In Part I of this series, I examined Germany’s recently released positions on key issues of general international law – including sovereignty, intervention, attribution, and response options – as applied in the cyber context. I concluded that the government has adopted a very responsible and sophisticated approach to interpreting these preexisting international law rules.
This part deals with Germany’s views on two distinct legal issues that are often related in practice – how the jus ad bellum rules governing the use of force and self-defense apply in the cyber context and how international humanitarian law (IHL) shapes cyber operations in the battlespace. Again, the position paper drafted by the Foreign Office, Ministry of Defense, and Interior Ministry offers a sensible and legally sound discussion of both.
Jus ad Bellum
Use of Force: As it did with respect to intervention (see Part I), Germany adopts a “scale and effects” approach to determining when a cyber operation that is not part of a broader kinetic attack qualifies as a “use of force” in violation of UN Charter Article 2(4) and customary international law. The standard is drawn from the International Court of Justice’s Paramilitary Activities judgment (para. 195), where the Court used the test to evaluate whether a particular use of force rises to the level of an “armed attack” such that it entitles the victim state to use force in self-defense (UN Charter art. 51). The Tallinn Manual 2.0 experts adapted the standard for use in assessing whether cyber operations qualify as uses of force (Rule 68-699), an approach that a growing number of states, like Germany, have formally adopted (e.g., Australia, Finland, the Netherlands, New Zealand).
Using the scale and effects approach, and as applied by Germany, assessments are conducted on a case-by-case basis by reference to various qualitative criteria. Germany cites three that the Tallinn Manual experts had earlier identified (Rule 69) – the severity of the interference, the immediacy of the cyber operation’s effects, and the degree of intrusion. The German position perceptively adds a fourth that had previously not been proffered, the “the degree of organization and coordination of the malicious cyber operation period.” Other non-exclusive factors bearing on the use of force assessment that the Tallinn Manual experts highlighted include the directness of the harm caused, measurability of effects, military character of the operation, extent and nature of state involvement, political environment, identity of the attacker, the state’s record of previous cyber operations, and nature of the target. Germany presumably would look to these factors, among others, in coming to any conclusion that a particular cyber operation amounts to a use of force.
Self-defense: Article 51 of the UN Charter and customary law permit a state to resort to force in the face of an “armed attack” when the conditions of necessity and proportionality are satisfied (Tallinn Manual 2.0, Rules 71-75). Although China and Russia blocked inclusion of the term “self-defense” in the aborted 2016-17 U.N. Group of Governmental Experts (GGE) report on Developments in the Field of Information and Telecommunications in the Context of International Security, there is no question that states enjoy a right to self-defense in cyberspace. Indeed, previous GGE reports already had confirmed that the UN Charter, in which Article 51 resides, applies to cyber operations (2013 and 2015 reports).
Germany is of the view that “malicious cyber operations can constitute an armed attack whenever they are comparable to traditional kinetic armed attack in scale and effects.” As noted above, this standard is drawn directly from the ICJ’s Paramilitary Activities judgment. The Tallinn Manual experts and most states that have spoken to the issue are in accord (e.g., Australia, France, Israel, Netherlands, New Zealand, United States); no state has yet expressed opposition.
Like most other states, Germany rejects the U.S. position that the threshold for an armed attack is identical to that for the use of force. Instead, it adopts the position enunciated by the International Court of Justice in Paramilitary Activities that an armed attack is the “most grave form” of a use of force (para. 191). Precisely what this means in the cyber context and whether it encompasses cyber operations without physical effects remains an open question. France has gone furthest in this regard, suggesting, for example, that a major attack against the French economy, or that otherwise would “paralyze whole swathes of the country’s activity,” would be an armed attack.
Although rejecting the U.S. position on the armed attack threshold, Germany shares the view that non-state actors may launch armed attacks by cyber means against which the victim state may reply in self-defense. It joins other key NATO allies in doing so (e.g., the Netherlands and United Kingdom, but see France). The position amounts to an implicit rejection of the questionable view of a majority of International Court of Justice judges who, based on the Paramilitary Activities holding (para. 195), maintain that only when non-state entities act on behalf, or with this substantial involvement, of a state can its actions be treated as justifying a response in self-defense (see majority opinions in the Armed Activities judgment and Wall advisory opinion).
International Humanitarian Law
As with the term “self-defense,” China, Russia, and other states opposed inclusion of a reference to “international humanitarian law” in the draft 2016-17 6th GGE report. Because consensus was required, the GGE issued no report.
It is hard to imagine that any of those countries would claim in good faith that this body of law does not govern cyber operations, particularly cyber-attacks during non-international or international armed conflict. Indeed, they supported the 2015 GGE report that endorsed the IHL principles of necessity, humanity, necessity, proportionality, and distinction, albeit without explicitly using the term international humanitarian law. The European Union and NATO have both taken the position that IHL applies to cyber operations during armed conflict. So, has every country that has raised the issue in official statements setting forth their interpretation of international law in cyberspace ( e.g., United States, Israel, New Zealand, Finland, France, Netherlands, United Kingdom, and Australia). Germany follows suit, unambiguously stating that “international humanitarian law… applies without reservation in the context of cyberspace.” Policy considerations aside, any other position would simply be wrong as a matter of law. Surely belligerents are not permitted, for instance, to destroy objects indispensable to the survival of the civilian population or interfere with the delivery of medical care so long as the operation having those consequences is carried out only through cyber means.
Germany begins its assessment of IHL by making the vital point that this body of law is distinct from, and is not influenced by, the jus ad bellum. Cyber operations that comply with the jus ad bellum because they are conducted pursuant to a Security Council resolution under Chapter VII of the UN Charter or in self-defense must equally comply fully with IHL when the situation is one of “armed conflict.” As Germany observes, this is the case whether the operations themselves trigger the armed conflict or occur as part of an ongoing armed conflict.
When engaging in IHL analysis, the threshold question is always whether the situation in which the cyber operations are occurring is an armed conflict. International armed conflict exists when a state resorts to armed force in a dispute with another state. Although Germany simply states that such hostilities between states must be “armed,” it is well accepted that the exchange need not be intense. And Germany acknowledges that actions that trigger an international armed conflict may be “totally conducted by using cyber means.” Presumably, Germany would treat cyber operations that are destructive or injurious directed by, for example, one state’s cyber forces against another state’s military as an international armed conflict (Tallinn Manual 2.0, Rule 82). Whether operations not having such effects may qualify remains an open question internationally.
The more difficult question is whether cyber operations may ever alone comprise a non-international armed conflict (NIAC). As noted by the International Criminal Tribunal for the former Yugoslavia in its Tadic Trial Chamber judgment, such conflicts are characterized by the involvement of fairly well-organized groups and require hostilities of an intensity that exceeds that that of riots, civil disturbances, and traditional criminality. At the risk of oversimplification, NIACs look like war and involve significant death and destruction.
As did the Tallinn Manual 2.0 experts (Rule 83), Germany concludes that, although possible, it is unlikely that cyber operations alone would initiate a NIAC because of the intensity requirement. Drawing on examples provided in Tallinn Manual 2.0, it notes “activities such as a large-scale intrusion into foreign cyber systems, significant data theft, the blocking of Internet services and the defacing of government channels or websites will usually not singularly and in themselves bring about a non-international armed conflict.” In practice, it is much more likely that cyber operations will occur during a kinetic NIAC, which has become common, for example, in the conflict with ISIS (see, e.g., here, here, and here).
Perhaps wisely, Germany avoids addressing the complex and contentious issue of the geography of non-international armed conflict. At issue is the applicability of IHL to cyber operations into territory beyond the state that is party to the conflict and where there are no ongoing hostilities other than the cyber operations themselves. France seems to have taken the view that such operations are not subject to IHL because their effects do not manifest “on the territory where the NIAC hostilities occur.” In my estimation (see here), the better view is that exchanges with a nexus to a NIAC are subject to IHL wherever they occur. The issue is critical in the cyber context because non-state actors are very likely to conduct cyber operations from beyond the state’s territory, and states responding to those operations will want to direct their operations into the territory from which the operations are being mounted. Of course, such operations are also subject to other international law rules, such as sovereignty and the prohibition on the use of force, that could affect their lawfulness.
One of the most significant unsettled matters regarding the application of IHL to cyber operations deals with qualification as an “attack,” an IHL term of art (Tallinn Manual 2.0, Rule 92; see also here). Additional Protocol I to the 1949 Geneva Conventions defines an attack as “an act of violence whether in offense or defense” (art. 49). Cyber operations that amount to an attack are subject to the multiple conduct of hostilities rules prohibiting attacks or restricting how they may be conducted. Key among them are the rules prohibiting attacks against civilians or civilian objects, barring attacks in which the expected collateral damage to civilians or civilian objects is excessive relative to the anticipated military advantage expected to be gained (proportionality) and requiring the taking of precautions in attack to minimize harm to civilians and civilian objects (Tallinn Manual 2.0, ch. 17).
Most discussion has revolved around whether the notion of “attack” is limited to cyber operations causing physical damage or injury. For example, Israel and Denmark have taken this narrow position. The French Ministry of the Armies, by contrast, supports an expansive interpretation in which a cyber operation “is an attack where the targeted equipment or systems no longer provide the service for which they were implemented, whether temporarily or permanently, reversibly or not. If the effects are temporary and/or reversible, the attack is characterized where action by the adversary is necessary to restore the infrastructure or system (repair of equipment, replacement of a part, reinstallation of a network, etc.).” This characterization builds on the Tallinn Manual 2.0’s “loss of functionality” approach, although with a greater degree of certainty than the Manual’s experts were able to obtain (Rule 92).
Germany has followed the lead of its NATO ally by also adopting a rather broad interpretation of attack. It defines a “cyber attack in the context of IHL as an act or action initiated in or through cyberspace to cause harmful effects on communication, information or other electronic systems, on the information that is stored, processed or transmitted on these systems or on physical objects or persons.” Unfortunately, there is no indication of the type of effects necessary to qualify as an attack under the German position. For example, it is unclear whether temporary disruption would amount to an attack or whether an operation causing the targeted system to slow would so qualify, such that if directed against civilian infrastructure, the operation would violate IHL.
Notably, the definition indicates that a cyber operation against data might qualify as an attack in Germany’s view, even if it does not affect cyber infrastructure. Elsewhere in the position paper, it more directly treats “data stocks” as a potential civilian object. This raises the contentious issue of whether a cyber operation that destroys or alters civilian data is an “attack” on a civilian “object,” thereby violating the prohibition on such attacks. Although the German statement fails to address the matter head-on, if this interpretation of the document is accurate, Germany will join France in treating “content data” (as distinct from “process data”) as an object.
This position is contrary to the recent Israeli statement on the matter and the characterization of data found in Denmark’s 2020 Military Manual, both of which assert that data is not an object. By their interpretation, a cyber operation against data is not prohibited unless it causes the requisite consequences (damage) to cyber infrastructure that relies upon the targeted data or in some way injures people. As I have suggested elsewhere, both positions are highly problematic; in the near term, this ongoing debate is only likely to be addressed satisfactorily by policy decisions reflected in rules of engagement and other guidance that is fully informed by both operational and humanitarian considerations.
Concerning lawful cyber targets, Germany adopts a mainstream approach to targeting individuals, noting that cyber operations may be directed against combatants, members of organized armed groups, and civilians taking a direct part in hostilities (Tallinn Manual 2.0, Rules 96-97). It avoids the contentious issue of whether all organized group members are targetable or, as the ICRC has suggested, only those engaged in a “continuous combat function.” By the latter interpretation, an OAG member collecting tactical or operational level intelligence may be attacked around the clock, but the group’s lawyer would be subject to attack only while engaging in activities qualifying as direct participation (see below), like fighting. The United States takes the former position, which better reflects the balance between operational realities and humanitarian concerns that must infuse interpretations of IHL. But that is, indeed, a debate for another day as Germany does not engage with it here. That said, it’s worth noting that Germany’s Law of Armed Conflict Manual (2013) states that “persons who, as a result of their role and function within the enemy forces, are continuously participating in hostilities (continuous combat function) … are a legitimate military target” (emphasis in original).
Individuals who are not members of organized groups (or, by the ICRC interpretation, are not engaged in a continuous combat function for an OAG) are targetable only “for such time” as they directly participate in hostilities. Germany has adopted the three constitutive elements for direct participation set forth by the ICRC in its Interpretive Guidance on the Notion of Direct Participation in Hostilities: 1) likely to adversely affect the military operations or military capacity of a party, 2) a direct causal link between the activity and the adverse effects, and 3) nexus to the conflict. To illustrate direct participation, Germany draws on examples from the Interpretive Guidance: “electronic interference with military computer networks […], whether through computer network attacks or computer network exploitation, as well as wiretapping […] [of an] adversary’s high command or transmitting tactical targeting information for an attack.” They are indisputably direct participation. Indeed, most cyber activities related to military operations would qualify as direct participation (Tallinn Manual 2.0, Rule 97). The three elements, in my estimation, capture the essence of the legal notion of direct participation, although they are subject to differing interpretations in practice.
However, most cyber operations will be directed against objects instead of individuals directly, as in interfering with a rail network’s control system to cause a train crash to kill the passengers. Whether cyber infrastructure is targetable as an object depends on its status as a “military objective” (Tallinn Manual, Rule 100). In the case of military cyber infrastructure, the assessment is relatively simple. However, much of the cyber infrastructure used by the armed forces is also used, to some extent, by civilian individuals and entities. Germany correctly notes that so long as there is some military use of a system, it qualifies as a military objective (Tallinn Manual 2.0, Rule 101). It cautions, however, that the determination of whether the cyber infrastructure qualifies as a military objective because it makes “an effective contribution to military action may only be made after a careful assessment.” I would add that the second prong of the military objective test, that the “total or partial destruction, capture or neutralization [of the cyber infrastructure to be targeted], in the circumstances ruling at the time, offers a definite military advantage” must also be satisfied. Germany also asserts that a presumption that the targeted infrastructure is not being used for military purposes applies in cases of “substantive doubt,” a position with which I agree. However, universal consensus on this point is lacking.
There is no doubt that IHL prohibits indiscriminate attacks. Germany correctly interprets the standard, noting, “computer viruses designed to spread their harmful effects uncontrollably” are indiscriminate, but “malware that spreads widely into civilian systems but damages only a specific military target” is not. The emphasis on effects is critical. In this regard, I would add that the effects caused to the civilian systems must be at a level that qualifies the operation as an attack (see above) before the operation can be labeled indiscriminate. This does not mean that a cyber operation failing to generate such effects on civilian cyber infrastructure is necessarily lawful. Indeed, the operation would still need to satisfy other overarching rules, such as: “In the conduct of military operations, constant care shall be taken to spare the civilian population, civilians and civilian objects” (see Additional Protocol I, art. 57(1); and here).
Germany also notes, without detailed analysis, that cyber attacks are subject to the rule of proportionality, by which a cyber attack may not be conducted if the expected harm to civilians and civilian objects is excessive relative to the concrete and direct military advantage anticipated from the engagement. The government also highlights the obligation to take precautions in attack to minimize harm to civilians, offering the examples of “gathering intelligence on the network in question through mapping or other processes in order to assess the attacks likely affects” and “inclusion of a deactivation mechanism or a specific configuration of the cyber tool which limits the effects on the intended target.” In the context of cyber operations, perhaps the most significant precaution is electing to engage a target by cyber rather than kinetic means, or vice versa, because a comparable militarily beneficial effect can be achieved at lesser risk to civilians and civilian objects.
Finally, Germany raises the complicated issue of weapons review. As a state party to Additional Protocol I, Germany is obligated (art. 36) to conduct weapons reviews of new means (weapons) and methods (tactics) of warfare. Non-party states are subject only to the customary law requirement to review new means of warfare. Whether cyber capabilities are means of warfare is an unsettled question. I do not consider them to be, although Germany treats them as such.
The important aspect of Germany’s treatment of the weapons review requirement is its highlighting of the reality that cyber operations “generally involve exploiting vulnerabilities that are specific to the target and the operational context. This entails that the development of means or the adoption of the method will often coincide with the planning of a concrete operation.” As a result, a weapons review might be possible only as the operation is being planned. Germany appears to consider “on-the-fly” reviews as lawful, and rightly so (Tallinn Manual 2.0, Rule 110).
Germany’s interpretation of how the jus ad bellum and IHL apply to cyber operations is sound. Although there are modest differences here and there, they mesh well with those of its allies and partners, particularly in NATO and the European Union. Germany’s issuance of its detailed positions in these areas of law is to be applauded. It should be emulated by those states that have not done likewise, especially those fielding or facing cyber capabilities in the battlespace. After all, effective coalition warfare necessitates a shared understanding of the rules of the game, but so too does maximizing protection of the civilian population from the effects of cyber operations during armed conflict.