Cyber Operations under International Humanitarian Law: Perspectives from the ICRC

Issue: 
11
Volume: 
24
By: 
Jonathan Horowitz
Date: 
May 19, 2020

Cyberspace is so omnipresent that it can seem banal, but it is also a target-rich environment from a military perspective, with modern armies deeply reliant on digital infrastructure. From the perspective of international humanitarian law (or IHL, also known as the law of armed conflict), this raises the question of what cyber operators may and may not attack during armed conflicts, what even constitutes an "attack" under IHL in cyberspace, and what the reverberating effects of those attacks could be on civilians. Military networks may rely on civilian cyber infrastructure, such as undersea fiber-optic cables, satellites, routers or nodes. At the same time, civilian logistical supply chains and essential civilian services use the same cyber infrastructure through which some military communications pass.  In more succinct terms, cyber operations present risks of serious unintended harm in situations of armed conflict, including death and injury to civilians, and damage to civilian objects protected under IHL.[1] This Insight explores how international humanitarian law applies to cyber operations. It does not address the application of other bodies of international law. 

Given the global ubiquity of cyberspace, it is not hard to see that rules are needed to constrain cyber activity. Indeed, states have agreed that international law places limits on their cyber operations.[2] Recognizing the risks that cyber operations pose to civilians in time of armed conflict, it is worth noting that 78 states also support the "Paris Call," which reaffirms that "international humanitarian law and customary international law are applicable to the use of information and communication technologies (ICT) by States,"[3] a position also expressed by international organizations such as the EU and NATO.[4] However, some states refrain from, or even draw caution against, taking such position.[5]

Simply saying that IHL applies to cyber operations in times of armed conflict does not, however, fully address the need to clarify what limits exist, and whether they are appropriate. While IHL is the primary body of international law that regulates armed conflict and protects civilians and civilian objects in wartime, there remains the critical question of how states will apply IHL to the cyber domain. 

The Notion of "Attack" Under IHL

States must determine what constitutes an "attack" under IHL.[6] In the past, "attack"—whether with muskets, mortars, field artillery, or air-to-surface missiles—was a reasonably well-understood concept in warfare. The death, injury, damage, and destruction that can result from attacks is one of the most fundamental components of armed conflict. Unsurprisingly, in an effort to spare civilians from its dangers, IHL's strongest articulations of the principles of distinction, proportionality, and precaution apply only to those military operations that qualify as "attacks."[7]

IHL defines an attacks as "acts of violence against the adversary, whether in offence or in defence."[8] This is a seemingly clear and broad definition. The cyber domain, however, creates a host of new and unique questions around what cyber activities rise to the level of an "attack" and, by extension, how states have to comply with IHL.

Some operations are easier to define as "attacks" than others. It is widely accepted that cyber operations expected to cause death, injury or physical damage constitute attacks under IHL.[9] In the ICRC's view, this includes foreseeable indirect (or reverberating) effects of death, injury, or physical damage. For example, the death of patients in intensive-care units caused by a cyber operation on an electricity network that results in cutting off a hospital's electricity supply also constitutes an attack under IHL, if that operation occurs as part of an armed conflict.[10]

Beyond this, cyber attacks have the potential to significantly disrupt essential services and therefore be particularly harmful for civilians even when they do not result in physical damage. Diverging views exist, however, on whether a cyber operation that results in a loss of functionality without causing physical damage qualifies as an attack as defined in IHL.[11]

In the ICRC's view, during an armed conflict an operation designed to disable a computer or a computer network constitutes an attack under IHL, whether the object is disabled through kinetic or cyber means.[12] A cyber operation that is expected to make a civilian network system belonging to stock exchanges, banking systems, or universities dysfunctional (whether deliberately or incidentally) should be covered by IHL's most detailed rules protecting civilians and civilian objects against direct attacks and attacks' incidental effects. An overly restrictive understanding of the notion of attack as only referring to operations that cause death, injury or physical damage would be difficult to reconcile with the object and purpose of IHL's rules on the conduct of hostilities.[13]

Does IHL Protect Civilian Data?

To apply IHL to cyber operations in armed conflict, states will also have to determine whether IHL affords civilian data the protections of civilian objects. Medical data, biometric data, social security data, tax records, bank accounts, companies' client files, or election lists and records are just some examples of data that forms an essential component of digitalized societies. Deleting, restricting, or tampering with essential civilian data can quickly bring government services and private businesses to a complete standstill, sometimes with potential life or death consequences.[14] In the ICRC's view, the specific protections afforded by IHL extend to essential data, such as data belonging to medical units, which are part of the obligation to respect and protect such units.[15] Likewise, IHL's rules on "attacks" would also apply to cyber operations that delete, restrict, or tamper with data with the potential to cause civilian loss of life and injury, or damage to civilian objects.  

Beyond these important protections, in today's data-reliant world, other essential civilian data should receive the same protections that IHL affords "civilians objects." The question of whether and to what extent civilian data constitute civilian objects remains, however, unresolved. In the ICRC's view, the replacement of tangible materials such as paper documents with digital files in the form of data should not decrease the protections of IHL.[16]  A narrow definition of "civilian objects" under IHL would expose an important protection gap and might, for example, result in cyber operators omitting the destruction of civilian data as such from the calculations they must otherwise make to avoid, or at least minimize, incidental harm to civilian objects and ensure they do not conduct disproportionate attacks. 

Proportionality and Precautionary Measures

Under IHL, an object that has become a "military objective" is no longer protected against attack.[17] But despite the interconnected nature of cyberspace (simultaneous use by civilian and military), not every use of interconnected networks for military purposes renders the network a military objective.[18] Moreover, even if the chosen target does fall within the definition of a military objective, any attack would remain governed by IHL's prohibitions against indiscriminate and disproportionate attacks and the obligation to take precaution in attack.[19] Setting loose a "worm" (a self-replicating or self-propagating computer program) that attacks anything it encounters with the hope that it eventually damages an adversary's computer network would, for example, be prohibited as an indiscriminate attack under IHL. Taking precautionary measures and following the rule of proportionality are particularly important precisely because civilian and military networks are so interconnected. Assessing the expected incidental civilian harm of any cyber operation, as required under these two rules, is critical to ensuring that the harm to the civilian population is avoided, or at least minimized.

Under IHL, states also have an obligation to take, to the maximum extent feasible, precautions against the effects of attacks.[20]This rule aims to protect civilian populations and objects that are under the control of parties to an armed conflict. In the ICRC's view, this obligation extends at least to the physical infrastructure of cyberspace (and to objects whose functioning depends on that infrastructure) located in a state's territory, or in any territory that may be occupied by a party to the conflict.[21] What will be feasible for each state to do depends, of course, on that state's resources. Measures that could be considered include, where feasible, segregating military from civilian cyber infrastructure and networks; backing up important civilian data; using antivirus measures; and making advance arrangements ensuring the timely repair of important computer systems against foreseeable kinds of cyber attacks.[22] Other avenues that could be explored include the use of digital watermarks or other tags to identify cyber infrastructure and networks serving specially protected objects like hospitals.[23]

Conclusions

States on their own, in consultation with their allies, and in important international fora, will continue to signal and express their views on how IHL applies to cyberspace and what additional norms they expect themselves and other states to follow. In this context, protecting critical civilian infrastructure, including medical services, against harmful cyber operations[24] remains particularly important. If new rules are to be developed to protect civilians against the effects of cyber operations, they should build on and strengthen the existing legal framework – including IHL.[25]

About the Author: Jonathan Horowitz is Legal Advisor at the ICRC (Regional Delegation for the United States and Canada).


[1] See, generally, ICRC, The Potential Human Cost of Cyber Operations, 2019.

[2] See, UN Doc. A/RES/73/27, December 11, 2018, Preamble.

[3] The Paris Call for Trust and Security in Cyberspace, Nov. 12, 2018. For further information see https://pariscall.international/en/call and https://pariscall.international/en/.

[4] E.U. Council Conclusions, General Affairs Council meeting, June 25, 2013, 11357/13; NATO, Wales Summit Declaration (Issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Wales), Sept. 5, 2014, ¶ 72.

[5] See, Michael Schmitt, "Norm-Skepticism in Cyberspace? Counter-factual and Counterproductive," JustSecurity.org, Feb. 28, 2020, https://www.justsecurity.org/68892/norm-skepticism-in-cyberspace-counter-factual-and-counterproductive/.

[6] The notion of "attack" under IHL relates to its rules on the conduct of hostilities in armed conflict and is distinct from the notion of "armed attack" under Article 51 of the UN Charter. 

[7] See Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, art. 51(4)(b), June 8, 1977, 1125 U.N.T.S. 3 [hereinafter API], Articles 51 and 57. For descriptions of these principles under customary international law, see Jean-Marie Henckaerts & Louise Doswald-Beck, Customary International Humanitarian Law – Volume I: Rules (2005) [hereinafter IHL Customary Law Study], Chapters 1 to 6. It is important to recall, however, the IHL also regulates military operations that do not constitute "attack," albeit with less detailed rules, such as under API, art. 51(1) and art. 57(1).

[8] API, art. 49(1). 

[9] Tallinn Manual 2.0 on the International Law Applicable to Cyber Warfare (Michael N. Schmitt gen. ed.), 2017 [hereinafter Tallinn Manual 2.0], Rule 92, ¶¶ 4–6.

[10] ICRC, International humanitarian law and the challenges of contemporary armed conflicts, Oct. 2015 [hereinafter ICRC, Challenges Report, 2015], p. 41.  

[11] See, Tallinn Manual 2.0, Rule 92, paras. 10-12.

[12] ICRC, International Humanitarian Law and the challenges of contemporary armed conflicts, 2011, p. 37; ICRC, Challenges Report, 2015, p. 41-42.

[13] ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts, position paper submitted to the Open-Ended Working Group on developments in the field of information and telecommunications in the context of international security [hereinafter OEWG] and Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security [hereinafter GGE], November 2019 [hereinafter, ICRC position paper], p. 7-8, https://www.icrc.org/en/document/international-humanitarian-law-and-cyber-operations-during-armed-conflicts.

[14] ICRC, Challenges Report, 2015, p. 43.  

[15] See, ICRC position paper, p. 8. 

[16] ICRC, Challenges Report, 2015, p. 43; ICRC, International humanitarian law and the challenges of contemporary armed conflicts, November 2019, p. 21.  

[17] For a definition of "military objective" under IHL see API, Article 52(2) and IHL Customary Law Study, Rule 8. 

[18] This may be because the network's nature, location, purpose or use does not make an effective contribution to military action, or because its destruction, capture or neutralization would not offer a definite military advantage. See API, art. 52(2); IHL Customary Law Study, ch. 2; and ICRC position paper, p. 7.

[19] For a detailed description of the prohibition against indiscriminate attacks see API, Article 51(4) and (5) and IHL Customary Law Study, Chapter 3. For a detailed description of the prohibition against disproportionate attacks and the obligation to take precautions, see footnote 8.

[20] API, Article 58 and IHL Customary Law Study, ch. 6.

[21] Challenges Report, 2015, p. 43. For a spectrum of views on this issue, see Tallinn Manual 2.0, Rule 121.

[22] Challenges Report, 2015, p. 43. See also, Tallinn Manual 2.0, Rule 121, ¶ 3. 

[23] Challenges Report, 2015, p. 43.

[24] See, e.g., UN Doc. Res A/RES/73/27, para. 1.6; and ICRC, Statement to the OEWG, Feb. 11, 2020, https://www.icrc.org/en/document/norms-responsible-state-behavior-cyber-operations-should-build-international-law

[25] See, e.g., ICRC, position paper, p. 9.