Rewired warfare: rethinking the law of cyber attack
Published online by Cambridge University Press: 02 October 2014
The most significant debate regarding the applicability of international humanitarian law to cyber operations involves interpretation of the rules governing cyber “attacks”, as that term is understood in the law. For over a decade, the debate has been a binary one between advocates of the “permissive approach” developed by the author and a “restrictive approach” championed by those who saw the permissive approach as insufficiently protective of the civilian population and other protected persons and objects. In this article, the author analyses that debate, and explains a third approach developed during the Tallinn Manual project. He concludes by suggesting that the Tallinn Manual approach best approximates the contemporary law given the increasing value which societies are attributing to cyber activities.
- International Review of the Red Cross , Volume 96 , Issue 893: Scope of the law in armed conflict , March 2014 , pp. 189 - 206
- Creative Commons
- This is a work of the U.S. Government and is not subject to copyright protection in the United States
- Copyright © icrc 2014
1 Lt Gen Richard P. Mills, speech, AFCEA TechNet Land Forces East Chapter Lunch, 21 August 2012, available at: www.slideshare.net/afcea/afcea-technet-land-forces-east-aberdeen-chapter-lunch-ltgen-richard-p-mills-usmc.
2 Tikk, Enekin, Kaska, Kadri and Vihul, Liis, International Cyber Incidents: Legal Considerations, NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, 2010, pp. 66–90Google Scholar. The 2007 cyber operations directed at Estonia did not occur in the context of an armed conflict.
3 Shane Harris, “The Cyber War Plan”, National Journal Online, 14 November 2009, available at: www.nationaljournal.com/member/magazine/the-cyberwar-plan-20091114; Raphael Satter, “Afghanistan Cyber Attack: Lt. Gen. Richard P. Mills Claims to Have Hacked the Enemy”, The World Post, 24 August 2012, available at: www.huffingtonpost.com/2012/08/24/afghanistan-cyber-attack-richard-mills_n_1828083.html; John Markoff and Thom Shanker, “Halted ‘03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk”, New York Times, 1 August 2009, available at: www.nytimes.com/2009/08/02/us/politics/02cyber.html.
4 See, e.g., Eric Schmitt and Yhom Shankar, “U.S. Debated Cyberwarfare in Attack Plan on Libya”, New York Times, 17 October 2011, available at: www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html?hp; Ivan Watson, “Cyberwar Explodes in Syria”, CNN, 22 November 2011, available at: www.cnn.com/2011/11/22/world/meast/syria-cyberwar/; Eva Galperin, Morgan Marquis-Boire and John Scott-Railton, “Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaign”, Electronic Frontier Foundation, 2013, available at: www.eff.org/files/2013/12/28/quantum_of_surveillance4d.pdf.
5 Most of the reliable material is classified and cannot be cited. For some public discussion, see Jarno Limnell, “Why Hasn't Russia Unleashed a Cyber Attack on Ukraine?”, CBS News, 2 July 2014, available at: www.cbsnews.com/news/why-hasnt-russia-unleashed-a-cyber-attack-on-ukraine/.
6 David E. Sanger, “U.S. Tries Candor to Assure China on Cyberattacks”, New York Times, 6 April 2014, available at: www.nytimes.com/2014/04/07/world/us-tries-candor-to-assure-china-on-cyberattacks.html?_r=0.
7 Gregory J. Rattray and Jason Healey, “Non-State Actors and Cyber Conflict”, in Kristan M. Lord and Travis Sharp (eds), America's Cyber Future: Security and Prosperity in the Information Age, June 2011, pp. 65–86, available at: www.cnas.org/files/documents/publications/CNAS_Cyber_Volume%20II_2.pdf; Kenneth Geers, “Pandemonium: Nation States, National Security, and the Internet”, Tallinn Paper No. 1, 2014, available at: www.ccdcoe.org/publications/TP_Vol1No1_Geers.pdf.
8 See, generally, Chairman of the Joint Chiefs of Staff, Information Operations, Joint Publication 3–13, 27 November 2012; United States Air Force, Cyberspace Operations, Air Force Doctrine Document 3–12, 30 November 2011; United States Army, Cyber Electromagnetic Activities, Field Manual 3–38, February 2014.
9 Schmitt, Michael N., “Wired Warfare: Computer Network Attack and Jus in Bello”, International Review of the Red Cross, Vol. 84, No. 846, 2002, p. 365CrossRefGoogle Scholar.
10 Knut Dörmann, “Applicability of the Additional Protocol to Computer Network Attack”, in Karin Bystrom (ed.), Proceedings of the International Expert Conference on Computer Network Attacks and the Applicability of International Humanitarian Law, Stockholm, 17–19 November 2011, p. 139, Swedish National Defence College, 2005, reprinted at: www.icrc.org/eng/resources/documents/misc/68lg92.htm.
11 Schmitt, Michael N. (gen. ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare, Cambridge University Press, Cambridge, 2013CrossRefGoogle Scholar (Tallinn Manual).
12 ICRC, International Humanitarian Law and the Challenges of Contemporary Armed Conflicts, official working document of the 31st International Conference of the Red Cross and Red Crescent, 28 November–1 December 2011, Doc. 31IC/11/5.1.2, pp. 36–38.
13 Cordula, Droege, “Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians”, International Review of the Red Cross, Vol. 94, No. 886, 2012, pp. 533–578Google Scholar.
14 Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, 8 June 1977, 1125 UNTS 3 (entered into force 7 December 1978).
15 International Court of Justice, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Judgment, ICJ Reports 1986, para. 78.
16 ICRC, Customary International Humanitarian Law, Vol. 1: Rules, Henckaerts, Jean-Marie and Doswald-Beck, Louise (eds), Cambridge University Press, Cambridge, 2005CrossRefGoogle Scholar, Rule 1.
17 According to NATO, “in complex political and social contexts where the will of the indigenous population becomes the metaphorical vital ground (i.e. it must be retained or controlled for success), there is a requirement to influence and shape perceptions through the judicious fusion of both physical and psychological means”. Allied Joint Doctrine, AJP-01(D), December 2010, pp. 2–10. See also, generally, NATO, Allied Joint Doctrine for Civil-Military Cooperation, AJP-3.4.9, February 2013; Allied Joint Doctrine for Psychological Operations, AJP-3.10.1(A), October 2007.
18 AP I, Art. 51(4).
26 The term “attack” in IHL must be distinguished from “armed attack” in the jus ad bellum. The latter term refers to the condition precedent for the exercise of self- (or collective) defence pursuant to Article 51 of the UN Charter and customary international law.
27 Sandoz, Yves, Swinarski, Christophe and Zimmerman, Bruno (eds), Commentary on the Additional Protocols, ICRC, Geneva, 1987Google Scholar, para. 1875.
28 Vienna Convention on the Law of Treaties, 23 May 1969, 1155 UNTS 331 (entered into force 27 January 1980), Art. 31(1).
34 AP I, Arts 51(1) and 51(2) (emphasis added).
39 We agreed, for example, that cyber operations are fully subject to IHL, in particular the principle of distinction and its various derivative rules such as the prohibition on attacking people other than combatants, civilians directly participating in hostilities, and military objectives.
40 On this issue, see also Nils Melzer, “Cyberwarfare and International Law”, UNIDIR Resources Paper, 2011, p. 27, available at: www.unidir.org/files/publications/pdfs/cyberwarfare-and-international-law-382.pdf; Harrison-Diniss, Heather, Cyber Warfare and the Laws of War, Cambridge University Press, Cambridge, 2012, pp. 196–202CrossRefGoogle Scholar.
44 Bothe, Michael, Partsch, Karl Josef and Solf, Waldemar A., New Rules for Victims of Armed Conflicts: Commentary to the Two 1977 Protocols Additional to the Geneva Conventions of 1949, Martinus Nijhoff, Dordrecht, 1982, p. 325Google Scholar.
45 “Targeting systematically analyzes and prioritizes targets and matches appropriate lethal and nonlethal actions to those targets to create specific desired effects that achieve the JFC's objectives, accounting for operational requirements, capabilities, and the results of previous assessments.” US Chairman, Joint Chiefs of Staff, Joint Publication 3–60, Joint Targeting, January 2013, Appendix A at p. I-5 (“JP 3-60”).
46 For instance, US Joint Doctrine provides that “[t]he CONOPS [concept of operations] provides more detail on what and where fires effects are desired by phase (e.g., deny, disrupt, delay, suppress, neutralize, destroy, corrupt, usurp, or influence)”: ibid., p. I-10 (emphasis added).
47 US Chairman, Joint Chiefs of Staff, Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms (as amended through April 2012), p. 226. “Fires” is defined as “[t]he use of weapon systems to create specific lethal or non-lethal effects on a target”: ibid., p. 119.
49 Similarly, the experts participating in the HPCR AMW Manual could not achieve consensus on this point. Harvard Program on Humanitarian Policy and Conflict Research, Manual on International Law Applicable to Air and Missile Warfare, Cambridge University Press, Cambridge, 2013, pp. 12–13Google Scholar and 20–21.
60 My views on the operation of this balance are set forth in 10 Schmitt, Michael N., “Military Necessity and Humanity in International Humanitarian Law: Preserving the Delicate Balance”, Virginia Journal of International Law, Vol. 50, 2010, p. 795Google Scholar.
61 AP I, Arts 51(5(b), 57(2)(a)(iii) and 57(2)(b).
63 Cordula Droege has usefully cited certain activities, the cyber equivalent of which would not be considered attacks. These include espionage, dissemination of propaganda, non-physical psychological and economic warfare, and embargoes. See C. Droege, above note 13, p. 559. While I agree with her on every count, the question remains of how to articulate a norm of general applicability that does not rely on individual ad hoc determinations.
65 AP I, Arts 54 and 61–67.