How does the legal and normative ecosystem relate to cyberattacks and operations deployed during an armed conflict?
The use of cyber capabilities is a reality of modern warfare. Since the Russian military invasion of Ukraine, the population has suffered significantly from the shelling and bombing of cities across the country, as well as from cyberattacks. Cyberattacks are used as a means of destruction, disruption, and data weaponization, in addition to the widespread use of disinformation; they have led to the destabilization of cyberspace.
The use of cyber tools and information warfare doesn't happen in a legal vacuum and poses a range of legal and policy questions. Explore this section to get answers to some of the following legal challenges. What are the rules applicable to the cyber dimension of an armed conflict? How does modern technology challenge the application of established rules of international law? What policy and legal questions arise in the use of cyber tools? What are the rules protecting civilians from harm in an armed conflict and when do civilians lose their protection?
The term cyber war is being routinely used in the context of the armed conflict in Ukraine. Cyber war—method of warfare – is a commonly used term to describe actions by state and non-state actors to penetrate another computer or network to cause damage or disruption. The term cyber war describes cyber operations which are a type of military operation to which various prohibitions and restrictions apply.
During armed conflict (the current situation between the Russian Federation and Ukraine) International Humanitarian Law (IHL) applies and governs the conduct of hostilities including the use of cyber tools. In peacetime – rules of peacetime international law, human rights law and domestic law apply.
The international armed conflict between Ukraine and the Russian Federation, and its strategic and tactical implications, raises serious concerns and imposes considerations about how states and non-state actors respect and abide by the existing normative framework. This framework includes:
international law, notably international humanitarian law (IHL), or jus in bello, (the law that governs the way in which warfare is conducted),
domestic law (for example criminal law), and
the non-binding rules of responsible state behavior in cyberspace emanating from the reports of both the United Nations Group of Governmental Experts (UN GGE) and Open Ended Working Group (OEWG).
When it comes to cyber operations there are rules applicable to this particular method of warfare aiming to restrain action of States and individuals and to protect civilians and critical infrastructure. As the International Court of Justice (ICJ) noticed, IHL “applies to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future [...]”.
The conundrum lies in the interpretation of the rules. Cyberspace, and Information and Communication Technologies (ICTs) are challenging decades of interpretation of the laws, and clarifications are required by States including how international humanitarian law applies to cyber operations.
Find out more about the application of laws & norms through a case studyViasat Case Study
International Law and the Normative Framework
These rules come in the form of international law which includes IHL, rules of peacetime international law, and human rights law. In addition to these laws, there is also a normative framework for responsible state behavior, which has been agreed to by UN Member States in various fora. This framework provides eleven norms that outline both positive obligations and negative obligations with regards to how states should act in cyberspace. For example, in general terms there is the positive obligation for states to protect their critical infrastructure, but there is also the negative obligation that states should not attack the critical infrastructure of another country.
However, with the onset of an armed conflict, questions of applying and respecting these normative frameworks arise, in particular, when a norm is breached. Despite the existence of this framework, clarification is still required by states regarding how these norms apply, to actually implement them in practice, and ensure accountability for the violation of rules of international law and norms of responsible behavior in cyberspace.
Destabilization of cyberspace
As conflicts evolve and as technology develops, the roles and responsibilities of actors in cyberspace shift and change. This creates challenges to ascertaining responsibility. One such example of this is the call for IT Armies or call to volunteers to engage in cyberattacks and operations to harm the other side of the conflict. International humanitarian law makes a clear distinction between civilians and military armed forces and provides modalities on what it means for a person to participate directly or indirectly in an armed conflict. If a civilian carries out a cyberattack, the individual may then be considered as directly participating in the conflict and the potential loss of protection afforded to civilians. 1
If and when civilians engage in taking part in hostilities they lose their protected status, “for such time as they take a direct part in hostilities”. IHL treats combatants identically in terms of targetability regardless of whether they perform offensive or defensive operations. A good example of the challenges posed by use of ICTs is, for example, when a civilian uses their cell phone to support the war effort, what is the duration of the loss of his protection and thus targetability?
Cyberspace also poses additional challenges in that it generates and houses an immense amount of information. The accessibility of and to information is a great contribution of cyberspace, but the ability to spread disinformation rapidly and expansively poses a significant challenge for the security of people and the stability of cyberspace. The long-term consequences of disinformation to destabilization are also unknown, as the world has never seen this influx of information before. The spread of disinformation during wartime can have significant consequences for the safety and well-being of people, and society.
1 According to the International Committee of the Red Cross (ICRC) 2009 Interpretative Guidance on Direct Participation in Hostilities, “Persons take a direct part in hostilities when they commit acts aimed at supporting one party to the conflict by directly causing harm to another party, either by directly inflicting death, injury or destruction, or by directly harming the enemy’s military operations or capabilities. If and for as long as civilians commit such acts, they take a direct part in hostilities and lose their protection against attack.”
Human Impact and Harm on Society
A central tenet of protection of civilians and of the normative framework put in place to this end is the negative impact on people, and ultimately avoiding harm to society. Due to the inherently interconnected nature of cyberspace, it is extremely difficult to map a complete picture of the harm and impact that a cyberattack causes. The aim of this platform is to contribute to this work, providing an overview of some of the pieces of this picture, especially beyond economic quantifiers of harm.
During armed conflict harm to civilians must be avoided. With the use of cyber, the challenge is that because of the interconnected nature of infrastructure, the inherently dual nature of infrastructure, and the difficulty to assess the impact (and unintended consequences of attacks using cyber tools) it is extremely difficult to assess potential harm to civilians and hence to do the calculation as to whether the harm caused to civilians is proportionate or excessive to the military objective.
This interconnected nature also lends another challenge: the spillover effects as a result of cyberattacks. These can be intended or unintended consequences of actions, but either way they can impact upon people. Whether it is an Internet shutdown or an attack against a hospital, the civilian population is at risk. Individuals can be impacted by consequences of a cyberattack even if they are not directly targeted. This platform aims to shed light on this impact by documenting qualitative information of the impact and harm of cyberattacks on organizations, individuals and society.
Applicability of International Humanitarian Law to Cyber Operations
The body of rules pertaining to the branch of jus in bello regulate how warfare is to be conducted. Generally, the applicability of such a body of rules is triggered by a use of force which amounts to the threshold of an armed attack, thus resulting in the outbreak of either an international or a non-international armed conflict. In this specific armed conflict, cyber operations are a part of warfare and they have been resorted to widely, thus there are several relevant areas of application of IHL.
Parties to the armed conflict in Ukraine have a responsibility under international humanitarian law to respect the civilian population and other protected persons, civilian objects and infrastructure essential to survival. (This means parties to the armed conflict must respect the four Geneva Conventions of 1949 and the first Additional Protocol of 1977.)
Protection of civilians
The important legal principles of distinction (distinguish at all times between military objectives and civilian objects) and proportionality (prohibit attacks expected to cause excessive civilian harm) have a direct bearing on cyber operations during armed conflicts in order to protect the civilian population against the effects of such operations. Certain uses of digital technology pose fundamental challenges to the traditional distinction between civilians and combatants in modern times.
Civilians, civilian objects and infrastructure ensuring the delivery of essential services must be spared from attack.
Like any other weapon used in armed conflict, the use of cyber tools is subject to restrictions. International Humanitarian Law (IHL) applies to cyber operations during armed conflicts.
International Law is not static. The basic rules are formulated in a way that they can apply to any weapon used in an armed conflict, including cyber capabilities.
IHL provides rules that aim to save lives and reduce suffering during conflicts. The key principles governing the conduct of hostilities include distinction, proportionality, precaution, and prohibition of superfluous injury and unnecessary suffering. This requires that: civilians and civilian objects must be spared from attack and only military objectives should be targeted; Indiscriminate attacks and attacks which are disproportionate and expected to cause excessive harm to civilians and civilian objects, are prohibited.
IHL makes a clear distinction between combatants and civilians and norms of customary international humanitarian law clarify rules with regard to a person who participates directly or indirectly in hostilities.
According to the International Committee of the Red Cross (ICRC) 2009 Interpretative Guidance on Direct Participation in Hostilities, “Persons take a direct part in hostilities when they commit acts aimed at supporting one party to the conflict by directly causing harm to another party, either by directly inflicting death, injury or destruction, or by directly harming the enemy’s military operations or capabilities. If and for as long as civilians commit such acts, they take a direct part in hostilities and lose their protection against attack.”
A key difference between cyber and kinetic capabilities is the fact that cyber capabilities can be easily accessed and deployed by non-combatants, including from anywhere in the world. Civilians may lose the legal protections afforded to them if they directly participate in the hostilities by engaging in cyberattacks. This makes accountability for actions committed extremely complex, and raises questions within the context of international law, i.e. what due diligence obligations do states not party to the conflict have to cover the activity of cyber combatants operating from their terrority?
The Unknowns
There are several unknown factors that are important to identify and recognize as obstacles in an effort to find solutions to move past them. One such important unknown to recognize is the true scale of the human impact of cyber operations. This is also true for kinetic operations, but cyber operations lend another layer of uncertainty as the impact on victims can materialize only after a time delay. It is also difficult to directly attribute impact to one cyberattack or operation, as sometimes these operations can take place over a long period of time such as espionage-related endeavors or disinformation campaigns, or they can be one in a series of operations that changes ever so slightly each time to avoid detection. There will also be a level of uncertainty in this regard, but the investigation of cyberattacks and operations is a developing field that needs time to mature.
Do you want to contribute to the law and policy aspect of our work?Contact us
