IHL Challenges Series - IHL & New Technologies, Part IV: Cyber warfare

In our fourth post on IHL and New Technologies, the head of the ICRC's Operational Law Unit, Cordula Droege, explores the consequences of cyber operations in armed conflicts.

This installment features excerpts from the latest edition of the International Review of the Red Cross, which takes an in-depth look at modern technological developments and their impact, as well as the issues they raise for humanitarian law and action.

Cordula was present during discussions on the Tallinn Manual on the International Law Applicable to Cyber Warfare – an academic, non-binding study on how international law, in particular the jus ad bellum (the international law governing the resort to force by States as an instrument of their national policy) and the jus in bello (international humanitarian law), apply to cyber conflicts and cyber warfare.

The Tallinn Manual was written at the invitation of the Estonia-based NATO Cooperative Cyber Defence Centre of Excellence by an international group of experts over a three-year period from 2009 to 2012. It was published in March by Cambridge University Press.


Read the full article here: http://journals.cambridge.org/action/displayAbstract?aid=8942329


(Taken from page 6 of the article.)

The International Committee of the Red Cross’ (ICRC) humanitarian concern in respect of cyber warfare relates mainly to the potential impact on the civilian population, in particular because cyber operations could seriously affect civilian infrastructure as a result of several features peculiar to the cyber realm.

First, because of its increasingly ubiquitous reliance on computer systems, civilian infrastructure is highly vulnerable to computer network attacks. In particular, a number of critical installations, such as power plants, nuclear plants, dams, water treatment and distribution systems, oil refineries, gas and oil pipelines, banking systems, hospital systems, railroads, and air traffic control rely on so-called supervisory control and data acquisition (or SCADA) systems and distributed control systems (DCS). These systems, which constitute the link between the digital and the physical worlds, are extremely vulnerable to outside interference by almost any attacker.

Second, the interconnectivity of the Internet poses a threat to civilian infrastructure. Indeed, most military networks rely on civilian, mainly commercial, computer infrastructure, such as undersea fibre optic cables, satellites, routers, or nodes; conversely, civilian vehicles, shipping, and air traffic controls are increasingly equipped with navigation systems relying on global positioning system (GPS) satellites, which are also used by the military. Thus, it is to a large extent impossible to differentiate between purely civilian and purely military computer infrastructure. As will be seen below, this poses a serious challenge to one of the cardinal principles of IHL, namely the principle of distinction between military and civilian objects.

Moreover, even if military and civilian computers or computer systems are not entirely one and the same, interconnectivity means that the effects of an attack on a military target may not be confined to this target. Indeed, a cyber attack may have repercussions on various other systems, including civilian systems and networks, for instance by spreading malware (malicious software) such as viruses or worms if these are uncontrollable. This means that an attack on a military computer system may well also damage civilian computer systems, which, in turn, may be vital for some civilian services such as water or electricity supply or the transfer of assets.


(From page 25)

First, it should be recalled that, based on the fact that an attack must be an act of violence, there is broad agreement nowadays that violence does not refer to the means of the attack – which would only encompass kinetic means.  Military operations that result in violent consequences constitute attacks. For instance, it is uncontroversial that the use of biological, chemical, or radiological agents would constitute an attack, even though the attack does not involve physical force.  Therefore, it has been accepted for a long time that what defines an attack is not the violence of the means, but the violence of the consequences.  Thus, even a data stream passed through cables or satellite could fall under the concept of attack.

The controversy lies on the side of the effects of cyber operations. It turns on those operations that do not cause death or injury to persons or physical destruction or damage to objects as kinetic operations would, but rather disrupt the functioning of objects without causing them physical damage – such as in the examples given above.  As these examples show, the consequences of cyber operations do not necessarily have violent effects in that they do not cause physical damage or destruction. In the examples given above the consequences in the physical realm would be at the most indirect: for instance, if the electrical grid is shut down, this may lead to power outages for vital services such as hospitals. In some cases the consequences are limited to the ability to communicate or engage in commercial activities, such as when a banking system is disrupted. Can such operations be considered attacks within the meaning of Article 49 of Additional Protocol I?


(From page 28)

[A] cyber operation can constitute an attack within the meaning of IHL when it causes death or injury or physical destruction or damage, but also if it interferes with the functioning of an object by disrupting the underlying computer system. Thus, if an air defence system is put out of order by a cyber operation, if a cyber operation disrupts the functioning of an electrical grid, or if the banking system is disabled, this amounts to an attack. However, not all cyber operations directed at disrupting the functioning of infrastructure amount to attacks. Where the operation is not directed at the physical infrastructure relying on the computer system, but essentially at blocking communication, it is more akin to jamming radio signals or television broadcasts – unless it is, of course, part of an attack, such as blocking an air defence system. The difference lies in the fact that in some cases it is the communication function of cyber space alone that is being targeted; in other cases, it is the functioning of the object beyond cyber space in the physical world. While interference with cyber systems that leads to disruption in the physical world constitutes attacks, the question of interference with communication systems such as email systems or the media is not entirely solved.


(From page 46)

[T]here is no question that IHL applies to cyber warfare.  However, whether it will provide sufficient protection to the civilian population, in particular by shielding civilian infrastructure from harm, will depend on how IHL – whose drafters did not envisage such operations – is interpreted with respect to them. Only if interpreted in good faith and with the utmost care will it be possible to protect civilian infrastructure from being directly targeted or from suffering damage that could potentially be disastrous for the civilian population. Even then, considering the potential weaknesses of the principles of distinction, proportionality, and precaution – and in the absence of more profound knowledge of offensive capabilities and effects – it cannot be excluded that more stringent rules might be necessary.


(From page 19)

It is likely to be uncontroversial that IHL will apply to cyber operations that are conducted within the framework of an ongoing international or non-international armed conflict alongside kinetic operations. In the absence of kinetic operations, ‘pure’ cyber warfare is not excluded in theory, but it remains to be seen whether there will be many examples in practice in the near future.


(From page 9)

[C]yber warfare challenges some of the most fundamental assumptions of IHL. First, IHL assumes that the parties to conflicts are known and identifiable. This cannot always be taken for granted even in traditional armed conflicts, in particular, non-international armed conflicts. However, in the cyber operations that occur on an everyday basis, anonymity is the rule rather than the exception. It appears to be impossible in some instances to trace their originator, and even when this is possible it is in most cases time-consuming. Since all law is based on the allocation of responsibility (in IHL, to a party to a conflict or to an individual), major difficulties arise. In particular, if the perpetrator of a given operation and thus the link of the operation to an armed conflict cannot be identified it is extremely difficult to determine whether IHL is even applicable to the operation. So, for instance, if a government’s infrastructure is being attacked, but it is not clear who is behind the attack, it is difficult to define who the parties to the potential armed conflict are, and therefore to determine whether there is an armed conflict at all. Similarly, even if the parties to the conflict are known, it may be difficult to attribute the act to one particular party. Second, IHL is based on the assumption that the means and methods of warfare will have violent effects in the physical world. Many cyber operations are likely to have effects that are disruptive but not immediately perceivably physically destructive. Third, the entire structure of the rules on the conduct of hostilities – and in particular the principle of distinction – is founded on the assumption that civilian objects and military objects are, for the most part, distinguishable. In the cyber theatre of war this is likely to be the exception rather than the rule because most cyber infrastructure around the world (undersea cables, routers, servers, satellites) serves for both civilian and military communications.