Cyber warfare and IHL: some thoughts and questions
Does IHL cover cyber warfare? How can the ICRC help to protect civilians against the consequences of cyberattacks? To get some expert input on these and related questions, the ICRC recently invited Herbert Lin of the Computer Science and Telecommunications Board (USA) to come and speak to the ICRC Assembly and HQ staff. Mr Lin’s views are very much his own, but his presentation and the discussion that followed highlighted areas of importance to the ICRC.
Herb Lin started by warning his audience that “The indirect consequences of cyberattacks are almost always more consequential than the direct effects – indirect does not mean not primary.” He explained that an “attack” can involve preventing an enemy from using their computer system (denial of service attack, virus or malware) or making the system unreliable (changing data, for instance). In some cases, the ultimate target is not the computer system itself. For instance, an attacker may target the computer that controls a radar system, but his ultimate aim is to put it out of action just long enough to launch a bombing raid. Or, pretending to be the commander of enemy forces, he may send out a bogus order to the enemy to surrender. In other words, a cyberattack may have consequences in the “real world,” not just in the virtual world of bits and bytes.
Virtual attacks with real-world consequences
But just as missiles aimed at military objectives can kill civilians, so cyberattacks aimed at military computer systems can have unforeseen consequences for civilian computers. Dams, nuclear power stations and civilian air traffic control all need computers in order to operate and to stay safe.
At first sight, the answer is obvious – only attack military systems. But just as a tank may be parked near a hospital, making it difficult to hit the one and spare the other, so any entanglement between civilian and military air traffic control systems may make it difficult to target the military system without affecting civilian air traffic.
Taking the analogy between civilian and military assets a stage further, ensuring that an attacker could target military assets while sparing civilian systems might well require military computer systems to carry virtual insignia designating them as valid military targets, much as military aircraft have national insignia today. This would require considerable cooperation between States.
Lin emphasized that to minimize the possibility of a cyberattack on military targets having an impact on vital civilian infrastructure, it would be necessary to take special care to avoid or minimize such impact. Taking special care often requires detailed knowledge about the military computers of interest and requires considerable planning.
The conundrum of compliance
To be sure of complying with IHL stipulations regarding collateral damage, any potential cyberattacker would have to gather large quantities of information regarding the systems to be targeted. In modern warfare, however, networks change rapidly, and it would be difficult if not impossible to keep this information up to date. As a result, an attacker might be unable to say with certainty that his cyberattack was not going to cause disproportionate harm to civilians. For example, in disabling a power generating facility supplying a building of the ministry of defence, one might also cut off power to a nearby hospital. Having said which, the same uncertainty may apply if one uses a kinetic weapon to disable the generating facility.
Under some circumstances, it might be possible to introduce markers that identify networks used exclusively by persons and objects that enjoy protection under IHL. However, Lin pointed out that it would be easy to forge such markers, so some trusted organization would have to certify that only those entitled to protection were using them. In kinetic combat, a combatant might illegally use ambulances to transport uninjured soldiers; in cyberspace, a certifying authority (perhaps the ICRC) might be able to ensure that only qualifying computer facilities could post a cyber “marker” saying that it was operated, for example, by a hospital. But nothing would prevent another party from compromising those computer facilities to use them (improperly) for military purposes.
Lin noted difficulties in getting States and others to agree about restrictions on cyber warfare. However, he pointed out that some analysts see power networks, financial systems, and other critical infrastructures as good candidates for a protected status similar to that currently enjoyed by hospitals.
Turning to the potential role of the ICRC with respect to cyber warfare and IHL, Lin felt the organization could usefully apply what he called its “convening authority” to seeking greater clarity about the requirements of IHL as regards cyber warfare, while acknowledging that this would not suit those who are all too happy with the current lack of clarity. He also thought that the ICRC might have a role in helping to generate international consensus on whether civilians have fundamental rights to information, electrical power, etc., in the same way as they have rights to life and property.