, the term “offensive cyber” was previously mentioned in a draft report authored by a committee under the MeitY. But this is the first strong suggestion as to the existence of Indian offensive cyber capabilities. (read more here).

Does the Indian law allow such a hack back?

Self-defence is the right of a person to defend his, or any other person’s body or property, against any potential harm. Under the Indian local laws, the IPC allows the right to self-defence. However, only a given variety of cases warrant the exercise of this right. If we consider hacking, then out of the given variety, we can looked upon it from the lens of criminal trespass and theft. (Section 104, IPC) Firstly, criminal trespass, as per Section 441 IPC, only caters to tangible property and not intangible property (data). Secondly, in the case of theft, as ruled by various judgments of the Supreme Court, must permanently dispossess the owner of the property from such property. That is simply not the case in data theft; the owner of the data still has a copy of data. Therefore, the local laws are insufficient to allow the exercise of such a right.

Does the International Law allow such a hack back?

In the realms of international law, Article 2(4) of the UN Charter explicitly forbids all signatories from ‘using force’ except when authorized by the Security Council, and when a signatory is exercising its inherent right to self-defence as per Article 51. Article 51 provides that nothing in the present chapter shall impair the inherent right of individual or collective defence if an ‘armed attack’ occurs against a Member of the United Nations. But it is unclear that what exactly qualifies as an ‘armed attack’ as the charter nowhere defines it, neither it defines ‘use of force’.

The ICJ has also refrained to clarify as to when a use of force escalates to an armed attack. There are two possible reasons for this ambiguity. First, the prohibition on ‘force’ is more reliable than banning deleterious consequences, which could be many. Second, if the term is clearly defined, attacks would be deliberately staged in a fashion that is just below the set threshold of an armed attack. Thus, before resorting to offensive defence, it would be imperative to determine if a use of force has reached the threshold of an “armed attack”, and also adjudge the scope, duration, and intensity of an attack. (those of you curious to read in detail may refer to this research paper)

What could a successful counter striking operation achieve, after all?

Any counter striking operation could produce legalized disabling and reasonably destructive effects. It could either completely destroy the target computer/ facility or temporarily disable it. To list out a few gains, counter striking would act as a deterrent by following the model of MAD (Mutually Assured Destruction).

What are the problems that a counter striking operation may face?

he first and foremost problems is the attribution of the attacks. One can surely vouch for, an eye for an eye, but before taking any action it would be crucial to determine as to who hacked who. Once determined, it is equally crucial to counter-strike within the scope of self-defence, following the principles of immediacy, necessity, and proportionality. Although the counter strikers get to choose the time and target, it is not as easy as perceived to carry offensive strikes. The attackers go through a “cyber kill chain”, composed of multiple steps (reconnaissance, building weapon, delivery, exploit, pulling out data, erasing tracks). It is important to get everything right, else the action could be blocked at any stage of the chain.

Also, irrespective of the destruction caused, a cyber offence lacks the signal that it intends to deliver. For example, if a country fires back with a missile, the other side knows that it’s retaliation, but launch a malware and it looks like another system failure. Lastly, satellites guide a missile and help it maintain the target trajectory. But a good malware has a head of its own, and it may result into friendly fire.

This article is based on the author’s research paper titled ‘The War Is Coming: Self Defence in Cyberspace). The research paper published with the International Journal of Legal Studies and Research, Vol. 8 No. 1 (March, 2019).