The use of cyber operations during armed conflicts and the question of how international humanitarian law (IHL) applies to such operations have developed significantly over the past two decades. This finding is true at the operational, legal and political levels. Operationally, the use of cyber operations during armed conflict has become a reality of armed conflicts and is likely to be more prominent in the future. This development raises a number of concerns in today's ever more cyber-reliant societies, in which malicious cyber operations risk causing significant disruption and harm to humans. At the political and legal levels, through multilateral processes States have achieved agreement on some aspects of the legal and normative framework regulating cyber operations; however, the application of IHL to cyber operations during armed conflict remains the subject of intense discussion. A few States have published positions on how IHL applies to cyber operations during armed conflicts, and a wealth of academic studies exist on the matter, yet key issues remain controversial and lack agreement among States and other experts, or require further analysis. These include the notion of “attack”, the question of how civilian data are protected against harmful cyber operations, and which IHL rules apply to cyber operations other than attacks. In their different roles in the Legal Division of the International Committee of the Red Cross (ICRC), the authors of this article have followed these developments and debates closely and have engaged in governmental and non-governmental expert discussions on the applicability and application of IHL to cyber operations during armed conflicts since their beginning.
The ICRC has recently published a comprehensive institutional position on International Humanitarian Law and Cyber Operations during Armed Conflicts, which was submitted to the United Nations (UN) Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG).Footnote 1 In this article, we expand on this position and first explain why the potential human cost of cyber operations is a humanitarian concern. We then underline that IHL applies to – and therefore restricts – cyber operations during armed conflicts and examine different States’ views on this subject. Third, we analyze when cyber operations may trigger an armed conflict and how this threshold relates to the prohibition of the use of force and the right to self-defence under the UN Charter and customary international law. In the last and most substantial part of the article, we delve into some of the long-standing questions on how IHL applies to cyber operations during armed conflicts and what positions States have taken on some of the key issues.
Operationally, the use of cyber technology has become a reality in today's armed conflicts and is likely to increase in the future. Some States have acknowledged publicly that they have conducted cyber operations in ongoing armed conflicts. In particular, the United States, the United Kingdom and Australia have disclosed that they used cyber operations in their conflict against the Islamic State group.Footnote 2 There are also public reports suggesting that Israel used cyber operations against Hamas – and allegations that Hamas used cyber operations against Israel.Footnote 3 Furthermore, cyber operations have affected other countries involved in armed conflicts, such as Georgia in 2008,Footnote 4 Ukraine in 2015–17Footnote 5 and Saudi Arabia in 2017,Footnote 6 though the authors of these cyber attacks remain unknown and attribution of responsibility is contested. It is therefore unclear whether these operations had a nexus to the respective armed conflicts and thus whether IHL applied. Moreover, there have been reports of cyber operations by States in other situations where the legal classification may not be straightforward, including in what is sometimes referred to as a “grey zone”.Footnote 7 These examples show an increase in military cyber operations over the past decade – a change in warfare that might continue. Indeed, an increasing number of States are said to have or to be developing cyber military capabilities, including the five permanent member States of the UN Security Council.Footnote 8 Examples of the use of cyber operations during conflicts include espionage; target identification; information operations to affect the enemy's morale and will to fight; the interruption, deception or obfuscation of the enemy's communication systems aimed at hindering force coordination; and cyber operations in support of kinetic operations.Footnote 9 An example of the latter is the disabling of an enemy's military radar stations in support of air strikes.Footnote 10 Moreover, as seen in a range of cyber operations over the past decade – which may not necessarily have occurred in the context of armed conflicts – cyber operations against electricity grids, health-care systems, nuclear facilities or other critical infrastructure risk causing significant human harm.Footnote 11 Legally, discussions on whether and how international humanitarian law applies to, and restricts, cyber operations during armed conflicts began over two decades ago.Footnote 12 The drafting processes for the two Tallinn Manuals on the International Law Applicable to Cyber Operations (Tallinn Manuals) have shown that there is significant consensus among experts that IHL applies in cyberspace and that its basic rules and principles can and must be applied when conducting cyber operations during armed conflict.Footnote 13 As seen in the diverging views recorded in the Tallinn Manuals as well as in a growing number of State positions and the rich body of academic publications on cyber-related issues, however, various aspects of how certain rules of IHL apply in this field remain under-explored and disagreement exists on other questions, including some of the most-examined ones (see the section below on “The Limits that IHL Imposes on the use of Cyber Capabilities during Armed Conflicts”). At the political level, recent and ongoing discussions in the UN have shown that finding agreement on the applicability of IHL to cyber operations and furthering the study of how its rules should be interpreted remains challenging.Footnote 14 Discussions on questions relating to “information security” started when the Russian Federation introduced a first resolution on the subject at the UN General Assembly in 1998. These discussions have intensified over the course of the last few years. Since 2004, governmental experts have been meeting in six consecutive Groups of Governmental Experts on questions relating to information and telecommunications in the context of international security. In 2018, the UN General Assembly also established the OEWG, which runs in parallel to the GGEs. Both groups are mandated, inter alia, to study “how international law applies to the use of information and communications technologies by States”.Footnote 15 These discussions should build on the important conclusions reached by previous GGEs. In 2013 and 2015, States in the GGE affirmed that “international law and in particular the Charter of the United Nations is applicable” in the information and communication technology environment and cited “the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction”.Footnote 16 Yet, it appears from recent discussions in these UN processes, and as discussed further below, that finding agreement on the applicability of IHL to cyber operations and furthering the study of how its rules should be interpreted is challenging.
At the regional level, already in 2009 member States of the Shanghai Cooperation Organization (SCO) had identified “[d]eveloping and using information weapons” and “preparing and conducting information warfare” to be a major threat in the field of international information security, but they remained silent on the applicable legal framework.Footnote 17 Discussions on the application of international law, including IHL, have taken place in the Asian–African Legal Consultative Organization (AALCO) (which established an Open-Ended Working Group on International Law in Cyberspace in 2015)Footnote 18, the Commonwealth,Footnote 19 the European Union,Footnote 20 the North Atlantic Treaty Organization (NATO)Footnote 21 and the Organization of American States (OAS),Footnote 22 among others.
The potential human cost of cyber operations
The development of information and communication technology, including communication over computer networks (cyberspace), offers tremendous benefits and opportunities for States, societies and individuals in the social, economic, development, and information and communication realms, among others. The international community, societies, and each of us individually are increasingly relying on digital tools. This trend – which may be accelerated further by the COVID-19 pandemic spreading at the time of writing this article – increases our dependency on the uninterrupted functioning of these technologies, and thus increases our vulnerability to cyber operations. The rapidly evolving nature of cyberspace and cyber technology, and the potential human cost of cyber operations, therefore necessitates constant monitoring and assessment.
The use of cyber tools as a means or method of warfare offers militaries the possibility of achieving their objectives without necessarily causing direct harm to civilians or physical damage to civilian infrastructure. Depending on the circumstances, cyber operations might enable targeting a military objective while reducing the expected incidental damage to civilian objects compared to the use of other means of warfare. In recent intergovernmental discussions, some States emphasized that if employed responsibly and in accordance with international law, “the use of ICTs [information and communications technologies] in military contexts may be preferable to use of kinetic weapons and can be de-escalatory”.Footnote 23 In contrast, as noted above, SCO member States have warned of the dangers of “[d]eveloping and using information weapons” and “preparing and conducting information warfare”.Footnote 24
Conducting highly discriminative cyber operations that comply with IHL and spare civilian populations can be technologically challenging. The interconnectivity that characterizes cyberspace means that whatever has an interface with the Internet can be affected by cyber operations conducted from anywhere in the world. A cyber attack on a specific system may have repercussions on various other systems, regardless of where those systems are located. There is a real risk that cyber tools – either deliberately or by mistake – may cause large-scale and diverse effects on critical civilian infrastructure. The interconnectedness of cyberspace also means that all States should be concerned with its effective regulation: “attacks carried out against one State can affect many others – wherever they are located and irrespective of whether they are involved in the conflict”.Footnote 25 Cyber operations conducted over recent years – primarily outside armed conflicts – have shown that malware can spread instantly around the globe and affect civilian infrastructure and the provision of essential services.Footnote 26 As a result, commentators are warning that industrial cyber attacks present “a humanitarian crisis in the making”.Footnote 27
The health-care sector seems particularly vulnerable to cyber attacks.Footnote 28 The sector is moving towards increased digitization and interconnectivity, which increases its digital dependency and its attack surface – a development that is likely to continue in the coming years. Too often, these developments have not been matched by a corresponding improvement in cyber security.Footnote 29 This vulnerability became particularly apparent during the COVID-19 pandemic, when hospitals and other health-care facilities in various States had their operations disrupted by hostile cyber operations. In light of the particular importance of the health-care sector for mitigating suffering at all times, but especially during armed conflicts and health crises, the ICRC has called on all States to respect and protect medical services and medical facilities against cyber attacks of any kind, whether in time of peace or in time of conflict, and to reaffirm and recommit to international rules that prohibit such actions.Footnote 30 While this call reflects existing obligations under IHL as applicable to cyber operations during armed conflict,Footnote 31 it would reaffirm, or arguably strengthen, existing prohibitions under public international law that apply at all times.Footnote 32
Cyber operations against other critical civilian infrastructure, such as electricity, water and sanitation, can also cause significant harm to humans.Footnote 33 This infrastructure is often operated by industrial control systems (ICSs). A cyber attack against an ICS requires specific expertise and sophistication, and often, custom-made malware. While ICS attacks have been less frequent than other types of cyber operations, their frequency is reportedly increasing and the severity of the threat has evolved more rapidly than anticipated only a few years ago.Footnote 34 Cyber security specialists have pointed out that “due to the potential of cyber-physical attacks to have kinetic effect and cause casualties, it is urgent and of utmost importance for the international community of IT security specialists, governments and humanitarian lawyers to have a conversation about how to regulate the deployment of cyber-physical attacks”.Footnote 35
As will be discussed later on in this article, in an armed conflict IHL protects the health-care sector quite comprehensively, and it prohibits attacks on civilian infrastructure, unless such infrastructure has become a military objective.
Thinking beyond the impact of cyber operations on specific infrastructure, there are at least three characteristics of cyber operations that raise further concern.Footnote 36
First, though not impossible, attributing cyber attacks to a State or non-State actor has proven challenging.Footnote 37 This hampers the possibility of identifying actors who violate IHL in cyberspace and holding them responsible, which is one way to ensure compliance with IHL. Plausible deniability, and the hope of remaining covered, may also alter the political calculations involved in conducting cyber attacks – and in conducting them in violation of international law.
Second, as noted for example by China, “the proliferation of malicious cyber tools and technology [is] rising”.Footnote 38 Cyber tools and methods can indeed proliferate in a unique manner that is difficult to control. Today, sophisticated cyber attacks are only carried out by the most advanced and best-resourced actors. Once malware is used, stolen, leaked or otherwise becomes available, however, actors other than those who developed the malware might be able to find it online, reverse engineer it, and reuse it for their own purposes.
Third, cyber operations bear a risk of overreaction by targeted States and a subsequent escalation in violence. For the target of a cyber attack, it is normally difficult to know whether the attacker aims at espionage or at causing other, potentially physical damage. The aim of a cyber operation may only be identified with certainty once the effect or the end goal is achieved. Hence, there is a risk that the target of an operation will anticipate worst-case impact and react in a stronger manner than if it knew that the attacker's intent was solely espionage.
At the time of writing, cyber operations have not caused major human harm. However, significant economic harm has been caused.Footnote 39 With regard to the potential human cost of cyber operations, much is unknown in terms of technological evolution, the capabilities and the tools developed by the most sophisticated actors – including military ones – and the extent to which the use of cyber operations during armed conflicts might be different from the trends observed so far. In other words, while the risk of human cost does not appear extremely high based on current observations, especially considering the destruction and suffering that conflicts always cause, the evolution of cyber operations requires close attention due to existing uncertainties and the rapid pace of change.
The applicability of IHL to cyber operations during armed conflicts
From a legal point of view, the primary framework imposing limitations on the use of cyber operations during armed conflict and protecting civilian populations against potential harm is international humanitarian law.
IHL does not contain a definition of cyber operations, cyber warfare or cyber war, and neither do other fields of international law. Various definitions of cyber operations have been used in military or other documents by certain States.Footnote 40 Other States refer instead to information warfare or information war and define this notion in a manner that includes at least some aspects of what is often understood as cyber warfare.Footnote 41 Irrespective of how cyber operations, cyber warfare or information warfare are defined by States and others, the determination of whether IHL applies to such operations has to be made based on the nature, effects and circumstances of such operations.
The ICRC understands “cyber operations during armed conflict” to mean operations against a computer system or network, or another connected device, through a data stream, when used as means or method of warfare in the context of an armed conflict.Footnote 42
While there continues to be debate on the question of whether IHL applies to, and therefore restricts, cyber operations during armed conflict, from the outset the ICRC has taken a clear and affirmative position.Footnote 43 In the ICRC's view, there is no question that cyber operations during armed conflicts, or cyber warfare, are regulated by IHL – just as is any weapon, means or method of warfare used by a belligerent in a conflict, whether new or old. The fact that cyber operations rely on new and continuously developing technology does not prevent the application of IHL to the use of such technologies as means or methods of warfare. This holds true whether cyberspace is considered as a new domain of warfare similar to air, land, sea and outer space; as a different type of domain because it is man-made while the former are natural; or not as a domain as such.
In our view, there is cogent support for this view in IHL treaties, in the jurisprudence of the International Court of Justice (ICJ), and in the views expressed by a number of States and international organizations.
The very object and purpose of IHL is to regulate future conflicts, meaning those that occur after the adoption of an IHL treaty. When adopting IHL treaties, States included norms that anticipate the development of new means and methods of warfare and presumed that IHL will apply to them. Already in 1868, the St Petersburg Declaration intended that the principles it established should be maintained with respect to “future improvements which science may effect in the armament of troops”.Footnote 44 An important and more recent IHL rule in this respect is found in Article 36 of the 1977 Additional Protocol I (AP I),Footnote 45 which states:
In the study, development, acquisition or adoption of a new weapon, means or method of warfare, a High Contracting Party is under an obligation to determine whether its employment would, in some or all circumstances, be prohibited by this Protocol or by any other rule of international law applicable to the High Contracting Party.
Undoubtedly, this obligation is based on the assumption that IHL applies to such new weapons, means and methods – otherwise, it would not be necessary to review their lawfulness under existing law. This includes weapons, means and methods of warfare that rely on cyber technology.
The conclusion that IHL applies to cyber operations during armed conflict finds further support in the views expressed by the ICJ. In its Advisory Opinion on the legality of the threat or use of nuclear weapons, the Court recalled that the established principles and rules of humanitarian law applicable in armed conflict apply “to all forms of warfare and to all kinds of weapons”, including “those of the future”.Footnote 46 Again, this includes cyber operations. This view is also widely recognized among experts.Footnote 47
There is increasing recognition among States that international law applies in cyberspace, and in particular that IHL applies to, and therefore restricts, cyber operations during armed conflicts. As mentioned above, in the 2013 and 2015 reports of the UN GGE, experts concluded that “international law, and in particular the Charter of the United Nations, is applicable” in the information and communication technologies environment,Footnote 48 a conclusion that has been first welcomedFootnote 49 and then confirmedFootnote 50 by the UN General Assembly. The 2015 report also cited “the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction”.Footnote 51 While this list of principles does not mention IHL explicitly, commentators have pointed out that these are “IHL's core principles”.Footnote 52
In line with this conclusion, an increasing number of States and international organizations have publicly asserted that IHL applies to cyber operations during armed conflict. This includes, for example, the EUFootnote 53 and NATO.Footnote 54 Moreover, the Paris Call for Trust and Security in Cyberspace (supported by seventy-eight States as of April 2020) has reaffirmed the applicability of IHL to cyber operations during armed conflict;Footnote 55 the heads of government of the 54 Commonwealth States have “[c]ommit[ted] to move forward discussions on how … applicable international humanitarian law, applies in cyberspace in all its aspects”;Footnote 56 and States’ responses to a study conducted by the OAS Juridical Committee have “reveal[ed] support for the applicability of IHL” in cyberspace.Footnote 57
At the same time, in the context of discussions on the applicability of IHL to cyber operations during armed conflict, a number of States have expressed opposition to the militarization of cyberspace, or a cyber arms race. States have also expressed concerns regarding a possible legitimization of the use of military cyber operations,Footnote 58 called for prudence in the discussion of the applicability of IHL,Footnote 59 and noted that IHL “must apply taking note of the peculiarities of cyber warfare”.Footnote 60 These are important considerations, but they should not be understood as being incompatible with the application of IHL to cyber operations during armed conflict.
In our view, however, asserting that IHL applies to cyber operations during armed conflict is not an encouragement to militarize cyberspace and should not, in any way, be understood as legitimizing cyber warfare.Footnote 61 Any resort to force by States, whether cyber or kinetic in nature, always remains governed by the UN Charter and customary international law, in particular the prohibition against the use of force.Footnote 62 International disputes must be settled by peaceful means. This principle applies in cyberspace as in all other domains. In addition to – and independent of – the requirements of the UN Charter, IHL provides limits on the conduct of hostilities if and when States or non-State parties chose to resort to cyber operations during armed conflict. In particular, IHL protects civilians and civilian objects from the effects of hostilities by restricting the belligerents’ choice of means and methods of warfare, independent of whether or not the use of force was lawful. This means that instead of legitimizing cyber operations (or any other military operation) during armed conflict, IHL – the jus in bello – provides limits in addition to those found in the UN Charter and customary international law – the jus ad bellum. Furthermore, IHL actually imposes some limits on the militarization of cyberspace. For example, it prohibits the development of cyber capabilities that would qualify as weapons and would be indiscriminate by nature or would be of a nature to cause superfluous injury or unnecessary suffering.Footnote 63
If it is accepted that IHL applies to cyber operations during armed conflicts generally, the subsequent question is whether all or only some rules of IHL apply. In this respect, the scope of application of IHL rules regulating means and methods of warfare may be broadly divided into rules that apply to all weapons, means and methods of warfare, wherever they are used (such as the principles of distinction, proportionality and precaution), and rules that are specific to certain weapons (such as weapons treaties) or certain domains (such as rules specifically regulating naval warfare). All the main customary principles and rules regulating the conduct of hostilities belong to the first category and do apply to cyber operations during armed conflict.Footnote 64 In contrast, a more detailed analysis will be required regarding the applicability of IHL rules that are specific to certain weapons or certain domains.
The fact that IHL applies does not prevent States from developing international law further, agreeing on voluntary norms, or working towards common interpretations of existing rules. For instance, when it established a UN OEWG in 2018, a majority of States in the UN General Assembly “welcome[d]” a set of “international rules, norms and principles of responsible behaviour of States” that build on the norms that were developed over the years by the UN GGEs.Footnote 65 Another example of possible new rules in the field of information security is included in the International Code of Conduct for Information Security, submitted in 2011 to the UN by the member States of the SCO. Under the Code, States would pledge, inter alia, “not to proliferate information weapons and related technologies”.Footnote 66 There are also academic suggestions, including with regard to further legal or policy restrictions on cyber operations during armed conflicts.Footnote 67
To sum up, while cogent legal reasons and increasing international support exist for the conclusion that IHL applies to cyber operations during armed conflict, the issue does not enjoy universal agreement yet. As has been shown in this section, however, a careful examination of the various arguments raised in multilateral discussions shows that affirming IHL applicability does not legitimize either the militarization of cyberspace or the use of malicious cyber operations. Moreover, it does not preclude the development of possible new rules but rather provides a fundamental legal framework that possible new rules could – and should – build on.
Can cyber operations alone cross “the threshold”? Clarifying the difference between the relevant thresholds under IHL and the UN Charter
In light of the manifold cyber operations that are reported on a daily basis, it is important to recall that IHL only applies to cyber operations that form part of an armed conflict otherwise waged with traditional weapons, or, less likely, cyber operations that alone amount to an armed conflict in the absence of kinetic operations. As underlined in the previous section, the question of whether IHL applies to cyber operations during armed conflicts must be analyzed separately from that of whether there has been a violation of the rules governing the use of force under the UN Charter. In the context of the application of IHL and of the UN Charter, a key issue is the attribution of cyber operations to States. These three points – which cyber operations are governed by IHL,Footnote 68 the relationship between IHL and the UN Charter, and questions of attribution – are addressed in this section.
Cyber operations that are governed by IHL
When cyber operations are conducted in the context of – and have a nexus to – an existing international or non-international armed conflict carried out through kinetic means, relevant IHL rules apply to, and regulate the conduct of, all parties to the conflict.Footnote 69 Cyber operations alongside, and in support of, kinetic operations during armed conflicts are the only type of operations that States have acknowledged and have considered to be governed by IHL.Footnote 70
A separate question is whether cyber operations alone – absent kinetic operations – may be regulated by IHL. In other words, can a cyber operation be the first, and possibly only, shot in an armed conflict as defined by IHL? This is to be assessed according to Articles 2 and 3 common to the four Geneva Conventions of 1949Footnote 71 for international and non-international armed conflicts respectively.Footnote 72 These two types of armed conflict differ in the nature of the parties they involve, the intensity of violence that triggers the applicability of IHL, and some of the IHL rules that apply.
With regard to international armed conflicts, common Article 2 states that “the present Convention shall apply to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties, even if the state of war is not recognized by one of them”. It is today agreed that “an armed conflict exists whenever there is ‘a resort to armed force between States’”.Footnote 73 With regard to the question of whether there is a threshold of intensity with regard to international armed conflicts, there is some State practice, and some strong humanitarian and conceptual arguments, that IHL applies as soon as armed force is used between States, irrespective of the intensity of the violence. IHL is primarily concerned with the protection of persons affected by armed conflict. Thus, as soon as they use armed force, States must direct their attacks at military objectives and not at civilians or civilian objects, and must take constant care to spare the latter. It cannot matter whether there is one or many civilians needing protection against attack.Footnote 74 At least where the use of cyber operations between States leads to effects akin to those of more traditional means and methods of warfare, IHL applies.
Experts generally agree that cyber operations, on their own, have the potential to cross the threshold of an international armed conflict under IHL.Footnote 75 The ICRC shares this view.Footnote 76 In a rare expression of a State's position on the issue, France has stated that “[c]yberoperations that constitute hostilities between two or more States may characterise the existence of international armed conflict”.Footnote 77
The question of exactly where this threshold lies remains unsettled.Footnote 78 In the ICRC's view, there is no reason to treat one or more cyber operations resulting in the destruction of civilian or military assets, or in the death or injury of soldiers or civilians, differently from equivalent attacks conducted through more traditional means and methods of warfare. Cyber operations might, however, also disable objects without physically damaging them. It remains to be seen if and under what conditions States might consider such operations to amount to a resort to armed force as understood in IHL, and therefore to be governed by this body of law.Footnote 79
With regard to non-international armed conflicts, situations of internal violence may amount to a non-international armed conflict if there is “protracted armed violence between governmental authorities and organized armed groups or between such groups within a State”.Footnote 80 The two criteria that derive from this definition – the organization of the parties to the conflict and the intensity of the violence – pose various questions regarding cyber operations. First, while State armed forces satisfy the organization criterion, determining the degree of organization of an armed group is a more complicated and fact-specific assessment; it becomes all the more challenging – yet arguably not impossible – when that group is only organized online.Footnote 81 Second, unlike IHL applicable to international armed conflicts, which governs any resort to armed force between States regardless of its intensity,Footnote 82 a non-international armed conflict will only exist if violence between two or more organized parties is sufficiently intense. Again, while arguably not impossible in exceptional circumstances, it will be unlikely that cyber operations alone would meet the intensity requirement for a non-international armed conflict.Footnote 83 While expressing the view that prolonged cyber operations may in principle and depending on the circumstances constitute a non-international armed conflict, France held that the state of technology seems to rule out this possibility for the time being.Footnote 84
It has rightly been emphasized that the law of armed conflict “does not regulate cyber operations that fall outside of an armed conflict situation”.Footnote 85 Diverging views exist, however, on whether some or all of its principles should be applied, as a matter of policy, to cyber operations at all times.
The United States has recently stated that “even if the law of war does not technically apply because the proposed military cyber operation would not take place in the context of armed conflict, [the Department of Defense] nonetheless applies law-of-war principles”Footnote 86 as it does more generally with regard to all its operations.Footnote 87 In contrast, Russia has cautioned against “potentially dangerous … attempts to impose the principle of full and automatic applicability of IHL to the ICT environment in peacetime”.Footnote 88
While policy debates on this question are likely to continue, from a legal point of view it is undisputed that IHL does not apply outside the context of an armed conflict. It is true that some rules of IHL, such as the protection of persons not or no longer taking part in hostilities enshrined in common Article 3, or the strong protection of health-care facilities or objects indispensable to the survival of the civilian population, could have positive effects if applied at all times. In contrast, it may be more problematic to apply other IHL rules outside armed conflict, notably those derived from the principles of distinction and proportionality. These rules are based on the premise that attacks against military objectives are lawful under IHL during armed conflict. However, outside armed conflict, the notion of “military objectives” that may lawfully be attacked does not exist – even attacks against another State's military are prohibited. While the principle of proportionality also exists outside of armed conflict, it has a distinct meaning under other bodies of law and therefore operates differently during and outside armed conflicts.Footnote 89 Outside armed conflict, disputes among States and the use of force are solely regulated by other fields of international law, such as the UN Charter and human rights law, as applicable.
The relationship between IHL and the UN Charter
A State that considers carrying out a cyber operation against another State must analyze the lawfulness of such an operation under the jus ad bellum framework (as found in the UN Charter and customary international law) and the jus in bello framework (IHL). The UN Charter and IHL are complementary when it comes to the protection of humans from war and its effects, even though they are distinct fields of international law. Their objectives are complementary: while the preamble of the UN Charter states that it aims to “save succeeding generations from the scourge of war”, the preamble of AP I states that the objective of IHL is “protecting the victims of armed conflict”. Concretely, the UN Charter prohibits the use of force other than in self-defence or when authorized by the Security Council. The applicability of IHL does not replace or set aside the essential rules of the UN Charter, but if an armed conflict breaks out, IHL defines protections for those who do not (civilians) or no longer (for example, wounded soldiers or detainees) participate in hostilities and limits the belligerents’ choice in the means and methods of warfare. Thus, while the UN Charter sets out – subject to narrow exceptions – a prohibition against the use of force, IHL imposes limits on how hostilities may be conducted once a conflict breaks out.
At the same time, IHL and the UN Charter are different fields of international law, each having its own concepts and terminology. As both are concerned with regulating the use of force, some of the terminology they use is similar and at times confusing. This is the case, for example, as regards the notion of “resort to armed force between States” to classify a conflict under IHL, and the prohibition against “the threat or use of force” and the right to self-defence against an “armed attack” under the UN Charter. While international law treaties do not define these notions – neither in general nor as regards cyberspace – certain basic elements can be distilled from jurisprudence and commentary.
As discussed above, IHL applies as soon as there is a resort to armed force between States, irrespective of the intensity of the violence.
The UN Charter does not define the term “use of force” under Article 2(4), and the question of what type of force may qualify remains subject to debate. Following the provision's drafting history and subsequent State practice, it may be concluded that the use of political or economic coercion is not included in this notion.Footnote 90 Instead, it has been argued that the prohibition against the use of force under the UN Charter is “limited to armed force”.Footnote 91 Importantly with regard to cyber operations, the ICJ has stated that Article 2(4) prohibits “any use of force, regardless of the weapons employed”.Footnote 92 Based on this finding, some States have emphasized that “crossing the threshold of the use of force depends not on the digital means employed but on the effects of the cyberoperation”, and have concluded accordingly that a “cyberoperation carried out by one State against another State violates the prohibition of the use of force if its effects are similar to those that result from the use of conventional weapons”.Footnote 93 A number of examples given by States of the use of force in cyberspace seem to reflect this understanding, such as cyber operations causing injury or death of persons or damage to or destruction of property;Footnote 94 triggering a nuclear plant meltdown; opening a dam above a populated area, causing destruction; disabling air traffic control services, resulting in airplane crashes; and crippling a military's logistics systems.Footnote 95 Some States seem to interpret the prohibition against the use of force even more broadly, stating that it cannot be ruled out that “a cyberoperation without physical effects may also be characterised as a use of force”,Footnote 96 or that “a cyber operation with a very serious financial or economic impact may qualify as the use of force”.Footnote 97
Turning to the right to self-defence under the UN Charter and customary international law, this right may only be exercised against an “armed attack”. Following the ICJ's finding that only “the most grave forms of the use of force” may qualify as armed attacks and that such attacks must reach certain “scale and effects”,Footnote 98 it may be concluded that a use of force must reach a certain intensity to qualify as an “armed attack”.Footnote 99 Again, experts have held that “some cyber operations may be sufficiently grave to warrant classifying them as an ‘armed attack’ within the meaning of the Charter”,Footnote 100 notably those whose effects are comparable to more traditional armed attacks. This view is also reflected in the public positions of some States.Footnote 101
The questions of how the thresholds of a resort to armed force to which IHL applies, the prohibition of the use of force under the UN Charter, and the notion of “armed attacks” giving rise to the inherent right to self-defence are interpreted in cyberspace are evolving. While certain signposts may be identified based on the jurisprudence of the ICJ, the case law of international criminal tribunals and courts, State practice, and expert views, many issues remain blurred for the moment.
Nonetheless, it is important to emphasize that these three notions and concepts stem from different bodies of international law and have different meanings. As noted above, in the ICRC's view, a cyber operation that amounts to a resort to armed force between States under IHL is governed by that body of law even in the absence of a pre-existing armed conflict. In practice, such an operation may also amount to a prohibited use of force under the UN Charter. However, the two conclusions require a separate legal analysis: concluding that the threshold has been reached under one body of law does not necessarily preclude reaching a different conclusion under the other body of law. This is especially important when differentiating the applicability of IHL from the right to self-defence under the UN Charter. In view of the position that only the gravest forms of the use of force – meaning those that reach a certain scale and effects – may qualify as armed attacks, it is clear that not every resort to armed force to which IHL applies amounts to an armed attack under the UN Charter triggering the right to self-defence.Footnote 102 These differences have significant legal and practical consequences. Therefore, any analysis of a situation in which a State uses cyber operations against another State needs to distinguish the various notions and not merge them into one unspecified “threshold”.
The issue of attribution
In warfare generally – and in cyberspace in particular – States will at times use non-State actors, such as non-State armed groups or private military and security companies, to carry out certain acts, including cyber operations. The specific characteristics of cyberspace, such as the variety of possibilities for actors to hide or falsify their identity, complicate the attribution of conduct to specific individuals, and to parties to armed conflicts.Footnote 103 This raises important challenges when determining the applicability of IHL in a particular situation. If the perpetrator of a given operation – and thus the link between the operation and an armed conflict – cannot be identified, it is extremely difficult to determine whether IHL is even applicable to the operation.Footnote 104 First, as discussed above, different thresholds of violence are relevant to qualify State or non-State cyber attacks as an armed conflict. Thus, if the State or non-State origin of a cyber operation outside an ongoing armed conflict is not known, it is unclear which threshold applies. Second, even when an armed conflict is taking place, cyber attacks that have no nexus to the conflict (such as criminal acts unrelated to the conflict) are not regulated by IHL, and the inability to identify the author of a cyber operation might hamper the determination of whether such a nexus to the conflict exists. These examples show that determining who the author of a cyber operation is, and whether the operation can be attributed to a State or non-State party to the conflict, has important legal consequences.
Attribution of cyber operations is also important to ensure that actors who violate international law, including IHL, can be held accountable. The perception that it will be easier to deny responsibility for unlawful attacks may also weaken the taboo against such uses – and may make actors less scrupulous about conducting operations in violation of international law.Footnote 105
This being said, attribution is not a problem from the perspective of the actors who conduct, direct or control cyber operations: they have all the facts at hand to determine under which international legal framework they are operating and which obligations they must respect.Footnote 106
Under international law, a State is responsible for conduct attributable to it, including possible violations of IHL. This includes:
(a) violations committed by its organs, including its armed forces;
(b) violations committed by persons or entities it empowered to exercise elements of governmental authority;
(c) violations committed by persons or groups acting in fact on its instructions, or under its direction or control; and
(d) violations committed by private persons or groups which it acknowledges and adopts as its own conduct.Footnote 107
These principles apply whether the violation of IHL has been committed by cyber means or by any other means.Footnote 108
The limits that IHL imposes on the use of cyber capabilities during armed conflicts
Recognizing that IHL applies to cyber operations having a nexus to an armed conflict is only a first step. The specific characteristics of this new technology raise several challenges for the interpretation of IHL rules, including those on the conduct of hostilities.
The partly non-physical (i.e., digital) nature of cyberspace and the interconnectedness of military and civilian networks pose practical and legal challenges in applying the general IHL rules protecting civilians and civilian objects against cyber operations, in particular those amounting to attacks under IHL. It is even suggested that it may be impossible, at times, to apply basic IHL principles in cyberspace. As will be shown below, this challenge might be overstated. Nonetheless, key issues arise with regard to protecting essential civilian cyber infrastructure against military attack. As many of the IHL rules governing the conduct of hostilities apply only to military operations that amount to “attacks” as defined in IHL, this section first examines various issues relating to cyber operations that qualify as attacks, including the salient question of which operations qualify as attacks under IHL. Second, it explores obligations of parties to armed conflicts in military operations other than those amounting to “attacks”. Third, the section analyzes certain challenges regarding the legal review of cyber capabilities.
Cyber operations that amount to an attack under IHL
IHL sets out essential rules restricting cyber operations that amount to “attacks” as defined in IHL. This section looks at those rules and principles that have been subject to the most intense debates. It examines first whether, from a technological perspective, cyber attacks are capable of being directed at specific military objectives as required by the principle of distinction. The second part analyzes how the notion of attack under IHL should be interpreted in cyberspace. The third part discusses the closely related debate on whether civilian data must be granted the same protection as civilian “objects” for the purposes of IHL, and the final part addresses the ongoing debate on how IHL rules on the conduct of hostilities apply to objects used simultaneously for civilian and military purposes (often called dual-use objects), which are particularly prevalent in cyberspace.
From a technical perspective, cyber attacks can be directed at specific military objectives
Implementing the principles of distinction and proportionality, and the prohibition against indiscriminate attacks, requires that an attack can be and is directed at a military objective and will not cause excessive incidental harm to civilians or civilian objects. Contrary to the assumption that these principles might become meaningless in cyberspace because of the interconnectivity that characterizes it, careful examination of cyber operations shows that such operations are not inherently indiscriminate. For instance, if a cyber operation is carried out by operators who enter a target and carry out an operation, the operators will know where they are and what they are doing. Similarly, analyses of cyber tools show that they are not necessarily indiscriminate. However, programming malware that discriminates between civilian objects and military objectives, and conducting cyber operations without causing excessive incidental damage, requires sophisticated capabilities and testing.
Those who develop malware or plan cyber attacks can design their tools without self-propagation functions. In that case, malware cannot spread without additional human intervention. Even if self-propagating, attacks over the years have shown that malware can be designed to only attack specific hardware or software. This means that even if malware is programmed to spread widely, it can be designed to only cause damage to a specific target or specific sets of targets. Especially cyber attacks that aim to cause physical damage to industrial control systems may require cyber tools that are designed for that specific target and purpose. In many cases, the need for such custom-made tools would effectively hamper – from a technical perspective – the ability to carry out a cyber attack on a large scale or in an indiscriminate manner. The fact that cyber attacks can technically be targeted precisely does not mean they are necessarily lawful if carried out in a conflict. However, the characteristics seen in a number of cyber operations show that they can be very precisely tailored to create effects on specific targets only, and that such operations are therefore capable of complying with IHL principles and rules.
The fact that some of the known cyber tools were designed to self-propagate and caused harmful effects on widely used civilian computer systems does not support an argument that the interconnectedness of cyberspace makes it challenging, if not impossible, to implement basic IHL rules. On the contrary, during armed conflicts, the use of such cyber tools would be prohibited by IHL.Footnote 109 IHL prohibits attacks that employ means and methods of warfare, including cyber means and methods, that cannot be directed at a specific military objective or may be expected to escape the control of the user,Footnote 110 or – while being targeted at a military objective – may be expected to cause incidental civilian damage that is excessive in relation to the concrete and direct military advantage anticipated.Footnote 111
The notion of “attack” under IHL and its application to cyber operations
The question of whether or not an operation amounts to an “attack” as defined in IHL is essential for the application of many of the rules deriving from the principles of distinction, proportionality and precaution, which afford important protection to civilians and civilian objects. Concretely, rules such as the prohibition on attacks against civilians and civilian objects,Footnote 112 the prohibition on indiscriminateFootnote 113 and disproportionate attacks,Footnote 114 and the obligation to take all feasible precautions to avoid or at least reduce incidental harm to civilians and damage to civilian objects when carrying out an attack Footnote 115 apply to those operations that qualify as “attacks” as defined in IHL. The question of how widely or narrowly the notion of “attack” is interpreted with regard to cyber operations is therefore essential for the applicability of key rules – and the protection they afford to civilians and civilian infrastructure – to cyber operations.
Article 49 of AP I defines attacks as “acts of violence against the adversary, whether in offence or in defence”. It is well established that the notion of violence in this definition can refer to either the means of warfare or their effects, meaning that an operation causing violent effects can be an attack even if the means used to cause those effects are not violent as such.Footnote 116 On the basis of this understanding, the Tallinn Manual 2.0 proposes the following definition of a cyber attack: “A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”Footnote 117
It is widely accepted by States that took a position on the issue, by the ICRC and by experts that at least those cyber operations which cause death, injury or physical damage constitute attacks under IHL.Footnote 118 Some States expressly include harm due to the foreseeable indirect (or reverberating) effects of attacks,Footnote 119 a view that is also taken by the ICRC.Footnote 120 This could be the case, for example, if patients in an intensive care unit are killed as a result of a cyber operation against an electricity network that causes the hospital's electricity supply to be cut off.
Beyond this basic consensus, different views exist on whether a cyber operation that disables an object without physically damaging it amounts to an attack under IHL.Footnote 121 There were extensive discussions on this issue in the process of drafting the Tallinn Manual. A majority of the experts held that a cyber operation amounts to an attack if it is expected to interfere with functionality and if restoration of functionality requires replacement of physical components. For some experts, a cyber operation will also amount to an attack if the restoration of functionality requires the reinstallation of the operating system or of particular data.
The ICRC has taken the position that an operation designed to disable a computer or a computer network during an armed conflict constitutes an attack as defined in IHL whether or not the object is disabled through destruction or in any other way.Footnote 122
Two main reasons underpin the ICRC's position. The first one results from an interpretation of the notion of attack in its context.Footnote 123 Given that the definition of military objectives in Article 52(2) of AP I refers not only to destruction or capture but also to “neutralization” as a possible result of an attack, the notion of “attack” under Article 49 of AP I should be understood to encompass operations designed to impair the functioning of objects (i.e. neutralize them) without causing physical damage or destruction. Indeed, it has been submitted that the explicit mentioning of neutralization under Article 52(2) would be superfluous otherwise.Footnote 124 Second, an overly restrictive understanding of the notion of attack would be difficult to reconcile with the object and purpose of the rules on the conduct of hostilities, which are to ensure the protection of the civilian population and civilian objects against the effects of hostilities. Indeed, under an overly restrictive understanding, a cyber operation that is directed at making a civilian network (electricity, banking, communications or other network) dysfunctional, or risks causing this incidentally, might not be covered by essential IHL rules protecting the civilian population and objects.Footnote 125
In a similar manner, expert commentators suggest that it is important “to interpret the provision [Article 49 of AP I] taking into account the recent technological developments and to expand the concept of ‘violence’ to include not only material damage to objects, but also incapacitation of infrastructures without destruction”.Footnote 126
Because cyber operations can significantly disrupt essential services without necessarily causing physical damage, this constitutes one of the most critical debates for the protection of civilians against the effects of cyber operations. It is therefore crucial for States to express their views on the issue and to work towards a common understanding. For the moment, opinions vary among the States that have taken public positions.
The definitions of the notion of “attack” adopted in the military manuals of Norway and New Zealand mirror the definition adopted by the Tallinn Manual 2.0. It is, however, unclear whether these manuals were meant to express a position on this debate, because the commentary on Rule 92 of the Tallinn Manual 2.0 notes different views of how “damage” should be understood in the cyber context. Australia has stated that cyber operations qualify as attacks if they rise “to the same threshold as that of a kinetic ‘attack under IHL’”,Footnote 127 but it is unclear whether this was intended as a position in this debate.
A few States focus on physical damage to qualify a cyber operation as an attack. According to one OAS study, Peru has opined that in order for an operation to qualify as an attack, people or objects must be “physically harmed”.Footnote 128 The Danish Military Manual specifies for the term “attack” that “[a]s far as damage to objects is concerned, the term covers any physical damage. However, the term does not cover temporary inoperability and other neutralization which does not involve physical damage (e.g., a digital ‘freeze’ of a communication control system).”Footnote 129 In its 2014 submission to the UN GGE, the United States noted:
When determining whether a cyber activity constitutes an “attack” for jus in bello purposes, States should consider, inter alia, whether a cyber activity results in kinetic and irreversible effects on civilians, civilian objects, or civilian cyber infrastructure, or non-kinetic and reversible effects on the same.Footnote 130
Along the same lines, the US Department of Defense (DoD) Law of War Manual provides the example of a “cyber attack that would destroy enemy computer systems”, and notes that “[f]actors that would suggest that a cyber operation is not an ‘attack’ include whether the operation causes only reversible effects or only temporary effects”.Footnote 131 Unfortunately, these documents do not clarify what they mean by “reversible” or “temporary” effects, or what the difference is – if any – between the two notions.Footnote 132 They do not discuss whether – and if so, after how long – an effect may no longer be considered temporary, or how to consider repeated operations that would each cause a temporary – but deliberately accumulating – effect. They do not discuss either whether “reversible” refers solely to operations in which the author may reverse the effects of the attack,Footnote 133 or also to operations where the target needs to take action to restore the functionality of the targeted system or otherwise end or reverse the effects of the attack. In this respect, it should be remembered that the possibility of repairing physical damage caused by a military operation (whether cyber or kinetic) is not generally understood as a criterion disqualifying an operation as an attack under IHL.Footnote 134 This is the case even if the repair reverses the direct effect of that operation and restores the functionality of the object in question.Footnote 135
France has expressed a clearer and broader understanding of the notion of cyber attack. It considers that
a cyberoperation is an attack where the targeted equipment or systems no longer provide the service for which they were implemented, whether temporarily or permanently, reversibly or not. If the effects are temporary and/or reversible, the attack is characterised where action by the adversary is necessary to restore the infrastructure or system (repair of equipment, replacement of a part, reinstallation of a network, etc.).Footnote 136
Commenting this position, Schmitt has noted that “[t]his view is highly defensible as a matter of law, for the plain meaning of damage reasonably extends to systems that do not operate as intended and require some form of repair to regain functionality”.Footnote 137 In a similar manner, according to the OAS study mentioned above, Chile suggests that for an operation to qualify as an attack, its result must require the affected State to “take action to repair or restore the affected infrastructure or computer systems, since in those cases the consequences of the attack are similar to those described above, in particular physical damage to property”.Footnote 138 The study also indicated that Guatemala expressed the position that a cyber operation which “only produce[s] a loss of functionality” would amount to an attack, a position also held by Ecuador.Footnote 139 Bolivia, Ecuador and Guyana further specify that such cyber operations may constitute an attack under IHL in particular when they disable critical infrastructure or the provision of basic services to the population.Footnote 140
In any case, not all cyber operations during armed conflicts would constitute “attacks” as understood in IHL. First, the concept of attack in IHL does not include espionage. Second, the rules on the conduct of hostilities do not prohibit all operations that interfere with civilian communication systems: the jamming of radio communications or television broadcasts has traditionally not been considered an attack as defined in IHL. However, the distinction between attacks and interferences with communications that do not amount to an attack is probably less clear in cyber operations than in more traditional kinetic or electromagnetic operations.Footnote 141 Third, the notion of “military operations” under IHL, including those carried out by cyber means, is broader than the notion of “attacks”, as will be discussed below.
The protection of data as a “civilian object”
In addition to the foundational question of which cyber operations amount to “attacks” under IHL, the question of whether civilian data enjoys the same protection as civilian objects has been subject to significant debate and remains unsettled. The protection of civilian data against malicious cyber operations during armed conflict is becoming increasingly important because data is an essential component of the digital domain and a cornerstone of life in many societies: individual medical data, social security data, tax records, bank accounts, companies’ client files, and election lists and records are key to the functioning of most aspects of civilian life. As this trend is expected to continue, if not accelerate, in years to come, there is increasing concern about safeguarding such essential civilian data.
With regard to data belonging to certain categories of objects that enjoy specific protection under IHL, the protective rules are comprehensive. As discussed below, the obligations to respect and protect medical facilities and humanitarian relief operations must be understood as extending to medical data belonging to those facilities and data of humanitarian organizations that are essential for their operations.Footnote 142 Similarly, deleting or otherwise tampering with data in a manner that renders useless objects indispensable to the survival of the civilian population, such as drinking water installations and irrigation systems, is prohibited.Footnote 143
Still, it is important to clarify the extent to which civilian data are protected by the existing general rules on the conduct of hostilities. In particular, debate has arisen on whether data constitute objects as understood under IHL, in which case cyber operations against data (such as deleting them) would be governed by the principles of distinction, proportionality and precaution and the protection they afford to civilian objects.Footnote 144
This question is closely related to discussions on the notion of “attack” above. To start with, if data are deleted or manipulated in a manner that is designed or expected to cause, directly or indirectly, death or injury to a person, or damage to (including – in our view – by disabling) a physical object, the operation is an attack regardless of whether data themselves constitute objects for the purpose of IHL. This is the case because the consequences of an operation against data can qualify that operation as an attack under IHL and therefore subject to pertinent IHL. For these attacks, it is not important whether or not data qualifies as an object under IHL.
The question of whether data are objects for the purpose of IHL is, however, critical for operations that are not designed or expected to cause such consequences. Broadly speaking, two general approaches can be considered. Under the first approach, which considers data as objects under IHL, an operation designed or expected to delete or manipulate data would be an attack governed by all the relevant IHL rules because it would amount to destroying or damaging an object (the data). This would also be the case if such deletion or manipulation were not expected to cause death or injury to a person or to damage or disable a physical object. Even under this view, however, an operation designed solely to access (possibly confidential) data without deleting or manipulating them – such as spying – would not be an attack.
Conversely, if data are not considered to be objects under IHL, an operation designed to delete or manipulate them without causing death or injury to a person or damage to an object would not be governed by the rules on attacks, or by some of the more general rules affording protection to civilian objects (such as the obligation to take constant care to spare civilians and civilian objects, as discussed below in the section on “Rules Governing Military Operations Other than Attacks”). The operations could, however, be governed by other specific protection regimes under IHL, which will be analyzed below in the section on “IHL Rules Protecting Objects Indispensable to the Survival of the Civilian Population, Medical Services, and Humanitarian Relief Operations”. Still, there would be a gap in protection for essential civilian data that do not benefit from a specific protection regime, and this would raise concern.
Experts hold different views on whether data qualify as objects for the purposes of the IHL rules on the conduct of hostilities.Footnote 145 One view, held by the majority of experts involved in the Tallinn Manual process, is that the ordinary meaning of the term “object”, as discussed in the 1987 ICRC Commentary on AP I, cannot be interpreted as including data because objects are material, visible and tangible.Footnote 146 The relevant explanation in the ICRC Commentary, however, aims at distinguishing objects from concepts such as “aim” or “purpose”, not at differentiating between tangible and intangible goods, and therefore cannot be seen as determinative for the debate on data.Footnote 147 In contrast, others have argued that either all or some types of data should be considered as objects under IHL. One view is that the “modern meaning” of the notion of objects in today's society, and an interpretation of the term in light of its object and purpose, must lead to the conclusion that “data is an ‘object’ for the purposes of the IHL rules on targeting”.Footnote 148 This interpretation is supported by the traditional understanding of the notion of “object” under IHL, which is broader than the ordinary meaning of the word and encompasses also locations and animals. Another proposal is to differentiate between “operational-level data”, or “code”, and “content-level data”.Footnote 149 In this model, it has been argued that, notably, operational-level data may qualify as a military objective, which implies that this type of data could also qualify as a civilian object.Footnote 150 While considering operational data as objects would align with the view discussed above that disabling objects constitutes an attack, it does not appear to provide additional protection. In this debate, it has been argued that none of the proposed conclusions is entirely satisfactory, each being either under- or over-inclusive.Footnote 151
For its part, the ICRC has stressed the need to safeguard essential civilian data, emphasizing that in cyberspace, deleting or tampering with data could quickly bring government services and private businesses to a complete standstill and could thereby cause more harm to civilians than the destruction of physical objects. Thus, in the ICRC's view the conclusion that this type of operation would not be prohibited by IHL in today's ever more cyber-reliant world seems difficult to reconcile with the object and purpose of this body of norms.Footnote 152 Logically, the replacement of paper files and documents with digital data should not decrease the protection that IHL affords to them.Footnote 153 As the ICRC has emphasized, “[e]xcluding essential civilian data from the protection afforded by IHL to civilian objects would result in an important protection gap”.Footnote 154
So far, few States have expressed views on whether the notion of “object” should be understood to encompass data for the rules governing the conduct of hostilities. For example, the Danish Military Manual considers that “(digital) data do not in general constitute an object”.Footnote 155 Conversely, the Norwegian Military Manual holds that data shall be regarded as objects and may only be attacked directly if they qualify as a lawful target.Footnote 156 France has expressed what could be seen as a middle-ground view, stating that “[g]iven the current state of digital dependence, content data (such as civilian, bank or medical data, etc.) are protected under the principle of distinction”.Footnote 157 The description of Peru's position in the OAS's Improving Transparency report appears to reflect a similar position: while not expressly taking a position on whether data are objects, Peru's position is explained as assessing operations against data under the notion of “military objective”, suggesting that some data systems may not be subjected to attacks because such attacks would “not create a legitimate military advantage”.Footnote 158 As the definition of “military objectives” under Article 52(2) of AP I applies “in so far as objects are concerned”, this reasoning appears to imply that data constitute objects. Chile proposes to look at the effects of an attack against data, concluding that “[t]he principle of distinction must therefore be taken into consideration in the context of cyber operations, whereby a state should refrain from attacking data in case it could affect the civilian population”. Reportedly, Chile has further emphasized that “an attack directed exclusively at computer data could well produce adverse consequences affecting the civilian population”.Footnote 159
In an increasingly data-reliant world, the question of how States interpret and apply IHL rules to safeguard essential data against destruction, deletion or manipulation will be a litmus test for the adequacy of existing humanitarian law rules.
The protection of cyber infrastructure serving simultaneously military and civilian purposes
In order to protect critical civilian infrastructure that relies on cyberspace, it is also crucial to protect the infrastructure of cyberspace itself. The challenge lies, however, in the interconnectedness of civilian and military networks. Most military networks rely on civilian cyber infrastructure, such as undersea fibre-optic cables, satellites, routers or nodes. Civilian vehicles, shipping and air traffic control are increasingly equipped with navigation equipment that relies on global navigation satellite system (GNSS) satellites such as BeiDou, GLONASS, GPS and Galileo, which may also be used by the military. Civilian logistical supply chains (for food and medical supplies) and other businesses use the same web and communication networks through which some military communication passes. Except for certain networks that are specifically dedicated to military use, it is to a large extent impossible to differentiate between purely civilian and purely military cyber infrastructures.
Under IHL, attacks must be strictly limited to military objectives. Insofar as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage. All objects which are not military objectives under this definition are civilian objects under IHL and must not be made the object of an attack or of reprisals. In case of doubt as to whether an object that is normally dedicated to civilian purposes is being used to make an effective contribution to military action, it must be presumed to remain protected as a civilian object.Footnote 160
It is traditionally understood that an object may become a military objective when its use for military purposes is such that it fulfils the definition of military objective even if it is simultaneously used for civilian purposes. A wide interpretation of this rule could lead to the conclusion that many objects forming part of cyberspace infrastructure would constitute military objectives and would therefore not be protected against attack, whether cyber or kinetic. This would be a matter of serious concern because of the ever-increasing civilian reliance on cyberspace.
Such a conclusion would, however, be incomplete. First, the analysis of when a civilian object becomes a military objective cannot be done for cyberspace or the Internet in general. Instead, belligerents must identify which computer, nodes, routers or networks might have become a military objective. In this respect, parts of the network, specific computers, or other hardware that can be separated from a network or system as a whole need to be analyzed individually. The means and methods used must enable directing the attack at the specific military objective(s) that may have been identified, and all feasible precautions must be taken to avoid or at least minimize incidentally affecting the remaining civilian objects or parts of the network.Footnote 161 It has also been argued that it is prohibited to treat as a single target a number of clearly discrete cyber military objectives in cyber infrastructure primarily used for civilian purposes if to do so would harm protected persons or objects.Footnote 162 Second, cyberspace is designed with a high level of redundancy, meaning that one of its characteristics is the ability to immediately re-route data traffic. This inbuilt resilience needs to be considered when assessing whether the target's destruction or neutralization would offer a definite military advantage as required by the definition of a military objective. If this is not the case, the object would remain civilian and cannot be attacked. And third, any attack is governed by the prohibition against indiscriminate attacks and the rules of proportionality and precautions in attack. Stopping or impairing the civilian use of an object in violation of one of these rules would render the attack unlawful despite the fact that the object had become a military objective.Footnote 163
Compared to kinetic military operations, the use of cyber operations may, depending on the circumstances, enable achieving a particular effect while causing less destruction (on the target or incidentally on other objects or systems) or causing damage that may be more easily repaired or restored. This consideration is particularly relevant with regard to dual-use objects, as illustrated by the scenario of a belligerent trying to neutralize an enemy underground command bunker by cutting its electricity supply, which is simultaneously providing power to civilian infrastructure. A cyber operation may allow the operator to remotely choose which parts of the network to switch off.Footnote 164 This could enable the attacker to achieve the desired effect while avoiding, or at least minimizing, harmful effects to the delivery of electricity to civilians. In such a case, and provided that choosing to use a cyber operation instead of a kinetic one is feasible, conducting the cyber operation would become required by the principle of precaution. Indeed, the obligation to take all feasible precautions in the choice of means and methods of warfare to avoid or at least minimize incidental civilian harmFootnote 165 is technologically neutral: it also applies to means and methods relying on new technologies, and may even require their use.Footnote 166 Whether this is feasible in a specific instance depends on the circumstances ruling at the time, including humanitarian and military considerations.Footnote 167
Limitations on cyber operations other than those amounting to “attacks”, including the specific protection of certain persons and objects
While many of the general rules on the conduct of hostilities are limited to acts amounting to attacks as defined in IHL, some IHL rules governing the conduct of hostilities apply to a broader set of operations: first, a few rules apply to all “military operations”, and second, the specific protection afforded to certain categories of persons and objects goes beyond the protection against attacks.
Rules governing military operations other than attacks
Identifying, and possibly clarifying, the rules that offer general protection to the civilian population and civilian objects against the effects of cyber operations that do not amount to attacks is an issue requiring more attention. This is all the more critical if the view is taken that only those operations causing physical damage are considered as attacks: in that case, there would be a rather broad category of cyber operations to which only a limited set of IHL rules applies. Such a conclusion would cause real concern for the protection of civilians and civilian infrastructure.
The notion of “military operation” appears in a number of articles of the 1949 Geneva Conventions and their 1977 Additional Protocols.Footnote 168 Of most interest here are the rules that regulate the conduct of military operations, including those carried out by cyber means. They include the basic rule that “parties to the conflict … shall direct their operations only against military objectives” (AP I, Article 48), the principle that “the civilian population and individual civilians shall enjoy general protection against dangers arising from military operations” (AP I, Article 51(1)),Footnote 169 and the obligation that “constant care shall be taken to spare the civilian population, civilians and civilian objects” in the conduct of military operations (AP I, Article 57(1)).Footnote 170
The ordinary meaning of the term “military operation” and a systematic interpretation of these articles lead to the conclusion that this notion is different from the notion of “attack” as defined in Article 49 of AP I.Footnote 171 While the ICRC Commentary on Article 48 of AP I notes that the notion refers to military operations during which violence is used, and not to ideological, political or religious campaigns, it clarifies that it is a broader notion than “attacks”. The Commentary defines “military operations” for the purpose of these articles as “any movements, manoeuvres and other activities whatsoever carried out by the armed forces with a view to combat” or “related to hostilities” – an understanding that is widely accepted.Footnote 172
The notion is mostly discussed in relation to the treaty and customary obligation to take constant care to spare the civilian population, civilians and civilian objects in the conduct of military operations. France has explicitly stated that this obligation also applies in cyberspace.Footnote 173 This obligation requires all those involved in military operations to continuously bear in mind the effects of military operations on the civilian population, civilians and civilian objects, to take steps to reduce such effects as much as possible, and to seek to avoid any unnecessary effects.Footnote 174 It has been described as a positive and continuous obligation aimed at risk mitigation and harm prevention that imposes requirements which increase commensurably with the risk to civilians.Footnote 175 The Tallinn Manual explains in this respect that
[t]he law admits of no situation in which, or time when, individuals involved in the planning and execution process may ignore the effects of their operations on civilians or civilian objects. In the cyber context, this requires situational awareness at all times, not merely during the preparatory stage of an operation.Footnote 176
A more challenging issue is the application of the principle of distinction to military operations other than attacks. As noted above, Article 48 of AP I requires that military operations be directed only against military objectives. While the commentaries by the ICRC and by Bothe, Partsch and SolfFootnote 177 underline the fundamental character of this article, they do not shed much light on the precise meaning and scope of this obligation, which remain subject to debate.
Article 48 is sometimes understood as an overarching principle that is implemented through the application of the various rules of the section of the Protocol that it opens. Some commentators therefore argue that the specific rules stemming from the principle of distinction apply only to attacks and not to military operations other than attacks.Footnote 178 Accordingly, some military manuals expressly state that cyber operations other than attacks may be directed at civilians or civilian objects.Footnote 179 This assertion would seem difficult to reconcile with Article 48 for States party to the Protocol, or at least would need to be carefully articulated. Indeed, experts have pointed out that “[w]hile … there is a distinction between military operations and attacks, it does not follow that non-violent computer network attacks may be therefore conducted against civilian objects”.Footnote 180 This conclusion stems from the rules of treaty interpretation, which require that provisions are interpreted to “have a meaningful content and are not superfluous”.Footnote 181
As noted above, “military operations” are understood as any movements, manoeuvres or other activities whatsoever carried out by the armed forces with a view to combat or related to hostilities. Manoeuvring is also an integral part of cyber operations.Footnote 182 For instance, establishing remote access to one system or device might be a step towards reaching or attacking another system or device.Footnote 183 Assuming that the former system or device is civilian in character and the latter is a military objective, the question may arise as to whether establishing access to the civilian system or device would be a prohibited military operation. In the view of the present authors, provided that the civilian system or device is not damaged or disabled in the process, such a scenario does not appear to contravene Article 48 because the operation is, ultimately, directed at a military objective.Footnote 184 Such cyber operations may indeed be assessed in the same way as traditional military operations – for example, when a commando moves through a civilian house to attack a military objective which is located behind it. Still, other obligations would remain relevant, such as the obligation to take constant care to spare civilian objects.
In the view of the present authors, Article 48, alone or in combination with Articles 51(1) and 57(1) of AP I, should be interpreted as prohibiting cyber operations designed solely at disrupting internet services for the civilian population even if such cyber operations do not disable objects or otherwise have consequences that qualify them as attacks. The civilian use of the Internet is today so all-pervading that any other interpretation would leave an important gap in the protection that IHL affords to civilians against the effects of hostilities carried out by cyber means.Footnote 185
As discussed above, some hold the view that not all cyber operations which disable objects, or which delete or manipulate data, constitute attacks. As a consequence of such interpretations, a significantly broader range of cyber operations would not be governed by the rules on attacks, including operations that would create a significant risk of harm. It is therefore all the more important for the protection of the civilian population that those who interpret narrowly the notions of “attack” and “objects” clarify whether they consider that cyber operations which merely disable objects or delete data amount to “military operations”, and what this means for the application of the principle of distinction to such operations – in particular, what the requirement of Article 48 of AP I that parties to armed conflicts “shall direct their operations only against military objectives” entails. For instance, at least a certain level of protection would be retained if those who interpret the notion of “attack” narrowly accept that a cyber operation that merely disables objects is a “military operation” which as a consequence must be directed only against military objectives.
Even cyber operations that do not fall within the notion of “military operation” as understood in AP I might be regulated by some IHL rules stemming from the principle of distinction. For example, it has been noted that “directing” psychological operations or other types of propaganda at civilians would not violate Article 48 of AP I because these operations would not fall within the meaning of “military operations” as understood in Article 48.Footnote 186 Yet, psychological operations are not beyond the protective reach of other IHL norms. For instance, they must not amount to prohibited acts or threats of violence the primary purpose of which is to spread terror among the civilian population or encourage IHL violations.Footnote 187
Limitations on cyber operations other than attacks may also stem from the principle of military necessity. Relying on the customary rule going back to the 1907 Hague Regulation, the US DoD Law of War Manual states that “[a] cyber operation that would not constitute an attack, but would nonetheless seize or destroy enemy property, would have to be imperatively demanded by the necessities of war”.Footnote 188 The Manual also refers to military necessity in a more generic manner, specifying that cyber operations which do not amount to attack “must not be directed against enemy civilians or civilian objects unless the operations are militarily necessary”.Footnote 189 In a similar manner, Australia notes that “[a]pplicable IHL rules will also apply to cyber operations in an armed conflict that do not constitute or rise to the level of an ‘attack’, including the principle of military necessity”.Footnote 190 While these references to military necessity as a restraining principle are welcome, more clarity is needed on exactly what the principle of military necessity prescribes when conducting cyber operations.
This brief discussion shows that cyber operations other than attacks are not unregulated. The legal regime governing military operations remains, however, less complete, precise and demanding than the legal regime governing operations that amount to attacks under IHL. To address this protection gap at least to some extent, Schmitt has put forward a suggestion that States should apply – as a matter of policy – an adapted proportionality assessment to cyber operations that do not amount to attacks.Footnote 191
The specific protection that IHL provides to certain persons and objects further restricts the scope of permissible military operations.
IHL rules protecting objects indispensable to the survival of the civilian population, medical services, and humanitarian relief operations
In addition to the general rules on the conduct of hostilities, IHL sets out specific regimes for certain objects and services that afford additional and stronger protection than the protection granted to all civilians and civilian objects.
For instance, IHL specifically makes it illegal “to attack, destroy, remove or render useless objects indispensable to the survival of the civilian population”.Footnote 192 This rule protects, for example, “food-stuffs”, “agricultural areas for the production of food-stuffs”, and “drinking water installations and supplies and irrigation works”.Footnote 193 While the experts who drafted the Tallinn Manual held that the Internet as such cannot be considered as an object indispensable to the survival of the civilian population, they noted that “cyber infrastructure indispensable to the functioning of electrical generators, irrigation works and installations, drinking water installations, and food production facilities could, depending on the circumstances, qualify”.Footnote 194 The explicit mention of “rendering useless” must be understood as covering a broader range of operations that may impact these goods, beyond attacks or destruction. As noted in the ICRC Commentary on Article 54(2) of AP I, the intent of the drafters was “to cover all possibilities” of how objects for the subsistence of the civilian population can be rendered useless.Footnote 195 Today, cyber operations that are designed, or can be expected, to render objects indispensable for the civilian population useless are prohibited, regardless of whether they amount to an attack. The debate on whether military operations against these objects amount to an attack (as discussed above) is therefore moot for these objects.
IHL also provides specific protection for medical services. Given the fundamental importance of health care for anyone affected by armed conflict, belligerents must respect and protect medical facilities and personnel at all times.Footnote 196 The obligation to “respect” medical facilities and personnel is understood as not only protecting them against operations that amount to attacks – it is prohibited to “harm them in any way. This also means that there should be no interference with their work (for example, by preventing supplies from getting through) or preventing the possibility of continuing to give treatment to the wounded and sick who are in their care.”Footnote 197 The special protection of medical facilities includes medical communication: while jamming enemy communication is generally considered permissible, “an intentional disruption of [medical] units’ ability to communicate for medical purposes” may not be permissible, even if medical units communicate with the armed forces.Footnote 198 Moreover, the obligation to respect and protect medical facilities encompasses a prohibition against deleting, altering or otherwise negatively affecting medical data.Footnote 199 It may also provide protection against cyber operations directed at the confidentiality of medical data, which at least in some circumstances would be hard to reconcile with the obligation to protect and respect medical facilities.Footnote 200 Relevant data in the medical context include “data necessary for the proper use of medical equipment and for tracking the inventory of medical supplies” as well as “personal medical data required for the treatment of patients”.Footnote 201 The obligation to “protect” medical facilities, including their data, entails positive obligations. Parties to the conflict must actively take measures to protect medical facilities from harm to the extent feasible, including harm resulting from cyber operations.Footnote 202
IHL also prescribes that humanitarian personnel and relief consignments must be respected and protected.Footnote 203 This obligation certainly prohibits any “attacks” against humanitarian operations. In the same way as for the obligation to respect and protect medical personnel and facilities, relevant rules should also be understood as prohibiting “other forms of harmful conduct outside the conduct of hostilities” against humanitarians or undue interference with their work.Footnote 204 Moreover, parties to armed conflicts are required to agree, allow and facilitate humanitarian relief operations.Footnote 205 Accordingly, Rule 145 of the Tallinn Manual 2.0 states that “cyber operations shall not be designed or conducted to interfere unduly with impartial efforts to provide humanitarian assistance”, and specifies that such operations are prohibited “even if they do not rise to the level of an ‘attack’”.Footnote 206 The obligation to respect and to protect relief personnel and operations should also be understood as protecting relevant data.Footnote 207 At least for States party to AP I, the protection of humanitarian data should encompass data of the ICRC that the organization needs “to carry out the humanitarian functions assigned to it by the [Geneva] Conventions and this Protocol in order to ensure protection and assistance to the victims of conflicts”.Footnote 208
These special protections show that IHL provides more stringent rules for military operations against certain goods or services that are essential for the survival, health and well-being of the civilian population.
The importance of legal reviews of cyber means and methods of warfare to ensure respect for IHL
In light of the particular challenges that the characteristics of cyberspace pose to the interpretation and application of some IHL principles in the conduct of hostilities, parties to armed conflicts who choose to develop, acquire or adopt weapons, means or methods of warfare relying on cyber technology need to exercise care in doing so. In this respect, States party to AP I that develop or acquire cyber warfare capacities – whether for offensive or defensive purposes – have an obligation to assess whether the employment of the cyber weapon, means or method of warfare would be prohibited by international law in some or all circumstances.Footnote 209 More broadly, legal reviews are critical for all States to ensure respect for IHL by their armed forces,Footnote 210 so that they only use weapons, means or methods of warfare, including those relying on cyber technology, that comply with the State's obligations under IHL.Footnote 211 Such reviews should involve a multi-disciplinary team including legal, military and technical experts as relevant.Footnote 212 These legal reviews need to be conducted earlier and in more depth than the analysis of the legality of the actual use of a tool in the specific circumstance of an attack.
In view of the novelty of the technology, it is critical that the legal review of cyber weapons, means and methods of warfare is given particular attention. The prohibition of weapons that are by nature indiscriminate may be particularly relevant considering the ability of certain cyber tools to self-propagate autonomously.Footnote 213 The legal review of cyber weapons, means and methods of warfare may, however, present a number of challenges. In the following, we illustrate some issues, without being exhaustive.
First, a State conducting a legal review needs to determine against which legal standards it reviews a cyber tool. In other words, the State will need to have answers to some of the questions discussed above, such as whether the use of a tool will qualify as an attack and is therefore subject to a broad range of IHL rules. For matters where the law is unclear or unsettled, a cautious approach may be warranted to avoid the subsequent appearance that the employment of a cyber tool was, or should have been deemed, unlawful.
Second, a State needs to determine what needs to be reviewed. This may not necessarily be evident with regard to cyber tools or cyber capabilities, as shown by the widespread use of these terms instead of notions such as cyber weapons. Commentators have discussed whether and which cyber tools or capabilities are weapons, means or methods of warfare, and what the implications are with respect to their legal review.Footnote 214 In any case, as noted above, States party to AP I must review all cyber tools or capabilities that qualify as weapons, means or methods of warfare. For States that are not party to AP I, the obligation to respect and ensure respect for IHL by their armed forces and the newness of the use of cyber technologies as weapon, means or method of warfare would make it prudent to cast as large a net as possible in terms of the capabilities being reviewed.Footnote 215
Third, a weapon or means of warfare should not be assessed in isolation from the way in which it will be used, meaning that the normal or expected use of the weapon or means of warfare must be considered in the legal review. Military cyber capabilities might, however, be less standardized than kinetic weapons, especially if designed for a specific operation. This would mean that the review needs to be done in view of the specific cyber environment in which the weapon will likely be used.
Fourth, and relatedly, a State should conduct a legal review not only for a weapon, means or method of warfare it intends to acquire or adopts for the first time, but also when it modifies a weapon, means or method that has already passed a legal review. This may pose a challenge with regard to cyber tools that are likely to be subject to frequent adaptation, including to respond to the software security upgrades that a potential target undergoes. While the question of the type and extent of change that would require a new legal review might need to be further clarified, a new legal review must be conducted, notably, when the weapon, means or method of warfare is modified in a way that alters its function or when the modification could otherwise have an impact on whether the employment of the weapon, means or method would comply with the law.Footnote 216 It has been noted in this respect with regard to cyber weapons that “the assessment of whether a change will affect a program's operation must be qualitative rather than quantitative in nature”.Footnote 217 For legal reviews to be effective, States that study, develop, acquire or adopt new weapons, means or methods relying on new technologies need to navigate these and other complexities. In other words, testing regimes must adapt to the unique characteristics of cyber technology. In light of the above-mentioned complexities, a good practice to ensure respect for IHL by all States would be to share information about a State's legal review mechanisms and, to the extent feasible, about the substantive results of legal reviews.Footnote 218 This would be especially important where problems of compatibility of a weapon with IHL arise, in order to avoid other States encountering the same problems and to notify other States of the testing State's conclusions that such tools are prohibited by IHL. Exchange of information on legal reviews of weapons, means or methods relying on new technologies can also help build expertise and facilitate the identification of good practices, which may assist States that wish to establish or strengthen their own legal review mechanisms.Footnote 219
Conclusion
For the protection of the civilian population and civilian infrastructure in armed conflict, it is fundamentally important to recognize that cyber operations conducted during armed conflicts do not occur in a legal void but are regulated by international law, most notably IHL. As this article shows, recognizing IHL applicability is, however, not the end of the conversation. More discussion – in particular among States – is needed on how IHL is to be interpreted in cyberspace. Any such discussion should be informed by an in-depth understanding of the development of military cyber capabilities, the potential human cost they may cause, and the protection afforded by existing law. This article is meant to provide a basis for such discussions. While the use of cyber operations during armed conflicts, their potential human cost and States’ legal positions on the subject are evolving, the analysis in this article presents a number of conclusions.
First, cyber operations during armed conflicts are a reality in today's armed conflicts and their use is likely to increase in the future. They can cause significant harm to the civilian population, especially if affecting critical civilian infrastructure such as medical facilities, electricity, water or sanitation. While the risk of causing human harm does not appear extremely high based on current observations, especially considering the destruction and suffering that conflicts always cause, the evolution of cyber operations requires close attention due to existing uncertainties and the rapid pace of change.
Second, in the ICRC's view, there is no question that cyber operations during armed conflicts are regulated by IHL – just as is any weapon, means or method of warfare used by a belligerent in a conflict, whether new or old. While the issue does not (yet) enjoy universal agreement, a careful examination of the various arguments raised in multilateral discussions shows that affirming IHL applicability legitimizes neither the militarization of cyberspace nor the use of malicious cyber operations. A State that considers carrying out a cyber operation against another State must analyze the lawfulness of this operation under the UN Charter and IHL. These two frameworks are complementary when it comes to the protection of humans from war and its effects. While some of the terminology they use is similar, the two frameworks are legally separate and require distinct analyses, as similar terminology has (at times) distinct meaning. For instance, concluding that a cyber operation triggers the applicability of IHL does not necessarily mean that it amounts to an armed attack giving rise to the right of self-defence.
Third, the partly non-physical – i.e., digital – nature of cyberspace and the interconnectedness of military and civilian networks pose practical and legal challenges in applying the general IHL principles and rules protecting civilians and civilian objects. This is particularly the case with regard to the notion of “attack” under IHL, the question of whether civilian data enjoys similar protection as “civilian objects”, and the protection of “dual-use” cyber infrastructure.
The question of whether or not an operation amounts to an “attack” as defined in IHL is essential for the application of many of the rules deriving from the principles of distinction, proportionality and precaution, which afford critical protection to civilians and civilian objects. For many years, the ICRC has taken the position that an operation designed to disable a computer or a computer network during an armed conflict constitutes an attack as defined in IHL whether the object is disabled through destruction or in any other way. This view is also reflected in the positions of a number of States.
While many of the general rules on the conduct of hostilities are limited to acts amounting to attacks as defined in IHL, some IHL rules governing the conduct of hostilities apply to a broader set of operations. IHL includes a few rules that apply to all “military operations”, such as the obligation to take constant care to spare civilians and civilian objects. Moreover, IHL defines specific rules protecting certain categories of persons and objects, such as objects indispensable to the survival of the civilian population, medical services, and humanitarian relief operations. The protection they afford goes beyond the general protection afforded to civilians and civilian objects.
The protection of data against malicious cyber operations during armed conflict is becoming increasingly important because data is an essential component of the digital domain and a cornerstone of life in many societies. In the ICRC's view, the conclusion that cyber operations designed or expected to delete or tamper with essential civilian data would not be prohibited by IHL in today's ever more cyber-reliant world seems difficult to reconcile with the object and purpose of this body of norms, and raises significant concern.
In order to protect critical civilian infrastructure that relies on cyberspace, it is also crucial to protect the infrastructure of cyberspace itself. It is traditionally understood that a civilian object may become a military objective when its use for military purposes is such that it fulfils the definition of military objective even if it is simultaneously used for civilian purposes. However, a party to a conflict that considers carrying out an attack against cyberspace infrastructure must analyze which distinct parts of the infrastructure make an effective contribution to military action, and whether their destruction or neutralization would, in the circumstances ruling at the time, offer a definite military advantage. Furthermore, this party must take all feasible precaution to avoid or at last minimize incidental civilian harm, including harm caused by indirect or reverberating effects, and must refrain from carrying out the attack if such harm may be expected to be excessive.
Fourth, in light of the particular challenges that the characteristics of cyberspace pose to the interpretation and application of some IHL principles in the conduct of hostilities, parties to armed conflicts who choose to develop, acquire or adopt weapons, means or methods of warfare relying on cyber technology need to exercise care in doing so. While legal reviews of new weapons, means and methods of warfare are mandatory for States party to AP I, legal reviews are critical for all States to ensure that their armed forces only use weapons, means or methods of warfare that comply with the State's obligations under IHL.
To conclude, recognizing that IHL applies in cyberspace and engaging in discussions on how it addresses the various challenges posed by the specific characteristics of the cyber domain and whether existing law is adequate and sufficient does not exclude that new rules might be useful or even needed. In our view, the answer to this question depends notably on how States interpret existing IHL obligations. If narrow interpretations are adopted, significant gaps in the protection of civilian populations and infrastructure may arise, and the existing legal framework might need strengthening. If new rules are developed, however, in our view it is critical that they build on and strengthen the legal framework that already exists – in particular IHL.
