Between 2009 and 2013, a group of 20 public international law scholars and practitioners drafted the recently released Tallinn Manual on the International Law Applicable to Cyber Warfare, a project for which I served as director and to which U.S. Cyber Command, NATO, and the ICRC sent official observers. Interestingly, the more we explored the topic, the more I was struck by the depth of misunderstanding permeating the debates about the law of cyber conflict. Allow me to share my thoughts on five “myths” that were, and remain, noteworthy.
1. Cyberspace is a lawless fifth domain of warfare.
Many States, scholars, and commentators question whether international law applies in the intangible, borderless construct that is cyberspace. In fact, only in 2013 did the UN Group of Governmental Experts acknowledge international law’s applicability to cyberspace, and even then neither Russia nor China agreed to the inclusion of a reference to international humanitarian law (IHL) in the group’s final report.
Such apparent uncertainty as to the valence of the extant law in cyberspace is misplaced. In the Nuclear Weapons Advisory Opinion, the International Court of Justice confirmed that the jus ad bellum and jus in bello applied to new weapon systems. Moreover, the customary and treaty law requirements for a legal review of weapons prior to their fielding demonstrates that current IHL governs all new means and methods of warfare. Since their effects can, like those of traditional kinetic weaponry, be both destructive and deadly, any assertion to the contrary is irrefutably counter-normative.
2. Armed conflicts cannot consist entirely of cyber exchanges.
In assessing this common assertion, a distinction must be made between international and non-international armed conflict. International armed conflict exists whenever “hostilities” between two or more States exist. The quantum of damage or injury necessary to qualify as hostilities is best set forth in the ICRC Commentaries to the 1949 Geneva conventions: “any difference arising between two states and leading to the intervention of armed forces is an armed conflict. . . . It makes no difference how long the conflict last or how much slaughter takes place.”
Doubt among some commentators as to whether non-kinetic cyber operations can qualify as hostilities is misdirected. It is well accepted that other forms of non-kinetic military activities, such as chemical and biological warfare, rise to the level of hostilities (and of attacks, a point discussed below). The issue is one of the effects, not the nature of the operation in question. Once a cyber exchange between States has destructive or injurious consequences, it is undeniable that hostilities are under way and an international armed conflict has commenced. It remains to be seen whether States will, in the future, treat cyber operations generating severe, albeit not physical, consequences as armed conflict.
For a situation to amount to a non-international armed conflict (a conflict between a State and an armed group), the violence involved must reach a certain level of intensity (more than riots, civil disturbances and criminality) and be carried out by an organized armed group. These two criteria, propounded in the ICTY’s widely accepted Tadić judgment, render it difficult for purely cyber exchanges to qualify as a non-international armed conflict. First, the intensity criterion would require protracted cyber attacks causing extensive physical damage or death. Second, the organization criterion would generally exclude operations, no matter how severe, conducted by groups organized entirely online.
3. Cyber operations targeting civilian cyber infrastructure and data are unlawful.
The IHL principle of distinction requires that attackers distinguish between combatants and military objectives on the one hand and civilians and civilian objects on the other. This principle, codified in Article 48 of the 1977 Additional Protocol I, has been operationalized in a series of rules that prohibit or limit “attacks,” the most significant of which are the prohibitions on directly targeting civilians and civilian objects. A persistent myth is that these IHL norms bar any cyber operation directed against civilian cyber infrastructure and civilian activities in cyberspace.
The crux of the issue lies in the meaning of the term “attack,” which is defined in Article 49 of the Additional Protocol I as “acts of violence against the adversary.” There is universal agreement that a cyber operation directed against civilians or civilian cyber infrastructure that physically harms the target is unlawful. But what of those generating no physical effects? Most of the Tallinn Manual participants agreed that if a cyber operation did not rise to the level of an attack, it could lawfully be directed at civilians and civilian infrastructure. Lest this sound overly formalistic, the majority of experts took the position that a cyber operation which interferes with the functionality of cyber infrastructure to the extent that repair is required qualifies as an attack. Civilian data would be protected if the functionality of cyber infrastructure relied on that data. Although this is the current state of the law, a gradual lowering of this threshold can be expected.
4. Civilians may not engage in cyber operations during an armed conflict.
A reoccurring myth with respect to both conventional and cyber warfare is that only military personnel may engage in hostilities during an armed conflict. In fact there is no IHL prohibition on civilians participating in the hostilities. Specifically, it is not a war crime for a civilian member of the intelligence community to conduct cyber operations that lead to the destruction of military cyber infrastructure or the death of combatants.
Although IHL does not prohibit them from taking a “direct part” in cyber hostilities, civilians who do so lose their immunity from attack for such time as they so participate. The cyber activities undertaken must constitute direct, as distinct from indirect, participation. As noted in the ICRC study on the subject, this means that the activities must be likely to adversely affect the enemy’s military operations or military capacity. For example, directing a cyber attack against an enemy command and control facility would qualify, whereas merely compiling open source material available on the web into an intelligence assessment would not.
It must also be cautioned that unlike a combatant, a civilian who directly participates in the hostilities does not enjoy “belligerent immunity” from prosecution. Thus, while using cyber attacks to kill enemy combatants is not a war crime, the civilian launching, planning or approving them would be subject to prosecution for murder under the domestic law of any State enjoying criminal jurisdiction over the matter.
5. When assessing the proportionality of a cyber attack, an attacker must consider all effects on civilians, civilian infrastructure, and civilian activities.
In IHL, the customary law rule of proportionality, reflected in Articles 51 and 57 of Additional Protocol I, prohibits an attack “which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.” The plain text of the rule makes it clear that only physical harm to civilian objects or injury to civilians is considered collateral damage. As with the meaning of the term attack, it is reasonable to extend the notion of damage to encompass certain effects on the functionality of cyber infrastructure. However, it would not be proper to include other effects on civilians and civilian activities in the collateral damage calculation. For example, the inability to send emails or access bank accounts online is not collateral damage in the sense of the rule of proportionality. As with other IHL thresholds, evolution in the interpretation of this norm can be expected as cyber activities become ever more essential to the normal functioning of 21st Century societies.
Cyber operations will permeate 21st Century warfare. No serious thinker on future warfare has suggested otherwise. Whenever radically new technology appears on the battlefield, the pessimists among us wring their hands in despair and proclaim the inadequacy of IHL; we are witnessing this phenomenon with respect to cyber and other new weaponry. But IHL norms have proven very adaptive and resilient in the face of sea changes in the nature of warfare. Although some evolution in their interpretation will prove necessary, the international law community would be well served by a little less normative sensationalism as we consider how IHL will shape cyber conflict.
The views expressed in this piece are those of the author in his personal capacity.