Guest Blogger, Michael Schmitt, delves into the applicability of IHL in cyber space

Ahead of the ICRC's "Internet in bello" debate in Geneva on Thurday and in response to our recent and wide-ranging interview with top US cyber expert, Peter W. Singer, Intercross invited Prof. Michael N. Schmitt, to weigh in on some of the thorny legal questions surrounding cyber warfare. For example, does a cyber exchange alone qualify as an armed conflict? Or, when is a forceful response to a cyber operation justified?

By Professor Michael N. Schmitt

Director, Stockton Center for the Study of International Law, US Naval War College

As is often the case with the emergence of new technologies of warfare, the policy, operational, technical, ethical and legal communities dealing with cyber operations have failed to adequately communicate with each other. Indeed, James Lewis of CSIS has even reportedly opined that the Tallinn Manual on the International Law Applicable to Cyber Warfare demonstrates why “you should never let lawyers go off by themselves.” Of course, the statement is badly misinformed in that the lawyers were never “by themselves” during the Tallinn Manual process, but the point is an important one.  If the international community is to effectively get its collective arms around the issue of cyber operations, it must quit acting in an archipelagic fashion. Therefore, I congratulate the ICRC on Peter Singer’s recent Intercross post and other efforts, such as its multidisciplinary approach to the subject that has been taken in the International Review of the Red Cross.

Singer begins by highlighting one of the factors dramatically complicating the dialogue between the communities – the fact that a common language separates them. He correctly points to the confusing use of the term “cyber warfare” to refer to activities that range from cyber crime and cyber terrorism to cyber international armed conflict. In the Tallinn Manual, the International Group of Experts (IGE) adopted the term purely as a descriptive device referring to operations implicating the jus ad bellum or the jus in bello.  The term “cyber operations” was adopted in the Rules and accompanying commentary to denote generic activities in cyberspace. In the jus ad bellum context, “cyber uses of force” referred to cyber operations rising to the level of a use of force under Article 2(4) of the UN Charter and “cyber armed attack” designated the types of cyber operations that justified a forceful response pursuant to Article 51 and the customary law of self-defence. With respect to the jus in bello (international humanitarian law or IHL), the expression “cyber attack” was reserved for those cyber operations qualifying as attacks pursuant to the definition set forth in Article 49 of Additional Protocol I. And the IGE was careful to use the term “conflict” in its status of conflict sense, not as a lay term. 

Unfortunately, the legal community engaged the issue of cyber operations well after some of the terminology became commonplace, especially the two terms “cyber attack” and “cyber warfare”. Therefore, great caution is necessary in interdisciplinary discussions to ensure members of the different community are not talking past each other, particularly with respect to terms having normative significance.

Singer also perceptively highlights a legal complexity that bears directly on this terminological morass by posing the question of when does cyber war begin and end.  Since 1949, “armed conflict” is the correct legal rendering of “war”. The existence of an armed conflict is the condition precedent to application of IHL, including the rules prohibiting or restricting attacks, including cyber attacks.

Of course, once an armed conflict in the traditional sense is initiated, all cyber operations related to the conflict are governed by IHL; IHL ceases to govern them when the conflict ends. The question is whether a cyber exchange alone can qualify as an armed conflict.  As with kinetic exchanges, analysis of the question requires distinguishing between international and non-international armed conflict. International armed cyber conflict exists when a cyber exchange is between two States [or between an organized armed group under the overall control (or individuals under the effective control) of a State and another State in the Tadic sense] and the cyber operations involved constitute “hostilities”. The clearest case of cyber hostilities is an exchange involving cyber operations qualifying as cyber attacks pursuant to Article 49.

Non-international armed conflict (NIAC) involves hostilities between an organized armed group (not under the overall control of a State) and a State or between two or more organized armed groups. The Tadic requirements of sufficient intensity and organization apply fully to a “cyber non-international armed conflict” (including so-called “cyber terrorism” rising to the level of NIAC) and would in many cases preclude qualification as such. For instance, a single cyber operation, no matter how devastating, would not meet the “protracted” criterion of intensity, although, according to the IGE, “frequent, albeit not continuous, cyber attacks occurring within a relatively defined period may be characterized as protracted”, and thereby sometimes could reach the requisite level of intensity. In light of the intensity criterion, such operations would at least have to qualify as cyber attacks.

As problematic in terms of qualifying cyber operations as a NIAC is the requirement of organization. Of particular note would be groups “organized” entirely online. A mere call by individuals or a group for the public to engage in cyber operations against a State, such as occurred in 2007 against Estonia, would clearly fall short, even if those operations amounted to attacks. Rather, some degree of coordination among participants in the campaign would appear to be required, as would some form of leadership with the ability to direct members of the group to conduct, or refrain from, particular attacks. Moreover, the arguably customary requirement that the group have an ability to enforce IHL in some manner would further impede qualification of the operations as a NIAC. Absent satisfaction of the intensity and organization criteria, the operations concerned would constitute cyber crime governed by human rights and domestic law rather than IHL. They might also amount to cyber terrorism subject to domestic legislation and international treaties on the subject.

The complex ongoing debate about the “geography of war” similarly bears on whether particular cyber operations are part of a NIAC and therefore subject to IHL. Three approaches exist: 1) a NIAC (and thus the applicability of IHL) is limited to territory within the borders of the State involved; 2) IHL extends to border areas into which the NIAC has spilled over; and 3) IHL applies wherever acts related to an ongoing NIAC are underway. The first two would seemingly preclude application of IHL to distant cyber operations, thereby prohibiting, for instance, status based targeting of members of an organized armed group or direct participants in the hostilities located well beyond the State or spillover areas.

As Singer suggests, “[w]e need to disentangle all of these things and stop lumping everything together under the same digital umbrella.”  This is especially relevant vis-à-vis international law because the response options to cyber operations depend on their juridical character. For instance, it is clear that espionage, cited by Singer, does not amount to armed conflict (or an armed attack under Article 51 of the UN Charter) and therefore does not justify IHL-based responses.

From an international law perspective, the challenge is to sensitize policy-makers and others responsible for fashioning and deciding upon responses to the appropriate legal architecture. Short of a cyber armed attack, the options are limited to measures such as law enforcement, diplomacy, arbitration, litigation, retorsion, and, in the event the cyber operations constitute an internationally wrongful act, a demand for reparations and countermeasures. Only if the cyber operation comprises an armed attack will forceful responses, whether kinetic or cyber in nature, be justified. Should forceful measures be undertaken, their conduct would be governed by IHL only if the exchange qualified as an armed conflict. As it stands, there is insufficient understanding in the broader cyber policy and operational community as to the various legal characterizations of cyber operations and the lawful responses thereto.

Singer also perceptively points to the likelihood of targeting civilians and civilian objects with cyber operations during an armed conflict. His concern is well founded. In the asymmetric conflicts of the past two decades, those States and organized armed groups that are asymmetrically disadvantaged on the conventional battlefield have repeatedly directed their attacks against the civilian population in the hope of attacking an opponent’s weakest center of gravity. There is every reason to believe they will do the same in cyberspace since military cyber defenses are far more robust than those of civilian cyber infrastructure.

This reality increases the centrality of the current dialogue over application of the principle of distinction in cyber operations, particularly the scope of prohibited attacks. For instance, does the prohibition on attacking civilian objects only apply to cyber operations that are physically destructive or injurious? Or will the approach taken by the majority of the IGE extending the notion of damage to certain interference with the functionality of the targeted system prevail? Might a different, even more restrictive, interpretation emerge as civilian systems are increasingly targeted in future armed conflicts

Similarly, conflicts of the future are, as illustrated by the case of the 2008 conflict between Georgia and Russia or that between Russia and Ukraine of this year, likely to involve cyber operations conducted by individuals and other non-State actors against both military and civilian cyber targets. This raises the issue of the scope of the notion of cyber direct participation in hostilities. For example, under what circumstances will patriotic hackers, including youths, lose their protection from attack when they engage in such activities? Will the three cumulative constitutive elements of direct participation prove adequate to meet the challenge of application in cyber space? Under what circumstances will groups of civilian hackers qualify as members of organized armed groups such that they are assimilated to the armed forces for targeting purposes? And how satisfactorily will the ICRC’s proposed “continuous combat function” concept apply to cyber groups?

Singer notes that in terms of meeting the challenges he raises, “[y]ou’re more likely to meet with success if you graft onto something that already works than if you try to plant an entire new tree or write an entire new treaty.” This view is refreshing in light of the unfortunate tendency to jump to the conclusion that IHL is lacking in the face of new technologies such as cyber, remotely piloted platforms, and autonomous weapons systems. While new technologies do present unique challenges for IHL, such as how (and whether) the concept of levee en masse applies to cyber operations, IHL has historically proven exceptionally flexible in the face of nascent means and methods of warfare; seldom has such technology revealed lacuna in the law or proven beyond the reach of reasonable interpretation of its norms. This was the general consensus of the IGE as it contemplated cyber operations during the Tallinn Manual process. 

Therefore, the IHL community must actively combat the propensity of some ill-informed non-IHL experts to “throw the baby out with the bathwater”. At least with respect to IHL, there is no immediate need for new IHL. Rather, the community must continue to work to better understand how to interpret and apply the current law to cyber operations. In particular, work is necessary in crafting appropriate ROE and other battlefield guidance. 

Finally, as Singer intimates, protection of the civilian population from the effects of cyber operations during an armed conflict will require more than fidelity to IHL. The interconnectivity of cyber space demands cooperative international approaches to combating the adverse effects of cyber operations on the civilian population, civilian objects and other persons and objects protected by IHL, as well as the development of cyber resiliency.  t may equally require belligerents to implement Additional Protocol I’s Article 58 requirement (and its related customary IHL counterpart) to take precautions against the effects of attacks, including cyber attacks. Whether States will prove willing to move in these directions remains to be seen.

(The views expressed in this article are those of the author in his personal capacity. They do not necessarily represent the views of the ICRC.)

More on this topic: 

What limits does the law of war impose on cyber attacks? 

ICRC report on IHL and the challenges of contemporary armed conflicts 

Previous Intercross articles on cyber issues: 
IHL & New Technologies: Part V - Pushing back the gray 
IHL & New Technologies, Part IV: Cordula Droege on the consequences of cyber ops 
IHL & New Technologies, Part III: Michael Schmitt on the relevance of the rules of war 
IHL & New Technologies, Part II - Eric Jensen responds