Simply put, cyberwarfare is when States or other actors use offensive or defensive means against each other in the cyberspace. As it is an activity that is not bound by geographical limitations, it becomes the subject of international law in general. Moreover, where such hostile activity rises to the level of an ‘attack’ it is then governed by international humanitarian law because an attack initiates an armed conflict under this regime. However, the law faces multiple challenges when it comes to cyberwarfare as compared to physical war. The first and foremost issue is ascertaining how a cyber-operation amounts to an ‘attack’. Furthermore, once that determination is made, identifying the perpetrator in cyberspace posits certain difficulties thereby making it hard to classify the nature of the armed conflict. This factor also increases the chances of destabilizing international peace and security, as an attack may be shown to originate from virtually anywhere in the world, thus inciting mistrust within the international community.
In addition to highlighting these challenges under international humanitarian law, this research paper also aims to contextualize these issues for Pakistan. Although, as yet, cyberwarfare has not had dramatic humanitarian consequences, the rate at which other States are developing offensive and defensive cyber means is a cause for grave concern for Pakistan; especially in the light of multiple hacking and espionage incidents of State organs in recent years.
Therefore, it is recommended that the State must actively seek to address the cyber threats it faces by establishing a cyber-defence mechanism, ideally a unified cyber command. A cyber command would be capable of not only defending against future incidents, but would also identify security loopholes and integrate every aspect of cybersecurity from policy to implementation at every level of the State. It must be borne in mind that Pakistan is bound by existing international humanitarian law with regards to cyberwarfare and therefore must adhere to those rules while establishing a cyber-defence mechanism. However, where such rules are insufficient or remain inadequate, domestic cyber laws become relevant to determine State practice and may be built upon.