Cyber Operations falling under “Attack” in IHL
Introduction
The increasing use of cyber operations during international armed conflict encapsulates the ever-evolving nature of the concept of warfare.1Kharel A, ‘The Proliferation of Cyber War and International Humanitarian Law’ (GlobalCampus of Human Rights – GCHR, 25 April 2022) accessed 3 June 2023 This development raises a number of concerns in today’s increasingly cyber-dependent societies, in which malicious cyber activities threaten to cause significant disruption to societies and harm to people.2Laurent Gisel , Tilman Rodenhauser and Knut Dormann , ‘Twenty Years on : International Humanitarian Law and the Protection of Civilians against the Effects of Cyber Operations during Armed Conflicts ’ (2020) 102 International Review of the Red Cross, Pg 3 States such as the United Kingdom (UK), the United States of America (USA) and Australia have publicly disclosed their use of cyber operations in their conflict against ISIS.3Ibid In addition, cyber operations have affected other countries involved in armed conflict, such as Georgia in 2008, Ukraine in 2015-2017 and Saudi Arabia in 2017.4Ibid, Pg 3 & 4 These incidents show an increase in cyber operations and evidence that the means of warfare are evolving, with almost 100 states having developed cyber military capabilities.5American Red Cross Society of International Humanitarian Law 2021,” Cyber Operations Under International Humanitarian Law “ ( 02 October 2021) < https://youtu.be/wyvhotzodTc> accessed 22 May 2023
This paper examines the meaning of “attack” under international humanitarian law (IHL), and whether cyber operations fall under the definition. There is a relative degree of consensus that cyber operations that cause injury or harm to objects or civilians constitute an attack; however, when it comes to other forms of harm, expert viewpoints differ. This paper suggests an effects-based approach, in which the effect and scale of a cyber operation can be used as criteria to decide what constitutes an attack. Those cyber actions that do not constitute an attack under the Protocol Additional to the Geneva Conventions of 12 August 1949 and Relating to The Protection of Victims of International Armed Conflicts, 19776Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims ofInternational Armed Conicts (adopted 8 June 1977, entered into force 7 December 1978) (hereinafter referred to as “API”) can protect civilians from harm under other IHL rules, such as military operations and necessity.
This paper first examines the concept of cyberspace and its potential regulation under IHL’s general principles. It then explores the term “attack” under IHL as well as the fundamental concepts of distinction and proportionality. The final section analyses the difficulties in interpreting the term “attack” in the context of cyber operations as well as how the guiding principles of IHL, such as the rules of proportionality and distinction, apply.
Definition of Cyber Space
The term cyberspace was coined by William Gibson in his 1984 book, Neuromancer,7Rouse M, ‘Cyber Space ‘ (Techopedia, 5 June 2023) <https://www.techopedia.com/definition/2493/cyberspace > accessed 14 June 2023 as an “interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.”8CSRC , ‘Cyber Space ‘ (Information Technology Laboratory, Computer Resource Center) <https://csrc.nist.gov/glossary/term/cyberspace#:~:text=the%20complex%20environment%20resulting%20from,exist%20in%20any%20physical%20form. > accessed 14 June 2023 The term “cyberspace” refers to the virtual computer world and, more specifically, an electronic medium that facilitates online communication.9Supra Note 7 Cyberspace is a domain in which people share information, interact with one another, participate in discussions or social media platforms, and take part in various kinds of other activities.10Vedantu, ‘Cyber Space and its Meaning ‘ (Vedantu, 13 June 2023) <https://www.vedantu.com/commerce/introduction-to-cyberspace > accessed 14 June 2023
Cyber Warfare: Does International Humanitarian Law Apply?
Whether IHL applies to cyber operations during armed conflict remains a matter of debate. While debate persists, according to the ICRC, there is no doubt that cyber activities during armed conflicts, or cyber warfare, are governed by IHL, just as any weapon, means, or method of warfare, used by a belligerent in armed conflict. The fact that cyber operations rely on new and constantly evolving technology does not exclude the application of IHL to the use of such technologies as means or methods of warfare.11Supra Note 2, P 12
Certain IHL norms are designed to anticipate the development of new means and methods of warfare and presumed that IHL would apply to them. An important and more recent IHL rule in this respect is enshrined in Article 36 of the API, which states that in the study, development, acquisition, and adoption of a new weapon, means, or method of warfare, High Contracting Parties must determine if their new weapon, means, or method of warfare would be prohibited by this Protocol or other international law.12API, Article 36 This assumption is based on the obligation that IHL applies to the new means and methods of warfare, which include methods of warfare relying on technology.13Supra Note 2, P 12 This was affirmed by the International Court of Justice in its Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons, where it held that established principles and rules of humanitarian law applicable in armed conflict apply “to all forms of warfare and to all kinds of weapons”, including “those of the future”, which in this case would include cyber operations.14Legality of the Threat or Use of Nuclear Weapons [1996] ICJ 3
The increasingly shared view of states and international organisations is that IHL applies in cyberspace and restricts its application in cyberspace. According to the UN Group of Governmental Experts Report 2013 and 2015, “international law, particularly the UN Charter, is applicable in the context of information and communication technology,” a conclusion confirmed by the UN General Assembly.15UN General Assembly, “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security: Note by the Secretary-General” and UNGA Res. 73/27, above note 15, preambular para. 17; UNGA Res. 73/266, above note 15, preambular para. 12. Similarly, the European Union and NATO have accepted the application of IHL to cyber operations, and the Paris Call for Trust and Security in Cyberspace (supported by seventy-eight states as of April 2020) has reaffirmed the applicability of IHL to cyber operations during armed conflict as well.16Supra Note 2, P 13 In the Paris Call, states have expressed their opposition to the militarisation of cyberspace and concerns about the legitimisation of military cyber operations.17IBID, P 13, 14 However, IHL sets limits on the conduct of hostilities when states or non-state parties decide to resort to cyber operations during an armed conflict. In such cases, IHL would be applicable, and the principles of distinction, proportionality, and military necessity would need to be respected.18IBID, P 14, 15
Attacks under International Humanitarian Law
In IHL, the term ‘attack’ refers to a particular category of military operations. It is defined in Article 49 of API as “acts of violence against the adversary, whether in offence or in defence.”19AP1, Article 49 An attack is an operatively key threshold in IHL because many of its core restrictions apply to acts qualifying as such.20IBID Attacks are not ipso facto illegal or contrary to IHL; rather, IHL defines certain situations in which attacks can be carried out in a manner that allows a belligerent party to achieve a military advantage within its limitations.
One must keep in mind that the term attack comes into operation once the armed conflict has commenced. Under IHL, attacks can only be conducted during hostilities. ‘Combat action’ refers to a host of activities against the adversary, either in offence or defence, and the concept of ‘attacks’ falls within this ambit. The distinction between ‘combat action’ and ‘attack’ is that combat action’ does not require the use of violence, such as deploying troops and artillery batteries in strategic locations.21THE PROSECUTOR v BOSCO NTAGANDA . ICL 1786 (ICC 2017) Appeals Chamber [ICC]
The word ‘attack’ refers to the application of physical force by a belligerent Party against its adversary. Thus, the concept of ‘attacks’ does not cover non-physical means of psychological or economic warfare such as the dissemination of propaganda and embargoes.22Supra Note 20, P 290 This distinction is important when determining whether cyber operations constitute ‘attacks’ for the subsequent application of IHL.
The Principles Governing the Notion of Attack under IHL
API sets out cardinal principles that a belligerent Party must bear in mind when conducting an attack. The first is the principle of distinction. This principle states that parties at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly direct their operations only against military objectives except if they participate in direct hostilities.23API, Article 51 A military objective must have two components: an effective contribution to military action and a definite military advantage.24Ibid.
The second important rule is the rule of proportionality, which serves to minimise the collateral damage to civilian life during the conduct of an attack. This rule applies only when a military objective is the object of attack and where incidental damage is foreseeable. Thus, a proportionality assessment requires the balancing of the military advantage expected to be gained from the destruction, capture or neutralization of a military objective, and the foreseen incidental damage harm to civilians and civilian objects caused by the military intervention.25API, Article 57 The rule states that anticipated incidental loss of human life and damage to civilian objects should not exceed the military advantage expected from destruction of military objective.26API, Article 57
Cyber Operations as Attack under IHL
Determining whether cyber operations fall under the definition of an attack under IHL is a complex issue. Cyber operations involve the use of digital techniques to disrupt or compromise computer systems, networks, or infrastructure.27‘What Is Cyber Security and How Does It Work?’ (Synopsys)<https://www.synopsys.com/glossary/what-is-cyber-security.html> accessed 15 May 2023 The applicability of IHL to cyber operations is a topic of ongoing debate and has not been definitively settled. The term ‘attack’ has been given different interpretations by the experts, the ICRC, and the states.
The majority view is that cyber operations that may cause death, injury to persons, or damage to objects are considered attacks, as per the definition under Article 49 API.28API, Article 49 It is well known that the concept of violence in this definition can refer to either the means of warfare and their effects, noting that an operation that has a violent effect can be an attack even if the means used to cause these effects themselves are not violent.29Supra Note 2, P 26 Based on this understanding, the Tallinn Manual, an academic study on the application of international to the cyberspace, has suggested that “a cyber-attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”30IBID The definition of “attack” adopted in the Norwegian and New Zealand military manuals mirrors the definition adopted in the Tallinn Manual 2.0.31IBID 28 & Zhixiong Huang and Yaohui Ying , ‘& nbsp; The Application of the Principle of Distinction in the Cyber Context; a Chinese Perspective ’ (2020) 102 International Review of the Red Cross, Humanitarian Debate : Law, policy, action It is widely accepted by states, the ICRC, and experts on this issue that at least cyber operations that cause death, injury, or physical damage constitute attacks under IHL. Some states expressly include harm resulting from the foreseeable indirect (or reverberating) effects of an attack, and this is the view of the ICRC as well.32IBID, 27 For example, this could be the case if a cyberattack on the electricity supply to a hospital killed patients in an intensive care unit.33IBID
Experts have different views on whether a cyber operation that disable an object without physically harming it constitutes an attack under IHL.34IBID 27 There were elaborate discussions on this during the drafting of the Tallinn Manual. A wide majority of experts held that a cyber operation constitutes an attack if it is expected to interfere with the functionality of an object that requires the replacement of physical components.35IBID 27, International Committee of the Red Cross, ‘International Humanitarian Law and Challenges of Contemporary Armed Conflict’ (2015) 97 International Review of the Red Cross: Humanitarian debate: Law, policy, action
In contrast, some experts are of the view that cyber operations will be considered an attack if the restoration of functionality requires the reinstallation of the operating system or of particular data. Thus, the attack is identified by the need for the adversary to take action in order to restore the infrastructure or system (equipment repair, part replacement, network reinstallation, etc.).36IBID 29, 30 This view is shared by Chile, which states that if the results of an operation require affected states to “take steps to repair or restore affected infrastructure and computer systems,” the operation qualifies as an attack.37IBID, 30
The ICRC’s view on this subject matter is that any operation that is designed to disable a computer or computer network during an armed conflict amounts to an attack defined in IHL, whether or not the object is disabled through destruction or some other way.38IBID, 27 Because the definition of military objectives in Article 52(2) AP I refers to those objectives whose “neutralization” as a result of a possible attack would give the other Party a military advantage, the concept of “attack” under Article 49 AP I should be understood to include activities intended to impair the functioning of objects despite not causing physical damage or destruction. An overly restrictive understanding of the concept of attack may undermine the object and purpose of the rules for the conduct of hostilities aimed at ensuring the protection of civilians and civilian goods from the effects of hostilities.39IBID 27 & 28
The effect of a certain cyber activity can be used as a criterion to assess whether it is a cyber operation. The scope of the term ‘attack’ is often determined by the consequences of an operation as opposed to its nature. This criterion is based on the opinions of experts in the Tallinn Manual.40Michael N Schmitt, Tallinn Manual 20 on the International Law Applicable to Cyber Operations (2nd edn, Cambridge University Press 2017) In the Nicaragua v U.S. judgement, the International Court of Justice stated that the scale and effects of an attack must be weighed when evaluating whether certain actions constitute an armed attack, which would constitute a violation of Article 2(4) of the UN Charter’s prohibition on the use of force.41Case Concerning Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. United States of America); Merits, International Court of Justice (ICJ), 27 June 1986, available at: https://www.refworld.org/cases,ICJ,4023a44d2.html [accessed 13 June 2023] Similarly, the Tallinn Manual experts concluded that there is no reason to exclude cyber operations from the scope of acts that may constitute a use of force if the scale and consequences of the operation in question are comparable to those of non-cyber operations that would qualify as such.42Supra Note 43, P 330 & 331 Though they may be carried out through non-kinetic means, cyber operations can have violent consequences. For example, a cyber operation that alters the running of a SCADA system controlling an electrical grid and results in a fire qualifies.43IBID, P 415 & 416
On the other hand, other cyber operations may not have physical or violent effects, but may result in interference of functionality, which, as discussed above, may qualify as damage if restoration of functionality requires the replacement of physical components. Thus, a cyber operation that targets an electricity grid’s computer-based control system, which would require the replacement of certain components or the entire system, would qualify as an attack.44IBID 417 & 418 In another situation, if the effect of a cyber operation is such that it disables an object and the effect is such that it loses its operability,45IBID 418 then under the above-mentioned criteria, it will amount to an attack. As a result, the effect-based criterion can be utilised to determine whether a certain cyber operation constitutes an attack.
Depending on the effects of the operation, any operation against the data may constitute an attack. If data is deleted or manipulated in a way that is intended or expected to cause death or injury to a person, or damage to (by disabling) a physical object, the operation will qualify as an attack, regardless of whether the data itself constitutes an object of attack for the purposes of IHL. If the effect of a cyber operation is such that it aims to tamper with or delete data, it may have the indirect effect of destroying the object in question on which said data is stored, such as a local server.46IBID Thus, the consequence-based approach indicates that a data breach would be considered an attack because its effect would cause harm to the object regardless of whether it falls under the concept of an object.
The Principles of IHL Governing the Cyber Space
In the context of cyber operations, the principle of distinction can be applied by ensuring that cyberattacks are directed only at legitimate military objectives or combatants, rather than indiscriminately targeting civilian infrastructure or non-military systems. However, civilians may be at risk due to the interconnectedness of cyberspace, which is where the precautionary principle comes into operation.
The principle of distinction prohibits indiscriminate attacks, including attacks using cyber means and methods of warfare. An indiscriminate attack is a type of attack that fails to differentiate between civilians or civilian objects, and combatants and military objectives. For example, malware that exploits vulnerabilities in civilian and military systems, self-propagates and are released into open networks would be considered an indiscriminate attack. Similarly, certain cyber operations may be aimed at military objectives, but once released, are likely to spread uncontrollably and are expected to cause disproportionate harm to civilians.47The Principle of Distinction ’ [2023] International Committee of the Red Cross, P 2
In its position paper, the ICRC has suggested a few steps that can be taken to ensure that the principle of distinction is respected. From a technological perspective, cyber tools can be programmed and used to target and harm only specific objects and not spread harm indiscriminately. Faced with these risks, those planning or conducting cyber operations must take all feasible steps to ensure that the target is a military objective to remain within the prescribed limits of IHL.48IBID P 2, 3
With regards to the principle of proportionality, one must bear in mind that the harm in cyber operations may be different from more traditional kinetic operations. For example, a cyber operation could incidentally disable civilian objects without physically damaging them, but the effects may be more widespread due to the interconnectedness of cyberspace. Thus, proportionality assessments even more important in the cyberspace due to this inherent interconnectedness and subsequent difficult of separating civilian and military data, particluarly on public servers, or where encryption protection is easily bypassed.
The assessment of incidental civilian harm includes harm from the foreseeable direct and indirect effects of cyber operations. Direct harm in this context means effects that are directly and immediately caused by a cyberattack, for example, damage to the targeted systems. Indirect harm, also referred to as ‘reverberating effects’, covers all other consequences that may foreseeably result from the cyberattack in question. The need to consider incidental harm raises the question of whether the accidental loss of functionality of civilian computers, systems, or networks also needs to be considered in order to apply this principle of proportionality. According to the ICRC, all types of damage associated with protecting civilian objects from direct attack must be considered, even if such objects are disabled. The incidental civilian harm must be compared with the direct and concrete military advantage. Assessing the expected incidental civilian harm of any cyber operation is critical, and it is critical that the harm to the civilian population is minimised or reduced in dual systems.49‘The Principle of Proportionality ’ [2023] International Committee of the Red Cross, P 1-3
Conclusion
Ultimately, this article attempts to identify ways in which cyber warfare can be regulated under IHL, while also highlighting areas that need further work. Currently, there is no universally accepted consensus on when a cyber operation constitutes an attack under IHL. States and legal experts continue to grapple with the challenges of applying traditional legal frameworks, such as IHL, to the rapidly evolving field of cyber warfare. Nevertheless, efforts are underway to clarify the applicability of IHL to cyber operations, which will lead to the development of consolidated legally-binding norms regulating cyberspace.
To this end, states should recognise that international humanitarian law applies to cyberwarfare, engage in discussion and reflect on how international humanitarian law should be applied, and consider its application during armed conflict. Some scholars believe that perhaps a new Convention would provide much-needed clarity in this field.50Haroon S (RSIL 2015) rep accessed 2 June 2023 , pg 40 Finding a common understanding of cyberwarfare is therefore crucial to effectively protecting civilians from the direct and intentional effects of cyber operations. It will be necessary to determine whether the challenges posed by such cyber operations are being given due consideration by existing rules and principles of IHL.
The opinions expressed in the articles on the Diplomacy, Law & Policy (DLP) Forum are those of the authors. They do not purport to reflect the opinions or views of the DLP Forum, its editorial team, or its affiliated organizations. Moreover, the articles are based upon information the authors consider reliable, but neither the DLP Forum nor its affiliates warrant its completeness or accuracy, and it should not be relied upon as such.
The DLP Forum hereby disclaims any and all liability to any party for any direct, indirect, implied, punitive, special, incidental or other consequential damages arising directly or indirectly from any use of its content, which is provided as is, and without warranties.
The articles may contain links to other websites or content belonging to or originating from third parties or links to websites and features in banners or other advertising. Such external links are not investigated, monitored, or checked for accuracy, adequacy, validity, reliability, availability or completeness by us and we do not warrant, endorse, guarantee, or assume responsibility for the accuracy or reliability of this information.