Article contents
Cyber Warfare: Applying the Principle of Distinction in an Interconnected Space
Published online by Cambridge University Press: 30 October 2012
Abstract
While the rules of the jus in bello are generally operative in cyberspace, it appears to be problematic to apply the fundamental principle of distinction because of the systemic interconnection of military and civilian infrastructure in the cyber realm. In this regard, the application of the accepted legal definition of military objectives will make various components of the civilian cyber infrastructure a legitimate military objective. In order to avoid serious repercussions for the civilian population that might follow from this inherent interconnectedness, different concepts are analysed that could provide potential solutions for a clearer separation of legitimate military targets and protected civilian installations and networks. The approaches discussed range from the exemption of central cyber infrastructure components that serve important civilian functions, to the creation of ‘digital safe havens’ and possible precautionary obligations regarding the segregation of military and civilian networks. As a solution, the authors propose a dynamic interpretation of the wording ‘damage to civilian objects’ within the principle of proportionality of Article 51(5)(b) of Additional Protocol I, an interpretation that would comprise the degradation of the functionality of systems that serve important civilian functions.
Keywords
- Type
- Articles
- Information
- Copyright
- Copyright © Cambridge University Press and The Faculty of Law, The Hebrew University of Jerusalem 2012
References
1 ‘[C]yberspace is now as relevant a domain for DoD [Department of Defence] activities as the naturally occurring domains of land, sea, air, and space. There is no exaggerating our dependence on DoD's information networks for command and control of our forces, the intelligence and logistics on which they depend, and the weapons technologies we develop in the field’: United States Dept of Defense, ‘Quadrennial Defense Review Report’ (February 2010, 37), http://www.defense.gov/qdr/.
As far as the Chinese position is concerned, the US-China Economic and Security Review Commission has held that ‘PLA [People's Liberation Army] leaders have embraced the idea that successful war fighting is predicated on the ability to exert control over an adversary's information and information systems, often pre-emptively. This goal has effectively created a new strategic and tactical high ground, occupying which has become just as important for controlling the battle space as its geographic equivalent in the physical domain’: US-China Economic and Security Review Commission, ‘Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage’ (7 March 2012, 9), http://www.uscc.gov/RFP/2012/USCC%20Report_Chinese_CapabilitiesforComputer_NetworkOperationsandCyberEspionage.pdf.
2 Report of the US-China Economic and Security Review Commission, ibid 15.
3 Cordula Dröge, ‘No Legal Vacuum in Cyberspace’ (online interview, 16 August 2011), http://www.icrc.org/eng/resources/documents/interview/2011/cyber-warfare-interview-2011-08-16.htm.
4 Protocol Additional to the Geneva Conventions of 12 August 1949 and relating to the Protection of Victims of International Armed Conflicts (entered into force 7 December 1978) 1125 UNTS 3 (Additional Protocol I).
5 Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion [1996] ICJ Rep 226.
6 See Michael N Schmitt, ‘Cyber Operations and the Jus in Bello’ (2011) 41 Israel Yearbook on Human Rights 113; Michael N Schmitt, ‘Wired Warfare: Computer Network Attack and Jus in Bello’ (2002) 84 International Review of the Red Cross 365; Knut Dörmann, ‘Applicability of the Additional Protocols to Computer Network Attacks’ (International Expert Conference on Computer Network Attacks and the Applicability of International Humanitarian Law, Stockholm, September 2004), http://www.icrc.org/eng/assets/files/other/applicabilityofihltocna.pdf; Jenny Döge, ‘Cyber-Warfare: Challenges for the Applicability of the Traditional Laws of War Regime’ (2010) 48 Archiv des Völkerrechts 486.
7 Robin Geiß, ‘The Conduct of Hostilities in and via Cyberspace’, ASIL Proceedings 104th Annual Meeting, 2010; Schmitt, ‘Wired Warfare’ (n 6) 365.
8 Report of the Secretary-General, Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc A/66/152, December 2011, 19.
9 cf Jakob Kellenberger, ‘International Humanitarian Law and New Weapon Technologies’ (Keynote address, 34th Round Table on Current Issues of International Humanitarian Law, San Remo, 8–10 September 2011), http://www.icrc.org/eng/resources/documents/statement/new-weapon-technologies-statement-2011-09-08.htm.
10 Eric Talbot Jensen, ‘Cyber Warfare and Precautions Against the Effects of Attacks’ (2010) 88 Texas Law Review 1522, 1542.
11 Additional Protocol I (n 4) art 52(2). Of course, the definition contained in art 52(2) of Additional Protocol I is two-pronged in that it not only requires that an object's use would make an effective contribution to military actions but that simultaneously the object's destruction, in the circumstances ruling at the time, would also offer a definite military advantage. However, in reality this second tier has rarely worked as an effective constraint given that typically the destruction of any object which makes an effective contribution to military action also offers a discernible military advantage.
12 But cf Kellenberger (n 9).
13 See Henry Shue and David Wippmann, ‘Limiting Attacks on Dual-Use Facilities Performing Indispensable Civilian Functions’ (2002) 35 Cornell International Law Journal 559.
14 cf Dröge (n 3).
15 Schmitt, ‘Wired Warfare’ (n 6) 365.
16 cf Report of the Secretary-General (n 8) 10.
17 Quadrennial Defense Review Report (n 1) 37.
18 cf Report of the US-China Economic and Security Review Commission (n 1).
19 ibid.
20 ‘By providing counterfeit hardware that already contains the Trojanized access built into the firmware or software, a foreign intelligence service or similarly sophisticated attacker has a greater chance of successfully penetrating these downstream supply chains’: Report of the US-China Economic and Security Review Commission (n 1) 11 ff.
21 Gaycken, Sandro, Cyberwar – Das Wettrüsten hat längst begonnen, Vom digitalen Angriff zum realen Ausnahmezustand (Goldmann 2012)Google Scholar.
22 A computer that has been turned into a so-called ‘bot’ can perform automated or remote-controlled tasks without the owner/user knowing it: http://www.microsoft.com/security/resources/botnet-whatis.aspx. See also Ralf Hund, Matthias Hamann and Thorsten Holz, ‘Towards Next-Generation Botnets’ (4th European Conference on Computer Network Defense (EC2ND 08)), http://www.ei.rub.de/media/emma/veroeffentlichungen/2010/08/05/rambot-ec2nd08.pdf.
23 The recent report of the US-China Economic and Security Review Commission cites the authors of the Peoples Liberation Army publication, ‘Information Confrontation Theory’, as stating that ‘information confrontation forces can potentially plant malicious software in enemy weapons systems that will remain dormant until they are employed; or pre-place malware on enemy information systems that will only activate at a preset time to destroy an enemy's C2 network or those circuits that control operation of railroads and military air routes, or divert trains to wrong routes to cause traffic jams’: Report of the US-China Economic and Security Review Commission (n 1) 26, 27, citing Zhengde, Wang, Shisong, Yang and Lin, Zhou (eds), Xinxi Duikang Lilun (PLA Information Engineering University/Military Science Publishing House 2007) 12Google Scholar.
24 ‘It is agreed that this definition has acquired the status of customary international law notwithstanding continuing controversy over its interpretation’: Henckaerts, Jean-Marie and Doswald-Beck, Louise (eds), Customary International Humanitarian Law, vol I: Rules (International Committee of the Red Cross and Cambridge University Press 2009) (ICRC Study) rule 8Google Scholar.
25 Jensen (n 10) 1542.
26 Sandoz, Yves, Swinarski, Christophe and Zimmermann, Bruno (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (International Committee of the Red Cross, Martinus Nijhoff 1987) (ICRC Commentary) 2022Google Scholar; Henderson, Ian, The Contemporary Law of Targeting: Military Objectives, Proportionality and Precautions in Attack under Additional Protocol I (Martinus Nijhoff 2002) 84Google Scholar.
27 Program on Humanitarian Policy and Conflict Research, ‘Commentary on the HPCR Manual on International Law Applicable to Air and Missile Warfare’ (version 2.1, March 2010, 107), http://ihlresearch.org/amw/Commentary%20on%20the%20HPCR%20Manual.pdf.
28 Dinstein, Yoram, The Conduct of Hostilities under the Law of International Armed Conflict (2nd edn, Cambridge University Press 2010) 99–100CrossRefGoogle Scholar.
29 Oeter, Stefan, ‘Methods and Means of Combat’ in Fleck, Dieter (ed), The Handbook of International Humanitarian Law (Oxford University Press 2008) 81–180Google Scholar.
30 See eg Dinstein (n 28) 94.
31 Commentary on the HPCR Manual (n 27) 49.
32 ibid 32.
33 Shue and Wippmann (n 13) 561.
34 ibid.
35 Dinstein (n 28) 90–91. For example, Dinstein asserts that deserted military barracks remain a military objective and thereby implicitly discards the situational relevance criterion suggested by Shue and Wippmann (n 13) 94.
36 Report of the US-China Economic and Security Review Commission (n 1) 42–43. See also Northrop Grumman, ‘Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation’ (Report prepared for the US-China Economic and Security Review Commission, 9 October 2009, 23), http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf.
37 ibid 110.
38 ibid 108: ‘Any civilian object may become a military objective through use, including those entitled to specific protection but abused by a Belligerent Party through military use. Even objects entitled to specific protection, such as medical units or cultural property can become military objectives if so used.’ See also Shue and Wippmann (n 13) 565.
39 Dinstein (n 28) 141.
40 On the Stuxnet attack, see Nicolas Falliere, Liam O Murchu and Eric Chien, ‘W32.Stuxnet Dossier’ (version 1.4, February 2011), http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.
41 Antonio Cassese, ‘Terrorism is also Disrupting Some Crucial Legal Categories of International Law’ (2001) European Journal of International Law 993.
42 Commentary on the HPCR Manual (n 27) 109. For a critique of this approach, see the remarks made by the International Committee of the Red Cross (ICRC) included in a footnote to the Commentary, ibid n 25.
43 It is, inter alia, for this reason that we reject proposals for a cyber-specific broadening of the range of military targets in the context of cyber attacks; see Jeffrey T G Kelsey, ‘Hacking into International Humanitarian Law: The Principles of Distinction and Neutrality in the Age of Cyber Warfare’ (2008) 106 Michigan Law Review 1427. Moreover, Kelsey's approach is based on the assumed non-lethal nature of cyber attacks, an assumption which in such generality is hardly maintainable.
44 Dinstein (n 28) 102.
45 Of course, possible effects on another state's civilian population (ie the civilian population of a state which is not a party to the international armed conflict) belong in the realm of the law of neutrality. Convention (V) respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land (The Hague, 18 October 1907, 205 CTS 229), art 1 stipulates that ‘[t]he territory of neutral Powers is inviolable’, but it remains to be seen how the law of neutrality, especially in as much as it is territory-based, may be applied in the cyber domain and whether the repercussions of a cyber attack directed against State A would be viewed as a violation of the law on neutrality if they also degrade cyber functionality in State B, thereby affecting the civilian population in State B.
46 Jensen (n 10) 1552.
47 ibid.
48 ICRC Study (n 24) rules 22, 23, 24.
49 This limitation applies to the different obligations laid out in art 58(a)–(c): see Diplomatic Conference leading to the Adoption of the Additional Protocols, Report to Committee III on the Work of the Working Group, 65.
50 ICRC Study (n 24) Commentary to rule 22.
51 cf, for instance, the reservation issued by the United Kingdom on the date of its ratification of Additional Protocol I on 28 January 1998, http://www.icrc.org/ihl.nsf/NORM/0A9E03F0F2EE757CC1256402003FB6D2?OpenDocument.
52 ICRC Study (n 24) Commentary to rule 22.
53 On this distinction, cf Wolfrum, Rüdiger, ‘Obligation of Result versus Obligation of Conduct – Some Thoughts about the Implementation of International Obligations’ in Arsanjani, Mahnoush H and others (eds), Looking to the Future – Essays on International Law in Honor of W. Michael Reisman (Martinus Nijhoff 2011) 363Google Scholar.
54 Jensen (n 10) 1569, who argues that ‘the near-complete interconnectedness of government and civilian cyber systems makes segregation under Article 58 (a) and (b) impractical’.
55 International humanitarian law merely prescribes that civilian objects which are used or intended to be used for military purposes will thereby qualify as legitimate military objectives with the consequence that they could be attacked. A similar regulation is adopted under international humanitarian law where civilians take a direct part in hostilities, thereby losing their protection from attack. Such a direct participation may, of course, amount to a criminal offence under domestic criminal law, but it is not prohibited nor privileged on the level of the jus in bello; cf Melzer, Nils, ICRC Interpretive Guidance on the Notion of Direct Participation in Hostilities (International Committee of the Red Cross 2009) rule X, 83Google Scholar.
56 Adam Segal, ‘Cyberspace Governance: The Next Step’ (Council on Foreign Relations, Policy Innovation Memorandum No 2, 14 November 2011, 1), http://www.cfr.org/cybersecurity/cyberspace-governance-next-step/p24397.
57 emphasis added.
58 ICRC Commentary (n 26) 2258.
59 ICRC Study (n 24) rule 22.
60 cf ibid section 3.2.1.
61 cf Jensen (n 10) 1553.
62 ICRC Study (n 24) rule 14.
63 Dinstein (n 28) 128.
64 Schmitt, ‘Wired Warfare’ (n 6) 390; Eric Talbot Jensen, ‘Unexpected Consequences from Knock-on Effects: A Different Standard for Computer Network Operations?’ (2003) 18 American University International Law Review 1145, 1154–61.
65 For the general difficulties in the application of the humanitarian proportionality principle, see eg Oeter (n 29) 204.
66 ibid 7.
67 Michael N Schmitt, ‘The Principle of Discrimination in 21st Century Warfare’ (1999) 2 Yale Human Rights and Development Law Journal 143, 168; James W Crawford III, ‘The Law of Noncombatant Immunity and the Targeting of National Electrical Power Systems’ (1997) 21 Fletcher Forum of World Affairs 101, 106; James A Burger, ‘International Humanitarian Law and the Kosovo Crisis: Lessons Learned or to be Learned (2000) 82 International Review of the Red Cross 129, 134.
68 Oeter (n 29) 181.
69 Shue and Wippmann (n 13) 565.
70 emphasis added.
71 US Department of Defense Strategy for Operating in Cyberspace (July 2011, 1), http://www.defense.gov/news/d20110714cyber.pdf.
- 17
- Cited by