Violence in Cyberspace: Are Disruptive Cyberspace Operations Legal under International Humanitarian Law?
It is already widely acknowledged that cyberspace has become the fifth domain of warfare, and militaries around the world are training various cyber units, who will be supporting military operations, both by defending cyber infrastructure, and by engaging in cyber-attacks, with the purpose of manipulating, interrupting, and damaging the computer systems and networks of the enemy. While technological developments allow warring sides to employ sophisticated means and methods of warfare, they also pose a host of new challenges with regard to civilians and civilian objects, who may become susceptible to the new adverse effects of conflict. One example would be cyber operations that cause massive disruption – whether they target the electric grid, the Internet infrastructure, or civilian communications.
In general terms, international humanitarian law (known as IHL, but often referred to in the U.S. as the law of armed conflict) protects civilians from attacks. The most basic rule of IHL makes it illegal to directly attack civilians, unless and for such time as they directly participate in hostilities. This notion of distinction is one of the core values that the whole corpus of international humanitarian law is based on. According to international humanitarian law, legitimate targets of attacks are combatants, members of armed groups, and other military objectives. While it is generally accepted that international humanitarian law applies to cyberspace operations, it is not always clear whether a specific cyber operation falls within the legal definition of “attacks”. “Attacks” is a legal term of art, defined by Additional Protocol I of the Geneva Conventions (AP I) as “acts of violence against the adversary, whether in offence or in defence.” Essentially, the key to understanding whether a particular cyberspace operation directed at civilians is legal or not, is asking whether it is an “attack,” in other words, if it constitutes an “act of violence.”
As I argued in a new paper in the Michigan Telecommunications Law Review, a disruption can indeed qualify as “violence” in cyberspace, a view that is at odds with the recent Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, and its treatment of this matter.
IHL Protects Civilians from Disruption
After looking at a “disruption” as the primary harm resulting from a cyber operation, the most intuitive argument is that IHL already protects civilians from disruptive cyber operations. This argument is primarily based on interpreting the term “violence” using the regular process of treaty interpretation, as provided by the Vienna Convention on the Law of Treaties (VCLT). The VCLT establishes that terms within a treaty shall be understood by their “ordinary meaning.” Therefore, “violence” should be interpreted by referring to its regular definition, which happens to be broader than simple exhibition of physical force, and also includes “intimidation,” “great intensity or severity… of something undesirable,” and the French definition also defines violence as “physical or moral constraint.” Violence is a broad enough concept, that “attacks” is deemed to protect civilians from a broad range of military operations, whether they cause physical harm, or they result in massive disruption effects.
In addition, IHL has several hints in its respective texts, implying that civilians are in fact protected from many potential threats. For example, civilians are protected from “dangers arising from military operations” and from “Acts or threats of violence the primary purpose of which is to spread terror among the civilian population.” IHL also requires that adversaries “direct their operations only against military objectives” and that “in the conduct of military operations, constant care shall be taken to spare the civilian population” In that context, “military operations” are defined rather broadly as “all the movements and activities carried out by armed forces related to hostilities.” This, in a way, provides the context, object, and purpose of IHL.
While the Tallinn Manual 2.0 agrees that violence is not limited to kinetic force, it still holds the view that cyber-attacks are to be understood as resulting in “violent effects,” that “cause injury or death to persons or damage or destruction to objects” thereby excluding “psychological cyber operations and cyber espionage.” It is also evident that the Manual’s experts overemphasized the physicality factor. For example, the Manual addresses cyber operations that interfere with “the functionality of an object,” concluding that this would be an “attack” only if restoring the functionality would require the replacement of physical components, though some experts argued that the reinstallation of a software or restitution of data would also qualify.
Tallinn Manual 2.0 and Disruptive Cyber Operations
The Tallinn Manual 2.0 does an interesting move in terms of disruptive cyber operations. Methodically, the Manual intends to identify lex lata – the law as it is at present, which restricts the ability of the Manual to expand certain legal concepts in light of the challenges presented by cyber operations. An example is the Manual’s treatment of cyber operations with large-scale disruptive effects, such as “disrupting all email communications throughout the country”. The Manual confessed that there is “logic in characterising [this type of] operation as an attack” but that IHL “does not presently extend this far.” This is identical to the previous Tallinn Manual, or in other words – no change.
This leads to a somewhat bizarre result, for instance, whereas in a scenario where a cyber operation necessitates hardware replacement would require the attacker to comply with the principle of distinction (and other IHL norms), that would not be the case if a target’s e-mail communications were to be shut down entirely due to a cyber operation, or by analogy, access to the Internet as a whole. This narrow reading of “violence” is not in line with the humanitarian purposes IHL is trying to achieve. This includes limiting adverse effects of armed conflicts, allowing military operations only against military objectives, and protecting civilians from direct attacks. Rather, it puts civilians and civilian objects under threat of disruptive cyber operations, which will be used as a form of “unduly coercion,” namely, a form of legitimate targeting of civilians for the purpose of leverage against the opposing adversary.
Redrawing the Line Between Violence and Non-Violence
The Tallinn Manual 2.0 is limited by its methodology and absence of normative authority. This simply illustrates that the law is still in an inadequate position in addressing the myriad challenges of cyber conflict. The Manual acknowledges that should “such [disruptive] cyber operations break out, the international community would generally regard them as attack,” this is perhaps the closest the Manual could get to saying that the law should develop in a way that recognizes the threat of large-scale disruptions.
Thomas Rid, author of “Cyber War Will Not Take Place,” says that cyberspace is leading us to rethink the idea of violence and how to protect against it. He contends that this requires us to redraw the line currently drawn between violence and non-violence, something the Manual fails to do. Nils Melzer, then legal adviser to the ICRC, exemplified the difficulty of avoiding the question of line drawing – “it would hardly be convincing to exclude the non-destructive incapacitation of a state’s air defense system or other critical military infrastructure from the notion of attack simply because it does not directly cause death, injury or destruction.” This, I believe, also extends to non-destructive operations targeting civilians. At the end of the day, States are responsible for reshaping the notion of violence in cyberspace, and the Tallinn Manual 2.0 alludes to it by deferring that question to the international community.
The digital era leads to an increase in the weight of certain values, such as data and global connectivity, while decreasing the relative importance and cost of physical objects. This should encourage us to rethink what ought to be protected, and incorporate it within the law. Disruption, in that context, is something an information society cannot tolerate, particularly when directed against civilians and civilian objects. That could be just as violent as destruction, if not more. Hopefully, the international community and organizations will spearhead this evolution.
Image: Scott Nelson/Getty