Law & Policy

These rules come in the form of international law which includes IHL, rules of peacetime international law, and human rights law. In addition to these laws, there is also a normative framework for responsible state behavior, which has been agreed to by UN Member States in various fora. This framework provides eleven norms that outline both positive obligations and negative obligations with regards to how states should act in cyberspace. For example, in general terms there is the positive obligation for states to protect their critical infrastructure, but there is also the negative obligation that states should not attack the critical infrastructure of another country.

However, with the onset of an armed conflict, questions of applying and respecting these normative frameworks arise, in particular, when a norm is breached. Despite the existence of this framework, clarification is still required by states regarding how these norms apply, to actually implement them in practice, and ensure accountability for the violation of rules of international law and norms of responsible behavior in cyberspace.

As conflicts evolve and as technology develops, the roles and responsibilities of actors in cyberspace shift and change. This creates challenges to ascertaining responsibility. One such example of this is the call for IT Armies or call to volunteers to engage in cyberattacks and operations to harm the other side of the conflict. International humanitarian law makes a clear distinction between civilians and military armed forces and provides modalities on what it means for a person to participate directly or indirectly in an armed conflict. If a civilian carries out a cyberattack, the individual may then be considered as directly participating in the conflict and the potential loss of protection afforded to civilians. ¹

If and when civilians engage in taking part in hostilities they lose their protected status, “for such time as they take a direct part in hostilities”. IHL treats combatants identically in terms of targetability regardless of whether they perform offensive or defensive operations. A good example of the challenges posed by use of ICTs is, for example, when a civilian uses their cell phone to support the war effort, what is the duration of the loss of his protection and thus targetability?

Cyberspace also poses additional challenges in that it generates and houses an immense amount of information. The accessibility of and to information is a great contribution of cyberspace, but the ability to spread disinformation rapidly and expansively poses a significant challenge for the security of people and the stability of cyberspace. The long-term consequences of disinformation to destabilization are also unknown, as the world has never seen this influx of information before. The spread of disinformation during wartime can have significant consequences for the safety and well-being of people, and society.

¹ According to the International Committee of the Red Cross (ICRC) 2009 Interpretative Guidance on Direct Participation in Hostilities, “Persons take a direct part in hostilities when they commit acts aimed at supporting one party to the conflict by directly causing harm to another party, either by directly inflicting death, injury or destruction, or by directly harming the enemy’s military operations or capabilities. If and for as long as civilians commit such acts, they take a direct part in hostilities and lose their protection against attack.”

A central tenet of protection of civilians and of the normative framework put in place to this end is the negative impact on people, and ultimately avoiding harm to society. Due to the inherently interconnected nature of cyberspace, it is extremely difficult to map a complete picture of the harm and impact that a cyberattack causes. The aim of this platform is to contribute to this work, providing an overview of some of the pieces of this picture, especially beyond economic quantifiers of harm.

During armed conflict harm to civilians must be avoided. With the use of cyber, the challenge is that because of the interconnected nature of infrastructure, the inherently dual nature of infrastructure, and the difficulty to assess the impact (and unintended consequences of attacks using cyber tools) it is extremely difficult to assess potential harm to civilians and hence to do the calculation as to whether the harm caused to civilians is proportionate or excessive to the military objective.

This interconnected nature also lends another challenge: the spillover effects as a result of cyberattacks. These can be intended or unintended consequences of actions, but either way they can impact upon people. Whether it is an Internet shutdown or an attack against a hospital, the civilian population is at risk. Individuals can be impacted by consequences of a cyberattack even if they are not directly targeted. This platform aims to shed light on this impact by documenting qualitative information of the impact and harm of cyberattacks on organizations, individuals and society.

The body of rules pertaining to the branch of jus in bello regulate how warfare is to be conducted. Generally, the applicability of such a body of rules is triggered by a use of force which amounts to the threshold of an armed attack, thus resulting in the outbreak of either an international or a non-international armed conflict. In this specific armed conflict, cyber operations are a part of warfare and they have been resorted to widely, thus there are several relevant areas of application of IHL.

Parties to the armed conflict in Ukraine have a responsibility under international humanitarian law to respect the civilian population and other protected persons, civilian objects and infrastructure essential to survival. (This means parties to the armed conflict must respect the four Geneva Conventions of 1949 and the first Additional Protocol of 1977.)

The important legal principles of distinction (distinguish at all times between military objectives and civilian objects) and proportionality (prohibit attacks expected to cause excessive civilian harm) have a direct bearing on cyber operations during armed conflicts in order to protect the civilian population against the effects of such operations. Certain uses of digital technology pose fundamental challenges to the traditional distinction between civilians and combatants in modern times.

Civilians, civilian objects and infrastructure ensuring the delivery of essential services must be spared from attack.

Like any other weapon used in armed conflict, the use of cyber tools is subject to restrictions. International Humanitarian Law (IHL) applies to cyber operations during armed conflicts.

International Law is not static. The basic rules are formulated in a way that they can apply to any weapon used in an armed conflict, including cyber capabilities.

IHL provides rules that aim to save lives and reduce suffering during conflicts. The key principles governing the conduct of hostilities include distinction, proportionality, precaution, and prohibition of superfluous injury and unnecessary suffering. This requires that: civilians and civilian objects must be spared from attack and only military objectives should be targeted; Indiscriminate attacks and attacks which are disproportionate and expected to cause excessive harm to civilians and civilian objects, are prohibited.

IHL makes a clear distinction between combatants and civilians and norms of customary international humanitarian law clarify rules with regard to a person who participates directly or indirectly in hostilities.

According to the International Committee of the Red Cross (ICRC) 2009 Interpretative Guidance on Direct Participation in Hostilities, “Persons take a direct part in hostilities when they commit acts aimed at supporting one party to the conflict by directly causing harm to another party, either by directly inflicting death, injury or destruction, or by directly harming the enemy’s military operations or capabilities. If and for as long as civilians commit such acts, they take a direct part in hostilities and lose their protection against attack.”

A key difference between cyber and kinetic capabilities is the fact that cyber capabilities can be easily accessed and deployed by non-combatants, including from anywhere in the world. Civilians may lose the legal protections afforded to them if they directly participate in the hostilities by engaging in cyberattacks. This makes accountability for actions committed extremely complex, and raises questions within the context of international law, i.e. what due diligence obligations do states not party to the conflict have to cover the activity of cyber combatants operating from their terrority?

There are several unknown factors that are important to identify and recognize as obstacles in an effort to find solutions to move past them. One such important unknown to recognize is the true scale of the human impact of cyber operations. This is also true for kinetic operations, but cyber operations lend another layer of uncertainty as the impact on victims can materialize only after a time delay. It is also difficult to directly attribute impact to one cyberattack or operation, as sometimes these operations can take place over a long period of time such as espionage-related endeavors or disinformation campaigns, or they can be one in a series of operations that changes ever so slightly each time to avoid detection. There will also be a level of uncertainty in this regard, but the investigation of cyberattacks and operations is a developing field that needs time to mature.