By: Sruthi Venkatachalam, YLS ‘23

On Oct. 12, 2020, Mumbai, India’s financial capital, was hit with one of its worst blackouts in decades, leaving millions across the city without power for hours. The stock exchange and airports were able to function, but businesses were shut down and trains were delayed. Because the blackout struck during the COVID-19 pandemic, the nearly 9,000 patients in 78 hospitals were a concern, but thankfully, all key hospitals had been equipped with backup generators earlier that year. At the time, some officials stated that the outage occurred due to issues with “incoming supply to the main grid,” while others suspected sabotage by the Chinese government. A 2021 study by Recorded Future, a company that studies the internet activity of state actors, corroborated the latter theory by piecing together the flow of malware and suggested that the Chinese government had been quietly placing malware in Indian infrastructure following another stand-off between India and China in the Himalayas a few months prior. The study also found that most of the malware had never been activated.

This incident is not the first time a state actor has been suspected of using cyber capabilities to shut down a power grid, and it is illustrative of a reality in which cyber-attacks have become a regular part of armed conflict. While there are no binding rules specific to cyber-attacks in armed conflicts, as the ICJ Advisory Opinion on Nuclear Weapons has affirmed, humanitarian law applies to “all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future.” As such, it is worth exploring the application of international humanitarian law (IHL) to various aspects of these attacks. This article will explore whether the pre-positioning of malware in an electrical grid during an armed conflict is a violation of IHL, concluding that while the activation of such malware certainly should be considered a violation, the mere act of pre-positioning it is unlikely to be one.

Malware Attacks on Electric Grids

A malware attack on an electrical grid would, in most cases, be considered a violation of IHL. Those, like the Mumbai attack, which predominantly target civilian power grids are a clear violation of the basic IHL principle of distinction. Article 48 of Additional Protocol I requires Parties to an armed conflict to “at all times distinguish between the civilian population and combatants and between civilian objects and military objects and accordingly shall direct their operation only against military objectives.” While this Article demonstrates that it is a clear violation of IHL to attack civilian power grids, the question becomes more complicated once one contemplates infrastructure that serves both military and civilian uses.

Electric grids can be classified as dual-use infrastructure, that is, infrastructure used simultaneously by the military and by civilians. Thus, one could attack a legitimate military target, satisfying the IHL requirement of distinction, while still causing critical damage to civilians. For analysis in this category, many experts turn to the IHL principle of proportionality. Article 51(5)(b) of Additional Protocol I states that “an attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated” is prohibited. Within the context of dual-use infrastructure, this means that the effect on civilians must be weighed against the military advantage of attacking that infrastructure. Suppose Country A attacks an electrical grid in Country B that is a legitimate military objective but also serves a number of civilians and civilian objects in the area (e.g. schools, hospitals, roads and transportation networks). If Country A were simply to flicker the lights once, it would be unlikely to violate this principle, as the damage would be minimal. However, suppose that Country A were to shut down power to the area for an extended period of time. The number of civilian deaths or injuries that could foreseeably result (from hospital deaths to traffic accidents) could make such an attack disproportionate.

Proportionality calculations weigh not only damage to civilians but also the military objective. Therefore, one could imagine a narrow set of instances in which such an attack could be argued to be proportionate. In discussing this issue, the authors of the Tallinn Manual 2.0 note that attacking a dual-use electrical grid could result in “significant, albeit proportional, collateral damage” if a party is seeking to disrupt enemy command and control. However, they continue, if any other feasible option existed that would result in less civilian damage, that option must be selected. While there are certainly hypothetical cases in which a state actor might be justified, such as the one suggested in the Tallinn Manual, a number of contemporary electrical grid cyber-attacks allegedly conducted by state actors have had dramatic effects on predominantly civilian infrastructure, raising doubts about the weight of any permissible military objective. Thus, based on the analysis of these two fundamental principles of IHL, malware attacks on an electric grid, as allegedly conducted today, would generally be considered violations of IHL.

Pre-positioning Malware in Electric Grids

While the use of malware to shut down an electrical grid, as exhibited by most contemporary cases and allegations, would be violative of IHL, the question of whether pre-positioning malware in the grid is a violation is more complicated. Pre-positioning malware is the placement of malware within the electrical grid without actually activating it. If the malware remains inactive, then there are no adverse effects. The question then becomes whether the threat of the use of malware is itself a violation. Michael Schmitt addressed the issue of whether pre-placement in critical infrastructure would be a violation of international law, concluding that because there is no kinetic effect and no established rules for sovereignty in cyberspace, it is likely not a violation. Under IHL, it would similarly be unlikely that the mere placement of malware in an electrical grid would cause harm sufficient to be classified as a violation. A more appropriate analogue could be arming weapons systems in the knowledge that they can be mobilized to attack civilian populations. The threat of force against civilian objects is always present during armed conflict, even though the actual use of such force would be a violation. Similarly, the threat posed by malware in a grid is unlikely to be a violation.

Despite this, there are a number of reasons why state actors should avoid placing malware in electrical grids. Pre-placement of malware in electrical grids is an aggressive tactic that, while not violative of IHL, certainly violates the spirit of IHL. As norms for cyber operations continue to develop, states should be cautious about taking actions that would harm civilians. Although one could argue the merits of the deterrent effect of such operations, developing such capabilities poses an enormous risk. While one administration might develop such capabilities with the intention of never using them, as the last four years have taught us, changing administrations may have differing views on the value of international law and IHL. The danger of their use will remain so long as the capability exists and, so long as it poses such great consequences for civilians, such capabilities ought not to be developed.