20 December 2023
The event titled Cyber Warfare & Cyber Offences was advertised on the webpage of the Faculty of Law of the University of Maribor (https://www.pf.um.si/) as an online event for experts in criminal law (judges, public prosecutors, defence attorneys, police officers and students). The invitation stated that all attendees should send an email to the organizer of the event (prof. dr. Miha Šepec) in order to receive a Privacy Notice, and that by registering for the event the participants agree to the use of their personal data according to the Privacy Notice.
Within one month of the advertisement being published on the webpage, 44 people applied for the online event. Attendees were mostly students of the Faculty of Law of the University of Maribor (most were master's students – 2nd grade of law study and some were PhD students – 3rd grade of law study). Some practitioners also applied for the seminar (interns at the District Prosecutor’s Office and interns at the District Court of Maribor).
The online seminar began on 20th December 2023 at 16:00 on the Zoom platform. The Lecturer, Prof. dr. Miha Šepec, began by welcoming all the attendees, briefly explaining the schedule and reminding the attendees about the Privacy Notice. No one complained or left the seminar; the Lecturer therefore began his lecture on Cyber Warfare and Cyber Offences.
The first question of the seminar was: what is cyber warfare?
Cyber warfare has neither a single definition nor a clearly established legal definition. What is specific to cyber warfare is, firstly, that it is connected with the army of an individual country, i.e. it is a military operation, and secondly, that the range and scope of the crime is significantly wider, as it attacks more important targets with significantly more repulsive motives: paralyzing the country’s national security with attacks on its infrastructure, technological centres etc.
The lecture continued with legal definitions. The focus was not only on EU legislation but also on the UN conventions. The goal was to present legal definitions connected to cyber warfare such as cyber-attack, cyber espionage, cyber spying etc. The question was whether these acts are defined as criminal acts in the EU.
There is no legal document in the EU or UN that would directly address cyberwarfare, as the term as such has no clear legal definition. However, we can use numerous legal documents that indirectly address the topic of cyber warfare and cyber warfare attacks.
The first is the UN Charter, which includes the prohibition against the use of force, codified in Article 2(4) of the United Nations Charter. Article 2(4) provides that a UN member state cannot threaten or use force against the territorial integrity or political independence of another state, or in any way that diverges from the purposes of the UN. It should be emphasized that, in the context of cyber warfare attacks, force in the sense of Article 2(4) can only be understood to exist when the territorial integrity or political independence of a state is actually threatened by such attacks. Therefore, only serious military attacks that threaten the very existence of the country are covered. It is quite unlikely that the UN will accept a cyber attack by itself as use of force according to Article 2(4) of the UN Charter.
There are, however, two workable solutions. Either we deny that cyber warfare attacks are a form of modern armed warfare, so that they are not regarded as the use of force in the sense of Article 2(4), or we adopt another, more modern solution, according to which a cyber warfare attack, when attacking the territorial integrity or political independence of a state, can be considered the use of force according to Article 2(4). According to the first solution, everything remains in a grey zone and countries fight against these forms of attacks independently, while according to the second, such attacks must be reported to the United Nations, where a solution is then sought within the framework of the UN Charter.
International humanitarian law is covered by the Hague Conventions and the Geneva Conventions, which determine the fundamental rules of warfare and the conduct that is prohibited in every international armed conflict. The conventions do not mention cyber warfare, because at the time they were written cyber warfare did not even exist.
A complex question is whether a cyber operation can itself trigger the application of international humanitarian law. An international armed conflict "exists whenever there is a resort to armed force between States". But when is this point reached in situations involving cyber operations that do not physically destroy or damage military or civilian infrastructure? That remains unclear. One solution is the so-called hybrid solution or hybrid model. According to this model, cyber attacks can constitute a violation of Hague and Geneva law only together with traditional war crimes, not by themselves.
Much the same can be said for the Rome Statute of the International Criminal Court. The Rome Statute limits the authority of the Court to the most serious crimes against the international community as a whole. Typically, cyber attacks on their own will not be defined as war crimes under the Rome Statute. However, in combination with traditional war crimes (the hybrid model) this would be possible.
As cybercrime is an international phenomenon, it was necessary to harmonize international criminal legislation regarding criminal acts of cybercrime. The purpose of the Convention on Cybercrime was therefore to unify measures at the level of substantive and procedural criminal law and thereby contribute to a better prosecution of cybercrimes.
The Convention on Cybercrime contains a basic list of crimes that signatories have to accept. At the time of the adoption of the Convention in 2001, this list was considered to be extremely advanced and contained all the most important forms of criminal acts in information systems. But in the twenty years since the adoption of the Convention, new forms of cybercrime acts have appeared, so today the Convention represents a minimum standard that should be followed by every advanced criminal legislation in the world.
The most important part for cyber attacks is, of course, the chapter on measures that must be taken at the national level. The substantive part defines the criminal acts that must be defined in the criminal codes of the signatory countries, while the procedural part defines the procedural provisions and guidelines that must be adopted in the procedural mechanisms of the signatory countries.
For cyber warfare attacks, the most relevant articles of the Convention on Cybercrime are the following. Illegal interception under Article 3 could be used in the case of cyber spying and espionage. Data interference under Article 4 and system interference under Article 5 are the two most relevant articles for cyber warfare attacks. They are present in any kind of attack that has an information system as the target, whether it be denial of service attacks, attacks to disrupt critical operations and systems, attacking and disabling critical systems and infrastructure, economic disruption by targeting economic establishments, surprise attacks in the context of hybrid warfare, or even sabotage. Computer-related forgery (Article 7) and computer-related fraud (Article 8) could be connected with cyber spying and espionage. Finally, Article 6 (misuse of devices) could be connected to all types of cyber warfare attacks, because it criminalizes any kind of production, sale, procurement for use, import, distribution or otherwise making available of devices, programs or codes that enable the perpetrator to perform one of the criminal offences listed in the Convention.
Directive 2013/40/EU on attacks against information systems continued the work of the Convention on Cybercrime. The objective of the Directive is to approximate the criminal law of the Member States in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offences and the relevant sanctions, and to improve cooperation between competent authorities. The Directive does not bring drastic changes. Attacks that could already be prosecuted based on the definitions in the Convention on Cybercrime can also be prosecuted based on the Directive.
The final topic of the seminar was the question of whether there is a European criminal law in the sense that the EU acts as a sovereign state, formulates criminal acts, conducts criminal prosecution and sanctions perpetrators of criminal acts. The answer is clearly no. However, we could speak of European criminal law when the EU protects its monetary interests through legislation that is enforced on its members. Only in this sense can we speak of European criminal law, where the Union itself is the creator of criminal law norms. However, the Union still depends on the Member States to enforce its regulations, as the EU itself has no means of physical coercion of individuals.
This harmonization takes place, on the one hand, through an assimilation obligation on the part of the Member States and, on the other hand, through the harmonization of substantive criminal law by means of the EU’s competence to approximate and annex criminal law pursuant to Art. 83(1) and (2) TFEU.
The lecturer concluded that, for the purpose of prosecuting cyber warfare attacks within the EU, there is no essential need to amend the EU legislation or to adopt new EU directives at the level of substantive criminal law, as the adopted legislation already covers the main offences. However, he warned that current EU legislation is written for the purposes of normal cyber attacks; it is not written for the purposes of warfare attacks or war operations against Member States of the EU. In this regard, the EU should evaluate whether more serious criminal incriminations on the EU level are needed.
The online seminar was concluded at 16:30, lasting altogether 30 minutes. The lecturer thanked the participants and finished the seminar.
Dr. Miha Šepec