Wars have been fought on land, sea, air and now in cyberspace. Recently, many States and non-State actors have started engaging in more advanced techniques of launching attacks while relying on digital infrastructure. Cyber warfare is a relatively new domain in which attacks are being launched and there is a need to explore how this area is governed by international law. Currently, there is no treaty that deals specifically with the development and use of cyber warfare, however the Tallinn Manual, which is a non-binding document, explores the applicability of international humanitarian law (“IHL”) to cyber operations and how they are to be applied. However, there remain several issues within the legal framework suggested which require further clarification, this may even take the form of future state practice in this field. This paper will consider the application of IHL during cyber operations, and the challenges associated with it. It will analyse how IHL regulates cyber operations during an armed conflict and will assess the gaps in the current legal regime. The article will also seek to provide recommendations on how to regulate cyber operations during armed conflicts.
Cyber warfare refers to the “means and methods of warfare that consist of cyber operations amounting to, or conducted in the context of, an armed conflict, within the meaning of International Humanitarian Law.”1ICRC, ‘What Limits Does the Law of War Impose on Cyber Attacks?’ (2013) <https://www.icrc.org/eng/resources/documents/faq/130628-cyber-warfare-q-and-a-eng.htm> accessed 15 May 2022 Cyber-attacks may involve destroying financial records, causing cyber blackouts, disrupting stock markets, etc. These attacks can be lethal as well, when for instance, blackout in the air traffic control leads to airplane crash.2U.S. GEN. ACCOUNTING OFFICE, GAO/AIM-98-155, AIR TRAFFIC CONTROL: WEAK COMPUTER SECURITY PRACTICES JEOPARDIZE FLIGHT SAFETY 9 (May 1998). The first ever cyber-attack was reported in 2007 when riots were enabled through social media by Russia in Estonia.3Michael N. Schmitt, ‘PILAC Lecture on Cyber Operations and IHL: Fault Lines and Vectors’ (April 2015) Lecture at Harvard Law School <http://pilac.law.harvard.edu/events/cyber-operations-and-international-humanitarianlaw-fault-lines-and-vectors> accessed 15 May 2022. This social media campaign led to the shutting down of Estonia’s private and government systems.4ibid. There have been many similar instances where computer data of government systems and other private entities was hacked by State and non-State actors, which led to a blatant violation of the laws of warfare.
Applicability of IHL to Cyber Warfare and its Challenges
The current IHL regime does not specifically address cyber weapons in the way it has banned certain conventional weapons,5Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons Which May be Deemed to be Excessively Injurious or to Have Indiscriminate Effects (and Protocols) (As Amended on 21 December 2001), 10 October 1980, 1342 UNTS 137. biological weapons6Convention on the Prohibition of the Development, Production and Stockpiling of Bacteriological (Biological) and Toxin Weapons and on their Destruction (adopted on 16 December 1971) 1015 UNTS. and chemical weapons.7Convention on the Prohibition of the Development, Production, Stockpiling and Use of Chemical Weapons and on their Destruction (adopted 13 January 1993). However, IHL is an adaptive body of law, which can be deduced from Article 36 of Additional Protocol I to the Geneva Conventions (“API”). This provision, also known as the ‘weapons review’ clause, requires States to conduct a legal review of a new weapon, means or method of warfare to determine if its employment would be prohibited under international law. It is clear from Article 36 that IHL is not restricted to weapons that were developed at the time when these laws were made. Hence, new and emerging technologies are also bound by the regime regardless of whether they have been directly addressed in the provisions of law or not. So when States adopt IHL treaties, they agree for these treaties to regulate their present and future conflicts. The International Court of Justice’s (“ICJ”) Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons supports this notion, where the court affirmed that the rules and principles of IHL apply to “all forms of warfare and to all kinds of weapons, including those of the future”.8International Court of Justice, Legality of the threat or the use of nuclear weapons, Advisory Opinion, 8 July 1996, para. 86. Therefore, as a new means and method of warfare, States are required to conduct a legal review of all “cyber weapons” to ensure compliance with IHL before using them in operations.
It is essential to establish the applicability of IHL to cyber operations as this regime accords various obligations as well as protections during armed conflicts. IHL is only applicable to cyber operations which occur during or in connection with an armed conflict. These conflicts are categorised into international armed conflicts (“IAC”) or non-international armed conflicts (“NIAC”). The category of armed conflict determines the rules applicable under IHL, therefore, it is necessary to consider what elements are required for each to determine which rules apply. Moreover, when it comes to cyber operations there are various challenges in determining when either an IAC or a NIAC exists with respect to the application of IHL.
International Armed Conflict
According to Common Article 2 to the Geneva Conventions of 1949, “the present Convention shall apply to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties, even if the state of war is not recognized by one of them.”9Common Article 2, the Geneva Conventions of 1949. The Commentary of the Geneva Conventions of 1949 further elaborates that whenever there is a resort to hostile armed force between two states, there is an international armed conflict.10D. Schindler, The Different Types of Armed Conflicts According to the Geneva Conventions and Protocols, RCADI, Vol. 163, 1979-II, p. 131. However brief or intense this resort to armed forces between States is, it would trigger the application of IHL.11Jean S. Pictet (ed) Geneva Convention IV relative to the Protection of Civilian Persons in Time of War: Commentary (ICRC 1958) 20–21 Moreover, the law has not prescribed any specific form for the resort to force,12Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion)  ICJ Rep 226, para 89 (holding that the relevant rules of IHL apply “to all international armed conflict, whatever type of weapons might be used”) (emphasis added) therefore hostilities between States may involve cyber operations or any combination of both cyber and kinetic operations. The issue arises when operations by non-state actors or private individuals can be attributed to a State which would render the conflict international. During cyber operations, States often act through private entities in order to preclude direct responsibility. In such situations it is crucial to establish “effective control” of the State over the cyber operation.13Case Concerning the Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgment)  ICJ Rep 43, para 405. Therefore, whenever two or more States are involved, having “effective control” over such entities, it would amount to an IAC, and thus the protections and obligations provided under the Geneva Conventions would be applicable. Such control is more difficult to establish in cyberspace as the location of the perpetrators or the machine from which the attack is launched all may be in different jurisdictions, with responsibility all the harder to establish.
Non-International Armed Conflict
When it comes to a NIAC, the following criteria needs to be satisfied as entailed in the Tadic case14ICTY, The Prosecutor v. Dusko Tadic, Judgment, IT-94-1-T, 7 May 1997, para. 561 whereby i) the hostilities must reach a minimum level of intensity; and ii) non-governmental groups involved in the conflict must possess a sufficient level of organisation.
It appears that no cyber attack by a non-State actor has ever risen to meet the required intensity of violence to trigger a NIAC. Singular and isolated cyber attacks such as data deft, network intrusions would not launch a NIAC as the requisite threshold of “protracted armed violence” would not be satisfied in such attacks. However, they may occur once a NIAC is already established when they would be part of the hostilities. Another element that needs to be fulfilled is that a NIAC can exist only between parties that are sufficiently “organised” and have the capacity to sustain military operations. For this reason, there must be a distinct armed group with a visible and verifiable organizational structure.15Prosecutor v. Limaj, Case No. IT-03-66-T, Judgment (Trial Chamber), para. 129 (Int’l Crim. Trib. for the former Yugoslavia Nov. 30, 2005). This is difficult in cyberoperations which may be conducted through a disorganised group of hackers with little coordination or cooperation with each other.
Regulation of 'Cyber-Attacks' under IHL
As discussed in the previous section, IHL is applicable to cyber operations that take place during armed conflicts, this section will now delve into how IHL regulates cyber operations to ensure that there is no violation of international law. IHL consists of a set of rules and principles, in light of which, various protections are available during armed conflicts. According to the criteria described above to qualify for an armed conflict, either of an international or non-international nature, there must be an attack. Article 49 of API defines ‘attacks’ as “acts of violence against adversary, whether in offence or defence”. According to the Tallinn Manual, a cyber attack is a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects”.16Tallinn Manual, Rule 30. There is a general notion that an attack consists of some form of physical damage, however in cyber operations the rights of others may be violated without causing any physical damage. Would this amount to an ‘attack’ in its true sense? According to the ICRC, an operation that leads to disabling a computer or a computer network would constitute an ‘attack’ within the ambit of IHL.17ICRC, International humanitarian law and the challenges of contemporary armed conflicts, 2011, p. 37; ICRC, International humanitarian law and the challenges of contemporary armed conflicts, 2015, pp. 41-42. Therefore, destruction caused by cyber operations would amount to an ‘attack’ and enable the applicability of IHL on cyber operations. However, some argue that there must be extinguished or reduced functionality due to such an operation for it to amount to an ‘attack’. For instance, the temporary disruption of functionality of cyber infrastructure can lead to death, injury, destruction or damage, such as leading to the crash of an aircraft. As it stands, there is not yet consensus as to whether an attack entails injury, death, damage or destruction or whether the broad approach requiring a loss of functionality would suffice.
Protection under IHL
The reason why the definition of an ‘attack’ is so important is because IHL’s cardinal principles, namely those of distinction, proportionality and precaution, all hinge on their being an established ‘attack’. These core principles are discussed below:
Principle of Distinction
One of the most important principles of IHL is the principle of distinction which aims to reduce human suffering and protect civilians during armed conflicts. This protection has been codified in Article 48 of API whereby distinction must be created between civilian objects and military objectives. Only military objectives can be targeted during an armed conflict, and the deliberate targeting of civilian objects is a violation of IHL which amounts to a war crime. The customary definition of military objectives can be found in Article 52(2) of API whereby “military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage”.
While the rules of IHL apply to both kinetic and cyber operations, however the application of such rules during cyber operations can be tricky because such rules were made keeping physical/ kinetic operations in mind so it is not always clear how these rules would apply to cyber operations. For instance, in this case, would data qualify as a military objective or civilian object under IHL? Two main views have emerged with respect to this. According to some experts, the definition of an ‘object’ can only be limited to physical properties i.e. something that is visible and tangible.18Tallinn Manual 2.0, commentary to rule 100, paras 5-6. They believe that IHL rules would not be applicable on cyber operations unless it involves some form of physical effect and/ or a loss of functionality of the target system or network.19ibid. Whereas, other experts are of the view that data can be defined as an ‘object’ as data is susceptible to being attacked and destroyed.20Kubo Mačák, ‘Military Objectives 2.0: The Case for Interpreting Computer Data as Objects under International Humanitarian Law’ (2015) 48 IsrLR 55, 73. Consequently, when States or non-State actors hack into essential civilian data during an armed conflict such as medical data, biometric data, social security data, tax records, bank accounts, companies’ client files or election lists and records, it could be considered a violation of the principle of distinction.
Another major challenge with respect to the distinction between civilian objects and military objectives is regarding the classification of civilian data as a ‘civilian object’. While the laws of armed conflict have defined civilian objects and military objectives, it is unclear whether ‘civilian data’ such as medical data, biometric data, tax records, social security data etc. would be considered as ‘civilian object’ in the context of cyber operations. Traditionally, data is not considered an ‘object’.21TALLINN MANUAL 2.0 ON THE INTERNATIONAL LAW APPLICABLE TO CYBER OPERATIONS 437 (Michael N. Schmitt ed., 2d ed. 2017). The Tallinn Manual reached this conclusion by viewing data as ‘intangible’ and thus outside the ordinary meaning of ‘object’. However, an attack would still be deemed to be launched when due to targeting of data, the functionality of the other State’s computers or cyber systems is disrupted.
Principle of Military Necessity and Proportionality
While States and non-State actors must not target civilians and civilian objects during an armed conflict, however if they are made a subject of an attack then the principle of military necessity and proportionality must be respected. Under Article 51(5)(b) and 57(2)(iii), the collateral damage to civilian objects should not be in excess to the concrete and direct military advantage gained from an attack on a military objective. It can be said that proportionality restricts the employment of force through warfare as the principle of proportionality requires that the “loss of life and damage to property incidental to attacks must not be excessive in relation to the concrete and direct military advantage expected to be gained”.22U.S Department of Army, Field Manual 27-10, The Law on Land Warfare, para. 41 (July 18, 1956). With the growing use of cyber attacks, it is important to determine when these attacks become disproportionate to civilians. Proportionality, in simple terms, can be defined as a restraint on force. Therefore, it is vital to exercise proportionality when launching cyber attacks in order to ensure that the attack launched is within the realms of IHL and does not exceed such limitations.
According to the Tallinn Manual, the principle of proportionality is also applicable to cyber operations.23Tallinn Manual, at 159. While the Tallinn Manual affirms that the law of armed conflict applies to cyber operations, which is why the standard of proportionality also needs to be maintained, the issue with applying this principle to cyber operations persists. Nowadays, there are systems with dual-use i.e., such systems can be put to both military and civilian use simultaneously. Such systems include power plants that supply power to both civilian and military areas, and air traffic control systems supporting both civilian and military bases. The application of the standard of proportionality to cyber warfare would require for there to be a distinction between dual-systems. While dual-use systems can be considered as military targets, however, civilian usage of such systems complicates the applicability of the proportionality standards. Attacking dual-systems would lead to collateral damage.
Another issue that persists with the application of proportionality during cyber operations is the ‘knock-on effects’, which can be defined as ‘the indirect consequences that flow from the direct results of a given action’.24Eric Talbot Jensen, Unexpected Consequences from Knock-on Effects: A Different Standard for Computer Network Operations?, 18 AM. U. INT’L L. REV. 1145, 1176 (2003). While it is responsibility of the commander to keep in mind the ‘direct effects’ which can be defined as ‘immediate, first order consequences, unaltered by intervening events or mechanisms’,25Chairman, Joint Chiefs of Staff, Joint Publication 3-60: Joint Targeting, at I-10 (2007), available at http://www.bits.de/NRANEU/others/jp-doctrine/jp3_60(07).pdf. it becomes difficult to consider the ‘indirect effects’ which are ‘the delayed and/or displaced second or third and higher order consequences of actions created through intermediate events or mechanisms’.26ibid. Due to the expansive nature of cyberspace, it becomes difficult to ascertain the ripple effect of such attacks and determine how such attacks can affect those who are outside the initial sphere of attack. Moreover, the interconnectedness of cyber systems further complicates the predictability of knock-on effects.
Principle of Precautions in Attack
The principle of precautions in an attack has been enunciated in Article 57 of API and is customary and therefore binding on States in both an IAC and NIAC.27Tallinn Manual, commentary on rule 52. The principle of precautions in attack can be categorized into active and passive precautions. Action precaution means the steps taken before an attack is launched. These preventive steps aid in identifying targets to ensure that no civilian or civilian object is targeted during these cyber operations. Whereas, passive precaution are the steps that must be taken after a cyber attack has been launched whereby parties to the conflict are under an obligation to protect civilians from the dangers of these cyber attacks. Therefore, during a cyber operation, commanders and all other persons in charge must comply with this legal obligation.
This principle requires the commander to take ‘feasible’ actions in an attack which means that the commander should consider anything that is ‘practicable or practically possible, taking into account all circumstances ruling at the time’.28Reservation Letter from Christopher Hulse, Ambassador from the United Kingdom to Switzerland, to the Swiss Government (Jan. 28, 1998), available at http:// www.icrc.org/ihl.nsf/NORM/0A9E03F0F2EE757CC1256402003FB6D2?OpenDocument. Before a cyber operation, the commander would be required to take ‘feasible precautions’ whereby the commander should determine the effects of the attack on the civilians and civilian objects in the exercise of his constant carry. However, if the commander is unable to determine the attack’s extent, he cannot launch the attack. Moreover, the application of this principle is limited to the circumstances of the commander at that time which can easily lead to complications at a later stage. For instance, if prior to the attack the commander has determined that the attack would not cause damage to civilians or civilian objects but later the malware may spread to a civilian network that the commander was not aware of earlier. It is pertinent to note that this principle originated with a ‘geographic’ focus which makes it difficult to apply to cyber operations especially since these often occur at a speed of milliseconds.
Attribution of Conduct in the Cyberspace
While it is easy to identify the perpetrators of kinetic warfare, the same is not easy in cyberspace. Nowadays, due to the advancement of technology, anyone around the globe can engage in cybercrimes while hiding their identities by using proxies, thus making it almost impossible to assign responsibility to States for this conduct. The attribution of cyber operations is crucial to make sure that actors who violate IHL are held accountable. Under international law, States are held responsible for conducts that are attributable to them. According to the Draft Articles for Responsibility of States for Internationally Wrongful Acts, 2001 the conduct of the following are attributable to the State for which it will be held accountable under IHL:
- State organs;
- Persons or entities upon which the State exercises governmental authority;
- Persons or groups acting under the State’s control; and
- Private persons or groups whose conduct the State adopts as its own.
Therefore, attacks launched in cyberspace against another state by government organs, private companies, or persons, whose conduct the State adopts as its own or upon whom the State exercises its control or power would be attributable to the State itself, and the State would be held accountable for the violations of international law through such cyber operations. However, there are major challenges with this approach. It becomes extremely difficult to accord attribution to cybercrimes as attackers deliberately hide their identities and stage their attacks which makes it difficult to find out who caused the attack. Consequently, it becomes incredibly difficult to establish the chain of command and hold any State responsible for cyber attacks upon another State. However, it may be possible through evidence of where the machine launching the attack is located or through human intelligence which could provide the perpetrator’s identity. Therefore, attribution may not be impossible in all circumstances.
As discussed, IHL is applicable to new means and methods of warfare, thus these sets of rules would be applicable to cyber warfare during both IAC and NIAC. Keeping in mind the laws of armed conflict, it is essential to respect the three core principles of IHL i.e. the principles of distinction, proportionality and precaution in an attack. However, when the laws of armed conflict were made, such advanced technologies were not in place, which is why it is the need of the hour to introduce new laws that deal directly with cyber warfare as there persists certain complications with the applicability of the three cardinal principles of IHL during cyber operations.
While IHL is applicable to cyber warfare, its scope is very limited whereby the current IHL regime only requires a legal review to be conducted of such weapons and requires for these ‘new means and methods of warfare’ to be in compliance with the three cardinal principles of IHL i.e. principle of distinction, proportionality and precautions in attack, the law does not focus on other areas, such as attribution of cyber attacks. In addition to this, the current war law regime protects civilians and civilian objects from atrocities during armed conflicts, however the same becomes ambiguous when it comes to cyber operations as military and civilian cyber infrastructure are interlinked with each other which makes it difficult to accord protection to civilian cyber infrastructure. Hence, there is a need to introduce a special treaty that deals with cyber warfare in detail while focusing on the findings of the Tallinn Manual regarding the analysis and applicability of IHL on cyber warfare for the purposes of improving cyber security.
Furthermore, focusing on the limitation of the applicability of the principle of proportionality during cyber operations, it is crucial to develop a proportionality standard in a unified international treaty that needs to be observed by parties to a cyber operation in order to avoid lethal cyber consequences. Militaries need to conduct a proportionality analysis before any cyber-attack that may cause incidental damage to civilians or civilian objections. Moreover, militaries must exercise the ‘constant care standard’ as stipulated in the API when conducting cyber operations even when these operations are not categorized as ‘attacks’ to protect civilians and civilian infrastructure. Militaries should also consult cyber experts to be aware of the impact of their attacks or operations on a particular system. This will help them determine the level or degree of anticipated harm incidental to the life of civilians or civilian objects. Moreover, nations should take precautionary measures such as providing systems with warning of attacks, training civil defense forces and monitoring networks in order to segregate between civilian objects and military objectives during cyber operations.
The opinions expressed in the articles on the Diplomacy, Law & Policy (DLP) Forum are those of the authors. They do not purport to reflect the opinions or views of the DLP Forum, its editorial team, or its affiliated organizations. Moreover, the articles are based upon information the authors consider reliable, but neither the DLP Forum nor its affiliates warrant its completeness or accuracy, and it should not be relied upon as such.
The DLP Forum hereby disclaims any and all liability to any party for any direct, indirect, implied, punitive, special, incidental or other consequential damages arising directly or indirectly from any use of its content, which is provided as is, and without warranties.
The articles may contain links to other websites or content belonging to or originating from third parties or links to websites and features in banners or other advertising. Such external links are not investigated, monitored, or checked for accuracy, adequacy, validity, reliability, availability or completeness by us and we do not warrant, endorse, guarantee, or assume responsibility for the accuracy or reliability of this information.
Amna Adnan Khawaja
Amna Adnan Khawaja, an LL.B graduate from Kinnaird College for Women, is currently working at Ali Khan Law Associates. Further, she is the Editor-in-Chief of Blackstone Law Journal, and coaches the students of Blackstone School of Law for national and international moot court competitions. Her interest lies in the fields of corporate law and international law, and she manages to juggle between the two on a day-to-day basis. She can be reached at [email protected].