Cyberwarfare in the Context of International Humanitarian Law

By: Yekalo Ghebremicael


Due regard to today’s cyber technology in the cyberspace, it improves and paves a new way in the life of each individual who has access to it; transmuting the world to a smaller pueblo than ever it was. The world is getting smaller and smaller as the result of this splendiferous improvement; the ability to obtain information is comparatively easy in the twenty-first century than it ever was. Commencing from states to individuals, from large to small business organisations, they become more and more reliant on information and information technology (hereinafter IT), including both computer and communications technologies. As this cyber technology is available to various government organisations and private business organisations, it is also greatly favoured and is much sought after by Military Forces, terrorists as well as other non-state armed groups.

It does have voluminous optimistic benefits; it eases and comforts the living of individuals which are fundamental components of various government and non-government organisations, but it also brings unprecedented security perils to its overall users which ratchet up internal and external concerns. These kinds of perils have a blatant pronounced potential to cause a lot of destruction.

As has been acknowledged above, IT also enchants the military where it changed the way in which they conduct warfare.[1] Hence, it will be inevitable to forward many queries as possible in order to shake the subject matter at hand and as such to discover some satisfactory outlets. Some of the queries that can be up stretched are, a) what does it mean by cyber-attacks, particularly cyber warfare and why is it a great concern nowadays? b) Whether there exists any legal framework that governs cyber-attacks? c) Is there any compatibility between cyber-attacks, particularly with reference to cyber warfare, and inherently International Humanitarian Law[2] (hereinafter IHL)? d) Is it difficult to apply rules of IHL to cyber-attacks as it is an evolving phenomenon? e) What type of cyber action should properly involve IHL analysis? f) How do cyber-attacks fit with the current IHL’s framework? g) Under what circumstances, a cyber-attack would constitute an ‘attack’ under IHL? h)  If IHL applies to cyber-attacks, how does the application of rules take place in the world of interconnectivity and what do its provisions articulate about them?

However, before bashing ahead to probe and inquire the above-raised questions it seems indispensably vital to staunchly underline the disparity that lies between certain words or terminologies like cyber warfare, cyber espionage, and cybercrime. As a matter of fact, they stream in and share some common features in one cyberspace, but, have various meanings and different effects on their application to IHL.

Though there is no universally accepted definition for the term cyber warfare, nevertheless, it does not remain devoid. ICRC defines cyber warfare as, the means and methods of warfare that rely on information technology and are used in the context of an armed conflict within the meaning of international humanitarian law – as opposed to the traditional kinetic military operations. Cyber espionage is delineated as the science of covertly capturing e-mail traffic, text messages, other electronic communications, and corporate data for the purpose of gathering national-security or commercial intelligence. Cybercrime is defined as a crime involving the use of a computer, such as sabotaging or stealing electronically stored data.[3] With regard to the meaning, undeniably, they have different meanings and when it comes to their effect in their application to IHL, they have positive and negative effects; that is to say, the affirmative cyber warfare which really has positive effects is ruled by IHL. As a matter of fact, it has much propinquity to the real armed warfare that it is affirmatively governed or regulated by IHL or plainly, it falls under the parasol of IHL, but the others have adverse results which is why they are not overseen by rules of IHL.

Moreover, it is essential to discourse the foundations of international law which emanate from international conventions, international custom, the general principles of law recognised by civilised nations, judicial decisions and the teachings of the most qualified publicists of various nations,[4]  because they are the building bricks of each and every issue that revolves in the international sphere on containing various issues.

From a legal point of view, intuitively, the law has to be general and forward-looking, accordingly, it will adapt to new situations and changes that will take place in the future and as such, they have to be tinted with a large brush. Nevertheless in the international arena, unlike the municipal law, change does not  appear easily as it lacks a legislative body, thus, it can be said that change in international law is usually very slow and moves in a very sluggish manner but to the contrary, cyber technology is changing now and then with a fast pace. As IHL is a part of international instruments, the only way change could come is through conventions, setting this aside for the nonce, the new cyber warfare is then analogically deprived of an occurrence of a change in the shape of IHL, then how is it regulated by IHL? It will be revealed in the subset passages.[5] Using this as an inauguration to the main emphasis of the subject matter, I will proceed to provide at least some outlets to the questions that have been raised above.

WHAT DOES IT MEAN BY CYBER-ATTACK AND PARTICULARLY CYBERWARFARE AND WHY IS IT A GREAT CONCERN NOWADAYS?

There is no universal definition of cyber-attack but it could be defined as the use of deliberate activities to alter, disrupt, deceive, degrade, or destroy computer systems or networks used by an adversary or the information and/or programs resident in or transiting through these systems or networks. One thing that this definition seems to stress is ‘deliberation’; that the act must be done intentionally, but what if the act is done inadvertently and causes some sort of destruction? The definition appears to be bare on that. Thus, any action, intentional or inadvertent, taken to undermine the functions of a computer network attack (hereinafter CNA) has to be considered an attack on cyber; it must be defined in terms of its object. Another point which needs a vigilant fleeting look is that all cyber operations cannot constitute an attack, but all cyber-attacks are embraced in cyber operations.

There is also a point which needs further elaboration, the term attack used in the above definition and as it is employed in IHL has a little bit dissimilarity to a certain extent. Thus, attack within the context of IHL is ‘an act of violence against the adversary, whether in offence or in defence’, accordingly an act which damages, destroys, disables, or usurps an adversary’s computer system either in offence or defence will constitute an attack. Here, the act does not need to be intentional only but even an inadvertent act will constitute an attack. It is also important to note that the direct effects of a cyber-attack (damage to a computer) may be less significant than the indirect effects.

UNDER WHICH CIRCUMSTANCES WOULD A CYBER-ATTACK CONSTITUTE AS AN ‘ATTACK’ UNDER IHL?

A cyber-attack can trigger the application of armed conflict and IHL, but it needs to have the potential to cause injury or death to persons or damage or destruction to objects. The cyber operation against civilians would generally be prohibited, but would not be sufficient alone to trigger IHL. So even though it is clear that IHL applies to cyber activities inside an armed conflict, its relevance is limited. The two most important principles of LOAC – distinction and proportionality, both attach on attacks. That is to say, activities that are something other than attacks do not trigger application.

Though there is no universally accepted definition for cyber warfare,, it can be defined. One way of defining it is from its context, cyber refers to something that is related to information technology, computer or the internet, and evidently, warfare means the waging of an armed conflict against an enemy. As a result, cyber warfare is a conflict against an enemy via a cyber network, information technology or the internet.

Cyber warfare and IHL examine the prominence of CNA in the arena of international law and look at their regulation under IHL. In these days, it turns out to be incontrovertible that cyber-attacks are postured to be tremendous menaces as real and tangible weapons do. As a consequence, it creates much concern to states over the world to be vigilant and hand this particular issue thoroughly.

As a concluding remark for the question posed, it can be argued that, although there is no universally accepted definition, terms like cyber-attack and cyber warfare do not exist in the vacuum. Besides, the issue of cyber warfare has created fear and anxiety among states which makes them oversee this issue more carefully.

WHETHER THERE IS AN EXISTING LEGAL FRAMEWORK THAT GOVERNS CYBERWARFARE?

It is ineluctable to forward this kind of query, if cyber warfare has the potential to exist and if it has a definition which involves conflict in its structure, and as a matter of fact that war is entirely prohibited, then it is sound to ask is there any law which will serve as a neutral referee to balance, at least to the minimum amount, the conflict that will exist between various parties? Although cyber warfare is not regulated by any IHL treaty, “their development and employment in armed conflict do not occur in a legal vacuum.” As a consequence, the rules of IHL are also applicable to cyber warfare analogically, though one cannot trace the word cyber in any IHL treaty.

At this moment, cyber warfare engages legal expertise in a hot argument and academic discussion on how the rules and leading legal principles of IHL are to be applied to it. One thing which is worth remembering here is, as it was raised above, the rules of  IHL apply to all kinds of warfare including those of the future, and as a consequence, it can be argued that the prospect of new types of weapons was undoubtedly foreseen in Article 36 of AP I. Reading Article 36 of AP I,  it appears palpably that states which are party to the AP I are under due obligation to abide by API whenever new weapons, means and methods are utilised at the stage of study, development, acquisition or adoption. That means the underlying principles of IHL, including the principles of military necessity, proportionality, distinction and precaution are applicable to cyber warfare.

Does this then mean, it is easy to apply rules of IHL to cyber warfare? As it is an evolving phenomenon, it may be too swift to provide an answer to it, but due to its different features, the major principles of IHL to cyber warfare cannot be easily applied and create formidable hurdles for legal expertise.

HOW CYBER WARFARE FITS WITH THE CURRENT LEGAL PRINCIPLES OF IHL

Cyber warfare, due to its undeveloped and infant stage, brings with it unprecedented queasy challenges which confront and challenge legal expertise to a certain extent when they strive to apply the rules and particularly the legal principles which underline the IHL. The principles are mainly – the principle of distinction and military necessity, the principle of proportionality, the principle of precaution and principle of neutrality. Regardless of the fact to the contrary, cyber-based warfare is much different from traditional kinetic warfare. It is by these principles that the applicability of cyber warfare to IHL is determined. Thus, let’s see these principles one by one.

  1. Principle of Distinction and Military Necessity

The principle of distinction requires that parties to a conflict distinguish and discriminate at all possible means and at all times between civilians and combatants as well as between civilian objects and military objectives. Attacks may only be directed against combatants or military objectives. Besides, indiscriminate attacks, that is, attacks which are not or cannot be directed at a specific military objective or whose effects cannot be limited as required by IHL, are staunchly prohibited.

Military objectives are fairly limited, referring to “those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralisation, in the circumstances ruling at the time, offer a definite military advantage”. On the contrary, those objects which are non-military are civilian objects. In case of doubt whether something which belongs to civilian is factually civilian in character or not, has to be presumed to be civilian in nature.

When applying Article 48 of AP I to cyber warfare, it may call for parties in a conflict to distinguish themselves, and discriminate at all possible means, between civilians and combatants as well as between civilian cyber network and military cyber network. Thus, an attack has to be directed and has to be also real, not suppositious only to the military network station which is aimed;[6] this means that attacks, not operations. as some conceived against a civilian cyber network, is totally outlawed by IHL, by way of similitude.

But, unlike the conventional kinetic armed conflict in which civilians are relatively distinguished from the military, cyber warfare involves dual connectivity in which the military network is intermingled with the civilian network and as the military is using the same lane this legal principle becomes quite intricate to be consistent to cyber warfare. As it has been stated above, it is the result of dual-use that creates insurmountable hurdles and makes all civil cyber network military and vice versa, hence making the principle shambolic. Besides, indiscriminate attacks, that is, attacks which are not or cannot be directed at a specific military objective or whose effects cannot be limited as required by IHL, are also staunchly prohibited.

To elucidate this with a simple example; two States engage themselves in conflict, State M and State E. State M shuts down, via a computer virus that replicates easily and destroys each place it rests, the nuclear plants control system of the latter alleging that some nuclear power stations are being used by State E to brand new nuclear weapons. As a matter of course, State M destroys the nuclear plant control system and eventually the citizens of State E suffer and many civilian and combatants face death as an upshot of hospitals, which found in that particular State, face dearth of electricity. In this particular case it seems evident that due to the failure of State M to distinguish which power plant control systems are being used by State E to brand new weapons and which plant control systems are for electricity and utilise the appropriate virus, it shut all down in a blink of an eye. It is this kind of problem that cyber warfare poses with regard to this particular legal principle of IHL.

One may raise a question in the above example – what if the last alternative to stop State E is by destroying all the available nuclear plants in its territory. To provide an answer to that, the principle of proportionality has to be accessed. However, before I proceed to resolve the above question by invoking the principle of proportionality, let’s see first, the military necessity which may also lend a hand to the clarification of the question raised above. In case of conflicts between States, military necessity requires the states in conflict, whenever they have a choice, to select measures that are necessary to subdue the other party in the conflict with least infliction of injury to the civilians.

Let’s refer the above example yet again, if the military objective of State M was to destroy State E’s nuclear weapon program, and State M had a choice between conducting a cyber-attack on the nuclear station control system or take down the nuclear plant with traditional kinetic means, State M would have to calculate what causes the least danger to the civilians. In this example, it might have been better if State M had dismantled the plant that it thought produces nuclear weapons than destroying all of them, though the risk to civilians would, however, most likely be the same. Nevertheless, if such calculation is not feasible, State M has to appeal to the principle of proportionality.

2. Principle of Proportionality

The principle of proportionality dictates that the military advantage obtained by a particular operation must be more important than the damage caused to civilians and civilian objects by that action. Thus, anticipated military advantage must not override the general civilian devastation. The principle of proportionality becomes a more argumentative area in times of an armed conflict which is followed by unavoidable civilian deaths, destruction to civilian objects and collateral damage.

It appears to be evident that one would ask, as to how proportionate is proportionate and who determines whether it is proportionate or not? The International Criminal Tribunal for the former Yugoslavia (hereinafter ICTY) provided how proportionate is proportionate in the Galić judgement, and also set up who could possibly determine it: “in determining whether an attack was proportionate, it is necessary to examine whether a reasonably well-informed person in the circumstances of the actual perpetrator, making reasonable use of the information available to him or her, could have expected excessive civilian casualties to result from the attack”.[7] Accordingly, as a way out, a reasonable person who is informed about the event and has sufficient evidence can at least determine whether a certain cyber-attack is proportionate or not. One thing that has to be noted here is that the reasonable person must not only gauge the direct effects an anticipated cyber-attack would have on civilian life or objects, but also any foreseeable indirect effects. As a result, proportionality has to be also factorised from the anticipatable indirect effect that could result from a cyber-attack.

Referring to the example raised in the principle of distinction and military necessity above, does State M fulfil the proportionality criteria or not? It is in these kinds of questions that difficulty arises; a reasonable person may contend that State M’s cyber-attack was not proportionate because it bleakly affected the civilian society. Another reasonable person may also contend that State M’s cyber-attack and the collateral damage was proportionate and if State M had not taken any action then it is possible that State E would have employed the nuclear weapons to annihilate people of State M who resided in its territory. It isn’t easy to ponder how proportionate is proportionate, even the term ‘reasonable man’ is not complete in itself.

3. Principle of Precaution

This principle functions parallel to the principle of proportionality; whenever a State in a conflict plans to attack it must take all feasible safety measures to avoid or at least minimise to the lowest extent the incidental loss of civilian life, injury to civilians and damage to civilian objects. In order to protect the life and object of the civilians, the State which is planning or has decided to attack must make sure by all possible means that the targeted cyber network should not cause damage or inflict injury.

Then, it becomes possible to discern two criteria from this particular legal principle: ‘feasibility’ and ‘precaution’. Though feasibility is not patently defined in IHL and there is no universally accepted definition, nonetheless, with regard to this particular issue, ICTY perceived it as, “The obligation to do everything ‘feasible’ is high but not absolute”.[8] A State, party to the conflict must target its attack to the military as and this feasibility need not be only complete but should be possible to the best extent that the State can reach. On top of that, if it appears to the State which plans or decides to attack that the target is not used by the military any more but is subject to special protection then it is under a duty to abandon the attack. The principle of precaution lies in precautions against dangers resulting from cyber-attacks; an advance warning has to be given to the civilian population unless the circumstances dictate otherwise.

To further elaborate the principle of precaution, let’s take the same example that we used to clarify the above principles; State M, within the context of the principle of precaution, has a two-fold responsibility; first, that State M, before launching the computer virus that attacked the control system of the nuclear plant was bound by this principle to ascertain the feasibility and possibility that the damage would create an adverse effect, such as the  death of civilians, but unfortunately it did not and hence it breached this principle. Secondly, let’s consider that the military commander of State M, in the process of launching the computer virus, decides to abort the attack after calculating the effect, then, the act of the commander would have been congruous with the principle of precaution.

4. Principle of Neutrality

Though it has been hardly discussed by legal scholars, it is an important issue which needs attention like the principles raised above. This principle applies only to IAC where the parties to a conflict are States which own certain legal territory, but, for the NIAC it does not, for the sole reason that they do not possess legal territory or sovereignty. Besides, whenever the issue of neutrality is raised it is important to remember that territory matters more than anything.

A neutral state must to all extent possible stay away from involving itself with the conflicting party and from making a contribution either logistically or in money, it must, in general, remain as a nonpartisan spectator. If a neutral State involves itself in a conflict, it ceases to exist as a neutral state. The parties to a conflict are also in a duty to not to interfere themselves or their property in the legal territory of the neutral state. This particular principle poses grim challenges, because demarcating one State cyber boundary is very arduous and testing.

For instance, State M and State E are in conflict, while this conflict is pending, State O, though neutral for the past three months starts to be opinionated with State M and allows State M to use its cyber network to attack State E. In this circumstance, it is suffice to say that State O engages itself to the conflict with State E because its cyber network is used to injure and damage the life and property of the residents of State E. As it has been witnessed above, in order for cyber warfare to be applicable to IHL the underlying principles of distinction and military necessity, proportionality, and precaution must appear. On the other hand, IHL would not apply to this particular conflict; any force is limited to what is possible under international human rights law. But the fundamental premise for the creation of IHL is to solve humanitarian problems directly arising from IAC or NIAC[9] and the fact that this law relates so closely to man enables it to take factual dimensions.

CONCLUSION

The new evolving cyber technology is being used only an iota, there is ample possibility that we can witness in the future many unprecedented developments which will ease man’s life and make him more productive with cushy efforts, nonetheless, it is unavoidable that it will definitely bring with it tremendous problems. In spite of the fact that IHL rules and legal principles are long-standing, they are compatible and applicable at all sides to the new phenomenon of cyber warfare but their application is much more vexing, however, they still apply and they will in the future too.

[1] Heather H Dinniss, Cyber Warfare and the Laws of War (1st edn, Cambridge University Press) 11.

[2] Malcolm N Shaw, International Law  (6th edn, Cambridge University Press 2008) 1167; United Nations Educational Scientific and Cultural Organization, International Dimensions of Humanitarian Law (Paris, Martinus Nijhoff Publishers 1998); International Red Cross Handbook (12th edn, Geneva: International Committee of the Red Cross and Red Cross Societies 1982).

[3] Bryan A Garner, Black’s Law Dictionary (9th edn, West Publications 2009) 443.

[4]  Brownlie, Principles of Public International Law (6th edn, OUP 2003) 5; RY Jennings and D Watts, Oppenheim’s International Law (9th edn, London 1992) 24; Malcolm N Shaw, International Law (6th edn, Cambridge University Press 2008) 70.

[5] Additional Protocol I, article 36; Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ 2 [25].

[6] Kolb and Hyde, An introduction to the International Law of Armed Conflicts (OUP 2008) 131.

[7] Prosecutor v Stanislav Galić ICTY-98-29-T (5 December 2003).

[8] NATO Bombing Campaign (ICTY Final Report to the Prosecutor) (2000) 391 LM 1257 [129].

[9] United Nations Educational Scientific and Cultural Organization, International Dimensions of Humanitarian Law  (Paris, Martinus Nijhoff Publishers 1998).


(Yekalo is currently a law undergraduate at Adi-Keih College of Arts and Social Science, Eritrea.)

One thought on “Cyberwarfare in the Context of International Humanitarian Law

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s