No legal vacuum in cyber space
Cyber warfare and international humanitarian law. All over the world, policy makers and military leaders are considering the implications of cyber warfare. Cordula Droege, an ICRC legal expert, explains that the existing legal framework is applicable and must be respected even in the cyber realm.
What do you mean by "cyber warfare" and why is it of concern to the ICRC?
The concept of cyber warfare is somewhat nebulous and different people appear to mean different things when they refer to it. For the purposes of this discussion, cyber warfare refers to means and methods of warfare that rely on information technology and are used in the context of an armed conflict within the meaning of international humanitarian law – as opposed to the traditional kinetic military operations.
Similarly, such terms as "cyber attacks," "cyber operations" or "computer network attacks" have no internationally agreed legal meaning and are used in different contexts (not always limited to armed conflicts) and with different meanings. Let us use the rather broad term of cyber operations to refer to operations against or via a computer or a computer system through a data stream. Such operations can aim to do different things, for instance to infiltrate a computer system and collect, export, destroy, change, or encrypt data or to trigger, alter or otherwise manipulate processes controlled by the infiltrated system. The technology can be used in warfare and, under certain circumstances, some of these operations can constitute attacks as defined under international humanitarian law.
Cyber operations can raise humanitarian concerns, in particular when their effect is not limited to the data of the targeted computer system or computer. Indeed, they are usually intended to have an effect in the "real world." For instance, by tampering with the supporting computer systems, one can manipulate an enemy's air traffic control systems, oil pipeline flow systems or nuclear plants. The potential humanitarian impact of some cyber operations is therefore enormous. Cyber operations that have been carried out thus far, for example in Estonia, Georgia and Iran, do not appear to have had serious consequences for the civilian population. However, it seems that it is technically feasible to interfere with airport control systems, other transportation systems, dams or nuclear power plants via cyber space. Potentially catastrophic scenarios, such as collisions between aircraft, the release of poisons from chemical plants, or the disruption of vital infrastructure and services such as electricity or water networks, therefore cannot be dismissed. The main victims of such operations would most likely be civilians.
Does international humanitarian law apply to cyber operations?
International humanitarian law, or IHL, only comes into play if cyber operations are committed in the context of an armed conflict – whether between States, between States and organized armed groups or between organized armed groups. Therefore, we need to distinguish the general issue of cyber security from the specific issue of cyber operations in armed conflict. Terms like "cyber attacks" or even "cyber terrorism" may evoke methods of warfare, but the operations they refer to are not necessarily conducted in armed conflict. Cyber operations can be and are in fact used in crimes committed in everyday situations that have nothing to do with situations of war. A large proportion of operations colloquially termed "cyber attacks" are in fact network exploitation attacks carried out for the purpose of illicit information gathering and occur outside the context of armed conflicts. But in armed conflict situations, IHL applies when the parties resort to means and methods of warfare relying on cyber operations.
If IHL applies to cyber operations, what does it say about them?
IHL does not specifically mention cyber operations. Because of this, and because the exploitation of cyber technology is relatively new and sometimes appears to introduce a complete qualitative change in the means and methods of warfare, it has occasionally been argued that IHL is ill adapted to the cyber realm and cannot be applied to cyber warfare. However, the absence in IHL of specific references to cyber operations does not mean that such operations are not subject to the rules of IHL. If the means and methods of cyber warfare produce the same effects in the real world as conventional weapons (such as destruction, disruption, damage, injury or death), they are governed by the same rules as conventional weapons.
New technologies of all kinds are being developed all the time and IHL is sufficiently broad to accommodate these developments. IHL prohibits or limits the use of certain weapons specifically (for instance, chemical or biological weapons, or anti-personnel mines). But it also regulates, through its general rules, all means and methods of warfare, including the use of all weapons. In particular, Article 36 of Protocol I additional to the Geneva Conventions provides that, "[i]n the study, development, acquisition or adoption of a new weapon, means or method of warfare, a High Contracting Party is under an obligation to determine whether its employment would, in some or all circumstances, be prohibited by this Protocol or by any other rule of international law applicable to the High Contracting Party." Beyond the specific obligation it imposes on States parties, this rule shows that general IHL rules apply to new technology.
This is not to say that there might not be a need to develop the law further as technologies evolve or their humanitarian impact becomes better understood. That will have to be determined by States. In the meantime, it is important to stress that there is no legal vacuum in cyber space. Beyond that, however, we are faced with a number of question marks on how IHL will apply in practice.
What is it about cyber space that makes it difficult to apply the rules of IHL?
The means and methods of cyber warfare are still incompletely understood, except presumably by the technical experts who develop and apply them. The development of new technologies is frequently classified. That being said, to determine whether and to what extent the means and methods of cyber warfare are qualitatively different from those of conventional warfare, the most important thing is to understand how the technology could be used and what effects it could have in armed conflict.
But one aspect of cyber space that would seem to pose difficulties is the anonymity of communications. In the cyber operations that occur on an everyday basis, anonymity is the rule rather than the exception. It appears to be impossible in some instances to trace their originator. Since all law is based on the allocation of responsibility (in IHL to a party to a conflict or to an individual), major difficulties arise. In particular, if the perpetrator of a given operation and thus the link of the operation to an armed conflict cannot be identified, it is extremely difficult to determine whether IHL is even applicable to the operation.
Another feature of cyber space is, of course, interconnectivity. The interconnections between computer systems – civilian and military – could make it difficult to apply even the most fundamental rules of IHL.
What rules of IHL are applicable to cyber operations? How can they be applied in the world of interconnectivity?
All IHL rules governing the conduct of hostilities are potentially applicable during armed conflict, but whether they are relevant in such a context, and how they could be applied, are real questions. Before giving some examples, it is important to recall that one of the main purposes of IHL is to protect the civilian population and civilian infrastructure from the effects of hostilities.
Let us consider some fundamental rules of IHL to illustrate not only their importance for cyber operations but also the difficult questions that their application to cyber space raises. These rules are related to the principles of distinction, proportionality and precaution.
The principle of distinction and the prohibition of indiscriminate and disproportionate attacks
The principle of distinction requires that parties to a conflict distinguish at all times between civilians and combatants and between civilian objects and military objectives. Attacks may only be directed against combatants or military objectives. Indiscriminate attacks, that is attacks which are not or cannot be directed at a specific military objective or whose effects cannot be limited as required by IHL, are prohibited. Similarly, attacks against military objectives or combatants are prohibited if they may be expected to cause incidental civilian casualties or damage which would be excessive in relation to the concrete and direct military advantage anticipated (so-called disproportionate attacks).
This means that, in planning and carrying out cyber operations, the only targets permissible under IHL are military objectives, such as computers or computer systems used in support of military infrastructure or of infrastructure used specifically for military purposes. It follows that attacks via cyber space may not be directed against, for example, computer systems used in medical facilities, schools, and other purely civilian installations. The issue of humanitarian concern in this respect is that cyber space is characterized by interconnectivity. It consists of innumerable interconnected computer systems across the world. Military computer systems appear to often be interconnected with commercial, civilian systems and to rely on them in whole or in part. Thus, it might well be impossible to launch a cyber attack on military infrastructure and limit the effects to just that military objective. For instance, the use of a worm that replicates itself and cannot be controlled, and might therefore cause considerable damage to civilian infrastructure, would be a violation of IHL.
Obligation to take precautions
The party responsible for an attack must take measures, to the maximum extent feasible, to avoid or minimize incidental damage to civilian infrastructure or harm to civilians. This will require verifying the nature of the systems that are being attacked and the possible damage that might ensue from an attack. It also means that when it becomes apparent that an attack will cause excessive incidental civilian damage or casualties, it must be cancelled.
Also, parties to conflicts have an obligation to take necessary precautions against the effects of attacks. It would therefore be advisable for them, in order to protect the civilian population against incidental effects of attacks, to assess whether military computer systems are sufficiently separate from civilian ones. The reliance of military computer systems and connections on systems run by civilian contractors which are also used for civilian purposes could be a cause for concern.
On the other hand, information technology might also serve to limit incidental damage to civilians or civilian infrastructure. For instance, it might be less damaging to disrupt certain services used for military and civilian purposes than to destroy infrastructure completely. In such cases, the principle of precaution arguably imposes an obligation on States to choose the less harmful means to achieve their military aim.
What is the ICRC doing in relation to cyber warfare?
We need to bear in mind that the military potential and the humanitarian impact of cyber warfare – despite all the things we read about them in the media – are far from fully understood. However, it is certainly possible that cyber operations could have disastrous consequences for civilians. That is why the ICRC monitors their development and reminds parties to conflicts of their obligations to comply with IHL. We are also paying close attention to a number of initiatives that aim to clarify the law applicable to cyber operations in armed conflict. Our aim is to reaffirm the applicability of IHL, to prevent any weakening of IHL caused by the development of new standards, and to remind those involved that in the world of interconnectivity the need to spare the civilian population is probably greater than ever.
- See also : Applicability of the Additional Protocols to Computer Network Attacks by Knut Dörmann, 2004