Law & Policy

How does the legal and normative ecosystem relate to cyberattacks and operations deployed during an armed conflict?

On the 24th of February 2022, the Russian Federation carried out a military invasion of Ukraine, violating the UN Charter. The ongoing international armed conflict (IAC) raises concerns about harm caused to the civilian population, the protection of civilians and civilian infrastructure. The civilian population is affected by both kinetic and cyberattacks. The impact of this armed conflict affects first and foremost the Ukrainian population, however, cyberattacks are also being carried out against and otherwise affecting targets of the Russian Federation, and beyond the territorial borders of the two belligerent states. In this ongoing conflict, the belligerents are bound by international law and especially International Humanitarian Law (IHL) that applies as soon as an armed conflict arises "between two or more High Contracting Parties [to the Geneva Conventions of 1949], even if the state of war is not recognized by one of them" (Common Article 2).

War is now increasingly being fought beyond land, sea and air to encompass cyber space, the information space and outer space, with a combination of kinetic and non-kinetic attacks. Cyber operations have increased, in peacetime and during armed conflicts. They put the population and critical civilian infrastructure at risk of harm and expose the vulnerability of essential services. The international armed conflict in Ukraine is no exception: the term cyber war is being routinely used. Cyber war—method of warfare– is a commonly used term to describe actions by state and non-state actors to penetrate another computer or network to cause damage or disruption. Cyber operations are a type of military operation to which various prohibitions and restrictions apply.

The IAC between Ukraine and the Russian Federation, and its strategic and tactical implications, raises serious concerns and imposes considerations about how states and non-state actors respect and abide by the existing normative framework, including domestic law, IHL, or Human Rights Law. At the international level, even though it is agreed that IHL applies to cyberspace and restricts the use of cyber capabilities as a means and method of warfare during an armed conflict, there is a need for clarity on the limits that IHL imposes on the use of cyber operations due to the complexity of this realm and the challenges in terms of applicability, and accountability.

It is nevertheless very clear that cyberspace is not a lawless world: there are rules applicable to this particular method of warfare that aim to restrain action of States and individuals and to protect civilians and critical infrastructure. Clarifications related to the interpretation of the rules are still required by States, and intergovernmental discussions have been taking place in two United Nations mandated processes working on the development of the regulations in cyberspace - the United Nations Group of Governmental Experts (UN GGE) and the Open-ended Working Group (OEWG). There is an ongoing UN-based process, the OEWG on security of and in the use of information and communications technologies (2021-2025).

A central tenet of the protection of civilians and of the normative framework put in place to this end is the provision of limits to the ways in which wars are fought, and that military force should be proportionate, not excessive, and not indiscriminate. Thus, avoiding harm to protected persons and objects is paramount.

Find out more about the application of laws & norms through a case studyViasat Case Study

International normative framework and applicability in cyberspace

The protection of civilians

The protection of particular sectors: the notion of critical infrastructure

Human Impact and Harm on Society

Attribution and accountability

Current challenges

Do you want to contribute to the law and policy aspect of our work?Contact us


  1. The international armed conflict began in 2014. The CyberPeace Institute started monitoring cyberattacks in relation to this armed conflict in February 2022.