Cyber Operations and International Humanitarian Law

Introduction

As of April 2023, there were 5.18 billion users of the internet in the world, making up 64.6 percent of the global population.¹ As our lives become increasingly digitised and the ‘internet of things’ grows, we are all the more exposed to the possibility of cyber operations in the event of an armed conflict. For instance, distribution networks for food, water, energy as well as healthcare, transportation, and businesses increasingly rely on information technology for their operations.² Cyber operations pose unique challenges for the law of armed conflict as unlike nautical, aerial, and terrestrial attacks, they occur both in the physical and systematic world.³ Moreover, the interconnectivity of cyberspace and the self-propagation of cyber tools beyond the launcher’s intentions increases the risk posed to civilians.

While the US’ Department of Homeland Security said in 2018 that the risk of cyber attacks now exceeds the risk of physical attacks, it has been argued that the law has not kept abreast with this new reality.⁴ This month, at the Diplomacy, Law and Policy Forum, we explore cyber operations under the laws of war. Our articles under this theme explore issues with the application of IHL to cyber operations, namely the challenges of whether data constitutes an object, the definition of an attack and the difficulties in attributing attacks conducted in the cybersphere to a state. This editorial will touch on the key questions that the international community needs to answer going forward in determining how the laws of war apply in cyberspace.

Application of IHL

Currently, over 100 countries are developing cyber capabilities and some have acknowledged that they have used them in an armed conflict. In 2015, US President Obama referred to cyberspace as the “new Wild West” in that it was vast and lawless.⁵ However, this does not accord with the understanding of many states, which is that the cyber domain is not a legal vacuum and that international law applies online just as it does offline.⁶ While cyber operations are not expressly mentioned in IHL, they are still governed by it, as alluded to in the Nuclear Weapons Advisory Opinion, in which the International Court of Justice held that IHL applies “to all forms of warfare and to all kinds of weapons” including “those of the future”.⁷ Therefore, the question then becomes how does IHL apply to cyberspace? This remains complicated and requires further state practice to determine how the rules of war can continue to apply in the non-physical realm. The Tallinn Manual does attempt to shed some light on these issues but its findings are merely persuasive and not binding.⁸ The key debates which remain contested are explored in more detail below.

Threshold for an Armed Conflict

Cyber operations complicate issues of classification of armed conflicts as they can cause disruption without physical damage and are often transborder.⁹ The threshold for an international armed conflict is low in that it merely requires the resort to force between two states.¹⁰ It is not clear when a cyber operation may amount to an IAC between states. Schmitt argues that there must be a de minimis standard stating that “much the same way that a soldier throwing a rock across the border does not propel the States concerned into international armed conflict, it would not suffice, for instance, to merely disable a single computer that performs non-essential functions”.¹¹ However, beyond this it is unclear where the threshold falls in triggering an IAC between states and whether state practice will evolve to include disruptive denial of service attacks or the deletion of critical data into this de minimis standard.

The requirements for a non-international armed conflict pose even greater difficulties in cyberspace. These criteria, as laid down in the Tadić judgment, are protracted armed violence and an organised armed group.¹² In terms of the intensity of violence, no cyber attack has yet reached this threshold, as singular and sporadic cyber operations, even if they do not cause physical damage or injury, would not amount to a civil war.¹³ Geiss argues that “network intrusions, cyber exploitation operations, data theft and data manipulation, as well as random denial-of-service attacks carried out by a non-State actor, while they would fall into the realm of domestic criminal law and could arguably amount to “attacks” in the sense of Article 49 of Additional Protocol I if carried out in the context of an already ongoing armed conflict, would not suffice to trigger a non-international armed conflict in view of the intensity threshold required for this particular conflict category”.¹⁴ This seems to equate the definition of an ‘attack’ which will be explored later with the requirement of ‘protracted armed violence’ in determining the threshold of a NIAC. Therefore, violence would require physical harm or destruction. Similarly, the Commentary to Rule 83 of the Tallinn Manual also includes a non-exhaustive list of activities that would not fulfil the intensity criteria, including network intrusion, the deletion or destruction of data, computer network exploitation, defacing websites, data theft, and blocking certain Internet functions or services.¹⁵ Though experts were then split as to whether non-destructive but severe cyber operations would be sufficient to meet the criteria for a NIAC.¹⁶ This interpretation of the requirements of a civil war may see some evolution over time as these ‘incidents’ become more common. This may be particularly so when an organised armed group only wages cyber attacks against a state which severely disrupts civilian life yet causes no physical damage.

Another issue is that of the level of ‘organisation’ required for an armed group to be involved in a NIAC. Many individual hackers or virtual groups even if they act collectively may not qualify as ‘organised’ especially since it may not be possible to identify their members who may only be united by ideology.¹⁷ An example of this may be ‘Anonymous’, the group of hacktivists which have been linked to a number of high-profile cyber incidents.¹⁸ Due to their decentralised command, inability to enforce discipline within the group, and the lack of capacity to ensure their membership complies with the laws of war, it is unlikely they would fulfil the criteria of an organised armed group.¹⁹ Therefore, even if they did wage war against a state, in which protracted armed violence was involved, the lack of organisation would mean it would not constitute a NIAC.

Data as an Object

The question regarding whether data is a civilian object or not is significant as civilian objects are protected under the principle of distinction from being deliberately targeted during an armed conflict. There are two divergent views on this. The first argues that data is not an object and thus it is not covered by the rules on targeting unless the cyber operation in question affects tangible components of cyber infrastructure.²⁰ This is because data is not visible or tangible to constitute an object. The second view argues that data is an object and thus the cyber operation against it resulting in its destruction, erasure or alteration must comply with the requirements of IHL.²¹ Proponents of this view argue that an evolutive interpretation of the term object would bring data within its meaning in the current age. Moreover, visibility or tangibility is not a requirement for something to be an object and that the object and purpose of IHL necessitates an expansive interpretation.

While the ICRC agrees that the question of civilian data constituting an object is not yet resolved by the international community, it does argue that essential civilian data, such as medical data, biometric data, social security data, tax records, bank accounts, companies’ client files or election lists and records, are essential to the functioning of civilian life and that IHL protections should extend to that data.²² Operations against civilian data which would delete or tamper with it could cause more harm to civilians than destroying tangible, physical objects.²³ As a result, it would not seem compatible with the rationale of IHL and its object and purpose to preclude that from being protected by IHL and would result in a significant protection gap.²⁴ Indeed, it does seem odd that information in paper form would be protected as an object, while the same civilian information stored digitally would not.

Definition of Attack

Attacks are defined as “acts of violence against the adversary whether in offence or in defence”.²⁵ It is accepted that cyber operations which entail physical damage or destruction are considered attacks under Article 49 of Additional Protocol I. The Tallinn Manual 2.0 also states that a “cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects”. Defining an operation as an ‘attack’ means as a result that the cardinal principles of distinction, proportionality, and precaution necessarily attach to them as their application is contingent on their being an ‘attack’.

However, the ICRC takes the view that a cyber operation which ‘disables’ an object even if it does not cause physical damage or destruction qualifies as an attack.²⁶ This is known as the ‘loss of functionality’ approach and is premised on the fact that “an overly restrictive understanding of the notion of attack would be difficult to reconcile with the object and purpose of the IHL rules on the conduct of hostilities”.²⁷ This finds further support in the fact that the neutralisation of an object can be a possible result of an attack (as distinct from its destruction or capture) under Article 52(5) of Additional Protocol I. This adds credence to the notion that the planning of such a cyber operation which would entail loss of functionality would have to comply with the cardinal principles of distinction, proportionality and precaution.

Attribution

The issue of attributing cyber attacks to a state is twofold; the primary issue is a technical one in forensically identifying the perpetrator of the attack in the anonymity of the cybersphere and the second question is whether that the perpetrator’s conduct can be attributed to a state under the law of state responsibility.²⁸ Given the ease with which perpetrators can obscure their location and identity through botnets and other means, it is extremely difficult to establish a link between a cyber incident and the attacker, and there is a risk that blame may be misattributed.²⁹

In light of these issues, some propose a strict liability model for cyber attacks in which states will be indirectly responsible for all breaches of international law taking place within their territory. Another state may then take countermeasures against that state for allowing the cyberattack to take place on its territory and it encourages states to act swiftly against those conducting attacks from its territory and to cooperate.³⁰ However, there are issues with this approach, namely that countermeasures are often a resort for the more powerful against the weak powerful and the efficiency of the most frequently used countermeasure, sanctions, are up for debate. Moreover, even if a state is violating its obligation to ‘police’ its territory or tolerating attacks, it is not responsible for those attacks under international law.³¹ Therefore, reducing the threshold for responsibility for cyber attacks alone, when these are notoriously difficult to prevent, may be a worrying development in the field of state responsibility.

Conclusion

Cyberspace is the new frontier of conflict and brings with it its own challenges and dangers. The rationale underpinning the laws of war and its cardinal principles is to reduce the suffering of civilians in an armed conflict. As our lives become increasingly online, this suffering must also be prevented in the digital and analogue world. The laws of war subsequently must be applied in a way which allows for an evolutive and expansive interpretation taking into account the colossal way in which our lives have changed through the advent of information technology. Any regime of law which cannot adapt to suit this new reality risks becoming irrelevant in the twenty-first century.