The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

The war in Ukraine tests how cyberattacks fit into rules for war crimes

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! I’m back in business after getting an MRI yesterday. It is my earnest request to science that they figure out a way to make those less nightmarish to undergo. Even just, like, less noise would be a help.

Below: An investigation finds that Bangladesh bought surveillance tools, and a top TikTok executive visits Brussels. First:

Ukraine petitions International Criminal Court to investigate cyberattacks as war crimes

Ukrainian leaders in recent months have been sharing information about Russian cyberattacks with the International Criminal Court, hoping the organization will investigate them as war crimes.

It’s one of the first real chances to test whether and how cyberattacks fit into some of the laws governing war. Russia’s invasion of Ukraine is arguably the most prominent world conflict to date where coordinated, joint physical and cyber assaults are routine.

“When we observe the situation in cyberspace we notice some coordination between kinetic strikes and cyberattacks, and since the majority of kinetic attacks are organized against civilians — being a direct act of war crime — supportive actions in cyber can be considered as war crimes,” top Ukrainian cybersecurity official Victor Zhora told Shannon Van Sant of Politico in an interview that published this week, echoing past remarks.

Last spring, a group of human rights investigators and lawyers from the Human Rights Center at the University of California at Berkeley's School of Law also urged the Office of the Prosecutor for the International Criminal Court to consider war crime prosecutions of Russian government Sandworm hackers over the Ukraine attacks.

The International Criminal Court did not respond to a request for comment. But Lindsay Freeman, the director of technology, law and policy at the Human Rights Center, told Andy Greenberg of Wired that the prosecutor's office said it was considering the request.

Can it happen?

There is a consensus among legal and military experts that cyberattacks could at least theoretically qualify as war crimes under the Rome Statute, the treaty that established the International Criminal Court.

And the court is already investigating war crimes by Russia against Ukraine. “Ukraine is a crime scene,” the chief prosecutor for the court, Karim Khan, has said.

  • Ukraine isn’t a party to the Rome Statute, but accepted its jurisdiction after Russia's annexation of Crimea. Sandworm hackers in 2015 attacked Ukraine’s power grid, leaving hundreds of thousands of people without power for hours. 

Russian hackers have targeted Ukrainian critical infrastructure, with Zhora pointing specifically to attacks on DTEK Group, Ukraine’s largest private energy conglomerate. 

But there are reasons that prosecuting a cyberattack as a war crime would be complicated, said Paul Rosenzweig, a former DHS official who’s part of the cybersecurity law initiative at George Washington University.

“To be a war crime, it has to be totally directed at civilians, without any realistic possibility of military advantage,” Rosenweig told me. “The Russian argument would be, ‘By degrading their economy, we’re increasing the possibility that they’ll sue for peace, and that’s a significant military advantage.’”

  • Ukraine could make stronger claims if Russian attacks targeted hospitals, or wastewater treatment facilities in cities that aren’t anywhere near the front lines, Rosenzweig said.

Furthermore, the court’s hands are full with clear war crimes, from allegations of civilian massacres to the torture and rape of women and children, Rosenzweig said.

But for a variety of reasons, “the idea has considerable merit,” David Scheffer, who served as the first U.S. Ambassador-at-Large for War Crimes Issues, told me.

Russia targeting the energy grid “is an assault on the civilian population in a manner that is inhumane, particularly during winter in cold weather,” said Scheffer, now a senior fellow at the Council on Foreign Relations.

To argue that taking out a power plant was a move to gain military advantage, Russia would have to demonstrate via a “proportionality test” that the plant “has a direct and overbearing importance and significance to the military capabilities of the Ukrainian Armed Forces in that area,” Scheffer said. 

While Scheffer said he didn’t know the extent of the court’s in-house cyber expertise, they could bring in consultants to assist.

“I would be confident in saying that prosecutor Karim Khan — who is a very, very intelligent and up-to-speed and modern lawyer — he would have this as one piece of the Ukraine situation that he’s investigating,” Scheffer said. “He would not ignore this type of evidence.”

Splitting the difference between Rosenzweig and Scheffer is John Hultquist, vice president of Google unit Mandiant Threat Intelligence.

“We need to be doing everything we can right now to prepare for Sandworm or deter them,” Hultquist told Wired. “If you're going to do this, now is the time.”

  • On the other hand, “There's a stark difference between cyberattacks and attacks on the physical ground right now,” he told the outlet. “You simply cannot achieve the same effects with cyberattacks that you can when you're bombing things and tanks are rolling down streets.”

The keys

Bangladesh gets Israeli surveillance technology, investigation finds

Bangladesh and Israel don’t have diplomatic relations, and Israeli defense officials haven’t added Bangladesh to a list of countries allowed to get exports of key technology over fears that Pakistan could get them, Oded Yaron and Zulkarnain Saer Khan report

“Official documents cited in this report reveal for the first time four other transactions for the purchase of Israeli spy technology by Bangladeshi government agencies involved in human rights violations,” they write. “The technology enables them to surveil Bangladeshi citizens through their phone and to hack wireless networks and monitor internet traffic. The companies are either Israeli or foreign with a clear link to Israel, and some of the exports are by firms registered in the Virgin Islands, Cyprus and Singapore who seemingly act solely as middlemen.”

Three of the companies named by Haaretz — Passitora, Prelysis and U-TX Technologies — did not respond to the outlet’s requests for comment or declined to comment. A fourth firm, Coralco Tech, told the outlet that it doesn’t comment on its customers but uses “an internal vetting process that takes into account human rights violations.” It also said it reports company deals and gets necessary licenses from regulators like Israel’s Defense Ministry.

Bangladesh’s interior and foreign ministries didn’t respond to Haaretz’s requests for comment. Israel’s Defense Ministry didn’t respond when Haaretz asked whether it approved sales to Bangladesh, but it told the outlet that the ministry “acts, and will act, to enforce unapproved defense exports, including services and know-how — according to its legal authority.” It added that it “does not divulge information on the defense export policy, for security, diplomatic and strategic considerations.”

TikTok’s chief executive meets with E.U. officials

TikTok CEO Shou Zi Chew’s meeting with officials in Brussels comes as the app faces political pressure in the United States, where it has been banned on federal devices and on some state devices and networks, Politico Europe’s Clothilde Goujard reports. Ireland’s data protection regulator is also investigating the app over children’s privacy and data transfers to China.

“I count on TikTok to fully execute its commitments to go the extra mile in respecting E.U. law and regaining [the] trust of European regulators,” European Commission Vice President Věra Jourová said in a statement. Executive Vice President Margrethe Vestager said talks focused on getting ready for E.U. laws on content and competition. Justice Commissioner Didier Reynders said, per in a readout, that the “the rules are clear and must be complied with fully.”

Cyber insecurity

Everything you’ve been told about passwords is a lie (Shira Ovide)

Iowa school district cancels classes another day due to cyberattack (The Record)

U.K.’s Morgan Advanced Materials probes cybersecurity incident (Bloomberg News)

Government scan

NARA to publish first update to cybersecurity records rules since 2014 (NextGov)

Global cyberspace

Hackers hit websites of Danish central bank, other banks (Reuters)


  • Rear Adm. Michael Studeman, the commander of the Office of Naval Intelligence, speaks at an Intelligence and National Security Alliance event today at 9 a.m.
  • Gen. Paul Nakasone, who leads the National Security Agency and U.S. Cyber Command, speaks at a public forum on a government surveillance authority on Thursday. April Doss and Christopher Fonzone, the top lawyers at the National Security Agency and Office of the Director of National Intelligence, are also slated to speak at the event, which is hosted by the Privacy and Civil Liberties Oversight Board.
  • Cybersecurity practitioners meet with cybersecurity staffers on Thursday as part of Hackers on the Hill. 

Secure log off

Thanks for reading. See you tomorrow.