By Léa Roubinet, 3 January 2024
Source: Bing image creator
This article explores the evolving landscape of cyber operations within the context of armed conflicts, shedding light on the complexities and challenges they pose to International Humanitarian Law (IHL). The application of IHL to cyber operations is crucial, considering their potential to cause severe damage to civilians and critical infrastructures. The article delves into the principles of IHL, highlighting their applicability to cyber conflicts. It emphasizes that cyber operations must adhere to JUS IN BELLO and JUS AD BELLUM, just like traditional kinetic operations, and analyses the Tallinn Manual which proposes concrete interpretation of IHL for cyber operations.
Introduction
A cyber operation refers to “all defensive[1] and offensive[2] computer warfare operations as well as to cyber intelligence”[3]. When adopted in the context of an armed conflict, they are methods of warfare employed to target enemy’s computer equipment, systems, or networks.
Cyber operations conducted in the context of an armed conflict have received increased attention since the start of the Russian-Ukrainian war as we expected a major battlefield shift to cyberspace. Although the number of cyberattacks has tripled since the beginning of the war, the expected escalation has not taken place. Cyberwar is real but is not changing the general dynamics as conflicts still take place mainly on traditional battlefields. Cyberattacks which support kinetic operations may be useful but will not be a critical factor in winning the war. No large-scale attack that would permanently destabilize Russian or Ukrainian infrastructures has yet taken place. While the attacks on the Viasat satellite network[4], the attack on the Ukrainian power grid in October 2022[5] and the recent attack on the Ukrainian mobile operator[6] have had far-reaching effects, none of them has been qualified under international humanitarian law (IHL).
International humanitarian law, also known as the law of armed conflict, is the international law governing warfare operations and protecting people not directly involved in combat, such as civilians, prisoners or medical staff. The UN Charter prohibits the threat or unilateral use of force in international relations, unless in self-defense or with the authorization of the UN Security Council. This is known as JUS AD BELLUM. Despite this prohibition, a number of armed conflicts have arisen since 1945. Thus, to regulate them and protect civilians, the Geneva Conventions and their Additional Protocols enshrined, in 1949, the principles of JUS IN BELLO which define what is permitted and prohibited in war.
With the development of new technologies and related cyber capabilities, international concerns about the use of cyber operations in an armed conflict have led to reflections on the way in which they should be governed by International Humanitarian Law. Indeed, in such an interconnected world, we know they are capable of causing serious damage to civilians and important infrastructures such as hospitals, water purification infrastructures or even electricity networks.
International humanitarian law includes simple fundamental rules such as the principles of discrimination, proportionality, precaution, humanity, and military necessity. They are applicable to “all forms of warfare and all weapons”, including “those (…) of the future”[7]. International interpretation in this area is clear: cyber operations and cyber conflict are subject to the same law as traditional kinetic operations.
Thus, in the framework of an ongoing armed conflict, cyber operations may constitute a weapon subject to the JUS IN BELLO. Besides, a cyber operation on its own, depending on its scale and implications, may also trigger an armed conflict. Consequently, a cyber operation must respect the principles of JUS AD BELLUM to avoid such a situation to happen.
If international players have recognized that the existing international humanitarian law applies to cyber operations as it does to any other weapon, some difficulties in interpreting and applying this law in cyberspace have arisen. Thus, a NATO initiative has drawn up a non-legally binding law manual in order to facilitate the interpretation of international humanitarian law applicable to cyber operations. To date, the Tallinn manuals published in 2013 and 2017 are the standard references on this topic.
Questions are nevertheless emerging as to the sufficiency of existing International Humanitarian Law principles to provide a framework for cyber operations. Thus, is it possible to wage war in cyberspace? And if so, how?
Can a war be waged in cyberspace? Reflections on JUS AD BELLUM
Article 2.4 of the United Nations Charter prohibits the use of force. This prohibition also applies in cyberspace. But how do we qualify the use of force in cyberspace? The Tallinn Manual proposes qualitative and quantitative evaluation factors to answer this question: “A cyber operation constitutes the use of force when its level (degree/threshold of intensity) and effects are comparable to a traditional (non-cyber) operation which would have reached the level of the use of force”. For instance, the damage magnitude, a possible military nature or the degree of penetration into the target’s system are criteria which can be used to assess and characterize a cyber operation.
Thus, depending on the attack’s scale and damage, a cyber operation may constitute an armed attack under International Humanitarian Law[8]. It does so when the use of force reaches “a high threshold in terms of degree, level of intensity and effects generated “[9]. Human death, serious injuries or major damage to civilian infrastructures would therefore qualify as an armed attack. However, this threshold is still open to debate since it is a subjective assessment. Moreover, as the armed attack qualification has never been given for a cyber operation, jurisprudence is still to be established in order to have some tangible indicators.
This characterization is of great importance, as it enables specific legal levers to be raised in terms of civil protection, but not only. When victim of an armed attack, a State is authorized to use self-defense[10] as provided for in Article 51 of the United Nations Charter. Such armed response must still respect the two core principles of International Humanitarian Law i.e., the principles of necessity and proportionality in order to contain any excesses that armed response might generate. Thus, such operations must only be conducted “to ensure that the aggressor State complies with international law “[11] and must cease as soon as it does so.
In terms of means, the targeted State may resort to a cybernetic response or to a classic kinetic one which means that the operation nature does not necessarily have to be the same. Therefore, according to IHL, a cyber operation could lead to a traditional kinetic response such as air strikes.
The Tallinn Manuals provide some further interpretation regarding the right to self-defense in response to a cyber operation. Beyond Article 51 of the UN Charter, experts consider that the right to self-defense may also be pre-emptive i.e. can intervene when armed attacks are imminent in order to prevent them from occurring. This interpretation is likely controversial as it opens a door for hypothetical violence escalation based on misinterpretation. Another interpretation concerns non-State actors. While international law only recognizes armed attacks and the right to self-defense in the context of State-led military operations, the Tallinn Manual, based on practical experience, considers that self-defense can also be invoked against non-State actors unconnected with a State.
Despite Tallinn Manual’s insights, a number of issues remain to be resolved. These questions are crucial in a context of increased cyber violence. First and foremost, cyber operations are often anonymous thus, it is often very difficult to determine which state or non-state actor is involved and whether or not it is linked to an ongoing armed conflict. As a result, it becomes difficult to condemn the operation and organize an armed response if necessary. Secondly, as pointed out before, there is some debate as to the threshold characterizing an armed attack, a status which not only ensures better protection for civilians and civilian property, but also enables States to react with self-defense attacks.
Finally, to date, no State has declared having undergone a cyber operation that could qualify as an armed attack. Although experts said the Stuxnet virus corresponded to a use of force prohibited by the UN Charter, they are still debating whether the threshold required to qualify as an armed attack had been reached. Thus today, the emergence of an armed conflict as a result of a cyber operation remains hypothetical. Currently, the JUS AD BELLUM relating to cyber operations is only preventive as it has never been applied. Most observed cyberoperations are related to cybercrime and are not massive enough to be qualified as “armed attacks”.
If we expected the next war to start with a cyberattack, the Russo-Ukrainian conflict showed that terrestrial operations still play a major role in contemporary military strategy. Russia’s attack on the Viasat network on 24th February 2022, a few hours before the Russian invasion of Ukraine, was a premiere, demonstrating the importance of cyberspace in today’s new forms of conflict. This massive attack destabilized tens of thousands of terminals, causing numerous outages, not only in Ukraine but also in Europe. For the first time, the European Union publicly attributed the attack to Russia, underscoring its importance and symbolism. However, it was Russia’s terrestrial invasion that triggered the conflict and enabled Ukraine to respond in self-defense, not the Viasat attack. If a combination of cyber and kinetic operation has been observed, this cyberattack may not have been enough to start the war.
*
If, in theory, cyber operations could trigger a war, they most often intervene within an already existing one in support of kinetic land, air or sea operations. When cyber operations take place within an armed conflict, they are governed by the JUS IN BELLO and must respect the basic international law principles i.e. the principles of discrimination, proportionality, and precaution.
*
How to wage war in cyberspace? Reflections on the JUS IN BELLO
First and foremost, any armed kinetic operation must respect the principle of discrimination, according to which a military operation must only target military objectives and not civilian infrastructures or populations[12]. This principle also applies to cyber operations. Thus, it is important to distinguish between civilians and military forces when conducting them. Cyber combatants, be they military combatants, non-state actors under the command of a state, or organized armed groups, can be targeted by an attack[13]. But civilians can’t.
However, such a distinction is difficult to establish in this context. When the nature, location, use or purpose of an infrastructure play a role in supporting military activities, it qualifies as a military objective. A computer system or network used by an army could therefore be a military objective. However, given the interdependence of computer and Internet networks, there is often no strict separation between military and civilians in cyberspace. So how should we consider cyberspace, given that it supports military operations but is primarily used for civilian purposes? IHL states that a civilian asset used in military operations loses its protection. For example, if an enemy hides weapons in a civilian house, the house loses its protection and can be attacked. As civilian and military networks are interconnected, such interpretation would mean removing protection for many civilians’ assets. It is therefore necessary to segment cyberspace and its components: it is impossible to consider the entire cyberspace as a military objective. Characterization must be assessed on a case-by-case basis.
IHL specifically protects infrastructures essential to the survival and protection of the civilian population i.e. health facilities[14]. Cyber operations might disrupt these critical infrastructures leading to a growing risk of intentional and unintentional harm to civilian populations. Thus, a cyber operation neutralizing essential civilian facilities like hospitals’s IT system are strictly prohibited under IHL.
In October 2022 and November 2023, essential civilian facilities such as electrical infrastructure and mobile operators have been targeted by Russian large-scale cyber-attacks. For the moment, their legality under IHL has not been questioned. However, such attacks raise questions about the distinction between combatants and civilians and demonstrate the strategic power of a successful cyber destabilization operation.
To protect these civilian essential infrastructures that benefit from additional protection under IHL, the ICRC is proposing the creation of a “digital emblem” designed to identify protected entities in the event of a cyber offensive. This emblem would indicate to attackers that they have penetrated a protected computer system and intend to discourage them from carrying out the planned attack (which is prohibited under IHL). The ICRC proposes three technical solutions such as DNS and IP labels or dedicated certificates. However, with such identifiable emblems, there are serious doubts as to whether this imaginary line will be respected by unscrupulous cybercriminals who usually do not hesitate to attack hospitals with ransomwares.
The principle of precaution which is tightly linked to the discrimination principle[15] is also very important when conducting cyber operation. Indeed, in cyberspace where networks are interconnected, precise digital targeting is necessary to avoid impacting civilians or civilian objects by ricochet. A cyber operation whose effects and propagation cannot be controlled is therefore strictly forbidden. If the operation is likely to cause civilian damage, such damage must not exceed the expected military advantage. In this context, the main challenge is evaluating potential harm and determining its proportionality. While cyber operations offer the advantage of minimizing human and material casualties in achieving military goals, unregulated harm to computer systems or critical data could lead to significant repercussions on civilian lives. Thus, cyber operations should only be carried out with engineers who are competent enough to assess their scope and with cyber weapons capable of targeting a specific infrastructure.
Finally, the last main IHL principle applicable to cyber operations is the principle of proportionality. This involves balancing collateral damage against the military advantages gained. This principle is at the heart of a divergence of approach within the international community as regards some IHL provisions’ interpretation for cyber operations. While many actors feel that existing law is sufficient to provide a framework for cyber operations, others feel that the current interpretation of IHL has its limits. For example, while the Tallinn Manual provides for proportional kinetic responses in cases of self-defense, some actors would prefer that, in the interests of collective security, responses should only be of a similar nature, i.e. cyber. Based on the assumption that a cyber conflict could be as destructive as a “traditional” one, kinetic responses are authorized. In reality, however, such conflicts do not yet exist. Authorizing such responses could give states pretexts for initiating far more destructive conflicts. Cyberspace should therefore be considered as a separate conflict zone in order to preserve peace.
Conclusion
In the context of armed conflicts, cyber operations pose several challenges concerning International Humanitarian Law. The inherent anonymity and virtual remoteness from traditional battlefields raise concerns about shifting responsibility and escalating violence. While existing IHL principles seemingly provide a viable framework for addressing cyber-attacks, there is a need to elucidate the violence threshold required to qualify a cyber operation as an armed attack. This clarification is essential for improved legal and military responses as well as civilian protections.
As we have been observing for almost two years now, the range of cyber actors involved in armed conflict is extremely varied. They may be state-led forces, but they may also be patriotic volunteers or hacktivists, of various nationalities, sometimes operating far from the battlefield and sometimes targeting infrastructures in third countries because of a supposed support for the enemy nation. The Russian-Ukrainian and Israeli-Palestinian conflicts clearly illustrate this problem. So how do we qualify these cybercriminals and hacktivists under IHL? Are their nations responsible for their actions? Do they constitute a non-state armed group under the Geneva Convention? What should be done if a hacktivist group carries out a large-scale cyber operation qualifying as an armed attack? These are just some of the questions we need to consider, and to which States and international organizations will have to respond when the situation arises.
In conclusion, it is crucial to emphasize that the current legal framework is primarily preventive, as, to date, no cyber operation has constituted a major attack under IHL. While France and other Western countries firmly support the application of the existing legal framework and reject any further convention on cyberwar, the interpretation of certain points will have to be fine-tuned in order to anticipate the widespread of cyber conflicts.
Finally, while we might have expected future conflicts to be of cyber origin, or to take place mainly in cyberspace, the two major conflicts between Russia and Ukraine, and between Israel and Hamas, have proved that these predictions were a little too dystopian. The decisive use of cyberspace in the context of armed conflict lies rather in disinformation, which, organized by large-scale state networks, become a powerful cross-border propaganda tool i.e. a strategic asset for the nation winning the war for the dominant narrative.
[3] Droit international appliqué aux opérations dans le cyberespace, ministère des Armées, 10/2019, [en ligne]
[4] Untersinger, M., “Guerre en Ukraine : les utilisateurs du réseau satellitaire Viasat victimes d’une cyberattaque.”, 08/03/2022, Le Monde [en ligne]
[5] Reynaud, F., “Guerre en Ukraine : des pirates du GRU ont déclenché une panne électrique en même temps que des frappes aériennes.”, 10/11/2023, Le Monde, [en ligne],
[6] Emmanuel Grynszpan, Thomas d’Istria, “Ukraine : une cyberattaque sans précédent paralyse le premier opérateur mobile », 14/12/2023, Le Monde, [en ligne]
[7] I.C.J., nuclear weapons Advisory Opinion, para. 86
[10] Rule 13 of Tallinn Manual
[15] Article 57 du Protocole Additionnel 1 aux Conventions de Genève
Sources
- Le droit international humanitaire et les cyber opérations pendant les conflits armés, Position du CICR, Novembre 2019, [online], https://www.icrc.org/en/download/file/112561/icrc_ihl_and_cyber_operations_during_armed_conflict_fr.pdf
- Rapport d’information sur le droit international humanitaire à l’épreuve des conflits, Assemblée Nationale par la commission des affaires étrangères, 4/12/2019, [online], https://www.assemblee-nationale.fr/dyn/15/dossiers/droit_humanitaire_epreuve_conflits_rap-info
- Droit international appliqué aux opérations dans le cyberespace, ministère des armées, 10/2019, [online], https://www.justsecurity.org/wp-content/uploads/2019/09/droit internat-appliqu%C3%A9-aux-op%C3%A9rations-cyberespace-france.pdf
- Analyse du Manuel de Tallinn 2.0 sur le droit international applicable aux cyber-opérations, DGRIS ministère des armées, 11/2017, [online], https://francoisdelerue.eu/wp-content/uploads/2020/01/20171129_NP_F-Delerue_Analyse-Manuel-Tallinn-2-0.pdf
- Réponse de la France à la résolution 73/27 relative aux « Progrès de l’informatique et des télécommunications et sécurité internationale » et à la résolution 73/266 relative à « Favoriser le comportement responsable des États dans le cyberespace dans le contexte de la sécurité internationale », Diplomatie.gouv, [online],
- https://www.diplomatie.gouv.fr/IMG/pdf/190513_-_reponse_de_la_france_aux_resolutions_73-27_et_73-266_fr_cle893713.pdf
- Maria Pilar Llorens, Los desafios del uso de la fuerza en el ciberespacio, Instituto de investigaciones juridicas de la UNAM, 22/09/2016, [online], https://revistas.juridicas.unam.mx/index.php/derecho-internacional/article/view/11052
- Nils Melzer, Les cyber-opérations et le jus in bello, Forum du désarmement, UNIDIR, 2011, [online], https://unidir.org/files/publication/pdfs//faire-face-aux-cyberconflits-en-473.pdf
- Clémentines Bories, « Appréhender la cyberguerre en droit international. Quelques réflexions et mises au point », La Revue des droits de l’homme [online], mis en ligne le 04 décembre 2014, https://journals.openedition.org/revdh/984#citedby
- Camille Faure, Utilisation contemporaine et future des technologies cyber/numériques dans les conflits armés, International Institute of Humanitarian Law, 04/09/2019, [online], https://iihl.org/wp-content/uploads/2019/10/Faure.pdf
- Libicki, Martin C. « De Tallinn à Las Vegas, une cyberattaque d’importance justifie-t-elle une réponse cinétique ? », Hérodote, vol. 152-153, no. 1-2, 2014, pp. 221-239.
- Barat-Ginies, Oriane. « Existe-t-il un droit international du cyberespace ? », Hérodote, vol. 152-153, no. 1-2, 2014, pp. 201-220.
- « Le droit international humanitaire et les cyberopérations pendant les conflits armés », CICR, 18/02/2020 [online], https://www.icrc.org/fr/document/le-droit international-humanitaire-et-les-cyberoperations-pendant-les-conflits-armes
- « Quelles limites le droit de la guerre impose-t-il aux cyberattaques ? », CICR, 28/06/2013, [online], https://www.icrc.org/fr/doc/resources/documents/faq/130628-cyber-warfare-q-and-a-eng.htm
- « Tallinn Manual 2.0 », CCDCOE, [online], https://ccdcoe.org/research/tallinn-manual/
- Cyber opérations et principe de proportionnalité en droit international humanitaire, Université de Rouen, Marco Roscini, 18/04/2014 [online video], https://webtv.univ rouen.fr/videos/16-cyber-operations-et-principe-de-proportionnalite-en-droit-international humanitaire/
- Cyberguerre : défis du futur pour l’humanitaire, débat organisé par la délégation du CICR en France, 18/12/2012, [online], https://www.youtube.com/results?search_query=cyberguerre+d%C3%A9fis+du+futur