During the recent Sony incident, politicians and pundits debated whether the cyber operations allegedly launched by North Korea were an “act of war.” Presumably, they were asking whether the operations qualified as an “armed attack” that allows a victim State to respond with armed force, including destructive cyber operations, under the law of self-defense.
But the term “war” is actually a dated one drawn from a different body of law– international humanitarian law (IHL, also known as the “law of armed conflict”). Since adoption of the 1949 Geneva Conventions, wars have been labeled “armed conflicts” in legal terminology; this is generally considered to be a lower threshold of violence than an armed attack. When armed conflicts occur, IHL governs ongoing hostilities alongside any applicable human rights and domestic law. This contribution to Just Security examines the state of play with respect to IHL’s application to cyber operations, whether taking place in conflicts between States (“international armed conflicts”) or those between State and organized armed groups (“non-international armed conflicts”).
For some time, there was a specious debate about whether existing international law governed cyber operations. Fortunately, intergovernmental organizations have begun to expressly acknowledge that it does. The Group of Governmental Experts that convened under UN auspices (with representatives of 15 States) did so in 2013. Specifically citing IHL, the European Union followed suit that year, as did NATO in its Wales Summit Declaration the next year. Individual States have adopted the same position regarding IHL and cyber activities. The United States led the way in 1999 with an analysis by the DoD General Counsel’s Office; State Department Legal Adviser Harold Koh confirmed that position in 2012 at the Cyber Command Legal Conference. Other States, such as Australia and Japan, soon echoed the U.S. view.
Today, no serious international law expert questions the full applicability of IHL to cyber operations. The better question is whether an armed conflict can commence based solely on a cyber exchange, such as the actions that may be taking place between North Korean and the United States. A distinguished group of international law scholars and practitioners examined this and other IHL issues during a three-year project sponsored by the NATO Cooperative Cyber Defence Centre of Excellence. In the resulting 2013 Tallinn Manual on the International Law Applicable to Cyber Warfare, they agreed that when a cyber operation by one State causes meaningful damage or injuries to another, an “international armed conflict” is underway. Some of them were even of the view that any physical damage or injury beyond a de minimis level qualifies the situation as such. By these standards, the alleged North Korean operations, which caused no physical damage to tangible objects, did not start an international armed conflict. President Obama was correct in asserting that this was not “war,” at least not in the legal sense.
The Tallinn Manual experts also agreed that an international armed conflict exists whenever a State is in “overall control” of a group that launches a cyber attack against another State. Absent such control, they concluded that it was unlikely that a cyber-only exchange between a non-State group and a State would qualify as international armed conflict. Additionally, the level of damage and injury required for non-international armed conflicts is quite high (higher than in international armed conflict) and the group in question has to meet certain demanding requirements as to its organizational structure; reaching these thresholds is unlikely in cyber only exchanges. In most cases, therefore, IHL will apply to cyber operations involving a non-State group only when the operations are one component of the group’s traditional hostilities or take place under the direction of a State.
The critical aspect of IHL is that it permits lethal and destructive targeting based solely on the status of the individual or object. Assuming an international or non-international armed conflict exists, the parties may target, either kinetically or by cyber means, combatants (members of the armed forces) at any time; force is not limited to that necessary to save oneself or others from serious imminent harm (as in human rights law). Members of an organized armed group (OAG) may be attacked on the same basis. Controversy exists as to whether targetability extends to all group members or only those having what the ICRC calls a “continuous combat function.” However, there is agreement that group members who conduct cyber operations against an opponent’s forces have such a function and are therefore subject to attack. Individuals who are not combatants or members of an OAG may be attacked only while they “directly participate in the hostilities.” Engaging in cyber operations, such as cyber reconnaissance or monitoring of enemy systems or conducting operations to delete or alter data stored in them, clearly amounts to direct participation. Although direct participation renders the individuals susceptible to attack, participation is not an international law violation per se. Indeed, an individual can lawfully take such actions but would then just have to assume the risks—they would become legitimate military targets in the eyes of the law.
IHL prohibits “attacks,” including cyber attacks, against civilians, civilian objects and certain specified entities, such as medical and religious personnel, facilities and activities. But the precise legal meaning of the term “attacks” remains somewhat unsettled, a critical ambiguity because the prohibitions apply only to cyber operations that qualify as an attack. The Tallinn Manual experts agreed that those causing physical damage or injury are clearly attacks and therefore may not be directed at protected persons and objects. The majority of them also agreed that if targeted systems lose functionality, the operations constitute attacks even if the systems are not physically damaged. But, according to the majority, cyber operations that alter or destroy civilian data without generating these consequences are not, in the current state of the law, attacks; consequently, they are lawful. It must be cautioned that international law evolves to reflect the values of the international community. In light of the growing centrality of cyber activities, the IHL rules governing cyber operations directed at the civilian population and civilian objects can be expected to evolve with some dispatch.
Finally, there is wide consensus that the IHL rule of proportionality, which prohibits attacks expected to cause collateral damage that is excessive to the anticipated military advantage of the attack, applies fully to cyber attacks, as does the requirement to take precautions to minimize, to the extent militarily and practically “feasible,” harm to civilians. These two rules have particular resonance in the cyber context because of the likelihood of effects reverberating through a targeted network and beyond. Yet, what is often missed is that neither rule encompasses harm that does not (at least by the majority view) involve physical damage, loss of functionality or injury. Thus, although the two rules clearly apply, their application in the cyber context is quite different than in the kinetic one.
Assertions that IHL does not apply to cyber operations during an armed conflict are counter-normative. They also threaten to shake the very foundations of IHL since failure to observe its rules with respect to cyber operations risks bleeding over into kinetic operations, diminishes the effect of reciprocity on compliance with the IHL, and fuels contempt for the law. Plus, ignoring IHL simply runs counter to the national interests of any rational State, for to claim that IHL does not penetrate cyber space is to open the door to the unrestricted cyber targeting of one’s own civilian population.
The views expressed are those of the author in his personal capacity.