The Law Of Armed Conflict: Cyber Warfare's Legal Battlefield

does the law of armed conflict apply to cyber

The law of armed conflict, or international humanitarian law (IHL), applies to any armed confrontation between two or more states, even if they deny the existence of a conflict. IHL also applies to non-international armed conflicts, which are situations of protracted armed violence between governmental authorities and organised armed groups or between such groups within a state.

In the cyber context, states often act through non-state intermediaries and proxies. For IHL to apply, the state must exercise a sufficient degree of control over the non-state entity that commences hostilities. The prevailing standard for the characterisation of an international armed conflict is overall control, which requires that the state provides some support and participates in the organisation, coordination, or planning of the relevant operations.

The question of whether IHL applies to cyber operations is a point of contention in the ongoing UN-mandated cyber processes. However, the issue is less controversial among practitioners, who agree that IHL applies to cyber operations during armed conflict. The International Court of Justice has also taken this view.

It is generally accepted that cyber operations having similar effects to classic kinetic operations, such as the destruction of civilian or military assets, or the death or injury of soldiers or civilians, are governed by IHL. It is less clear whether cyber operations that do not physically destroy or damage military or civilian infrastructure could be considered a resort to armed force governed by IHL in the absence of kinetic hostilities.

Characteristics Values
Application of the law of armed conflict The law of armed conflict applies to any armed confrontation between two or more states, even if one, several, or all of them deny the existence of an armed conflict.
Cyber operations as a trigger of the law of armed conflict It is unclear what effect cyber operations unaccompanied by any use of kinetic force would have to have in order for the law of armed conflict to apply.
International armed conflict The prevailing view is that any "resort to armed force between states", however brief or intense, triggers the application of the law of armed conflict.
Non-international armed conflict The law of non-international armed conflict applies to all armed conflicts not of an international character.
Direct participation in hostilities Civilians benefit from a general protection from attack but lose this protection if they directly participate in hostilities.
Attacks against persons It is prohibited to direct an attack against civilians.

lawshun

International armed conflict

The law of international armed conflict (IAC) applies to any armed confrontation between two or more States. This includes situations where one, several, or all parties deny the existence of an armed conflict. The prevailing view is that any "resort to armed force between States", however brief or intense, triggers the application of international humanitarian law (IHL).

The law does not prescribe any specific form for the use of force, so hostilities may involve any combination of kinetic and cyber operations, or cyber operations alone. It is generally accepted that if cyber operations have similar effects to classic kinetic operations and two or more States are involved, the resulting situation would qualify as an IAC.

However, the law is unsettled on whether cyber operations that merely disrupt the operation of military or civilian infrastructure amount to a resort to armed force for the purposes of IHL. In the cyber context, States often act through non-State intermediaries and proxies. For an IAC to be deemed applicable, the relevant State must exercise a sufficient degree of control over the non-State entity that commences hostilities against another State.

The correct legal test to determine the requisite level of control is a subject of ongoing controversy. The prevailing standard for the characterization of an IAC is the "overall control" test, which requires that the State provides some support and participates in the organization, coordination, or planning of the relevant operations. A separate standard, the "effective control" test, requires that the State must exercise control over the entire course of the operations in question. While there is disagreement over whether the "effective control" test is the controlling test for the purposes of attribution under the law of State responsibility, there is consensus that the "overall control" test is the correct one for conflict qualification under IHL.

Publicly available national positions addressing this issue include those of Austria, Costa Rica, Finland, France, Germany, Ireland, and Japan.

lawshun

Non-international armed conflict

The law of non-international armed conflict (NIAC) applies to all armed conflicts not of an international character. NIACs are situations of "protracted armed violence between governmental authorities and organised armed groups or between such groups within a State".

The definition of NIAC rests on two factors: the intensity of the fighting and the organisation of the non-State group. Firstly, the hostilities must reach a certain level of intensity, as indicated by the seriousness and frequency of attacks, military engagements, the extent of destruction, or the deployment of governmental armed forces. Secondly, the non-State group must have a minimum level of organisation, as indicated by the presence of a command or leadership structure, the ability to determine a unified military strategy and speak with one voice, the adherence to military discipline, and the capability to comply with IHL.

These same criteria of intensity and organisation apply in situations involving (or even limited to) cyber operations. However, cyber operations alone will only rarely meet the requisite level of intensity to trigger a NIAC.

In the cyber context, States often act through non-State intermediaries and proxies. For the situation to qualify as a NIAC, the relevant State must exercise a sufficient degree of control over the non-State entity that commences hostilities against another State. The prevailing standard for the characterisation of a NIAC is that of "overall control", which requires that the State provides some support and participates in the organisation, coordination, or planning of the relevant operations.

In summary, the law of NIAC applies to all armed conflicts not of an international character. The definition of NIAC is based on the intensity of the fighting and the organisation of the non-State group. The same criteria of intensity and organisation apply to cyber operations, but cyber operations alone rarely meet the intensity threshold. In the cyber context, States often act through non-State intermediaries, and for the situation to qualify as a NIAC, the State must exercise overall control over the non-State entity.

lawshun

Direct participation in hostilities

Civilians are generally protected from attack under the law of armed conflict. However, this protection is lifted "for such time as they take a direct part in hostilities". During this period, a civilian who directly participates in hostilities (DPH) may be attacked lawfully. This rule applies to cyber operations, when these occur during an armed conflict.

According to the ICRC DPH study, an act must meet the following criteria to qualify as direct participation in hostilities:

  • The act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack (threshold of harm).
  • There must be a direct causal link between the act and the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part (direct causation).
  • The act must be specifically designed to directly cause the required threshold of harm in support of a party to the conflict and to the detriment of another (belligerent nexus).

These criteria are neutral as to the means and methods of warfare used by the act in question; accordingly, they equally apply to cyber operations. "Digital" damage is included as long as the cyber operation negatively affects the enemy's military operations or military capacity. Examples of direct participation in hostilities through cyber means include damaging enemy property or equipment, or the transmission of military information for immediate use by a belligerent.

In a non-international armed conflict (NIAC), a person who is a member of an organised armed group (OAG) that is a party to the conflict loses their protection if they fulfil a continuous combat function (CCF) within the group. This occurs when the (continuous) function of a person in a group is to directly participate in hostilities. It requires lasting integration into the OAG in question. This includes the individuals whose continuous function involves the preparation, execution or command of cyber operations amounting to DPH. Simple membership in a hacker group without any DPH function does not suffice for a CCF, as the DPH criteria are designed to exclude subsidiary support functions within a group.

The CCF concerns the temporal scope of the loss of protection and is function-based. Membership in an OAG starts when the civilian "starts de facto to assume the continuous combat function" and lasts until that function ceases.

lawshun

Attacks against persons

The principle of distinction is a fundamental principle of international humanitarian law (IHL) and has the status of customary international law. It obliges parties to an armed conflict to distinguish at all times between civilians and combatants.

It is prohibited to direct an attack against civilians. Furthermore, intentionally directing attacks against the civilian population or against individual civilians not taking direct part in hostilities qualifies as a war crime. Acts or threats of violence that primarily aim at spreading terror among the civilian population are also prohibited.

According to Article 48 of Additional Protocol I (API), parties to an armed conflict may "direct their operations only against military objectives". Attacks may be directed against combatants insofar as they are positively distinguished from civilians and qualify as military objectives. Civilians are protected from attack unless and for such time as they directly participate in hostilities.

The principle of distinction is closely linked to the principle of proportionality. The principle of proportionality prohibits attacks that may be expected to cause incidental injuries, death or destruction to civilians or civilian objects (incidental civilian harm), which would be excessive in relation to the concrete and direct military advantage anticipated. Put differently, belligerents are obliged to refrain from attacks even against those persons who otherwise qualify as military objectives if such attacks are expected to cause disproportionate incidental civilian harm.

Overall, an attack against a person may be lawful if it is directed at a combatant or a civilian directly participating in hostilities, without causing any incidental civilian harm. An attack against such a person, which does result in incidental civilian harm, may additionally be lawful if the expected incidental harm is not excessive in relation to the anticipated military advantage.

For example, in the case of State A and State B, the IT specialists belonging to group 1 are not in principle protected from attack, because they qualify as combatants. Given that this group uses the building in which they are based for military purposes, in accordance with Article 52(2) of API, the building also qualifies as a military objective through its present use.

Group 2 are civilians who are not participating in hostilities and are, therefore, not a lawful target.

The lawfulness of a separate attack on group 3 is more controversial and would depend on whether the conduct of the group members would constitute direct participation in hostilities. Those members who do directly participate in hostilities are liable to attack for the duration of such participation, while members who are not participating remain protected at all times.

In the context of an international armed conflict, a conventional attack on group 4 might at first appear unlawful, because the members of the group are civilians. However, due to their hostile attacks against State B's matériel and the frequency of this conduct, some members of the group are directly participating in hostilities and therefore lose their protection. If a non-international armed conflict with group 4 as a party is in place, then those members of group 4 who have a continuous combat function can be attacked at any time.

Given that groups 1–3 are all situated in the same building at the same time, any conventional attack against the building would also have to comply with the principle of proportionality. Accordingly, the lawfulness of the attack against the building would depend on whether the incidental harm to civilians present in the building and not considered to be participating in hostilities at the material time was excessive in relation to the military advantage anticipated from the attack.

Finally, feasible precautions would have to be taken both before and during an attack against groups 1–4. These include issuing warnings to the civilian population if possible and choosing such means and methods of attack that would avoid or at least minimize incidental civilian harm, as per Article 57 of API.

lawshun

International humanitarian law

There is an ongoing debate about whether IHL applies to cyber operations that are not conducted during armed conflicts. The consensus is that an armed conflict exists whenever there is a resort to armed force between states. However, it is unclear when this point is reached in situations involving cyber operations that do not physically destroy or damage military or civilian infrastructure.

The use of cyber operations as a means or method of warfare in armed conflicts poses a real risk of harm to civilians. It is, therefore, essential to understand how IHL can protect civilians, civilian infrastructure, and civilian data against cyber harm. The international community recognizes that cyber operations may seriously affect civilian infrastructure and have devastating humanitarian consequences. There is a real risk that cyber tools will have significant, broad effects on critical civilian infrastructure, such as essential industries, telecommunications, transport, government, and financial systems.

The increasing use of military cyber capabilities and the related humanitarian concerns highlight the importance of reaching a shared understanding of the legal constraints that apply to cyber operations during armed conflicts. While few states have publicly acknowledged using cyber means in support of their military operations, it is estimated that more than 100 states have developed or are developing military cyber capacities.

There are also questions that need further clarification, such as whether civilian data enjoys the same protection as civilian objects, and whether cyber operations that disrupt systems without causing physical damage amount to attacks as defined under humanitarian law.

Frequently asked questions

No, the law of armed conflict only applies to cyber operations that are conducted during an armed conflict.

No, the law of armed conflict does not legitimize cyber warfare, just as it does not legitimize any other form of warfare.

The law of armed conflict and the UN Charter are distinct but complementary. The UN Charter aims to 'save succeeding generations from the scourge of war', while the objective of the law of armed conflict is 'protecting the victims of armed conflict'. The UN Charter prohibits the use of force except in self-defence or when authorized by the Security Council and requires that international disputes be settled peacefully. The law of armed conflict, on the other hand, sets out essential protections for civilians and those who are no longer participating in hostilities if an armed conflict breaks out.

The law of armed conflict is adequate to apply to cyber operations, but further discussions among states are needed to clarify certain points, such as whether civilian data enjoys the same protection as civilian objects. If new rules are developed, they must build on and strengthen the existing legal framework. In the meantime, cyber operations during armed conflicts must comply with the existing law of armed conflict rules.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment