The aviation industry has long been a vital mode of transportation for people and goods around the world. However, with the rapid development of technology and the increasing dependence on digital systems, the industry has become increasingly vulnerable to cyber security threats.

Cyber attacks pose a significant threat to the safety and security of the aviation industry, as they can disrupt critical systems and cause potential harm to passengers and personnel. As the industry continues to rely on interconnected technologies, it is crucial for aviation organizations to prioritize cyber security measures to protect against potential threats and ensure the safe and efficient operation of their services.

Cybersecurity threats have become a major concern for aviation in the last five to ten years, mainly as a result of digitalisation processes becoming the norm in the sector.

In July 2021, a report was published by Eurocontrol titled "Airlines under attack: Faced with a rising tide of cybercrime, is our industry resilient enough to cope?" which outlined the increasing exposure of the Aviation Industry to rising levels of risk, as criminals, hackers, and state sponsored cyber-attackers all look to exploit vulnerabilities, cause chaos and fill their pockets at the expense of the aviation sector and innocent passengers.

The report was based on data from EATM-CERT (European Air Traffic Management Computer Emergency Response Team) service. This data showed that cyber-attacks are up in all threat categories, with a 530% year-on-year rise from 2019 to 2020 in reported incidents across the aviation industry, and with airlines targeted in 61% of all 2020 aviation cyber-attacks.

The report highlighted that 61% of all cyber-attacks in 2020 targeted airlines, almost twice as much as the two next biggest affected market segments combined and of the 335 fraudulent and fake refund websites discovered by the EATM-CERT team in 2020, 280 were impersonating IATA and A4E airline members, selling fake tickets and seeking to extract customer credit card data.

Moreover, 62 ransomware cyber attack was made in 2020, amounting to more than 1 per week. In 2021 a demand of cumulative amount of $50 Million USD was made by hackers and hacktivist groups.

What Constitutes Cyber-Attack?

The legality and use of cyber-warfare under international law remains ambiguous. This ambiguity is more concerning now than ever since most nations, particularly, the developed ones and increasingly, the developing ones, are becoming dependent on information technology for both, civilian and military purposes. Thus, opportunities increasingly arise for adversaries to strike inexpensively, remotely, and effectively with little risk. This has in turn, motivated both, state and non-state actors to conduct warfare in cyberspace. Hostile acts against a computer system and networks can be distinguished as destructive and non-destructive. The first form � "cyber attack" refers to the use of deliberate actions and operations � perhaps over an extended period of time - to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and (or) programs resident in or transiting these systems or networks.

The second form - cyber exploitation � is non-destructive and involves the use of actions and operations � perhaps over an extended period of time � to obtain information that would otherwise be kept confidential and is resident on or transiting through an adversary's computer systems or networks. The use of the wide-ranging term, cyberwarfare, does not provide a fitting description for a hostile attack in cyberspace due to its wide ranging impact.

The US Department of Defence provides a workable definition of "cyber-attack" in its DCSINT Handbook No. 1.02 of the US Army which states:
"The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or to further social, ideological, religious, political or similar objectives. Or to intimidate any person in furtherance of such objectives".

More appropriately, Council of Europe's Convention on Cybercrime which is a multilateral instrument aimed at combating cybercrime tries to define cyberattack. It requires the signatories to make laws and criminalise "the damaging, deletion, deterioration, alteration or suppression of computer data without right," as well as "the serious hindering without right of the functioning of a computer system" by similar means".

Most international legal instruments dealing with warfare have traditionally interpreted 'armed conflict' as conventional military warfare, including the International Humanitarian Law which distinguishes between two types of armed conflicts, i.e., international armed conflict between two opposing states and non-international armed conflict between governmental forces and non-governmental armed groups or such groups only.

Article 2 of Geneva Convention of 1949 states:
"In addition to the provisions which shall be implemented in peacetime, the present Convention shall apply to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties, even if the state of war is not recognized by one of them". Thus, defining cyberwarfare in context of the existing international instruments is difficult.

Biggest most recent cyber attack on aviation Industry in the last few Years

• On 25th May, 2022 following a massive ransomware attack on SpiceJet, hundreds of passengers were stranded at airports across India, particularly those airports where restrictions on night operations were in place. SpiceJet has not revealed which systems were targeted or what it did to overcome the attacks.
   
• In April 2022, Canadian low-cost airline Sunwing Airlines faced four days of extensive flight delays after the third-party software system it used for check-in and boarding was breached by hackers. The attack forced Sunwing to resort to manually checking in passengers in an effort to minimize disruption to its schedule and caused the Canadian authorities to suspend operations temporarily to ensure that the breach was remedied before flights could resume.
   
• In March 2022, in what appears to have been a retaliatory strike in response to Russia's invasion of Ukraine, an unidentified group (presumed to be the Anonymous Hacking Group) carried out an extremely effective attack on the Russian Federal Air Transport Agency. As part of the attack, all aircraft registration data and emails, totaling approximately a massive 65 terabytes of data, were deleted from the Agency's servers.
   
• In March 2022, SITA, an airline technology and communication provider that operates passenger processing systems for airlines, was the victim of a cyber-attack involving passenger data. SITA serves 90% of the world's airlines and disclosed that among the airlines affected were various major airlines including Air India, Japan Airlines, Lufthansa, Malaysia Airlines, and Singapore Airlines.

Major International Instruments Dealing With Cyber Attack

1. Convention for the Suppression of Unlawful Seizure of Aircraft (1970)- The Hague Convention was adopted in 1970 with the aim to criminalize offences committed on board the aircraft when the aircraft is in flight. Herein to attract the provisions the person must have seized or exercised control over the aircraft.
   
   The Convention may also be applied in cases where a passenger on board the aircraft takes control of the aircraft through a cyber-attack.
    
2. Convention for the Suppression of Unlawful Acts against the Safety of Civil Aviation (1971)- The Montreal convention of 1971 uses an effect-based method to identify offences that share the traits of being illegal, purposeful, and likely to jeopardise the safety of flying aircraft. The Montreal Convention unlike Hague convention does not require the person to be on board the aircraft and hence as such broadens its applicability by including any remote cyber attack on aircraft as well as on air navigation facilities.
    
3. Convention on the Suppression of Unlawful Acts Relating to International Civil Aviation (2010)- The Beijing Convention further expands the applicability scope to the cyber-attacks targeting the air navigation facilities defining them as signals, data, information, or systems necessary for aircraft navigation. Moreover, the Beijing Convention addresses any attacks on such facilities and aircraft conducted by cyber means.
    
4. Beijing Protocol (2010) - The Hague Convention of 1970 is supplemented by the Beijing supplementary Protocol of 2010, which broadens the definition of unlawful acts in light of technological advancements that could be used to perpetrate crimes against aviation. By incorporating the seizure of aircraft using any electronic and technological means within its scope, the legal document for the first time makes a clear reference to cyber security.
    
5. Annex 17 to Chicago Convention- Annex 17 provides for Standard and Recommended Practices dealing with Aviation Security.
   
   The Chicago Convention requires the Contracting States to establish and enforce laws to protect civil aviation from unlawful interference.
   
   It is important to keep in mind that cyberattacks may be considered acts of unlawful interference if they have a bearing on aviation safety. Within Annex 17, Standard 4.9.1 (measures relating to cyber threats) has been introduced, which requires States to develop and implement measures to protect their critical information, communications technology systems, as well as data used for civil aviation purposes from unlawful interference.
    
6. Article 3 bis of Chicago Convention- The Protocol Pertaining to an Amendment to the Convention on International Civil Aviation, signed in Montreal on May 10, 1984, which followed the aftermath of the KAL007 incident, is credited with introducing Article 3 bis into the Chicago Convention. Although this accident had a significant impact on the creation and implementation of this provision, its reach has been acknowledged as being wider than just establishing requirements for the interception of civil aircraft.

In particular, the first sentence of Article 3 bis states that "every State must refrain from resorting to the use of weapons against civil aircraft in flight"

Cyberattack And Attribution

It is pertinent to note that cyberattack are a plausible method employed by adversaries to jeopardise the safety and security of aviation in general and civil aviation, in particular. There are multiple instances where cyberattack is preferred over the traditional methods of attack (such as hijacking) in threatening an aircraft and its passengers' safety. There are several important considerations including the direct involvement of the State from which the attack originated, whether the state itself is complicit or not.

Also, whether the attack constituted the action of the state itself or individuals acting independently or otherwise. State responsibility in this context, is articulated by the International Law Commission's Draft Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA) of 2001.

Article 1 of ARSIWA states that, "Every internationally wrongful act of a State entails the international responsibility of that State". As Shaw states, "existence of an international legal obligation between states and a breach of such legal obligation are the prerequisites for State responsibility in International Law".[1] As per Article 2 of ARSIWA, determining whether there has been an internationally wrongful act by the state, requires a conduct of the state constituting an act or omission "(a) is attributable to the State under international law; and (b) constitutes a breach of an international obligation of the State".

It must be noted that conduct of a state includes both acts or omissions. It also needs to be emphasised that while a state is an organised entity under international law, it is also undeniable that it cannot act for itself. An act of state necessarily involves individuals or groups; it "can act only by and through their agents and representatives"[2] In consonance Article 4 of ARSIWA states that, "conduct of any State organ shall be considered an act of that State under international law, whether the organ exercises legislative, executive, judicial or any other functions, whatever position it holds in the organization of the State, and whatever its character as an organ of the central Government or of a territorial unit of the State".

The customary international law recognises that the state is completely responsible for its agents as was also observed in Armed Activities on the Territory of Congo case that, "[a]ccording to a well-established rule of a customary nature . . . a party to an armed conflict shall be responsible for all acts by persons forming part of its armed forces".[3] Thus, in case a cyberattack is conducted by any organ of the state it would be considered an act of the state itself. This extends, as per Article 5, ARSIWA, even to private entities that are not an organ of the State under article 4 but which is empowered by the law of that State to exercise elements of the governmental authority.

This conception holds consistency with the "effective control test". With respect to "omissions" under Article 2(a), a state should not knowingly allow an attack (cyberattack in the present context) to originate from its territory. This is what was held in Corfu Channel Case, where Albania was held liable for presence of mines in its territorial waters as "it was a sufficient basis for Albanian responsibility that it knew, or must have known of the presence of mines in its territorial waters and did nothing to warn their States of their presence".[4]

An even bigger challenge, in cyberwarfare in particular and, armed conflict in general, with respect to state responsibility emerges in considering whether an act of non-state actor can be attributed to state responsibility. Cases of this kind arise where state organs supplement their own action by recruiting or instigating private persons or groups who act as "auxiliaries" while remaining outside the official structure of the State. The G7 in its "Declaration on Responsible State Behaviour in Cyberspace" noted that the customary international law of State responsibility supplies the standards for attributing act to States, which can be applicable to activities in cyberspace.

In this respect, States cannot escape legal responsibility for internationally wrongful cyber acts by perpetrating them through proxies. Hacktivists are usually individuals, that possess sufficient capability to conduct cyber-attack and the nature of cyberspace permit them to conduct a cyberattack on a state from anywhere, including from a third state. Thus, any action against such individuals or groups in the third state raises question of violation of state sovereignty.

Article 51 of UN Charter dealing with use of force does not specifically deal with use of force against non-state actors, it leaves a loophole to be exploited by the non-state actors specifically under cyberwarfare, which is in itself a relatively new domain for international law.

While in the case of non-state actors, as provided in Article 8 of ARSIWA, that an act of persons or groups shall be considered an act of state under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct . As was also observed in the Military and paramilitary Activities in and against Nicaragua case, where ICJ considered whether USA was responsible for actions of rebels against Nicaraguan government, the ICJ held that responsibility would entail "effective control" over the non-state actor group. Thus, state attribution can be made if the group are in effective control of the state.

Further, "overall control" test developed in the Tadic case is also notable along with Article 11 of ARSIWA which states that, conduct which is not attributable to a State under the preceding articles shall nevertheless be considered an act of that State under international law if and to the extent that the State acknowledges and adopts the conduct in question as its own. The United States Diplomatic and Consular Staff in Tehran case, an attack on US embassy by Iranian militants was endorsed by the State and thus state responsibility was imposed.

Acts of those without state endorsement presents a more complicated matter. While an act conducted by persons or groups under effective control of the State or endorsed by the state, or, a lapse exists on part of the state in not allowing its territory to be used by a state, may entail state responsibility. But if measures are taken by the state and yet, a cyberattack still manages to originate from its territory, the State should not hold state responsibility.

Conclusion
It can thus be concluded that the jurisprudence on state responsibility as enumerated in the Articles on Responsibility of States for Internationally Wrongful Acts of 2001 hold substantial applicability in context of cyberattack as perpetrated by both state and non-state actors.

The provisions relating to state attribution can be readily interpreted in the context of cyberattacks. Though, that being said, there are substantial issues particularly, with respect to the nature of cyberattacks itself that raises several complications with regards to both establishing responsibility of a state and the extent to which the responsibility of a state exists.

End-Notes:

1. M.N. Shaw, International Law (4th Edition, Cambridge University Press, 1997) 541.
2. German Settlers in Poland, Advisory Opinion, 1923 PCIJ Series B, No. 6 p. 22.
3. Armed Activities on the Territory of Congo (Dem. Rep. Congo v. Uganda), 2005 I.C.J. 116, 214.
4. Corfu Channel, Merits, judgement, ICK Reports 1949, p. 22-23.

Award Winning Article Is Written By: Mr.Zaier Ahmad

Authentication No: JU353214182381-15-0623