
Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts

Published online by Cambridge University Press:  26 October 2020

Abstract

The use of cyber operations during armed conflicts and the question of how international humanitarian law (IHL) applies to such operations have developed significantly over the past two decades. In their different roles in the Legal Division of the International Committee of the Red Cross (ICRC), the authors of this article have followed these developments closely and have engaged in governmental and non-governmental expert discussions on the subject. In this article, we analyze pertinent humanitarian, legal and policy questions. We first show that the use of cyber operations during armed conflict has become a reality of armed conflicts and is likely to be more prominent in the future. This development raises a number of concerns in today's increasingly cyber-reliant societies, in which malicious cyber operations risk causing significant disruption and harm to humans. Secondly, we present a brief overview of multilateral discussions on the legal and normative framework regulating cyber operations during armed conflicts, looking in particular at various arguments around the applicability of IHL to cyber operations during armed conflict and the relationship between IHL and the UN Charter. We emphasize that in our view, there is no question that cyber operations during armed conflicts, or cyber warfare, are regulated by IHL – just as is any weapon, means or methods of warfare used by a belligerent in a conflict, whether new or old. Thirdly, we focus the main part of this article on how IHL applies to cyber operations. Analyzing the most recent legal positions of States and experts, we revisit some of the most salient debates of the past decade, such as which cyber operations amount to an “attack” as defined in IHL and whether civilian data enjoys similar protection to “civilian objects”. 
We also explore the IHL rules applicable to cyber operations other than attacks and the special protection regimes for certain actors and infrastructure, such as medical facilities and humanitarian organizations.

Type
Cyber operations and warfare
Copyright
Copyright © The Author(s), 2020. Published by Cambridge University Press on behalf of the ICRC.


Footnotes

* An earlier version of this article has been published by the same authors under the title “The Applicability and Application of International Humanitarian Law to Cyber Warfare”, Chinese Review of International Law, Vol. 32, No. 4, 2019. It has been substantially updated and broadened for publication in this issue of the Review. This article was written in a personal capacity and does not necessarily reflect the views of the ICRC.

References

1 ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts, Position Paper submitted to the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security and the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, 2019, available at: www.icrc.org/en/document/international-humanitarian-law-and-cyber-operations-during-armed-conflicts (all internet references were accessed in August 2020). Also available in the “Reports and Documents” section of this issue of the Review.

2 See, in particular, Mike Burgess, Australian Signals Directorate, “Offensive Cyber and the People Who Do It”, speech given to the Lowy Institute, 27 March 2019, available at: www.asd.gov.au/speeches/20190327-lowy-institute-offensive-cyber-operations.htm; Paul M. Nakasone, “Statement of General Paul M. Nakasone, Commander, United States Cyber Command, before the Senate Committee on Armed Services”, 14 February 2019, available at: www.armed-services.senate.gov/imo/media/doc/Nakasone_02-14-19.pdf; Jeremy Fleming, GCHQ, “Director's Speech at CyberUK18”, 12 April 2018, available at: www.gchq.gov.uk/pdfs/speech/director-cyber-uk-speech-2018.pdf.

3 “Hackers Interrupt Israeli Eurovision WebCast with Faked Explosions”, BBC News, 15 May 2019, available at: www.bbc.co.uk/news/technology-48280902; Zak Doffman, “Israel Responds to Cyber Attack with an Air Strike on Cyber Attackers in World First”, Forbes, 6 May 2019, available at: www.forbes.com/sites/zakdoffman/2019/05/06/israeli-military-strikes-and-destroys-hamas-cyber-hq-in-world-first/#1c692f73afb5. While the purported target of the alleged cyber operation by Hamas has not been publicly released, the targeting of Hamas’ building by kinetic means was said to be based on intelligence gained as part of the Israeli Defence Forces’ cyber defence effort.

4 David Hollis, “Cyberwar Case Study: Georgia 2008”, Small War Journal, 2010, available at: https://smallwarsjournal.com/blog/journal/docs-temp/639-hollis.pdf.

5 Andy Greenberg, “How an Entire Nation Became Russia's Test Lab for Cyberwar”, Wired, 20 June 2017, available at: www.wired.com/story/russian-hackers-attack-ukraine/; Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History”, Wired, 22 August 2018, available at: www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.

6 Blake Johnson et al., “Attackers Deploy New ICS Attack Framework ‘TRITON’ and Cause Operational Disruption to Critical Infrastructure”, Fireeye Blogs, 14 December 2017, available at: www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html.

7 For example, there have been various media reports – based on anonymous official sources – that the United States has carried out cyber operations against targets in Russia and Iran, and that Israel has carried out a cyber operation against a port in Iran. See Ellen Nakashima, “U.S. Cyber Command Operation Disrupted Internet Access of Russian Troll Factory on Day of 2018 Midterms”, Washington Post, 27 February 2019, available at: https://tinyurl.com/yxs8twyv; David E. Sanger and Nicole Perlroth, “U.S. Escalates Online Attacks on Russia's Power Grid”, New York Times, 15 June 2019, available at: www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html; Julian E. Barnes and Thomas Gibbons-Neff, “U.S. Carried out Cyberattacks on Iran”, New York Times, 22 June 2019, available at: www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html; Joby Warrick and Ellen Nakashima, “Officials: Israel Linked to a Disruptive Cyberattack on Iranian Port Facility”, Washington Post, 18 May 2020, available at: https://tinyurl.com/y4onsrt9. On so-called “grey zones” and cyber technology, see Camille Faure, “Utilisation contemporaine et future des technologies cyber/numériques dans les conflits armés”, in Gabriella Venturini and Gian Luca Beruto (eds), Whither the Human in Armed Conflict? IHL Implications of New Technology in Warfare, 42nd Round Table on Current Issues of International Humanitarian Law, International Institute of Humanitarian Law, Sanremo, 2020 (forthcoming); Gary Corn, “Punching on the Edges of the Grey Zone: Iranian Cyber Threats and State Cyber Responses”, Just Security, 11 February 2020, available at: www.justsecurity.org/68622/punching-on-the-edges-of-the-grey-zone-iranian-cyber-threats-and-state-cyber-responses/. On the threshold of application of IHL, see the section below entitled “Cyber Operations that Are Governed by IHL”.

8 In addition to the United States and the United Kingdom, France has set out the objective of “acquir[ing] a cyber defence capability” to defend against “foreign States or terrorist groups [which] could attack the critical infrastructures”. France, Agence Nationale de la Sécurité des Systèmes d'Information, Information System Defence and Security: France's Strategy, 2011, available at: www.ssi.gouv.fr/uploads/IMG/pdf/2011-02-15_Information_system_defence_and_security_-_France_s_strategy.pdf. The 2015 White Paper on China's Military Strategy states that “in response to the increasing development of cyber military capabilities from other states, China will develop a defensive cyber military capacity”. See Government of China, White Paper on China's Military Strategy, 2015, available at: www.gov.cn/zhengce/2015-05/26/content_2868988.htm. Russia has been less explicit on the subject, but the Russian Federation's Doctrine of Information Security identifies “upgrading the information security system of the Armed Forces of the Russian Federation, other troops, military formations and bodies, including forces and means of information confrontation” as a “key area of ensuring information security in the field of national defence”. See Ministry of Foreign Affairs of the Russian Federation, Doctrine of Information Security of the Russian Federation, 5 December 2016, available at: https://tinyurl.com/y6yhp7pv. See also Ministry of Defence of the Russian Federation, “Western MD Operators Repelled Cyberattack of the Simulated Enemy in the Course of the Union Shield – 2015”, 2015, available at: https://eng.mil.ru/en/news_page/country/more.htm?id=12056193@egNews. For general estimates on the spread of cyber tools, see Anthony Craig, “Understanding the Proliferation of Cyber Capabilities”, Council on Foreign Relations, 2018, available at: www.cfr.org/blog/understanding-proliferation-cyber-capabilities.
According to the United Nations Institute for Disarmament Research (UNIDIR) Cyber Index, in 2012 forty-seven States had cyber security programmes that gave some role to their armed forces (UNIDIR, The Cyber Index: International Security Trends and Realities, UN Doc. UNIDIR/2013/3, Geneva, 2013, p. 1), while in 2020 Digital Watch Observatory recorded twenty-three and thirty States with respectively evidence or indications of offensive cyber capabilities (Digital Watch Observatory, “UN GGE and OEWG”, available at: https://dig.watch/processes/un-gge).

9 ICRC, Avoiding Civilian Harm from Military Cyber Operations during Armed Conflicts, forthcoming.

10 Sharon Weinberger, “How Israel Spoofed Syria's Air Defense System”, Wired, 4 October 2007, available at: www.wired.com/2007/10/how-israel-spoo/; Lewis Page, “Israeli Sky-Hack Switched Off Syrian Radars Countrywide”, The Register, 22 November 2007, available at: www.theregister.co.uk/2007/11/22/israel_air_raid_syria_hack_network_vuln_intrusion/.

11 In November 2018, the ICRC convened an expert meeting to develop a realistic assessment of cyber capabilities and their potential humanitarian consequences in light of their technical characteristics. See Laurent Gisel and Lukasz Olejnik (eds), ICRC Expert Meeting: The Potential Human Cost of Cyber Operations, ICRC, Geneva, 2019, available at: www.icrc.org/en/download/file/96008/the-potential-human-cost-of-cyber-operations.pdf. See also Sergio Caltagirone, “Industrial Cyber Attacks: A Humanitarian Crisis in the Making”, Humanitarian Law and Policy Blog, 3 December 2019, available at: https://blogs.icrc.org/law-and-policy/2019/12/03/industrial-cyber-attacks-crisis/. The World Economic Forum (WEF) Global Risks Report 2020 ranks cyber attacks among the top ten risks in terms of both likelihood and impact; see WEF, The Global Risks Report 2020, 2020, p. 3, available at: www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf.

12 See US Department of Defense Office of General Counsel, An Assessment of International Legal Issues in Information Operations, 1999, available at: https://fas.org/irp/eprint/io-legal.pdf; for one of the early academic examinations of these questions, see Knut Dörmann, “Computer Network Attack and International Humanitarian Law”, 2001, available at: www.icrc.org/en/doc/resources/documents/article/other/5p2alj.htm.

13 See Schmitt, Michael N. (ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare, Cambridge University Press, Cambridge, 2013 (Tallinn Manual); Schmitt, Michael N. and Vihul, Liis (eds), Tallinn Manual 2.0 on International Law Applicable to Cyber Operations, 2nd ed., Cambridge University Press, Cambridge, 2017 (Tallinn Manual 2.0).

14 See, notably, OEWG, “Initial ‘Pre-draft’ of the Report of the OEWG on Developments in the Field of Information and Telecommunications in the Context of International Security”, 11 March 2020, available at: https://unoda-web.s3.amazonaws.com/wp-content/uploads/2020/03/200311-Pre-Draft-OEWG-ICT.pdf.

15 UNGA Res. 73/27, “Developments in the Field of Information and Telecommunications in the Context of International Security”, UN Doc. A/RES/73/27, 11 December 2018, para. 5; UNGA Res. 73/266, “Advancing Responsible State Behaviour in Cyberspace in the Context of International Security”, UN Doc. A/RES/73/266, 2 January 2019, para. 3.

16 UN General Assembly, “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security: Note by the Secretary-General”, UN Doc. A/70/174, 22 July 2015, paras 24, 28(d).

17 Agreement on Cooperation in the Field of Ensuring International Information Security among Member States of the Shanghai Cooperation Organization, Yekaterinburg, 16 June 2009 (SCO Agreement); unofficial translation in Ministry of Defense of the Russian Federation, “The State and the Prospects of Russian Military Cooperation on International Information Security (A Collection of Papers)”, 2014, pp. 77 ff. See also, for example, J. Fleming, above note 2, p. 5.

18 See AALCO, International Law in Cyberspace, Doc. No. AALCO/58/DAR ES SALAAM/2019/SD/17, available at: www.aalco.int/Final%20Cyberspace%202019.pdf.

19 See the Commonwealth Cyber Declaration issued at the Commonwealth Heads of Government Meeting, London, 16–20 April 2018, available at: https://thecommonwealth.org/commonwealth-cyber-declaration.

20 See, for example, EU Council Conclusions, General Affairs Council meeting, Doc. No. 11357/13, 25 June 2013.

21 See, for example, the Wales Summit Declaration issued by the heads of State and government participating in the meeting of NATO in Wales, 5 September 2014, para. 72, available at: www.nato.int/cps/en/natohq/official_texts_112964.htm.

22 See OAS, Improving Transparency: International Law and State Cyber Operations: Fourth Report, OAS Doc. CJI/doc. 603/20 rev.1 corr.1, 5 March 2020, available at: www.oas.org/en/sla/iajc/docs/CJI_doc_603-20_rev1_corr1_eng.pdf.

23 “UK Response to Chair's Initial ‘Pre-draft’ of the Report of the OEWG on Developments in the Field of Information and Telecommunications in the Context of International Security”, available at: https://front.un-arm.org/wp-content/uploads/2020/04/20200415-oewg-predraft-uk.pdf. See also ICRC, above note 9; Gary Corn, “The Potential Human Costs of Eschewing Cyber Operations”, Humanitarian Law and Policy Blog, 31 May 2019, available at: https://blogs.icrc.org/law-and-policy/2019/05/31/potential-human-costs-eschewing-cyber-operations/.

24 SCO Agreement, above note 17, Art. 2.

25 Helen Durham, “Cyber Operations during Armed Conflict: 7 Essential Law and Policy Questions”, Humanitarian Law and Policy Blog, 26 March 2020, available at: https://blogs.icrc.org/law-and-policy/2020/03/26/cyber-armed-conflict-7-law-policy-questions/.

26 Examples include the malware CrashOverride, the ransomware WannaCry, the wiper program NotPetya, and the malware Triton. CrashOverride affected the provision of electricity in Ukraine; WannaCry affected hospitals in several countries; NotPetya affected a very large number of businesses; Triton was aimed at disrupting industrial control systems, and was reportedly used in attacks against Saudi Arabian petrochemical plants. For some discussion, see Laurent Gisel and Lukasz Olejnik, “The Potential Human Cost of Cyber Operations: Starting the Conversation”, Humanitarian Law and Policy Blog, 14 November 2018, available at: https://blogs.icrc.org/law-and-policy/2018/11/14/potential-human-cost-cyber-operations/.

27 See S. Caltagirone, above note 11.

28 L. Gisel and L. Olejnik (eds), above note 11, pp. 18–22.

29 See Aaron F. Brantly, “The Cybersecurity of Health”, Council on Foreign Relations Blog, 8 April 2020, available at: https://tinyurl.com/yxc4oc9j.

30 See “Call by Global Leaders: Work Together Now to Stop Cyberattacks on the Healthcare Sector”, Humanitarian Law and Policy Blog, 26 May 2020, available at: https://blogs.icrc.org/law-and-policy/2020/05/26/call-global-leaders-stop-cyberattacks-healthcare/. In the specific framework of the above-mentioned OEWG, the ICRC suggested that States could adopt a norm whereby they commit “not to conduct or knowingly support cyber operations that would harm medical services or medical facilities, and to take measures to protect medical services from harm”. This suggestion combines a “negative” element, namely that States should not conduct or knowingly support cyber activity that would harm medical services or facilities, and a “positive” element, meaning that States should take measures to protect medical services from harm. See ICRC, “Norms for Responsible State Behavior on Cyber Operations Should Build on International Law”, 11 February 2020, available at: www.icrc.org/en/document/norms-responsible-state-behavior-cyber-operations-should-build-international-law.

31 See below section entitled “IHL Rules Protecting Objects Indispensable to the Survival of the Civilian Population, Medical Services, and Humanitarian Relief Operations”.

32 For greater detail on how international law applies to such operations, see Kubo Mačák, Laurent Gisel and Tilman Rodenhäuser, “Cyber Attacks against Hospitals and the COVID-19 Pandemic: How Strong are International Law Protections?”, Just Security, 27 March 2020, available at: www.justsecurity.org/69407/cyber-attacks-against-hospitals-and-the-covid-19-pandemic-how-strong-are-international-law-protections/. See also the Oxford Statement on the International Law Protections against Cyber Operations Targeting the Health Care Sector, May 2020 (Oxford Statement), available at: www.elac.ox.ac.uk/the-oxford-statement-on-the-international-law-protections-against-cyber-operations-targeting-the-hea.

33 L. Gisel and L. Olejnik (eds), above note 11, pp. 23–28. See also Aron Heller, “Israeli Cyber Chief: Major Attack on Water Systems Thwarted”, ABC News, 28 May 2020, available at: https://abcnews.go.com/International/wireStory/israeli-cyber-chief-major-attack-water-systems-thwarted-70920855.

34 Ibid., p. 25.

35 Marina Krotofil, “Casualties Caused through Computer Network Attacks: The Potential Human Costs of Cyber Warfare”, 42nd Round Table on Current Issues of International Humanitarian Law, 2019, available at: http://iihl.org/wp-content/uploads/2019/11/Krotofil1.pdf.

36 See also ICRC, International Humanitarian Law and the Challenges of Contemporary Armed Conflicts, Geneva, 2019 (ICRC Challenges Report 2019), p. 27, available at: www.icrc.org/en/document/icrc-report-ihl-and-challenges-contemporary-armed-conflicts; L. Gisel and L. Olejnik (eds), above note 11, p. 7.

37 For a broader discussion on attribution, including the pertinent international law rules, see the section below entitled “The Issue of Attribution”.

38 Statement by Counsellor Sun Lei of the Chinese Delegation at the Thematic Discussion on Information and Cyber Security at the First Committee of the 72nd Session of the UN General Assembly, 23 October 2017, available at: www.china-un.org/eng/chinaandun/disarmament_armscontrol/unga/t1505683.htm.

39 The overall cost of cyber crime alone is measured in trillions of dollars: it was estimated at $3 trillion in 2015 worldwide, and this figure is predicted to double by 2021 (Steve Morgan, “Hackerpocalypse: A Cybercrime Revelation”, Herjavec Group, 17 August 2016, available at: www.herjavecgroup.com/hackerpocalypse-cybercrime-report/). NotPetya's impact was estimated at well above $1 billion, with some estimates as high as $10 billion (Fred O'Connor, “NotPetya Still Roils Company's Finances, Costing Organizations $1.2 Billion in Revenue”, Cybereason, 9 November 2017, available at: www.cybereason.com/blog/notpetya-costs-companies-1.2-billion-in-revenue; A. Greenberg, above note 5). The financial system is also often affected by cyber attacks: see, for example, Choe Sang-Hun, “Computer Networks in South Korea Are Paralyzed in Cyberattacks”, New York Times, 20 March 2013, available at: www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html.

40 See, for instance, US Department of Defense, DOD Dictionary of Military and Associated Terms.

41 The SCO Agreement, above note 17, defines “information war” as “a confrontation between two or more States in the information space with the aim of damaging information systems, processes and resources, critically important and other structures, undermining political, economic and social systems, psychologically manipulating masses of the population to destabilize society and the State, and also forcing the State to take decisions in the interest of the opposing party”. The Russian Federation Armed Forces define information war in the same manner, stating that “the Armed Forces of the Russian Federation follow … international humanitarian law” during military activities in the global information space (Ministry of Defence of the Russian Federation, Russian Federation Armed Forces’ Information Space Activities Concept, 2011, section 2.1, available at: https://eng.mil.ru/en/science/publications/more.htm?id=10845074@cmsArticle).

42 See ICRC, above note 1.

43 See ICRC, International Humanitarian Law and the Challenges of Contemporary Armed Conflicts, Geneva, 2011 (ICRC Challenges Report 2011), pp. 36–39, available at: www.icrc.org/en/doc/assets/files/red-cross-crescent-movement/31st-international-conference/31-int-conference-ihl-challenges-report-11-5-1-2-en.pdf; K. Dörmann, above note 12.

44 Declaration Renouncing the Use, in Time of War, of Explosive Projectiles Under 400 Grammes Weight, St Petersburg, 29 November/11 December 1868.

45 Protocol Additional (I) to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts, 1125 UNTS 3, 8 June 1977 (entered into force 7 December 1978).

46 ICJ, Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 8 July 1996, para. 86.

47 See Tallinn Manual 2.0, above note 13, Rule 80; Oxford Statement, above note 32, point 5. Also see the article by Zhixiong Huang and Yaohui Ying in this issue of the Review; and see Ma Xinmin, at the time deputy director-general of the Department of Treaty and Law, Ministry of Foreign Affairs of the People's Republic of China, writing in a personal capacity: “[T]he scope of applicability of the rules of IHL has been expanded. … [I]t has also been broadened to cyberspace. The UN GGE on Developments in the Field of Information and Telecommunications in the Context of International Security confirmed in its 2013 and 2015 reports that international law, particularly the UN Charter, is applicable in cyberspace. IHL should, therefore, in principle be applicable to cyber attacks, but how to apply it is still open to discussion” (unofficial and informal translation). Ma Xinmin, “International Humanitarian Law in Flux: Development and New Agendas – In Commemoration of the 40th Anniversary of the 1977 Adoption Protocols to the Geneva Conventions”, Chinese Review of International Law, Vol. 30, No. 4, 2017, p. 8.

48 UN General Assembly, “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security: Note by the Secretary-General”, UN Doc. A/68/98, 24 June 2013, para. 19, and UN Doc. A/70/174, 22 July 2015, para. 24.

49 UNGA Res. 70/237, “Developments in the Field of Information and Telecommunications in the Context of International Security”, UN Doc. A/RES/70/237, 30 December 2015, preambular para. 16.

50 UNGA Res. 73/27, above note 15, preambular para. 17; UNGA Res. 73/266, above note 15, preambular para. 12.

51 UN Doc. A/70/174, above note 48, para. 28(d).

52 Michael N. Schmitt, “France Speaks Out on IHL and Cyber Operations: Part I”, EJIL: Talk!, 30 September 2019, available at: www.ejiltalk.org/france-speaks-out-on-ihl-and-cyber-operations-part-i/.

53 EU Council Conclusions, above note 20.

54 Wales Summit Declaration, above note 21, para. 72.

55 See “Cybersecurity: Paris Call of 12 November 2018 for Trust and Security in Cyberspace”, France Diplomacy, available at: www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france-and-cyber-security/article/cybersecurity-paris-call-of-12-november-2018-for-trust-and-security-in.

56 Commonwealth Cyber Declaration, above note 19, p. 4, para. 4.

57 See OAS, above note 22, para. 43 (mentioning Bolivia, Chile, Guyana, Peru and the United States); Ecuador's response may appear to have implied such support (see also paras 19–21, 25). Other member States of the OAS expressed this position in the context of the OEWG. See comments by Brazil, Colombia and Uruguay on the initial pre-draft of the OEWG report, available at: www.un.org/disarmament/open-ended-working-group/. See, however, the views of Cuba, Nicaragua and Venezuela, who note, among other things, that there is not yet consensus on the applicability of IHL in cyberspace and that direct reference to IHL in the report may validate or legitimize the militarization of cyberspace.

58 See, most recently, the submissions of China, Cuba, Iran, Nicaragua, Russia and others on the initial pre-draft of the OEWG report, available at: www.un.org/disarmament/open-ended-working-group/. See also, for example, People's Republic of China, Position Paper of the People's Republic of China for the 73rd Session of the United Nations General Assembly, 2018, p. 10, available at: https://tinyurl.com/y4qquywp; “Declaration by Miguel Rodríguez, Representative of Cuba, at the Final Session of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security”, 23 June 2017, p. 2; Ministry of Foreign Affairs of the Russian Federation, “Response of the Special Representative of the President of the Russian Federation for International Cooperation on Information Security Andrey Krutskikh to TASS’ Question Concerning the State of International Dialogue in This Sphere”, 29 June 2017.

59 “The applicability of the law of armed conflicts and jus ad bellum needs to be handled with prudence. The lawfulness of cyber war should not be recognized under any circumstance. States should not turn cyberspace into a new battlefield”: “China's Submissions to the Open-ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security”, September 2019, p. 6, available at: https://s3.amazonaws.com/unoda-web/wp-content/uploads/2019/09/china-submissions-oewg-en.pdf. “We should be extremely cautious against any attempt to introduce use of force in any form into cyberspace, have sober assessment on possible conflicts and confrontations resulted from the indiscriminate application of the law of armed conflicts in cyberspace, and refrain from sending wrong messages to the world”: “China's Contribution to the Initial Pre-Draft of OEWG Report”, April 2020, p. 5, available at: https://front.un-arm.org/wp-content/uploads/2020/04/china-contribution-to-oewg-pre-draft-report-final.pdf. “[W]ithout state practice, we should be very prudent on the discussion of application of humanitarian law in so called ‘cyber wars.’ The reason is very simple but fundamental: firstly, no cyber wars shall be permitted; and secondly, cyber war will be a totally new form of high-tech war”: China statement at AALCO 58th Annual Session, in AALCO, Verbatim Record of Discussions: Fifty-Eighth Annual Session, Doc No. AALCO/58/DAR ES SALAAM/2019/VR, 2019, p. 176, available at: www.aalco.int/Verbatim%20(FINAL)%2020200311.pdf.

60 China has stated at a meeting of the AALCO Working Group on International Law in Cyberspace that “the regimes of jus ad bellum and jus in bello must apply taking note of the peculiarities of cyber warfare”. AALCO, Summary Report of the Fourth Meeting of the Open-Ended Working Group on International Law in Cyberspace, 3 September 2019, available at: www.aalco.int/Summary%20Report%20as%20Adopted.pdf.

61 This view has also been expressed in, among others, the submissions of Australia, Brazil, Chile, Denmark and the United Kingdom on the initial pre-draft of the OEWG report, available at: www.un.org/disarmament/open-ended-working-group/.

62 UN Charter, Art. 2(4).

63 See Jean-Marie Henckaerts and Louise Doswald-Beck (eds), Customary International Humanitarian Law, Vol. 1: Rules, Cambridge University Press, Cambridge, 2005 (ICRC Customary Law Study), Rules 70, 71, available at: https://ihl-databases.icrc.org/customary-ihl/eng/docs/v1_rul.

64 The principles and rules regulating the conduct of hostilities are highlighted further below, under the section entitled “The Limits that IHL Imposes on the Use of Cyber Capabilities during Armed Conflicts”.

65 UNGA Res. 73/27, above note 15.

66 The proposed International Code of Conduct for Information Security is available at: http://nz.chineseembassy.org/eng/zgyw/t858978.htm. It was submitted by China, Russia, Tajikistan and Uzbekistan in 2011, and co-sponsored by Kazakhstan and Kyrgyzstan in 2013 (see UN Doc. A/68/98, above note 48, p. 8, para. 18). Similarly, in 2011 the Ministry of Foreign Affairs of the Russian Federation presented a draft Convention on International Information Security (22 September 2011, available at: www.mid.ru/en/foreign_policy/official_documents/-/asset_publisher/CptICkB6BZ29/content/id/191666) which lists among the “Main Measures for Averting Military Conflict in the Information Space” that States shall “take action aimed at limiting the proliferation of ‘information weapons’ and the technology for their creation” (Art. 6(10)). Its Article 7(2) also foresees that “[i]n any international conflict, the right of the States Parties that are involved in the conflict to choose the means of ‘information warfare’ is limited by applicable norms of international humanitarian law”.

67 Among many others, Pascucci, for instance, has suggested that the negotiation of an Additional Protocol IV could enable some of the issues raised by the application of the principle of distinction and proportionality in cyberspace to be addressed: Peter Pascucci, “Distinction and Proportionality in Cyberwar: Virtual Problems with a Real Solution”, Minnesota Journal of International Law, Vol. 26, No. 2, 2017. Schmitt, meanwhile, has put forward proposals in terms of policies that States could adopt: Michael N. Schmitt, “Wired Warfare 3.0: Protecting the Civilian Population during Cyber Operations”, International Review of the Red Cross, Vol. 101, No. 910, 2019, pp. 333–355.

68 For an illustration of these debates, see “Scenario 13: Cyber Operations as a Trigger of the Law of Armed Conflict”, in Kubo Mačák, Tomáš Minárik and Taťána Jančárková (eds), Cyber Law Toolkit, available at: https://cyberlaw.ccdcoe.org/.

69 See ICRC, Commentary on the First Geneva Convention: Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field, 2nd ed., Geneva, 2016 (ICRC Commentary on GC I), para. 254; Tallinn Manual 2.0, above note 13, Rule 80.

70 See references in note 2 above.

71 Geneva Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field of 12 August 1949, 75 UNTS 31 (entered into force 21 October 1950) (GC I); Geneva Convention (II) for the Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea of 12 August 1949, 75 UNTS 85 (entered into force 21 October 1950) (GC II); Geneva Convention (III) relative to the Treatment of Prisoners of War of 12 August 1949, 75 UNTS 135 (entered into force 21 October 1950) (GC III); Geneva Convention (IV) relative to the Protection of Civilian Persons in Time of War of 12 August 1949, 75 UNTS 287 (entered into force 21 October 1950) (GC IV).

72 Common Article 2(1): “[T]he present Convention shall apply to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties, even if the state of war is not recognized by one of them.” Common Article 3(1): “In the case of armed conflict not of an international character occurring in the territory of one of the High Contracting Parties …”

73 International Criminal Tribunal for the former Yugoslavia (ICTY), The Prosecutor v. Duško Tadić, Case No. IT-94-1, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, 2 October 1995, para. 70; ICRC Commentary on GC I, above note 69, para. 218.

74 Similarly, if the resort to armed force leads, for example, to injuries or the capture of a member of another State's armed forces, IHL rules on the protection of the wounded and sick or the status and treatment of prisoners of war are relevant whether there is one or many prisoners, one or many wounded to be cared for. See ICRC Commentary on GC I, above note 69, paras 236–244.

75 Tallinn Manual 2.0, above note 13, Rule 82, para. 16.

76 ICRC Commentary on GC I, above note 69, paras 253–256.

77 French Ministry of the Armies, International Law Applied to Operations in Cyberspace, 2019, p. 12, available at: www.defense.gouv.fr/content/download/567648/9770527/file/international+law+applied+to+operations+in+cyberspace.pdf. This document specifies that “[w]hile an armed conflict consisting exclusively of digital activities cannot be ruled out in principle, it is based on the capacity of autonomous cyberoperations to reach the threshold of violence required to be categorised as such”.

78 Tallinn Manual 2.0, above note 13, Rule 82, paras 11–16; as can be seen from paras 12–13, the question is not fully settled for kinetic operations either, and this uncertainty will permeate the debate on whether cyber operations alone can cross the threshold of an international armed conflict beyond the cyber-specific issues.

79 ICRC Commentary on GC I, above note 69, para. 255; Tallinn Manual 2.0, above note 13, Rule 82, para. 11.

80 ICTY, Tadić, above note 73, para. 70.

81 ICRC Commentary on GC I, above note 69, para. 437; Tallinn Manual 2.0, above note 13, Rule 83, paras 13–15. For an in-depth analysis of the issue, see Tilman Rodenhäuser, Organizing Rebellion: Non-State Armed Groups under International Humanitarian Law, Human Rights Law, and International Criminal Law, Oxford University Press, Oxford, 2018, pp. 104–108.

82 ICRC Commentary on GC I, above note 69, paras 236–244.

83 Ibid., para. 437. For further discussion, see Tallinn Manual 2.0, above note 13, Rule 83, paras 7–10; Droege, Cordula, “Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians”, International Review of the Red Cross, Vol. 94, No. 886, 2012, p. 551; Schmitt, Michael N., “Classification of Cyber Conflict”, Journal of Conflict and Security Law, Vol. 17, No. 2, 2012, p. 260.

84 French Ministry of the Armies, above note 77, p. 12.

85 New Zealand Defence Force, Manual of Armed Forces Law, Vol. 4: Law of Armed Conflict, 2nd ed., DM 69, 2017 (New Zealand Military Manual), para. 5.2.23, available at: www.nzdf.mil.nz/assets/Publications/DM-69-2ed-vol4.pdf.

86 Paul C. Ney Jr., US Department of Defence General Counsel, Remarks at US Cyber Command Legal Conference, 2 March 2020, available at: www.defense.gov/Newsroom/Speeches/Speech/Article/2099378/dod-general-counsel-remarks-at-us-cyber-command-legal-conference/.

87 See US Department of Defense (DoD), Directive 2311.01E, “DoD Law of War Program”, 2006 (amended 2011), paras 4–4.1: “It is DoD policy that … [m]embers of the DoD Components comply with the law of war during all armed conflicts, however such conflicts are characterized, and in all other military operations” (emphasis added). See also US Department of Defense (DoD), Law of War Manual, 2015 (DoD Law of War Manual), para. 3.1.1.2, available at: https://tinyurl.com/y6f7chxo.

88 Russia, “Commentary of the Russian Federation on the Initial ‘Pre-draft’ of the Final Report of the United Nations Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security”, April 2020, available at: https://front.un-arm.org/wp-content/uploads/2020/04/russian-commentary-on-oweg-zero-draft-report-eng.pdf.

89 For a brief assessment, see ICRC Challenges Report 2019, above note 36, pp. 18–22.

90 See Oliver Dörr and Albrecht Randelzhofer, “Article 2(4)”, in Bruno Simma et al. (eds), The Charter of the United Nations: A Commentary, Vol. 1, Oxford University Press, Oxford, 2016, paras 17–20 of the commentary on Art. 2(4). Accordingly, experts have concluded that “neither non-destructive cyber psychological operations intended solely to undermine confidence in a government, nor a State's prohibition of e-commerce with another State designed to cause negative economic consequences, qualify as uses of force”: Tallinn Manual 2.0, above note 13, para. 3 of the commentary on Rule 69.

91 O. Dörr and A. Randelzhofer, above note 90, p. 208, para. 16.

92 ICJ, above note 46, para. 39.

93 French Ministry of the Armies, above note 77, p. 7. See also Tallinn Manual 2.0, above note 13, para. 1 of the commentary on Rule 69.

94 See Estonia, “President of the Republic at the Opening of CyCon 2019”, 29 May 2019, available at: www.president.ee/en/official-duties/speeches/15241-president-of-the-republic-at-the-opening-of-cycon-2019/index.html. Australian Department of Foreign Affairs and Trade, “Australia's International Cyber Engagement Strategy”, 2019, available at: www.dfat.gov.au/international-relations/themes/cyber-affairs/Pages/australias-international-cyber-engagement-strategy.

95 DoD Law of War Manual, above note 87, para. 16.3.1.

96 French Ministry of the Armies, above note 77, p. 7. Examples that France provides of actions that could “be deemed uses of force” are “penetrating military systems in order to compromise French defence capabilities, or financing or even training individuals to carry out cyberattacks against France”.

97 Dutch Ministry of Foreign Affairs, “Letter to the Parliament on the International Legal Order in Cyberspace”, 5 July 2019, p. 4, available at: www.government.nl/ministries/ministry-of-foreign-affairs/documents/parliamentary-documents/2019/09/26/letter-to-the-parliament-on-the-international-legal-order-in-cyberspace; French Ministry of the Armies, above note 77, p. 7. For a recent overview of States’ positions, see Przemysław Roguski, Application of International Law to Cyber Operations: A Comparative Analysis of States’ Views, Policy Brief, Hague Program for Cyber Norms, 2020. For an illustration of these debates, see, for example, Kenneth Kraszewski, “Scenario 14: Ransomware Campaign”, in K. Mačák, T. Minárik and T. Jančárková (eds), above note 68, paras L5–L13.

98 ICJ, Case Concerning Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Judgment, 27 June 1986, paras 191, 195.

99 This view is not, however, accepted by all States. For instance, the United States considers that any use of force is an armed attack.

100 Tallinn Manual 2.0, above note 13, para. 4 of the commentary on Rule 71.

101 Dutch Ministry of Foreign Affairs, above note 97, p. 4; French Ministry of the Armies, above note 77, p. 7.

102 H. Durham, above note 25.

103 For an examination of the technical challenges for attributing cyber attacks to specific actors, see Vitaly Kamluk, “Know Your Enemy and Know Yourself: Attribution in the Cyber Domain”, Humanitarian Law and Policy Blog, 3 June 2019, available at: https://blogs.icrc.org/law-and-policy/2019/06/03/know-your-enemy-know-yourself-cyber-domain-attribution/.

104 ICRC Challenges Report 2011, above note 43, p. 36.

105 ICRC, above note 1, p. 9.

106 Ibid.

107 See ICRC Customary Law Study, above note 63, Rule 149. See also International Law Commission, Responsibility of States for Internationally Wrongful Acts, 2001, in particular Arts 4–11.

108 ICRC, above note 1, p. 9; Tallinn Manual 2.0, above note 13, Rules 15–17. For a different view, see the Chinese submission on the initial pre-draft of the report of the OEWG, which states that with regard to “state responsibility, which, unlike the law of armed conflicts or human rights, has not yet gained international consensus, there is no legal basis at all for any discussion on its application in cyberspace”. Comments by China on the initial pre-draft of the OEWG report, available at: www.un.org/disarmament/open-ended-working-group/.

109 Similarly, the DoD Law of War Manual, above note 87, para. 16.6, concludes: “For example, a destructive computer virus that was programmed to spread and destroy uncontrollably within civilian internet systems would be prohibited as an inherently indiscriminate weapon.”

110 Yves Sandoz, Christophe Swinarski and Bruno Zimmerman (eds.), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949, ICRC, Geneva, 1987 (ICRC Commentary on the APs), para. 1963.

111 Protocol Additional (I) to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts, 1125 UNTS 3, 8 June 1977 (entered into force 7 December 1978) (AP I), Art. 51(4)–(5); ICRC Customary Law Study, above note 63, Rules 11, 14.

112 See AP I, Art. 52; ICRC Customary Law Study, above note 63, Rules 7–10.

113 See AP I, Art. 54(c); ICRC Customary Law Study, above note 63, Rule 11.

114 See AP I, Art. 51(5)(b); ICRC Customary Law Study, above note 63, Rule 14.

115 See AP I, Art. 57(1); ICRC Customary Law Study, above note 63, Rule 15.

116 See C. Droege, above note 83, p. 557; William H. Boothby, The Law of Targeting, Oxford University Press, Oxford, 2012, p. 384. As Droege points out, “it is uncontroversial that the use of biological, chemical, or radiological agents would constitute an attack, even though the attack does not involve physical force”.

117 Tallinn Manual 2.0, above note 13, Rule 92.

118 See ICRC, International Humanitarian Law and the Challenges of Contemporary Armed Conflicts, Geneva, 2015 (ICRC Challenges Report 2015), pp. 41–42, available at: www.icrc.org/en/download/file/15061/32ic-report-on-ihl-and-challenges-of-armed-conflicts.pdf; Tallinn Manual 2.0, above note 13, Rule 92. For States that have taken a view on how the notion of attack under IHL applies to cyber operations, see, in particular, Australian Department of Foreign Affairs and Trade, above note 94, Annex A; Danish Ministry of Defence, Military Manual on International Law Relevant to Danish Armed Forces in International Operations, 2016 (Danish Military Manual), pp. 290–291, available at: www2.forsvaret.dk/omos/publikationer/Documents/Military%20Manual%20updated%202020.pdf; French Ministry of the Armies, above note 77, p. 13; Norway, Manual i krigens folkerett, 2013 (Norwegian Military Manual), para. 9.54, available at: https://fhs.brage.unit.no/fhs-xmlui/bitstream/handle/11250/194213/manual_krigens_folkerett.pdf?sequence=1&isAllowed=y; New Zealand Military Manual, above note 85, para 8.10.17; DoD Law of War Manual, above note 87, para. 16.5.1.

119 Danish Military Manual, above note 118, p. 677 (when discussing computer network attacks); New Zealand Military Manual, above note 85, para 8.10.22; Norwegian Military Manual, above note 118, para. 9.54.

120 ICRC, above note 1, p. 7.

121 See, for instance, Tallinn Manual 2.0, above note 13, commentary on Rule 92, paras 10–12.

122 See ICRC Challenges Report 2015, above note 119, pp. 41–42. See also Tallinn Manual 2.0, above note 13, para. 12 of the commentary on Rule 92.

123 Vienna Convention on the Law of Treaties, Art. 31(1).

124 Knut Dörmann, “Applicability of the Additional Protocols to Computer Network Attacks”, 2004, p. 4, available at: www.icrc.org/en/doc/assets/files/other/applicabilityofihltocna.pdf; C. Droege, above note 83, p. 559. For a different view, see Schmitt, Michael N., “Cyber Operations and the Jus in Bello: Key Issues”, International Law Studies, Vol. 87, 2011, pp. 95–96; Dinniss, Heather Harrison, Cyber Warfare and the Laws of War, Cambridge University Press, Cambridge, 2012, p. 198.

125 In the same sense, see also M. N. Schmitt, above note 67, p. 339.

126 Roscini, Marco, Cyber Operations and the Use of Force in International Law, Oxford University Press, Oxford, 2014, p. 181. See also Fleck, Dieter, “Searching for International Rules Applicable to Cyber Warfare – A Critical First Assessment of the New Tallinn Manual”, Journal of Conflict and Security Law, Vol. 18, No. 2, 2013, p. 341: “It would, indeed, be less than convincing to insist that the term ‘attacks’ should be limited to acts directly causing injury or physical destruction, when the same action can, eg lead to disrupt [sic] essential supplies for hospitals or other important civilian infrastructure.”

127 Australian Department of Foreign Affairs and Trade, above note 94, Annex A.

128 OAS, above note 22, para. 43.

129 Danish Military Manual, above note 118, p. 290. The Manual specifies with regard to computer network attacks and operations that “[t]his means, for instance, that network-based operations must be regarded as attacks under IHL if the consequence is that they cause physical damage”. Ibid., p. 291.

130 United States Submission to the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, 2014–15, p. 5.

131 See also DoD Law of War Manual, above note 87, paras 16.5.1, 16.5.2.

132 Gary Brown and Kurt Sanger, “Cyberspace and the Law of War”, Cyber Defense Review, 6 November 2015, available at: https://cyberdefensereview.army.mil/CDR-Content/Articles/Article-View/Article/1136032/cyberspace-and-the-law-of-war/.

133 For example, a distributed denial-of-service (DDoS) attack where the targeted network or system would automatically get back to operating normally when the attacker ends the DDoS attack and where no other indirect effect would have been caused during the time that the network or system was affected.

134 Laurent Gisel, “The Use of Cyber Technology in Warfare: Which Protection Does IHL afford and Is It Sufficient?”, in G. Venturini and G. L. Beruto (eds), above note 7.

135 For example, Michael Lewis discusses the practice of conducting bridge attacks longitudinally during the 1991 Gulf War, and, inter alia, notes that “damage to the bridge would be nearer midspan and therefore more easily repaired”, without claiming that this quality would prevent the operation from qualifying as an attack. See Lewis, Michael, “The Law of Aerial Bombardment in the 1991 Gulf War”, American Journal of International Law, Vol. 97, No. 3, 2003, p. 501.

136 French Ministry of the Armies, above note 77, p. 13.

137 M. N. Schmitt, above note 52. In the same sense, see W. H. Boothby, above note 116, p. 386.

138 OAS, above note 22, para. 43.

139 Ecuador specified that “[a] cyber operation can qualify as an attack if it renders inoperable a state's critical infrastructure or others that endanger the security of the state”. Ibid., para. 44.

140 Bolivia suggested that a cyber operation “could be considered an attack when its objective is to disable a state's basic services (water, electricity, telecommunications, or the financial system)”; Guyana suggested that “cyber operations that undermine the functioning of computer systems and infrastructure needed for the provision of services and resources to the civilian population constitute an attack”, among which it included “nuclear plants, hospitals, banks, and air traffic control systems”. Ibid., paras 44–45.

141 ICRC Challenges Report 2015, above note 118, pp. 41–42; C. Droege, above note 83, p. 560.

142 See discussion in the above section entitled “IHL Rules Protecting Objects Indispensable to the Survival of the Civilian Population”.

143 AP I, Art. 54; Protocol Additional (II) to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of Non-International Armed Conflicts, 1125 UNTS 609, 8 June 1977 (entered into force 7 December 1978) (AP II), Art. 14; ICRC Customary Law Study, above note 63, Rule 54.

144 See Tallinn Manual 2.0, above note 13, paras 6–7 of the commentary on Rule 100. For academic discussion, see Israel Law Review, Vol. 48, No. 1, pp. 39–132; M. N. Schmitt, above note 67.

145 For an illustration of this debate, see “Scenario 12: Cyber Operations against Computer Data”, in K. Mačák, T. Minárik and T. Jančárková (eds), above note 68.

146 The Oxford Dictionary defines an object as “a material thing that can be seen and touched”. Recalling the ordinary meaning of the word object, the 1987 ICRC Commentary on the Additional Protocols describes an object as “something that is visible and tangible”. ICRC Commentary on the APs, above note 110, para. 2008. See also Tallinn Manual 2.0, above note 13, para. 6 of the commentary on Rule 100. It is interesting to note here that today, the Oxford Dictionary includes a specific definition of objects for computing: “A data construct that provides a description of anything known to a computer (such as a processor or a piece of code) and defines its method of operation.”

147 See also International Law Association (ILA) Study Group on the Conduct of Hostilities in the 21st Century, “The Conduct of Hostilities and International Humanitarian Law: Challenges of 21st Century Warfare”, International Law Studies, Vol. 93, 2017 (ILA Report), pp. 338–339.

148 Kubo Mačák, “Military Objectives 2.0: The Case for Interpreting Computer Data as Objects under International Humanitarian Law”, Israel Law Review, Vol. 48, No. 1, 2015, p. 80; Robert McLaughlin, “Data as a Military Objective”, Australian Institute of International Affairs, 20 September 2018, available at: www.internationalaffairs.org.au/australianoutlook/data-as-a-military-objective/.

149 Under the proposed distinction, content-level data would include data “such as the text of this article, or the contents of medical databases, library catalogues and the like”, whereas operational-level data would describe “essentially the ‘soul of the machine’”, meaning the “type of data that gives hardware its functionality and ability to perform the tasks we require”. Dinniss, Heather Harrison, “The Nature of Objects: Targeting Networks and the Challenge of Defining Cyber Military Objectives”, Israel Law Review, Vol. 48, No. 1, 2015, p. 41.

150 Ibid., p. 54.

151 Schmitt therefore argues that as a matter of policy, States should “accord special protection to certain ‘essential civilian functions or services’ by committing to refrain from conducting cyber operations against civilian infrastructure or data that interfere with them”. M. N. Schmitt, above note 67, p. 342.

152 ICRC Challenges Report 2015, above note 118, p. 43.

153 ICRC Challenges Report 2019, above note 36, p. 21.

154 ICRC, above note 1, p. 8. See also P. Pascucci, above note 67, who notes that the position adopted by the majority of the experts in the Tallinn Manual with regard to data creates a “seemingly expansive gap in what constitutes an object”, and later argues that “[i]t is unrealistic in an information age for data to fall outside the scope of constituting an object, thus failing to receive IHL protection associated with the principles of distinction and proportionality”.

155 Danish Military Manual, above note 118, p. 292.

156 Norwegian Military Manual, above note 118, para. 9.58.

157 French Ministry of the Armies, above note 77, p. 14.

158 OAS, above note 22, para. 49, fn. 115.

159 Ibid., para. 48.

160 See AP I, Art. 52. ICRC Customary Law Study, above note 63, Rules 7–10.

161 See AP I, Arts 51(4), 57(2)(a)(ii); ICRC Customary Law Study, above note 63, Rules 12–17.

162 See Tallinn Manual 2.0, above note 13, Rule 112, which derives from the prohibition on area bombardment found in Article 51(5)(a) of AP I and customary IHL (see ICRC Customary Law Study, above note 63, Rule 13).

163 While acknowledging that the other view also exists, the ILA Study Group on the Conduct of hostilities deemed this “the better view” based on State practice, official documents and doctrine: see ILA Report, above note 147, pp. 336–337. See also ICRC, International Expert Meeting Report: The Principle of Proportionality in the Rules Governing the Conduct of Hostilities under International Humanitarian Law, Geneva, 2018, p. 39, available at www.icrc.org/en/document/international-expert-meeting-report-principle-proportionality; Helen Durham, Keynote Address, in Edoardo Greppi (ed.), Conduct of Hostilities: The Practice, the Law and the Future, 37th Round Table on Current Issues of International Humanitarian Law, International Institute of Humanitarian Law, Sanremo, 2015, p. 31.

164 This was reportedly done in the 2015 cyber operations against the electricity grid in Ukraine. See Kim Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid”, Wired, 3 March 2016, available at: www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/.

165 AP I, Art. 57(2)(a)(ii); ICRC Customary Law Study, above note 63, Rule 17.

166 See ILA Report, above note 147, p. 384.

167 While military considerations might include the “fragility” of cyber means and methods, this is not the only relevant factor determining feasibility. It is not possible to rule out that it is feasible, and therefore required, to use cyber operations to avoid or minimize incidental civilian harm on the sole basis that the cyber means or methods used are “fragile”, without looking at the entirety of the situation, including all relevant humanitarian considerations.

168 See GC III, Art. 23; GC IV, Art. 28; AP I, Arts 3, 39, 44, 51, 56–60; AP II, Art. 13.

169 See also AP I, Art. 58; AP II, Art. 13(1).

170 See also ICRC Customary Law Study, above note 63, Rule 15; Tallinn Manual 2.0, above note 13, Rule 114.

171 An interpretation that assimilates the notions of “operation” and “attack” would deprive the rules applying to “operations” of meaningful content and render them essentially superfluous. See C. Droege, above note 83, p. 556.

172 ICRC Commentary on the APs, above note 110, paras 2191, 1936, 1875. In the same vein, see Michael Bothe, Karl Josef Partsch and Waldemar A. Solf, New Rules for Victims of Armed Conflict: Commentary on the Two 1977 Protocols Additional to the Geneva Conventions of 1949, Martinus Nijhoff, Leiden, 2013, para. 2.2.3 on Art. 48, para. 2.8.2 on Art. 57; UK Ministry of Defence, The Joint Service Manual of the Law of Armed Conflict, Joint Service Publication 383, 2004 (UK Military Manual), para 5.32, fn. 187; ILA Report, above note 147, p. 380. The HPCR Manual on International Law Applicable to Air and Missile Warfare (Program on Humanitarian Policy and Conflict Research, Harvard University, 2009) applies the constant care obligation to “air or missile combat operations” (Rule 34), a notion broader than “attack” that includes, inter alia, refuelling, jamming of enemy radars, use of airborne warning systems and dropping an airborne force (commentary on Rule 1(c), para. 3). See also Neuman, Noam, “A Precautionary Tale: The Theory and Practice of Precautions in Attack”, Israel Yearbook on Human Rights, Vol. 48, 2018, p. 28; Quéguiner, Jean-François, “Precautions under the Law Governing the Conduct of Hostilities”, International Review of the Red Cross, Vol. 88, No. 864, 2006, p. 797; Chris Jenks and Rain Liivoja, “Machine Autonomy and the Constant Care Obligation”, Humanitarian Law and Policy, 11 December 2018, available at: https://blogs.icrc.org/law-and-policy/2018/12/11/machine-autonomy-constant-care-obligation/. Specifically with regard to cyber operations, see Tallinn Manual 2.0, above note 13, para. 2 of the commentary on Rule 114 (noting that the notion of hostilities, to which it applies the constant care obligation, is broader than the notion of attacks); H. Harrison Dinniss, above note 124, p. 199. For a different view at least with regard to the principle of distinction, see M. Roscini, above note 127, p. 178.

173 French Ministry of the Armies, above note 77, p. 15.

174 UK Military Manual, above note 172, para. 5.32.1; Tallinn Manual 2.0, above note 13, para. 4 of the commentary on Rule 114; Fleck, Dieter, The Handbook of International Humanitarian Law, 3rd ed., Oxford University Press, Oxford, 2013, p. 199; N. Neuman, above note 172, pp. 28–29.

175 ILA Report, above note 147, p. 381.

176 Tallinn Manual 2.0, above note 13, para. 4 of the commentary on Rule 114.

177 M. Bothe, K. J. Partsch and W. A. Solf, above note 172.

178 M. Roscini, above note 126, p. 178. See also, though expressed under customary law, Tallinn Manual 2.0, above note 13, para. 5 of the commentary on Rule 93; Michael N. Schmitt, “‘Attack’ as a Term of Art in International Law: The Cyber Operations Context”, in Christian Czosseck, Rain Ottis and Katharina Ziolkowski (eds), 4th International Conference on Cyber Conflict: Proceedings, NATO CCD COE Publications, Tallinn, 2012, pp. 283–293, 289–290.

179 Norwegian Military Manual, above note 118, para. 9.57. See also DoD Law of War Manual, above note 87, para. 16.5.2.

180 H. Harrison Dinniss, above note 124, p. 199.

181 See also C. Droege, above note 83, p. 556.

182 See, for example, US DoD, Cyberspace Operations, Joint Publication 3-12, 8 June 2018, p. xii: “Movement and Maneuver. Cyberspace operations enable force projection without the need to establish a physical presence in foreign territory. Maneuver in the DODIN [Department of Defense Information Network] or other blue [friendly] cyberspace includes positioning of forces, sensors, and defenses to best secure areas of cyberspace or engage in defensive actions as required. Maneuver in gray [neutral] and red [enemy] cyberspace is a cyberspace exploitation action and includes such activities as gaining access to adversary, enemy, or intermediary links and nodes and shaping this cyberspace to support future actions.”

183 L. Gisel and L. Olejnik (eds), above note 11, p. 57.

184 Compare with H. Harrison Dinniss, above note 124, p. 201.

185 The experts who drafted the Tallinn Manual discussed whether disrupting all email communications throughout a country during an armed conflict would amount to an attack – a narrower notion than military operations. While a minority held the view that the international community would generally regard such an operation as an attack, the majority held the view that IHL did not presently extend this far, but nevertheless considered that there was logic in characterizing these operations as attacks. Tallinn Manual 2.0, above note 13, para. 13 of the commentary on Rule 92.

186 C. Droege, above note 83, p. 556.

187 ICRC Challenges Report 2019, above note 36, pp. 28–29.

188 DoD Law of War Manual, above note 87, para. 16.5.1.

189 Ibid., para. 16.5.2.

190 Australian Department of Foreign Affairs and Trade, above note 94, p. 4.

191 M. N. Schmitt, above note 67, p. 347: “States would commit, as a matter of policy, to refraining from conducting cyber operations to which the IHL rules governing attacks do not apply when the expected concrete negative effects on individual civilians or the civilian population are excessive relative to the concrete benefit related to the conflict that is anticipated to be gained through the operation.”

192 See AP I, Art. 54(2); AP II, Art. 14; ICRC Customary Law Study, above note 63, Rule 54.

193 AP I, Art. 54(2).

194 Tallinn Manual 2.0, above note 13, para. 5 of the commentary on Rule 141.

195 ICRC Commentary on the APs, above note 110, paras 2101, 2103.

196 See, for instance, GC I, Art. 19; GC II, Art. 12; GC IV, Art. 18; AP I, Art. 12; AP II, Art. 11; ICRC Customary Law Study, above note 63, Rules 25, 28, 29; Tallinn Manual 2.0, above note 13, Rules 131–132. Protection of medical facilities and personnel ceases only if they commit, or are used to commit, outside their humanitarian duties, acts harmful to the enemy. Protection may, however, cease only after a due warning has been given, naming, in all appropriate cases, a reasonable time limit, and after such warning has remained unheeded. See GC I, Art. 21; GC II, Art. 34; GC IV, Art. 19; AP I, Art. 13; AP II, Art. 11(2); ICRC Customary Law Study, above note 63, Rules 25, 28, 29; Tallinn Manual 2.0, above note 13, Rule 134.

197 ICRC Commentary on the APs, above note 110, para. 517. See also ICRC Commentary on GC I, above note 69, para. 1799; Oxford Statement, above note 32, point 5 (“During armed conflict, international humanitarian law requires that medical units, transport and personnel must be respected and protected at all times. Accordingly, parties to armed conflicts: must not disrupt the functioning of health-care facilities through cyber operations; must take all feasible precautions to avoid incidental harm caused by cyber operations, and; must take all feasible measures to facilitate the functioning of health-care facilities and to prevent their being harmed, including by cyber operations”); Tallinn Manual 2.0, above note 13, para. 5 of the commentary on Rule 131 (“For instance, this Rule [Rule 131, which states that “[m]edical and religious personnel, medical units, and medical transports must be respected and protected and, in particular, may not be made the object of cyber attack”] would prohibit altering data in the Global Positioning System of a medical helicopter in order to misdirect it, even though the operation would not qualify as an attack on a medical transport”).

198 ICRC Commentary on the APs, above note 110, para. 1804.

199 See ICRC Challenges Report 2015, above note 118, p. 43.

200 See L. Gisel and L. Olejnik (eds), above note 11, p. 36, discussing the hypothetical of hacking into the medical or administrative records of a medical facility in order to gain knowledge of an enemy commander's medical appointment so as to locate him in order to capture or kill him on the way to or back from the medical facility. This could indeed unduly impede the facility's medical functioning and hinder the ability of health-care professionals to uphold their ethical duty of preserving medical confidentiality. The Tallinn Manual 2.0, above note 13, para. 2 of the commentary on Rule 132, proposes the following as an example of an operation that would not violate IHL: “non-damaging cyber reconnaissance to determine whether the medical facility or transports (or associated computers, computer networks, and data) in question are being misused for militarily harmful acts”.

201 Tallinn Manual 2.0, above note 13, para. 3 of the commentary on Rule 132.

202 ICRC Commentary on GC I, above note 69, paras 1805–1808; Tallinn Manual 2.0, above note 13, para. 6 of the commentary on Rule 131.

203 AP I, Arts 70(4), 71(2); ICRC Customary Law Study, above note 63, Rules 31, 32.

204 ICRC Commentary on GC I, above note 69, paras 1358, 1799.

205 See, for instance, GC IV, Art. 59; AP I, Arts 69–70; ICRC Customary Law Study, above note 63, Rule 55.

206 Tallinn Manual 2.0, above note 13, para. 4 of the commentary on Rule 80.

207 For further discussion, see Tilman Rodenhäuser, “Hacking Humanitarians? IHL and the Protection of Humanitarian Organizations against Cyber Operations”, EJIL: Talk!, 16 March 2020, available at: www.ejiltalk.org/hacking-humanitarians-ihl-and-the-protection-of-humanitarian-organizations-against-cyber-operations/.

208 AP I, Art. 81. Such data include, for example, those needed to establish tracing agencies to collect information on persons reported missing in the context of an armed conflict, or those collected by the ICRC when visiting and interviewing detainees without witnesses.

209 AP I, Art. 36.

210 See common Article 1; ICRC Customary Law Study, above note 63, Rule 139.

211 ICRC, A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977, Geneva, 2006, p. 1.

212 Ibid., pp. 22–23.

213 See ICRC Customary Law Study, above note 63, Rule 71. For an illustration of some of the issues raised by the legal review of cyber weapons, see “Scenario 10: Cyber Weapons Review”, in K. Mačák, T. Minárik and T. Jančárková (eds), above note 68.

214 Biller, Jeffrey T. and Schmitt, Michael N., “Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare”, International Law Studies, Vol. 95, 2019, p. 219.

215 For example, while the US DOD had the policy of carrying out legal review of weapons, including weapons that employ cyber capabilities (DoD Law of War Manual, above note 87, para 16.6), the relevant US Air Force instruction mandates the review of weapons and cyber capabilities: US Department of the Air Force, Legal Reviews of Weapons and Cyber Capabilities, Air Force Instruction 51-402, 27 July 2011.

216 ICRC, above note 211, p. 10.

217 Gary D. Brown and Andrew O. Metcalf, “Easier Said than Done: Legal Reviews of Cyber Weapons”, Journal of National Security Law and Policy, Vol. 7, 2014, p. 133.

218 This has been proposed in the introductory remarks delivered by Helen Durham, Director of International Law and Policy of the ICRC, during the 22 January 2019 public hearing conducted by the Global Commission on the Stability of Cyberspace (statement on file with the ICRC).

219 ICRC Challenges Report 2019, above note 36, p. 35.