GS Paper III: Internal Security and Science and Technology  |  GS Paper II: International Relations | Source: The Hindu, Indian Express

Modern conflicts are no longer fought only on physical battlefields. Countries now attack each other’s digital systems — power grids, hospitals, banks, defence networks — without sending a single soldier across the border. The bigger problem: international law has no clear answer for when this becomes illegal, who is responsible, and how to punish the aggressor.

1. Understanding cyber warfare

Cyber warfare means the use of digital attacks by one country against another to damage or destroy critical systems — like electricity supply, banking, hospitals, or military networks. Unlike normal hacking for money, cyber warfare is state-sponsored and aimed at weakening a rival nation.

For example: 

• The Handala Hack Team — linked to Iran’s Ministry of Intelligence — carried out 85+ attacks on Israeli and United States targets between 2024 and 2025. 
• One wiping attack on a United States medical company was called the most significant wartime cyber attack on American soil. Iran simply denied all involvement.

This captures the core problem: attacks happen, real harm is caused, but no one is held accountable.

2. Why accountability fails

• Attribution problem — Attackers hide behind fake identities, proxy servers, and hacker groups across multiple countries. Even when governments know who did it, proving it legally is very hard.
• Plausible deniability — States fund proxy hacker groups and label them “activists,” so they can deny state involvement when caught.
• No clear legal threshold — A website going down for an hour is very different from hospital data being permanently wiped. International law does not say clearly when a cyber attack becomes an “act of war.”
• No effective court — The International Court of Justice needs both countries to agree to appear before it. That almost never happens in cyber disputes.

2. What does international law offer?

• Article 2(4) — United Nations Charter: Prohibits use of force between states. Applies to cyberspace in principle — but the threshold for what counts as “cyber force” is still unclear.
• Tallinn Manual (2013, updated 2017): A NATO academic study applying international law to cyber warfare. Says a destructive cyber attack can trigger right to self-defence under Article 51. But it is not legally binding — just expert opinion.
• Budapest Convention on Cybercrime (2001): World’s first cybercrime treaty — covers hacking, fraud, data theft. 81 countries have joined. Covers criminal acts only, not state-sponsored warfare. India is not a member.
• United Nations Hanoi Convention on Cybercrime (2024): First comprehensive global cybercrime treaty. Disputes can go to the International Court of Justice. But only Qatar has ratified it out of 74 signatories — needs 40 ratifications to become active. India has not signed.

3. India’s position

• India is rapidly digitising governance, banking, and defence — making it more vulnerable to cyber attacks and giving it a bigger stake in global cyber norms.
• Information Technology Act, 2000 — Section 66F (cyber terrorism, punishable with life imprisonment); Section 70 (protection of critical government systems).
• Indian Computer Emergency Response Team — Nodal agency for responding to cyber incidents and sharing threat intelligence.
• Defence Cyber Agency — Military tri-service command for offensive and defensive cyber operations under the Chief of Defence Staff.
• India participates in the United Nations Group of Governmental Experts and the Quad Cyber initiative — but has stayed out of both the Budapest Convention and the Hanoi Convention, citing sovereignty concerns.

UPSC Value Box

Term or Law or Framework	What it means and why it matters
Budapest Convention (2001)	First cybercrime treaty; 81 members; covers criminal hacking — not state warfare; India not a member
Hanoi Convention (2024)	First comprehensive United Nations cybercrime treaty; barely ratified; India has not signed
Tallinn Manual	Non-binding NATO expert guide applying international law to cyber warfare
Attribution problem	Legally proving who carried out a cyber attack — the biggest barrier to accountability
Plausible deniability	Using proxy hacker groups so states can deny involvement in attacks
Indian Computer Emergency Response Team	India’s nodal cyber incident response agency under the Information Technology Act, 2000
Defence Cyber Agency	India’s military cyber command under the Chief of Defence Staff

4. Way forward
5. Clear international norms: The United Nations must convert its 11 voluntary cyber norms into binding, specific standards with enforceable thresholds.
6. Independent attribution body: A neutral international agency — like the Organisation for the Prohibition of Chemical Weapons model — should investigate major cyber attacks and publish findings courts can use.
7. Ratify the Hanoi Convention: Major powers including India must join — with strong human rights safeguards to prevent misuse against dissent and journalism.
8. India must lead: Strengthen the Indian Computer Emergency Response Team and Defence Cyber Agency; build public-private partnerships for critical infrastructure; actively shape global cyber norms rather than stay on the sidelines.

Cyber attacks are causing real harm — to hospitals, power grids, and financial systems — yet aggressors face almost no legal consequences. For a rapidly digitalising India, this is not a distant problem. The gap between what the law says and what actually happens in cyberspace must be closed — through clearer norms, credible attribution, and the political will to hold states accountable.

UPSC Mains Practice — 15 Marks, 250 Words

Q.2. Cyber warfare is challenging traditional notions of sovereignty and the use of force. Examine the adequacy of existing international legal frameworks and suggest measures to strengthen global cyber governance.

Structure

Introduction: Cyber operations have become central to modern conflict — but international law has not kept pace. State the core problem: attribution difficulty, unclear thresholds, no enforcement.

Body — three parts:

1. Existing frameworks and their gaps — Article 2(4), Tallinn Manual (non-binding), Budapest Convention (criminal only), Hanoi Convention (barely ratified)
2. Why accountability fails — attribution problem, proxy groups, plausible deniability, no suitable court
3. India’s stakes — Information Technology Act, Indian Computer Emergency Response Team, Defence Cyber Agency, not party to key conventions

Way forward: Independent attribution body, binding United Nations norms, ratify Hanoi Convention, India to lead cyber diplomacy.

Must mention in your answer

Article 2(4) United Nations Charter Tallinn Manual Budapest Convention Hanoi Convention 2024 Attribution problem Indian Computer Emergency Response Team Defence Cyber Agency

Conclusion: Without credible attribution and enforceable accountability, cyber warfare will remain a consequence-free tool of state aggression — a threat India cannot afford to ignore.