Cyber operations during armed conflicts

11 October 2021

The use of cyber operations as means or methods of warfare in armed conflicts poses a real risk of harm to civilians. It is thus essential to understand how international humanitarian law protects civilians, civilian infrastructure, and civilian data against cyber harm.

Today, the use of cyber operations during armed conflicts is a reality. While only a few states have publicly acknowledged using such operations, an increasing number of states are developing military cyber capabilities, and their use is likely to increase in future.

The international community recognises that just as any other means and methods of warfare, cyber operations may seriously affect civilian infrastructure and thus result in devastating humanitarian consequences.

There is a real risk that cyber tools – either deliberately or by mistake – may cause large-scale and diverse effects on critical civilian infrastructures, such as essential industries, telecommunications, transport, governmental, and financial systems.

Cyber operations conducted over recent years – primarily outside armed conflicts – have shown that malware can spread instantly around the globe and affect civilian infrastructure and the provision of essential services.

The increasing use of military cyber capabilities and the related humanitarian concerns underscore the importance of reaching shared understandings on the legal constraints that apply to the use of cyber operations during armed conflicts.

The principal body of law that governs the use of such operations during armed conflicts is international humanitarian law. States have formulated its rules in such ways that they apply – in the words of the International Court of Justice – to all forms of warfare and to all kinds of weapons, including those of the future.

The basic rules are straightforward: targeting civilians and civilian objects is forbidden; indiscriminate weapons and attacks must not be used; disproportionate attacks are prohibited; medical services must be respected and protected. These and many other rules apply in cyberspace and must be respected.

Other questions remain in need of further clarification. These include, for instance, whether civilian data enjoys the same protection as civilian objects, or whether cyber operations that disrupt systems without causing physical damage amount to attacks as defined in international humanitarian law.

The ICRC welcomes the increasing international attention to the potential human cost of cyber operations and the applicable international legal framework. Considering how rapidly societies are digitizing, it is critical that international humanitarian law be interpreted and applied in a way that protects the digital means and tools that populations rely on in every aspect of their lives, just as it protects physical objects.