Cyber warfare figures prominently on the agenda of policymakers and military leaders around the world. New units to ensure cyber security are created at various levels of government, including in the armed forces. But cyber operations in armed conflict situations could have potentially very serious consequences, in particular when their effect is not limited to the data of the targeted computer system or computer. Indeed, cyber operations are usually intended to have an effect in the ‘real world’. For instance, by tampering with the supporting computer systems, one can manipulate an enemy's air traffic control systems, oil pipeline flow systems, or nuclear plants. The potential humanitarian impact of some cyber operations on the civilian population is enormous. It is therefore important to discuss the rules of international humanitarian law (IHL) that govern such operations because one of the main objectives of this body of law is to protect the civilian population from the effects of warfare. This article seeks to address some of the questions that arise when applying IHL – a body of law that was drafted with traditional kinetic warfare in mind – to cyber technology. The first question is: when is cyber war really war in the sense of ‘armed conflict’? After discussing this question, the article goes on to look at some of the most important rules of IHL governing the conduct of hostilities and the interpretation in the cyber realm of those rules, namely the principles of distinction, proportionality, and precaution. With respect to all of these rules, the cyber realm poses a number of questions that are still open. In particular, the interconnectedness of cyber space poses a challenge to the most fundamental premise of the rules on the conduct of hostilities, namely that civilian and military objects can and must be distinguished at all times. Thus, whether the traditional rules of IHL will provide sufficient protection to civilians from the effects of cyber warfare remains to be seen. Their interpretation will certainly need to take the specificities of cyber space into account. In the absence of better knowledge of the potential effects of cyber warfare, it cannot be excluded that more stringent rules might be necessary.
1 Center for Strategic and International Studies, Cybersecurity and Cyberwarfare – Preliminary Assessment of National Doctrine and Organization, UNIDIR Resources Paper, 2011, available at: http://www.unidir.org/files/publications/pdfs/cybersecurity-and-cyberwarfare-preliminary-assessment-of-national-doctrine-and-organization-380.pdf; see also, Tikk, Eneken, Frameworks for International Cyber Security, CCD COE Publications, Tallinn, 2011.
2 See, e.g., Ellen Nakashima, ‘Pentagon to boost cybersecurity force’, in The Washington Post, 27 January 2013; Gordon Corera, ‘Anti-cyber threat centre launched’, in BBC News, 27 March 2013.
3 Scott Shane, ‘Cyberwarfare emerges from shadows of public discussion by US officials’, in The New York Times, 26 September 2012, p. A10.
5 Ben Baseley-Walker, ‘Transparency and confidence-building measures in cyberspace: towards norms of behaviour’, in UNIDIR, Disarmament Forum, ‘Confronting cyberconflict’, Issue 4, 2011, pp. 31–40, available at: http://www.unidir.org/files/publications/pdfs/confronting-cyberconflict-en-317.pdf; James Andrew Lewis, Confidence-building and international agreement in cybersecurity, available at: http://www.unidir.org/pdf/articles/pdf-art3168.pdf.
6 See William Hague, ‘Security and freedom in the cyber age – seeking the rules of the road’, Speech to the Munich Security Conference, 4 February 2011, available at: https://www.gov.uk/government/speeches/security-and-freedom-in-the-cyber-age-seeking-the-rules-of-the-road, and ‘Foreign Secretary opens the London Conference on Cyberspace’, 1 November 2011, available at: https://www.gov.uk/government/speeches/foreign-secretary-opens-the-london-conference-on-cyberspace.
7 See draft resolution submitted by the Russian Federation to the General Assembly First Committee in 1998, letter dated 23 September 1998 from the Permanent Representative of the Russian Federation to the United Nations Secretary-General, UN Doc. A/C.1/53/3, 30 September 1998; Markoff, John and Kramer, Andrew E., ‘US and Russia differ on a treaty for cyberspace’, in The New York Times, 28 June 2009, p. A1; Markoff, John and Kramer, Andrew E., ‘In shift, US talks to Russia on internet security’, in The New York Times, 13 December 2009, p. A1; see Croft, Adrian, ‘Russia says many states arming for cyber warfare’, in Reuters, 25 April 2012, available at: http://www.reuters.com/article/2012/04/25/germany-cyber-idUSL6E8FP40M20120425; Keir Giles, ‘Russia's public stance on cyberspace issues’, paper given at the 2012 4th International Conference on Cyber Conflict, C. Czosseck, R. Ottis and K. Ziolkowski (eds), NATO CCD COE Publications, Tallinn, 2012, available at: http://www.conflictstudies.org.uk/files/Giles-Russia_Public_Stance.pdf.
8 Letter dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan, and Uzbekistan to the United Nations addressed to the Secretary-General, UN Doc. A/66/359 of 14 September 2011.
9 Agreement between the Governments of the Member States of the Shanghai Cooperation Organisation on Cooperation in the Field of International Information Security.
10 Available at: http://media.npr.org/assets/news/2010/09/23/cyber_treaty.pdf. Annex 1 defines ‘information war’ as a ‘confrontation between two or more states in the information space aimed at damaging information systems, processes and resources, critical and other structures, undermining political, economic and social systems, mass psychologic brainwashing to destabilize society and state, as well as to force the state to taking decision in the interest of an opposing party’. Annex 2 describes the threat of ‘development and use of information weapons, preparation for and waging information war’ as emanating ‘from creating and developing information weapons that pose an immediate danger to critical structures of States which might lead to a new arms race and represents a major threat in the field of international information security. Among its characteristics are the use of information weapons to prepare and wage information war, and impact transportation, communication and air control systems, missile defence and other types of defence facilities, as a result of which the state looses its defence capabilities in the face of the aggressor and fails to exercise its legitimate right to self-defence; breaching information infrastructure operation, which leads to the collapse of administrative and decision-making systems in the states; and destructive impact on critical structures’.
11 Kenneth Lieberthal and Peter W. Singer, ‘Cybersecurity and US–China relations’, in China US Focus, 23 February 2012, available at: http://www.chinausfocus.com/library/think-tank-resources/us-lib/peacesecurity-us-lib/brookings-cybersecurity-and-u-s-china-relations-february-23-2012/; Mandiant Intelligence Centre Report, APT1: Exposing one of China's Cyber Espionage Units, available at: http://intelreport.mandiant.com/?gclid=CKD6-7Oo3LUCFalxOgod8y8AJg; Ellen Nakashima, ‘US said to be target of massive cyber-espionnage campaign’, in The Washington Post, 11 February 2013; ‘North Korea says US “behind hack attack” ’, in BBC News, 15 March 2013.
12 Harold Koh, ‘International law in cyberspace’, speech at the US Cyber Command Inter-Agency Legal Conference, 18 September 2012, available at: http://opiniojuris.org/2012/09/19/harold-koh-on-international-law-in-cyberspace/; Report of the Secretary-General on Developments in the field of information and telecommunication in the context of international security (hereinafter ‘Report of the Secretary-General’), 15 July 2011, UN Doc. A/66/152, p. 19; see also, US Department of Defense Strategy for Operating in Cyberspace: ‘Long-standing international norms guiding state behaviour – in times of peace and conflict – also apply in cyberspace. Nonetheless, unique attributes of networked technology require additional work to clarify how these norms apply and what additional understandings might be necessary to supplement them’, US Department of Defense Strategy for Operating in Cyberspace, July 2011, available at: http://www.defense.gov/news/d20110714cyber.pdf.
13 Report of the Secretary-General, 23 June 2004, UN Doc. A/59/116, p. 11; Report of the Secretary-General, 20 July 2010, UN Doc. A/65/154, p. 15.
14 Report of the Secretary-General, above note 12, p. 6.
15 See also, the proposal by the High Representative of the European Union for Foreign Affairs and Security Policy, Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – Cyber Security Strategy of the European Union: an Open, Safe and Secure Cyberspace, Brussels, 7.2.2013, JOIN (2013) 1 final.
16 See, e.g., Adam Segal, ‘China, international law and cyber space’, in Council on Foreign Relations, 2 October 2012, available at: http://blogs.cfr.org/asia/2012/10/02/china-international-law-and-cyberspace/.
17 Li Zhang, ‘A Chinese perspective on cyber war’, in this edition. In his speech to the First Committee in September 2011, China's Ambassador stated that China proposed that countries ‘commit themselves to non-use of information and cyber technology to engage in hostile activities to the detriment of international peace and security, and to non-proliferation of information and cyber weapons’ and ‘work to keep information and cyber space from becoming a new battlefield’; there is no mention of IHL. See the statement on information and cyberspace security made by H. E. Ambassador Wang Qun to the First Committee during the 66th Session of the General Assembly, ‘Work to build a peaceful, secure and equitable information and cyber space’, New York, 20 October 2011, available at: http://www.fmprc.gov.cn/eng/wjdt/zyjh/t869580.htm.
18 The reported military doctrine of the Russian Federation does not mention IHL with respect to information warfare; see ‘The Military Doctrine of the Russian Federation Approved by Russian Federation Presidential Edict on 5 February 2010’, available at: http://www.sras.org/military_doctrine_russian_federation_2010; and neither does K. Giles, above note 7; Roland Heikerö, ‘Emerging threats and Russian Views on information warfare and information operations’, FOI Swedish Defence Research Agency, March 2010, p. 49, available at: http://www.highseclabs.com/Corporate/foir2970.pdf, reports that the Russian Federation has proposed the ‘application of humanitarian laws banning attacks on non-combatants and a ban on deception in cyberspace’.
19 For the International Committee of the Red Cross (ICRC), it is important to draw attention to the specific situation of cyber operations amounting to or conducted in the context of armed conflicts – that is, cyber warfare in a narrow sense. This is because the ICRC has a specific mandate under the 1949 Geneva Conventions to assist and protect the victims of armed conflicts. It is also mandated by the international community to work for the understanding and dissemination of IHL. See, e.g., GC III, Art. 126(5), GC IV, Art. 143(5), and Statutes of the International Red Cross and Red Crescent Movement, Art. 5(2)(g).
20 US Department of Defense, Dictionary of Military and Associated Terms, 8 November 2010 (as amended on 31 January 2011), Washington, DC, 2010: ‘Computer network attacks are actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.’
21 In the law on the conduct of hostilities, ‘civilians’, ‘civilian population’, and ‘civilian objects’ are different legal concepts to which different rules apply. However, when this article speaks about the impact of cyber warfare on the civilian population, it also refers to damage done to civilian infrastructure, which is the most likely way that cyber operations will affect the civilian population.
22 Stefano Mele analyses likely scenarios of interference with different types of military and civilian systems and states that the manipulation of electrical grid management systems is probably the greatest threat at present. See Stefano Mele, ‘Cyber warfare and its damaging effects on citizens’, September 2010, available at: http://www.stefanomele.it/public/documenti/185DOC-937.pdf.
23 The so-called Stuxnet virus was launched against the Iranian uranium enrichment facility at Natanz, reportedly leading to the destruction of a thousand centrifuges. It is reported in the press that the United States and/or Israel were behind this virus, but this has not been officially acknowledged. David Albright, Paul Brannan and Christina Walrond, ‘Did Stuxnet take out 1,000 centrifuges at the Natanz enrichment plant? Preliminary assessment’, ISIS Report, 22 December 2010, available at: http://isis-online.org/isis-reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant/; David E. Sanger, ‘Obama order sped up wave of cyberattacks against Iran’, in The New York Times, 1 June 2012, available at: http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_moc.semityn.www.
24 Thomas Rid, ‘Think again: cyberwar’, in Foreign Policy, March/April 2012, pp. 5 ff., available at: http://www.foreignpolicy.com/articles/2012/02/27/cyberwar?print=yes&hidecomments=yes&page=full; Thomas Rid and Peter McBurney, ‘Cyber-weapons’, in The RUSI Journal, February–March 2012, Vol. 157, No. 1, pp. 6–13; see also, Maggie Shiels, ‘Cyber war threat exaggerated claims security expert’, in BBC News, 16 February 2011, available at: http://www.bbc.co.uk/news/technology-12473809.
25 Stefano Mele (above note 22) argues that for this reason massive electronic attacks against financial systems of foreign countries are unlikely.
26 Dunlap, Charles J. Jr., ‘Perspectives for cyber strategists on law for cyberwar’, in Strategic Studies Quarterly, Spring 2011, p. 81.
27 Schmitt, Michael N., Tallinn Manual on the International Law Applicable to Cyber Warfare, Cambridge University Press, Cambridge, 2013 (forthcoming). The Tallinn Manual is available at: http://www.ccdcoe.org/249.html.
28 Schmitt, Michael N., ‘Classification of cyber conflict’, in Journal of Conflict and Security Law, Vol. 17, Issue 2, Summer 2012, p. 252; see also, Brown, Gary, ‘Why Iran didn't admit Stuxnet was an attack’, in Joint Force Quarterly, Issue 63, 4th Quarter 2011, p. 71, available at: http://www.ndu.edu/press/why-iran-didnt-admit-stuxnet.html. G. Brown does not address the question of conflict classification, but considers that Stuxnet clearly amounted to an attack, possibly in violation of the prohibition against the use of force and the law of war.
29 International Criminal Tribunal for the Former Yugoslavia (ICTY), Prosecutor v. Tadic, Case No. IT-94-1-A, Appeals Chamber Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, 2 October 1995, para. 70 (emphasis added). The situations foreseen in Article 1(4) AP I are also considered international armed conflicts for States Party to AP I.
30 International Court of Justice (ICJ), Corfu Channel case (United Kingdom v. Albania), Judgment of 9 April 1949, p. 22; see also, Rule 5 of the Tallinn Manual, above note 27.
31 ICJ, Oil Platforms case (Islamic Republic of Iran v. United States of America), Judgment of 6 November 2003, para. 57.
32 The Tallinn Manual takes a similar legal view in Rule 7: ‘The mere fact that a cyber operation has been launched or otherwise originates from governmental cyber infrastructure is not sufficient evidence for attributing the operation to that State but is an indication that the State in question is associated with the operation’.
33 International Law Commission, Draft Articles on the Responsibility of States for Internationally Wrongful Acts, Yearbook of the International Law Commission, 2001, Vol. II (Part Two). Text reproduced as it appears in the annex to General Assembly resolution 56/83 of 12 December 2001, and corrected by document A/56/49(Vol. I)/Corr.4 (hereinafter ‘Articles on State Responsibility’).
34 Article 8 of the Articles on State Responsibility.
35 ICJ, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Judgment of 27 June 1986, paras 115–116 (hereinafter ‘Nicaragua case’); ICJ, Case concerning the Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), Judgment, 26 February 2007, paras 400–406.
36 Nicaragua case, above note 35, para. 115.
37 Report of the International Law Commission on the work of its fifty-third session (23 April–1 June and 2 July–10 August 2001), UN Doc. A/56/10, Commentary on Article 8 of the Draft Articles on State Responsibility, para 3.
38 ICTY, Prosecutor v. Dusko Tadic, IT-94-1, Appeals Chamber Judgment of 15 July 1999, para. 120. It is sometimes said that the question before the Tribunal was one of qualification of the conflict as non-international or international; however, the argument that the two questions are entirely separate is not convincing as it would lead to the conclusion that a state could be a party to a conflict by virtue of its control over an organized armed group but not be responsible for the acts committed during that conflict.
39 Ibid., paras 138–140.
40 Commentary on Article 8 of the Draft Articles on State Responsibility, above note 37, para. 5.
41 See Roscini, Marco, ‘World wide warfare – jus ad bellum and the use of cyber force’, in Max Planck Yearbook of United Nations Law, Vol. 14, 2010, p. 85; Schmitt, Michael N., ‘Computer network attack and the use of force in international law: thoughts on a normative framework’, in Columbia Journal of Transnational Law, Vol. 37, 1998–1999, p. 885; Lin, Herbert S., ‘Offensive cyber operations and the use of force’, in Journal of National Security Law and Policy, Vol. 4, 2010, p. 63; Fidler, David P., ‘Recent developments and revelations concerning cybersecurity and cyberspace: implications for international law’, in ASIL Insights, 20 June 2012, Vol. 16, no. 22; Tallinn Manual, above note 27, Rules 10–17.
42 M. N. Schmitt, ‘Classification of cyber conflict’, above note 28, p. 251; Knut Dörmann, ‘Applicability of the Additional Protocols to Computer Network Attacks’, ICRC, 2004, p. 3, available at: http://www.icrc.org/eng/resources/documents/misc/68lg92.htm; Dinniss, Heather Harrison, Cyber Warfare and the Laws of War, Cambridge University Press, Cambridge, 2012, p. 131; Melzer, Nils, Cyberwarfare and International Law, UNIDIR Resources Paper, 2011, p. 24, available at: http://www.unidir.ch/pdf/ouvrages/pdf-1-92-9045-011-L-en.pdf. Nils Melzer argues that since the existence of an international armed conflict depends mainly on the occurrence of armed hostilities between states, cyber operations would trigger an armed conflict not only by death, injury, or destruction, but also by directly adversely affecting the military operations or military capacity of the state.
43 See also, G. Brown, above note 28.
44 N. Melzer, above note 42, p. 14. Melzer argues that reference might be made to the concept of critical infrastructure to consider the ‘scale and effects’ of a computer network attack for the purposes of identifying an armed attack within the meaning of Article 51 of the UN Charter. For French policy, see Agence Nationale de la Sécurité des Systèmes d'Information, Défense et sécurité des systèmes d'informations, available at: http://www.ssi.gouv.fr/IMG/pdf/2011-02-15_Defense_et_securite_des_systemes_d_information_strategie_de_la_France.pdf; for German policy, see Bundesamt für Sicherheit in der Informationstechnik, Schutz Kritischer Infrastrukturen, available at: https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Strategie/Kritis/Kritis_node.html; for Canadian policy, see National Strategy for Critical Infrastructure, available at: http://www.publicsafety.gc.ca/prg/ns/ci/ntnl-eng.aspx; for the policy of the United Kingdom, see The UK Cyber Security Strategy, available at: http://www.cabinetoffice.gov.uk/resource-library/cyber-security-strategy; for Australian policy, see CERT Australia, Australia's National Computer Emergency Response Team, available at: https://www.cert.gov.au/.
45 In How Does Law Protect in War?, Vol. I, 3rd edn, ICRC, Geneva, 2011, p. 122, Marco Sassòli, Antoine Bouvier, and Anne Quintin differentiate between force by the military or other agents of the state: ‘[w]hen the armed forces of two States are involved, suffice for one shot to be fired or one person captured (in conformity with government instructions) for IHL to apply, while in other cases (e.g. a summary execution by a secret agent sent by his government abroad), a higher level of violence is necessary’.
47 Pictet, Jean (ed.), Commentary on the Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field, ICRC, Geneva, 1952, p. 32. This is a different question from that of animus belligerendi: isolated acts are sometimes not considered to amount to armed conflict, not because they do not reach a certain level of intensity, but rather because they lack animus belligerendi, for instance accidental border incursions; see UK Joint Service Manual of the Law of Armed Conflict, Joint Service Publication 383, 2004, para. 3.3.1, available at: http://www.mod.uk/NR/rdonlyres/82702E75-9A14-4EF5-B414-49B0D7A27816/0/JSP3832004Edition.pdf.
48 See, e.g., Mark Townsend et al., ‘WikiLeaks backlash: The first global cyber war has begun, claim hackers’, in The Observer, 11 September 2010, available at: http://www.guardian.co.uk/media/2010/dec/11/wikileaks-backlash-cyber-war; Timothy Karr, ‘Anonymous declares cyberwar against “the system”’, in The Huffington Post, 3 June 2011, available at: http://www.huffingtonpost.com/timothy-karr/anonymous-declares-cyberw_b_870757.html.
49 ICTY, Prosecutor v. Tadic, above note 29, para. 70.
50 There are two types of non-international armed conflicts. All non-international armed conflicts are covered by common Article 3 to the Geneva Conventions; in addition, the provisions of Additional Protocol II apply to non-international armed conflicts ‘which take place in the territory of a High Contracting Party between its armed forces and dissident armed forces or other organized armed groups which, under responsible command, exercise such control over a part of its territory as to enable them to carry out sustained and concerted military operations and to implement this Protocol’ (AP II., Art. 1(1)).
51 For a review of the indicative factors taken into account by the ICTY in its case law, see ICTY, Prosecutor v. Boskoski, IT-04-82-T, Trial Chamber Judgement of 10 July 2008, paras 199–203. See also, ICTY, Prosecutor v. Limaj, IT-03-66-T, Trial Chamber Judgement of 30 November 2005, paras 94–134; ICTY, Prosecutor v. Haradinaj, IT-04-84-T, Trial Chamber Judgement of 3 April 2008, para. 60.
52 ICTY, Prosecutor v. Boskoski, ibid., para. 202.
53 M. N. Schmitt, above note 28, p. 256.
54 Ibid., p. 257.
55 See the discussion in the Tallinn Manual about the different types of groups that could be considered, above note 27, Commentary on Rule 23, paras 13–15.
57 This occurred in Estonia in May 2007; see Larry Greenemeier, ‘Estonian attacks raise concern over cyber “nuclear winter” ’, in Information Week, 24 May 2007, available at: http://www.informationweek.com/estonian-attacks-raise-concern-over-cybe/199701774.
58 See, for example, Yolande Knell, ‘New cyber attack hits Israeli stock exchange and airline’, in BBC News, 16 January 2012, available at: http://www.bbc.co.uk/news/world-16577184.
59 In Egypt, the government shut down the Internet and cell phone network for five days to curb protests: ‘Internet blackouts: reaching for the kill switch’, in The Economist, 10 February 2011, available at: http://www.economist.com/node/18112043. Similar measures were taken by the Chinese government in reaction to unrest in Xinjiang and Tibet: Tania Branigan, ‘China cracks down on text messaging in Xinjiang’, in The Guardian, 29 February 2010, available at: http://www.guardian.co.uk/world/2010/jan/29/xinjiang-china, and Tania Branigan, ‘China cut off internet in area of Tibetan unrest’, in The Guardian, 3 February 2012, available at: http://www.guardian.co.uk/world/2012/feb/03/china-internet-links-tibetan-unrest.
60 See, e.g., AP I, Arts 12, 54–56.
61 Schmitt, M. N., ‘Cyber operations and the jus in bello: key issues’, in Naval War College International Law Studies, Vol. 87, 2011, p. 91; Geiss, Robin and Lahmann, Henning, ‘Cyber warfare: applying the principle of distinction in an interconnected space’, in Israeli Law Review, Vol. 45, No. 3, November 2012, p. 2.
62 M. N. Schmitt, ibid., p. 91.
63 N. Melzer, above note 42.
64 Ibid., p. 28.
66 Sandoz, Y., Swinarski, C. and Zimmermann, B. (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949, ICRC/Martinus Nijhoff Publishers, Dordrecht, 1987, para. 1923 (hereinafter Commentary on the Additional Protocols).
67 H. H. Dinniss, above note 42, pp. 196–202.
68 Ibid., p. 201.
69 Commentary on the Additional Protocols, above note 68, para. 1875.
70 Ibid., para. 1936.
71 Ibid., para. 2191.
72 Dinstein, Yoram, The Conduct of Hostilities under the Law of International Armed Conflict, Cambridge University Press, Cambridge, 2004, p. 84; M. N. Schmitt, above note 61, p. 5.
73 ICTY, Prosecutor v. Dusko Tadić, Decision on the Defence Motion for Interlocutory Appeal, 2 October 1995, paras. 120 and 124 (regarding chemical weapons); Tallinn Manual, above note 27, Commentary on Rule 30, para. 3; Haslam, Emily, ‘Information warfare: technological changes and international law’, in Journal of Conflict and Security Law, Vol. 5, No. 2, 2000, p. 170.
74 Schmitt, Michael N., ‘Wired warfare: computer network attack and jus in bello’, in International Review of the Red Cross, Vol. 84, No. 846, June 2002, p. 377; Tallinn Manual, above note 27, Commentary on Rule 30, para. 3.
75 M. N. Schmitt, above note 61, p. 6.
76 Michael Schmitt now takes a somewhat different position and argues that ‘[d]estruction includes operations that, while not causing physical damage, nevertheless “break” an object, rendering it inoperable, as in the case of a cyber operation that causes a computer-reliant system to no longer function unless repaired’; ‘ “Attack” as a term of art in international law: the cyber operations context’, in 2012 4th International Conference on Cyber Conflict, C. Czosseck, R. Ottis and K. Ziolkowski (eds), 2012, NATO CCD COE Publications, Tallinn, p. 291; see also M. N. Schmitt, above note 28, p. 252.
77 K. Dörmann, above note 42, p. 4.
78 M. N. Schmitt, above note 61, p. 8.
79 Bothe, Michael, Partsch, Karl Josef and Solf, Waldemar A., New Rules for Victims of Armed Conflicts: Commentary to the Two 1977 Protocols Additional to the Geneva Conventions of 1949, Martinus Nijhoff Publishers, Dordrecht, 1982, p. 325.
80 This was reportedly done in the September 2007 Israeli air attack on a Syrian structure believed to be housing a nuclear-weapons development programme. Israel had hacked into the Syrian air defences and controlled them during the attack; see ‘Arab & Israeli cyber-war’, in Day Press News, 22 September 2009, available at: http://www.dp-news.com/en/detail.aspx?articleid=55075.
81 Tallinn Manual, above note 27, Rule 30.
82 Ibid., Commentary on Rule 30, paras 10–12.
83 Concise Oxford Dictionary.
84 M. Bothe et al., above note 79, p. 289.
85 That is, cyber operations that make the targeted computer's service unavailable to the usual users or customers.
86 M. N. Schmitt, above note 74, p. 377; Program on Humanitarian Policy and Conflict Research at Harvard University, Commentary on the HPCR Manual on International Law Applicable to Air and Missile Warfare, 2010, Commentary on Article 1(d), para. 7, available at: http://www.ihlresearch.org/amw/aboutmanual.php (hereinafter Commentary on HPCR Manual on Air and Missile Warfare); Schmitt, Michael N., ‘Cyber operations in international law: the use of force, collective security, self-defense and armed conflict’, in National Research Council, Proceedings of a Workshop on Deterring Cyber Attacks, Washington, DC, The National Academies Press, 2010, p. 155.
87 AP I, Arts 48, 51 and 52; Henckaerts, Jean-Marie and Doswald-Beck, Louise (eds), Customary International Humanitarian Law, Vol. I, Rules, (hereinafter ‘Study on customary international humanitarian law’), ICRC and Cambridge University Press, 2005, Rules 1–10.
88 ICJ, Legality of the Threat of Use of Nuclear Weapons, Advisory Opinion, 8 July 1996, para. 78.
89 Michael N. Schmitt, ‘Ethics and military force: the jus in bello’, Carnegie Council for Ethics in International Affairs, 7 January 2002, available at: http://www.carnegiecouncil.org/studio/multimedia/20020107/index.html.
90 This is the expression used by Jensen, Eric Talbot, ‘Unexpected consequences from knock-on effects: a different standard for computer network operations?’, in American University International Law Review, Vol. 18, 2002–2003, p. 1149.
91 Shulman, Mark R., ‘Discrimination in the law of information warfare’, in Columbia Journal of Transnational Law, 1999, pp. 963ff.
92 Kelsey, Jeffrey T. G., ‘Hacking into international humanitarian law: the principles of distinction and neutrality in the age of cyber warfare’, in Michigan Law Review, Vol. 106, 2007–2008, p. 1439.
93 AP I, Art. 52(1), reflective of customary international law; Study on customary international humanitarian law, above note 87, Rule 9.
94 The Commander's Handbook on the Law of Naval Operations, Department of the Navy/Department of Homeland Security, USA, July 2007, para. 8.3; Tallinn Manual, above note 27, Commentary on Rule 39, para 1.
95 In the ICRC's Draft Rules for the Limitation of Danger incurred by the Civilian Population in Time of War, the list drawn up by the organization with the help of military experts and presented as a model, subject to modification, was as follows: ‘I. The objectives belonging to the following categories are those considered to be of generally recognized military importance: … (6) Those of the lines and means of communication (railway lines, roads, bridges, tunnels and canals) which are of fundamental military importance; (7) The installations of broadcasting and television stations; telephone and telegraph exchanges of fundamental military importance; (8) Industries of fundamental importance for the conduct of the war: (a) industries for the manufacture of armaments …; (b) industries for the manufacture of supplies and material of a military character …; (c) factories or plant constituting other production and manufacturing centres of fundamental importance for the conduct of war, such as the metallurgical, engineering and chemical industries, whose nature or purpose is essentially military; (d) storage and transport installations whose basic function it is to serve the industries referred to in (a)–(c); (e) installations providing energy mainly for national defence, e.g., coal, other fuels, or atomic energy, and plants producing gas or electricity mainly for military consumption.’ (emphasis added). See Draft Rules for the Limitation of the Dangers incurred by the Civilian Population in Time of War, ICRC, 1956, available at: http://www.icrc.org/ihl/INTRO/420?OpenDocument
96 See also R. Geiss and H. Lahmann, above note 61, p. 3.
97 Jensen, Eric Talbot, ‘Cyber warfare and precautions against the effects of attacks’, in Texas Law Review, Vol. 88, 2010, p. 1534.
98 US Department of Defense, Quadrennial Defence Review Report, February 2010, pp. 37–38, available at: http://www.defense.gov/qdr/images/QDR_as_of_12Feb10_1000.pdf.
99 R. Geiss and H. Lahmann, above note 61, p. 9.
100 Tallinn Manual, above note 27, Commentary on Rule 39, para 5.
101 Ibid., Commentary on Rule 39, para 3.
102 See also Marco Sassòli, ‘Legitimate targets of attacks under international humanitarian law’, Background Paper prepared for the Informal High-Level Expert Meeting on the Reaffirmation and Development of International Humanitarian Law, Cambridge, 27–29 January 2003, HPCR, 2003, pp. 3–6, available at: http://www.hpcrresearch.org/sites/default/files/publications/Session1.pdf; William M. Arkin, ‘Cyber warfare and the environment’, in Vermont Law Review, Vol. 25, 2001, p. 780, describing the effects in 1991 of the air attacks on Iraqi electrical power on not only the civilian electricity supply, but also water distribution, purification, sewage, and the health infrastructure; R. Geiss and H. Lahmann, above note 61, p. 16.
103 The boundaries of the battlefield of non-international armed conflict are a matter of dispute and would go far beyond the scope of this article – but the difficulties raised by cyber warfare seem almost unanswerable in this respect. For the ICRC's view, see ICRC, Report on International Humanitarian Law and the challenges of contemporary armed conflicts, 31st International Conference of the Red Cross and Red Crescent, Geneva, 28 November–1 December 2011, Report prepared by the ICRC, October 2011, pp. 21–22; for a discussion of the geographical implications in cyber warfare, see the Tallinn Manual, above note 27, Commentary on Rule 21.
104 These are derived from Article 22 of the San Remo Manual on International Law Applicable to Armed Conflicts at Sea, of 12 June 1994, available at: http://www.icrc.org/IHL.nsf/52d68d14de6160e0c12563da005fdb1b/7694fe2016f347e1c125641f002d49ce!OpenDocument.
105 Commentary on HPCR Manual on Air and Missile Warfare, above note 86, Commentary on Rule 22(d), para. 7; Tallinn Manual, above note 27, Commentary on Rule 39, para. 2; E. T. Jensen, above note 90, p. 1157.
106 M. N. Schmitt, above note 61, pp. 8 ff.
107 It is reported that the US Department of Defense will host contractors who want to propose new technologies for cyber warfare: S. Shane, above note 3.
108 E. T. Jensen, above note 90, pp. 1160 and 1168; see also E. T. Jensen, above note 97, p. 1544: ‘If a civilian computer company produces, maintains, or supports government cyber systems, it seems clear that an enemy could determine that company meets the test of Article 52 and is targetable’.
109 The Tallinn Manual also fails to come to a definite conclusion on this question: ‘The difficult case involves a factory that produces items that are not specifically intended for the military, but which nevertheless are frequently put to military use. Although all of the Experts agreed that the issue of whether such a factory qualifies as a military objective by use depends on the scale, scope, and importance of the military acquisitions, the Group was unable to arrive at any definitive conclusion as to the precise thresholds.’
110 The Commander's Handbook on the Law of Naval Operations, above note 94, para. 8.2.
111 Schmitt, M. N., ‘Fault lines in the law of attack’, in Breau, S. and Jachec-Neale, A. (eds), Testing the Boundaries of International Humanitarian Law, British Institute of International and Comparative Law, London, 2006, pp. 277–307. For the underlying rationale of such an approach, see, for instance, Dunlap, Charles J., ‘The end of innocence, rethinking noncombatancy in the post-Kosovo era’, in Strategic Review, Vol. 28, Summer 2000, p. 9; Meyer, Jeanne M., ‘Tearing down the façade: a critical look at current law on targeting the will of the enemy and Air Force doctrine’, in Air Force Law Review, Vol. 51, 2001, p. 143; see J. T. G. Kelsey, above note 92, p. 1447, who advocates a new definition of military objectives in order to include certain civilian infrastructure and services.
112 Department of Defense Office of General Counsel, An Assessment of International Legal Issues in Information Operations, May 1999, p. 7, available at: http://www.au.af.mil/au/awc/awcgate/dod-io-legal/dod-io-legal.pdf. The position of the United States in the latest Report of the Secretary-General is ambiguous at best when it states that the principles of jus in bello ‘prohibit attacks on purely civilian infrastructure, the disruption or destruction of which would produce no meaningful military advantage’. If this is meant to imply that attacks on purely civilian infrastructure would not be allowed if the destruction or disruption would produce a meaningful military advantage, it would be incompatible with IHL, which never allows attacks on purely civilian objects (Report of the Secretary-General, 15 July 2011, UN Doc. A/66/152, p. 19).
113 M. Sassòli, above note 102; Oeter, Stephan, ‘Means and methods of combat’, in Fleck, Dieter (ed.), The Handbook of Humanitarian Law in Armed Conflicts, Oxford University Press, Oxford, 1995, para. 442.5.
114 It has been reported, for instance, that NATO acknowledged that social media such as Twitter, Facebook, and YouTube contributed to their targeting process in Libya, after being checked against other sources: Graeme Smith, ‘How social media users are helping NATO fight Gadhafi in Libya’, in The Globe and Mail, 14 June 2011; Tim Bradshaw and James Blitz, ‘NATO draws on Twitter for Libya strikes’, in The Washington Post, 16 June 2011.
115 Tallinn Manual, above note 27, p. 114.
116 Ibid., p. 113.
117 See above section ‘Dual-use objects in cyberspace’.
118 Study on customary international humanitarian law, Rule 12; AP I, Art. 51(4).
119 ICJ, above note 88, para. 78.
120 K. Dörmann, above note 42, p. 5.
121 The worm could either not be able to be directed at a specific military objective (cf. Study on customary international humanitarian law, Rule 12 (b), AP I, Art. 51(4)(b)) or have effects that cannot be limited as required by IHL (see Study on customary international humanitarian law, Rule 12(c), AP I, Art. 51(4)(c)).
122 T. Rid, above note 24.
123 D. E. Sanger, above note 23.
124 This follows not only from AP I, Art. 36 for states party to the Protocol, but also from the general obligation of belligerent parties not to employ indiscriminate weapons.
125 Study on customary international humanitarian law, above note 87, Rule 14.
126 Concise Oxford Dictionary.
127 Hathaway, Oonaet al., ‘The law of cyber-attack’, in California Law Review, Vol. 100, No. 4, 2012, p. 817.
128 R. Geiss and H. Lahmann, above note 61, p. 17.
129 See Doswald-Beck, Louise, ‘Some thoughts on computer network attack and the international law of armed conflict’, in Schmitt, Michael N. and O'Donnell, Brian T. (eds), Computer Network Attack and International Law, International Law Studies, Vol. 76, 2002, p. 169 : ‘… examples … have usually been when either the possible target was something that was military in nature but in the circumstances unusable or where the object's value as a military objective could not be verified.’ See also, ICTY, Final Report to the Prosecutor by the Committee Established to Review the NATO Bombing Campaign Against the Federal Republic of Yugoslavia (hereinafter Final Report to the Prosecutor), 13 June 2000, para. 19. In response to the bombardment of the Pancevo industrial complex and of a petroleum refinery in Novi Sad by NATO forces during the war in Kosovo in 1999, which lead to the release of some 80,000 tonnes of crude oil into the soil and of many tonnes of other toxic substances, the Committee stated that ‘[i]t is difficult to assess the relative values to be assigned to the military advantage gained and harm to the natural environment, and the application of the principle of proportionality is more easily stated than applied in practice’.
130 See, e.g., Commentary on HPCR Manual on Air and Missile Warfare, above note 86, Commentary on Rule 14, para. 4; Michael N. Schmitt, ‘Computer network attack: the normative software’, in Yearbook of International Humanitarian Law, The Hague, TMC Asser Press, 2001, p. 82.
132 This must be differentiated from an indiscriminate attack in which the effects cannot be controlled.
133 See AP I, Arts 57 and 58; Study on customary international humanitarian law, above note 87, Rules 15–24.
134 AP I, Art. 57(1); Study on customary international humanitarian law, above note 87, Rule 15.
135 AP I, Art. 57(2)(a)(i); Study on customary international humanitarian law, above note 87, Rule 16.
136 AP I, Art. 57(2)(a)(ii); Study on customary international humanitarian law, above note 87, Rule 17.
137 AP I, Art. 57(2)(b); Study on customary international humanitarian law, above note 87, Rule 19.
138 ICTY, Final Report to the Prosecutor, para. 29: In its Final Report, the Committee Established to Review the NATO Bombing Campaign Against the Federal Republic of Yugoslavia described the obligation thus: ‘A military commander must set up an effective intelligence gathering system to collect and evaluate information concerning potential targets. The commander must also direct his forces to use available technical means to properly identify targets during operations. Both the commander and the aircrew actually engaged in operations must have some range of discretion to determine which available resources shall be used and how they shall be used.’
139 E. T. Jensen, above note 90, p. 1185.
140 Tallinn Manual, above note 27, Rule 53, para. 6.
141 Ibid., Rule 52, para. 6.
142 According to AP I, Art. 49, such defensive operations are also attacks’ that have to abide by the principles of distinction, proportionality, and precaution.
143 See Quéguiner, Jean-François, ‘Precautions under the law governing the conduct of hostilities’, in International Review of the Red Cross, Vol. 88, No. 864, December 2006, p. 801; Commentary on HPCR Manual on Air and Missile Warfare, above note 86, Commentary on Rule 8, para. 2.
144 K. Dörmann, above note 42; Schmitt, Michael N., ‘The principle of discrimination in 21st century warfare’, in Yale Human Rights and Development Law Journal, Vol. 2, 1999, p. 170; Commentary on HPCR Manual on Air and Missile Warfare, above note 86, Commentary on Rule 32(b), para. 3, on weapons with greater precision or lesser explosive force.
145 AP I, Art. 58; Study on customary international humanitarian law, above note 89, Rules 22 and 24.
146 Tallinn Manual, above note 27, Commentary on Rule 59, para. 3.
147 E. T. Jensen, above note 97, pp. 1533–1569; Adam Segal, ‘Cyber space governance: the next step’, Council on Foreign Relations, Policy Innovation Memorandum No. 2, 14 November 2011, p. 3, available at: http://www.cfr.org/cybersecurity/cyberspace-governance-next-step/p24397.
148 Department of Defense Office of General Counsel, above note 112, p. 7.
149 E. T. Jensen, above note 97, pp. 1551–1552.
150 See also R. Geiss and H. Lahmann, above note 61, p. 14.
151 E. T. Jensen, above note 97, pp. 1563 ff.
152 A. Segal, above note 147.
154 R. Geiss and H. Lahmann, above note 61, p. 11.
155 Shulman, Mark R., ‘Discrimination in the law of information warfare’, in Columbia Journal of Transnational Law, Vol. 37, 1999, p. 964; Brown, Davis, ‘A proposal for an international convention to regulate the use of information systems in armed conflict’, in Harvard International Law Journal, Vol. 47, No. 1, Winter 2006, p. 179; Hollis, Duncan B., ‘Why states need an international law for information operations’, in Lewis and Clark Law Review, Vol. 11, 2007, p. 1023.
156 Mary Ellen O'Connell, ‘Cyber mania’, in Cyber Security and International Law, Meeting Summary, Chatham House, 29 May 2012, available at: http://www.chathamhouse.org/sites/default/files/public/Research/International%20Law/290512summary.pdf; Misha Glenny, ‘We will rue Stuxnet's cavalier deployment’, in The Financial Times, 6 June 2012, citing Russian antivirus expert Eugen Kaspersky; Scott Kemp, ‘Cyberweapons: bold steps in a digital darkness?’, in Bulletin of the Atomic Scientists, 7 June 2012, available at: http://thebulletin.org/web-edition/op-eds/cyberweapons-bold-steps-digital-darkness; Bruce Schneier, ‘An international cyberwar treaty is the only way to stem the threat’, in US News, 8 June 2012, available at: http://www.usnews.com/debate-club/should-there-be-an-international-treaty-on-cyberwarfare/an-international-cyberwar-treaty-is-the-only-way-to-stem-the-threat; Holis, Duncan, ‘An e-SOS for cyberspace’, in Harvard International Law Journal, Vol. 52, No. 2, Summer 2011, who argues for a system of e-sos.
157 Lin, Herb and Rid, Thomas, ‘Think again: cyberwar’, in Foreign Policy, March/April 2012, p. 7, available at: http://www.foreignpolicy.com/articles/2012/02/27/cyberwar?print=yes&hidecomments=yes&page=full; Jack Goldsmith, ‘Cybersecurity treaties: a skeptical view’, in Peter Berkowitz (ed.), Future Challenges in National Security and Law (forthcoming), available at: http://media.hoover.org/sites/default/files/documents/FutureChallenges_Goldsmith.pdf.
158 A. Segal, above note 108.
159 Eugene Kaspersky, ‘Der Cyber-Krieg kann jeden treffen’, in Süddeutsche, 13 September 2012, available at: http://www.sueddeutsche.de/digital/sicherheit-im-internet-der-cyber-krieg-kann-jeden-treffen-1.1466845.
* I would like to thank my colleagues from the ICRC, Knut Dörmann, Bruno Demeyere, Raymond Smith, Tristan Ferraro, Jelena Pejic, and Gary Brown for their thoughtful comments on earlier drafts, as well as Nele Verlinden for her help with the references.
All the Internet references were accessed in October 2012, unless otherwise stated.
This article was written in a personal capacity and does not necessarily reflect the views of the ICRC.
Email your librarian or administrator to recommend adding this journal to your organisation's collection.
* Views captured on Cambridge Core between <date>. This data will be updated every 24 hours.
Usage data cannot currently be displayed