Law & Policy

Apart from domestic laws, different rules of international law apply in times of armed conflict including: Jus ad bellum, referring to the conditions under which States may resort to war or to the use of force (UN Charter); International Humanitarian Law (IHL), also known as jus in bello, regulating the conduct of parties engaged in armed conflicts and protecting the victims of such conflicts, including civilians; International Human Rights Law (IHRL), that continues to apply during armed conflicts, as well as customary international law.

In addition to those binding rules, there are policies or other international norms that are voluntary and non-binding (in a legal sense) but that influence the behavior of States in cyberspace. The Tallinn Manual is an academic and non-binding study on how international law applies to the cyber realm in times of peace and during warfare. It is a crucial source especially when it comes to interpreting international law, including IHL or Human Rights law, in the context of cyberspace.

Moreover, a normative framework for responsible state behavior in cyberspace providing eleven norms has been agreed by UN Member States in various fora to reduce risks to international peace and security, and to contribute to conflict prevention (UN General Assembly Resolution 70/237). Those norms outline both positive obligations and negative obligations with regards to how states should act in cyberspace, eight relate to actions that states want to encourage and three involve actions that countries should avoid:

1. Interstate cooperation on security
2. Consider all relevant information
3. Prevent misuse of ICTs in your territory
4. Cooperate to stop crime and terrorism
5. Respect Human Rights and Privacy
6. Do not damage critical infrastructure
7. Protect critical infrastructure
8. Respond to requests for assistance
9. Ensure supply chain security
10. Report ICT vulnerabilities
11. Do no harm to emergency response teams.

What is the applicable international law during the conflict in Ukraine?

International Humanitarian Law

The conflict in Ukraine is an International Armed Conflict (IAC) between two High Contracting Parties to the Geneva Conventions of 1949 (Common Article 2). The four Geneva Conventions are applicable, as well as customary IHL, the Hague Regulations and the first Additional Protocol of 1977 to which both Ukraine and the Russian Federation are parties.

International Human Rights Law

Both the Russian Federation and Ukraine are parties to the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR).

Ukraine is a party to the European Convention on Human Rights (ECHR). The Russian Federation ceased to be a party on the 16th of September 2022 six months after being excluded from the Council of Europe.

Those treaties admit derogations for certain rights in times of emergencies. However, those derogations are subject to specific procedures.

Does IHL apply to cyberspace?

According to the International Committee of the Red Cross (ICRC), there is no doubt that IHL applies to cyber operations occurring during armed conflicts. The International Court of Justice (ICJ) stated that IHL applicable in armed conflicts "applies to all forms of warfare and to all kinds of weapons, including those of the future" (Legality of the Threat or Use of Nuclear Weapons AO (1996), ICJ Rep 226, §86). In 2021, the UN General Assembly unanimously endorsed a consensus report of the UN GGE that referred to the applicability of IHL in the cyber context, confirming a consensus on this point in the international community.

However, when an armed conflict occurs and IHL becomes applicable, it is to be determined for each cyber operation that has a nexus with the armed conflict, whether it falls under the definition of an attack under IHL, namely under Article 49 of the first Additional Protocol to the Geneva Conventions (AP I). Only in this case, all rules on conduct of hostilities will be applicable to this particular operation.

The geographical scope of IHL is debated. It does not only apply in the area(s) where hostilities are conducted. In an IAC, it is agreed that IHL applies on the whole territory of the parties to the conflict and also in any location where belligerent States would conduct hostilities. Outside those territories, when the conduct is happening far from the territories of the belligerents, it is debated whether a nexus with the conflict suffices for IHL to apply. In any event, cyber operations from outside of such territories would remain governed by other applicable bodies of law, including jus ad bellum, the law of neutrality, and IHRL.

In cyberspace, cyber operations are subject to geographical limitations imposed by the relevant provisions of international law applicable during an armed conflict, as stated in rule 21 of the Tallinn Manual 2.0. However, as outlined in the Manual, this may be particularly complex to determine and implement in cyberspace considering the specificities of cyberspace where it can happen that the data used to prosecute the attack from one State may be replicated across servers in a number of other States, including neutral ones, but only observable on the systems where the attack was initiated or completed. The questions are where do those operations have effects, and what is the specific nature of those effects on the various affected systems.

INTERNATIONAL HUMANITARIAN LAW APPLICABLE

PROTECTING THE CIVILIAN POPULATION THROUGH THE RULES ON CONDUCT OF HOSTILITIES

Civilians as well as civilian infrastructure are protected under IHL. Indeed, during the hostilities, the belligerents are bound by a certain number of rules to protect the civilian population to the maximum extent.

Are cyber weapons allowed under IHL?

The rules on weapons are to be found in Customary IHL (CIHL) and in various treaty provisions, including articles 35 and 36 of the first Additional Protocol (AP I). The employment of "weapons, projectiles and material and methods of warfare of a nature to cause superfluous injury or unnecessary suffering" is prohibited as well as methods or means of warfare that are "intended, or may be expected, to cause widespread, long-term and severe damage to the natural environment".

Article 36 binds states (High Contracting Parties) to determine whether the employment of a new means or method of warfare would be prohibited under the Protocol or any other applicable international rules. Even though cyber capabilities were not considered at the time of the drafting, this article codified the obligation to consider evolving means and methods of warfare.

What is an attack under IHL?

The notion of attack is defined in Article 49(1) of AP I as "acts of violence against the adversary, whether in offence or in defence." In its commentary of the article, the ICRC describes an attack a s "the use of armed force to carry out a military operation at the beginning or during the course of armed conflict." The second paragraph of Art. 49 refers to any "land, air or sea warfare that may affect the civilian population, individual civilians or civilian objects on land."

There are several obstacles in applying this definition to cyberspace. First, the act of violence and the notion of physical force to carry out a military operation are concepts that do not translate easily to attacks in cyberspace. Secondly, cyberspace knows no territory beyond the ones from which the attack is launched or where it has effects. However, a cyber-attack may affect persons and objects on land, meeting the requirements of the provision.

It is widely accepted that the notion of violence in the definition of attacks can refer to either the means of warfare or their effects, meaning that an operation generating violent effects can qualify as an attack even if the means used to bring about those effects are not violent as such. It is also widely accepted that cyber operations expected to cause death, injury or physical damage constitute attacks under IHL. For a number of States, as well as the ICRC, during an armed conflict an operation designed to disable a computer or a computer network constitutes an attack under IHL, whether the object is disabled through kinetic or cyber means.

Although non-binding, the Tallinn Manual on the International Law Applicable to Cyber Operations Rule 30 defines a cyberattack as a "cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects." This definition focuses thus on the consequences - the harm - of the attack rather than the way it is conducted. The notion of consequential harm 'encompasses any reasonably foreseeable consequential damage, destruction, injury or death.'

Therefore, to be considered as an attack in the meaning of the laws of war, its consequences must reach a certain threshold of harm, which is not clearly defined, although excluding "de minimis damage or destruction."

The Tallinn Manual 2.0 broadens the definition regarding the target, which does not need to be the adversary, to make sure that all civilians are included, but also regarding the effects. Indeed, they also encompass "serious illness and severe mental suffering that are tantamount to injury."

Rules to protect the civilian population against the effects of hostilities

If the operation amounts to an attack, the commander preparing and launching it is bound by the rules on Conduct of Hostilities enshrined in the 1907 Hague Regulations, Additional Protocol I of 1977 to the Geneva Conventions, and customary international humanitarian law. They detail the three main sets of rules on distinction, proportionality, and precautions which aim to protect the civilian population.

The rules on distinction

The principle of distinction between military objectives and civilians and civilian objects is enshrined in Articles 48, 51(2), 52(2) of API and the rules 1 and 7 of CIHL. It prohibits any indiscriminate attack targeting anything but military objectives as defined under Art. 52(2). Those provisions protect the civilian population or individuals who shall not be the object of an attack "unless and for such time" as they are directly participating in the hostilities, as well as civilian infrastructures unless they turn into a military objective. In addition, dual-use objects used for both for military and civilian purposes are to be considered as military objectives, even if the military use is secondary. In case of doubt as to whether an object that is normally dedicated to civilian purposes is being used to make an effective contribution to military action, it must be presumed to remain protected as a civilian object.

The principle of proportionality

The principle of proportionality is defined in Article 51(5)(b) of AP I: an attack is prohibited if it "may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated." If the notion of excessiveness is not clearly defined, this principle binds the commander to assess, ex ante and based on the information available at the time, what incidental civilian harm is expected to be caused, in relation to the concrete and direct military advantage gained. It is transcribed in Rule 113 of the Tallinn Manual 2.0.

In order to assess proportionality, the commander must take into consideration not only the direct harm resulting from the attack, but also the indirect effects which comprise "the delayed and/or displaced second-, third-, or higher-order consequences of action, created through intermediate events ormechanisms." Indirect effects are even more important in the cyber context than the primary ones because the effects on infrastructures controlled by the targeted system or on the persons and objects relying on those infrastructures are very often more relevant than the effects on the system themselves.

The rules on precautions

The attacker shall always take all feasible precautions pursuant to Article 57 of AP I. This binds those "who plan or decide upon an attack" to do "everything feasible" to verify that the target is legitimate, to take in any event "all feasible precautions" to avoid or minimize incidental civilian harm and to "refrain from deciding to launch" an attack which may be expected to violate the rules on proportionality. If it becomes "apparent" that the attack will violate the principle of distinction or proportionality, it shall be "canceled or suspended" pursuant to Art. 57(2)(b). In addition, "unless circumstances do not permit," an effective warning shall be given if the attack may be expected to affect civilians under Art. 57(2)(c).

Most of the rules on precaution bind the attacker. The defender, nevertheless, has obligations to take passive precautions under Article 58 "to the maximum extent feasible." In cyberspace, this could include attempts to limit the interconnectivity between the civilian and military systems, or to develop shields to protect the "civilian " cyberspace.

What happens if the attack does not amount to the threshold required under Art. 49?

Even if the operation does not amount to an attack in the meaning of Article 49, some rules providing for general protection apply, protecting the civilian population and individual civilians against danger arising from military operations. This includes the Martens Clause (referring to "principles of humanity") and some articles arguably applicable to all operations (as Art. 48 AP I on the obligation "at all times" to "distinguish between the civilian population and combatants and between civilian objects and military objectives" or the articles on precautions). Human Rights Law also remains applicable.

What does it mean to directly participate in hostilities in cyberspace?

Civilians are protected under IHL "unless and for such time they are directly participating in hostilities" (Article 51(3) AP I). The ICRC has developed a guidance to clarify what can be understood as direct participation in hostilities, establishing three requirements to be considered as such.

1. The act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack (threshold of harm).
2. There must be a direct causal link between the act and the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part (direct causation).
3. The act must be specifically designed to directly cause the required threshold of harm in support of a party to the conflict and to the detriment of another (belligerent nexus).

Those rules also apply to cyber operations when they occur during an armed conflict (Rule 97 of the Tallinn Manual 2.0).

PROTECTING THOSE WHO FALL INTO THE HANDS OF THE ENEMY

The Geneva Conventions provide protection to persons that fall into the hands of the enemy, mainly Prisoners Of War (POW) as defined under Article 4 of GC III/Article 44 of AP I, and civilians that are protected persons under the definition given in Article 4 of GC IV. With regards to cyberspace, specific attention must be given to some provisions including those regulating family links and communication opportunities. Article 25 GC IV requires for example that all persons in the territory of a party to the conflict or in occupied territory must be enabled to exchange family news. If this communication is prevented, the legality of the process must be carefully examined.

The law of occupation - what is applicable in cyberspace?

Annexation of territories is prohibited under Art. 2(4) of the UN Charter as it violates the territorial integrity and the political independence of a State.

As stated in the Tallinn Manual, there is no legal notion of occupation in cyberspace. Cyber operations alone cannot reach the threshold and cumulative criteria to constitute occupation under IHL. "However, cyber operations can be employed to help establish or maintain the requisite authority, for example, by enabling the issuance of certain notices required by the law of occupation to the population. Conversely, cyber operations are capable of employment to disrupt or degrade computer systems used by an Occupying Power to maintain authority" (Chapter VI on occupation). Moreover, seizure of properties and rules regarding compelled labor for instance, apply the same way as in occupation.

The Occupying Power (OP) is bound to respect to the maximum extent the laws in force in the country it occupies, including the ones related to cyberspace. However, some articles know exceptions if the laws constitute a threat to the security of the occupying power or if they prevent the application of IHL. Article 64 of GC IV states for instance that "the Occupying Power may, however, subject the population of the occupied territory to provisions which are essential to enable the Occupying Power to fulfill its obligations under the present Convention, to maintain the orderly government of the territory, and to ensure the security of the Occupying Power, of the members and property of the occupying forces or administration, and likewise of the establishments and lines of communications used by them."

The Tallinn Manual provides precisions regarding the interpretation of the rules applicable in occupied territory in cyberspace (See rules 87 to 90). For example, the OP must protect protected persons from the harmful effects of cyber operations, including making sure that a means of communication always remains for them to communicate with members of their families. As it is prohibited under GC IV, the prohibition of compelling enemy nationals to take part in military operations extends to cyber activities (see rule 87§6 for details). The OP must comply with the laws in force in the occupied territory (including on freedom of speech and intrusions into privacy) and ensure the continuity of the infrastructure essential for the functioning of the occupied territory. However, it is authorized to curb freedom of expression, and of the press provided that the requisite conditions are met. It can also repeal or suspend laws in force that prejudice its cyber operations in case they represent a threat to its security. The Occupying Power can also confiscate a state’s movable property for its military operations and use the data of the State for its military operation.

INTERNATIONAL HUMAN RIGHTS LAW APPLICABLE

Human Rights Law remains applicable in times of armed conflict and is applicable to cyberspace: people have the same rights online asoffline.

The right to privacy, freedom of expression or data protection for instance continue to apply. A State is considered to exercise jurisdiction over territory that is under its effective control as well as individuals that come within its power.

As an example, the right to privacy is enshrined in Article 17 of the ICCPR and in Article 8 of the ECHR.
However, those two conventions allow derogations for certain rights in times of public emergency (Article 4 of the ICCPR, Article 15 of the ECHR).
Moreover, any State Party "availing itself of the right of derogation shall immediately inform the other States Parties to the present Covenant, through the intermediary of the Secretary General of the UN" for the ICCPR and the Secretary General of the Council of Europe for the ECHR.

To date, the Russian Federation is not currently bound by the ECHR, having been excluded from the Council of Europe.

The Russian Federation had not notified the Secretary-General of derogation from Covenant rights and thus remains under the obligation to respect them.

Ukraine declared a State of Emergency on 23 of February 2022, for a period of 30 days. Ukraine notified the UN Secretary General of its waiver of obligations under articles 12, 13, 17, 19, 20, 21, 22, 24 and 25 of the ICCPR; articles 8, 9, 10, 11 and 14 of the ECHR; articles 1- 3 of the Additional Protocol to the ECHR; and article 2 of Protocol No. 4 to the ECHR. It also notified of derogation from articles 3, 8(3), 9, 12, 13, 17, 19, 20, 21 and 24 – 27 of the ICCPR; articles 4 (paragraph 3), 8, 9, 10, 11, 13, 14, 16 to the ECHR; Articles 1, 2 of the Additional Protocol to the ECHR; and Article 2 of Protocol No. 4 to the ECHR. The derogation has been first extended twice, and then until the 21st of November 2022.

In any case, those International Human Rights treaties know absolute and non-derogable rights, including the right to life and the prohibition of torture.

Cyberattacks and operations during the armed conflict have impacted most sectors of economic activity, which for the majority, provide infrastructure or services essential to the survival of the civilian population. The most impacted sectors to date include Energy, Financial, ICT, Media, Public Administration and Transportation. Other sectors have been targeted including the Health and Agriculture sectors. Some difficulties arise when it comes to the applicability of IHL, notably regarding the geographical scope (please refer to the section "international normative framework and the applicability of International Humanitarian Law").

UNDER INTERNATIONAL HUMANITARIAN LAW

Civilian objects are protected unless they qualify as military objectives defined under Article 52(2) AP I. Besides this general protection, some infrastructures are benefitting from a special protection. Medical facilities benefit from this special protection but not only. The articles 52 to 56 of AP I focus on the protection of objects indispensable to the survival of the population, works and installations containing dangerous forces, but also cultural objects and places of worship and the natural environment.

Medical Units and Establishments

Medical personnel, both military and civilian medical units and establishments benefit from a special protection under IHL mentioned in GC I (articles 19, 20 and 35), GC II (articles 22, 29) and GC IV (article 18) for civilian infrastructures as well as in Art. 12 of AP I. The definition of the medical units and facilities protected are to be found in Article 8 of AP I.

Under certain circumstances, those infrastructures can lose protection (Articles 21/22 GC I, Art. 34 GC II for military ones and Article 19 GC IV, Art. 13 AP I), if they are used to "commit, outside their humanitarian function, acts harmful to the enemy."

Objects indispensable to the survival of the civilian population

Objects indispensable to the survival of the civilian population are defined in the Article 54 of AP I. The second paragraph states that those objects (no matter if they are private or public) cannot be attacked, destroyed, removed or rendered useless and identifies as examples ("such as")"foodstuffs, agricultural areas for the production of foodstuffs, crops, livestock, drinking water installations and supplies and irrigation works."

This prohibition applies when the operation is conducted "for the specific purpose of denying them for their sustenance value to the civilian population or to the adverse Party, whatever the motive, whether in order to starve out civilians, to cause them to move away, or for any other motive." These objects shall also "not be made the object of reprisals" (paragraph 4).

This prohibition knows two exceptions:

• If such objects are used by an adverse Party "as sustenance solely for the members of its armed forces" or "in direct support of military action" provided that it would never be expected "to have serious effects on supplies for the civilian population."
• A derogation may be made by a Party to the conflict to defend its national territory under its own control against invasion wher e "required by imperative military necessity."

On this last point, the ICRC commentary states that in all cases, an occupying power may not destroy objects located in the occupied territory which are indispensable to the survival of the civilian population, even when withdrawing from such territory.

Works and installations containing dangerous forces

The protection of works and installations containing dangerous forces is stated in Article 56 AP I. It is granted to dams, dykes and nuclear power stations. All the attacks, even if targeting lawful military objectives in the vicinity of those installations, that may cause the release of the dangerous forces resulting in "severe losses among the civilian population" are prohibited. They cannot be the object of reprisals.

This prohibition knows exceptions mentioned in the second paragraph.

• For a dam or a dyke only if it is "used for other than its normal function" meaning that it is used for a purpose other than containing an actual or potential mass of water, and "in regular, significant and direct support of military operations and if such attack is the only feasible way to terminate such support" (2)(a),
• For a nuclear electrical generating station as well as for other military objectives located at or in the vicinity,"only if they are used in regular, significant and direct support of military operations and if such attack is the only feasible way to terminate such support" (2)(b) and (c).

The ICRC Commentary of 1987 states that "it would not be reasonable to claim that merely supplying electricity constitutes direct support of military operations in accordance with the definition" and that it disagrees with the view that the expression "military operations" "could cover factories producing armaments, ammunition and militaryequipment." It adds that "in the case of nuclear electrical generating stations, it is relatively easy to stop electricity reaching its destination by attacking the electricity lines" resulting in the achievement of the operation without taking the risk of releasing dangerous forces.

POLICY AND INTERPRETATION

The UN Group of Governmental Experts on Development in the Field of Information and Telecommunications in the Context of International Security published a report in 2015 recommending States, among others, not "to conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public", to take "appropriate measures to protect their critical infrastructure from ICT threats", to "respond to appropriate requests for assistance by another State". Both this report and the report by the GGE on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (July 2021) urge States to "determine which infrastructures or sectors it deems critical within its jurisdiction" in order to facilitate international cooperation.

Recognition of the health sector as critical

Since the COVID-19 pandemic, a consensus has been reached regarding the protection of the health sector. The 2021 GGE’s report included the following guidance that mentioned the healthcare sector: "The COVID-19 pandemic heightened awareness of the critical importance of protecting health care and medical infrastructure and facilities, including through the implementation of the norms addressing critical infrastructure (such as this norm and norms (g) and (h)). Other examples of critical infrastructure sectors that provide essential services to the public can include energy, power generation, water and sanitation, education, commercial and financial services, transportation, telecommunications and electoral processes. Critical infrastructure may also refer to those infrastructures that provide services across several States such as the technical infrastructure essential to the general availability or integrity of the Internet. Such infrastructure can be critical to international trade, financial markets, global transport, communications, health or humanitarian action."

The final substantive report of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security states: "While agreeing on the need to protect all critical infrastructure (CI) and critical information infrastructure (CII) supporting essential services to the public, along with endeavouring to ensure the general availability and integrity of the Internet, States further concluded that the COVID-19 pandemic has accentuated the importance of protecting healthcare infrastructure including medical services and facilities through the implementation of norms addressing critical infrastructure, such as those affirmed by consensus through UN General Assembly resolution 70/237."

To date, on the international level, some States have provided more or less precise definitions of what they consider to be critical infrastructure or have referred to some examples without giving adefinition. When looking at the national positions available, only a few States provide clear lists of what they consider to be critical infrastructures or the sectors that are concerned.

The armed conflict in Ukraine

In the ongoing armed conflict in Ukraine, defining what a critical infrastructure is, is important to enhance their protection and to protect the civilian population. Moreover, it is also important for the non-belligerent states that are affected by cyber operations or even targeted, to improve the resilience of those infrastructures, to avoid or at least minimize the spill-over effects of an attack occurring in the belligerent States.

In 2022, Ukraine and the Russian Federation developed their views on what they considered as critical infrastructures giving some examples but without providing clear lists.

War is now increasingly being fought beyond land, sea, and air to encompass cyber space, the information space and outer space, with a combination of kinetic and non-kinetic attacks.

A central tenet of the protection of civilians and of the normative framework put in place to this end is the provision of limits to the ways in which wars are fought, and that military force should be proportionate, not excessive, and not indiscriminate. Thus, avoiding harm to protected persons and objects is paramount. Due to the inherently interconnected nature of cyberspace, it is extremely difficult to map a complete picture of the harm and impact that a cyberattack causes. The aim of this platform is to contribute to this work, providing an overview of some of the pieces of this picture.

During armed conflict harm to civilians must be avoided to the greatest extent possible. With the use of cyber operations, the challenge is that it may be extremely difficult to assess potential harm to civilians and hence to do the calculation as to whether the harm caused to civilians is proportionate or excessive to the military objective. This is because of the interconnected nature of infrastructure, the inherently dual nature of infrastructure (which is targetable if falling under the definition of a military objective under IHL), and the difficulty to assess the impact and unintended consequences of attacks using cyber tools.

This interconnected nature of cyberspace also leads to another challenge: the spillover effects as a result of cyberattacks. These can be intended or unintended consequences of actions, but either way they can impact upon protected people. Whether it is an internet shutdown or an attack against a hospital, the civilian population is at risk. Individuals can be impacted by consequences of a cyberattack even if they are not directly targeted.

In IHL, the notion of harm is related to the notion of foreseeability. When preparing or launching the attack there must always be an assessment ex ante of the potential harm it could cause according to the information available at the time. To assess the final harm from the attack, one cannot only refer to the IHL notion of foreseeable harm and damage: it is important to assess the consequences of the attack on the civilian population, whether or not those operations were lawful under IHL. The notion of harm raises a lot of questions: what does harm and de minimis damage mean? Is there a threshold of damage required to reach the notion of harm? What kind of damage falls under this notion? Can psychological harm be considered? And so on.

This platform aims to shed light on this impact by documenting qualitative information about the impact and harm of cyberattacks on critical infrastructure, individuals and society.

Why is it important to attribute acts?

Attribution is a technical step in international law for attaching a given act or omission to a relevant actor, such as a state, for the purposes of determining who is responsible for a violation of international law and which is the appropriate legal framework establishing the rights and obligations of states affected by an incident and impose consequences, if appropriate. Thus, attribution is critical for accountability under the law, remedy, and redress for victims of cyberattacks.

Attribution of an attack under international law triggers State responsibility, and may trigger the application of IHL, and/or activate the right to respond in self defense. Especially in a situation of armed conflict it is important not to rush to make attributions without such investigations, even when there is political and/or military pressure to attribute quickly. In relation to the use of cyber operations in conflicts, it is important to continue to document attacks, assess the impact on people and ensure that such information is available for potential accountability mechanisms.

An International Armed Conflict (IAC) is triggered "whenever there is a resort to armed force between States ", this definition is "generally considered as the contemporary reference for any interpretation of the notion of armed conflict under humanitarian law". This includes situations in which an (i) act of violence, is attributable to one State, (ii) against the population, armed forces or territory of another State. The existence of an armed conflict must be deduced from thefacts.

To attribute such conduct to a State, the draft Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA - Articles 4-11 on attribution) are usually used in International Law. However, it can be very difficult to attribute a cyberattack to a State among others because of the complexity of attribution and anonymity of attacks, and a reluctance to publicly reveal technical sources and methods of intelligence.

During armed conflict, attribution of acts to individuals is essential to be able to trace the actions of the belligerents and/or attackers, to assess their compliance with international humanitarian law and/or other legal regime they are bound by and the possible misconducts and violations, and for accountability for violations of the law. There is also an opportunity to identify good practices, gaps in the law or where clarification of the law is required.

Why is attribution particularly challenging in cyberspace?

The agreed standard for attribution under international law is reflected in the International Law Commission’s Articles on State Responsibility("ILC Articles").

There are several types of attribution:

1. Technical attribution - the forensic investigation of a malicious incident to the origins of an attack platform, specific software, hardware, code, or modus operandi.
2. Political attribution - determining or disclosing by a State who is the party(s) responsible for an attack including a nation state, State-sponsored group, criminal group, collective, etc. based on analysis, assessment and/or judgement.
3. Legal attribution - determining who is responsible for an attack based on technical means to identify the origin of the attack and legal criteria in order to ascribe legal consequences and/or other sanctions, for example through a court of law. Attribution of a cyberattack under international law may trigger the application of IHL, State responsibility, and/or activate the right to respond in self-defense.
4. Legal attribution - determining who is responsible for an attack based on technical means to identify the origin of the attack and legal criteria in order to ascribe legal consequences and/or other sanctions. Attribution of a cyberattack under international law may trigger the application of IHL, State responsibility, and/or a self-defense response.

Attribution of a cyberattack or operation is significantly more difficult than for kinetic operations. Some reasons for this are:

• the origin of the attack can be misleading when the attacker uses compromised machines to launch their attack.
• attribution requires deep analysis of Tactics Techniques and Procedures (TTPs) used by threat actors, similarities of the code or the compilation of malware and data on the command & control infrastructure.
• the consequences or damages from cyberattacks may be difficult to quantify as they may be delayed (occurring several hours, days, months after the attack was launched), direct and indirect.

The attribution of responsibility for a cyberattack to a certain attacker or group of attacks must be based on evidence, which may be of a technical and legal nature. The quality of an attribution is a function of available resources, time, evidence, data, verification means, etc. Speculating about or wrongly attributing an attack may lead to an escalation in hostilities. So far, in general many attributions have been politically based, not technically or legally based.

In the armed conflict between Ukraine and the Russian Federation, there have been a significant number of "self" attributions, in which threat actors publicly disclose a cyberattack attributing themselves as the actor behind the attack.

How is a war crime prosecuted ?

• During an armed conflict, the High Contracting Parties "undertake to respect and to ensure respect" of IHL, as stated in Article 1 of each of the Geneva Conventions. The Geneva Conventions and Additional Protocol I include a set of particularly serious breaches, called "grave breaches". The High Contracting Parties "undertake to enact any legislation necessary to provide effective penal sanctions for persons committing, or ordering to be committed, any of the grave breaches". IHL also requires States "to search for persons alleged to have committed, or to have ordered to be committed, such grave breaches, and shall bring such persons, regardless of their nationality, before its own courts" or extradite them to another State for prosecution. IHL confers universal jurisdiction over grave breaches on all States.
• The Nuremberg trials were the first time that leaders of a State were prosecuted in an international military tribunal created especially to make sure that heads of States committing, or ordering the commission of war crimes would not go unpunished. The International Criminal Tribunal for the former Yugoslavia (ICTY) and the International Criminal Tribunal for Rwanda (ICTR) were set up in response to the violations committed in these two conflicts. Hybrid tribunals (national jurisdictions with international participation) in Lebanon and in Sierra Leone have also been set up.
• The international community also created a permanent international criminal court of justice to prosecute perpetrators of certain defined crimes. The Rome Statute adopted in 1998, entered into force in 2002, establishing the International Criminal Court (ICC). It investigates and, where warranted, tries individuals charged with the crimes of genocide, war crimes, crimes against humanity and the crime of aggression. Neither Ukraine nor the Russian Federation are parties to the Rome Statute. However, Ukraine has accepted the ad hoc jurisdiction of the Court by lodging two Article 12(3) declarations on two occasions before the ongoing conflict. The second declaration extended to alleged crimes committed from February 20, 2014, onwards, meaning that the ICC has jurisdiction to prosecute any individual who allegedly committed crimes falling within its jurisdiction on Ukrainian territory. This concerns war crimes, crimes against humanity and crimes of genocide but does not extend to the crime of aggression, for which both States (the aggressor and the victim) involved must be State parties.
• Apart from those possibilities, war criminals can be prosecuted according to domestic laws.

What can be done when it comes to cyber operations that are not bound by IHL (for example for geographical reasons or because it did not reach the necessary threshold of damages) or that do not amount to a grave breach or a war crime?

In those cases, it is necessary to rely in the first instance on peacetime international law and domestic law of the countries in question, Human Rights Law for instance with regards to Data Protection or Privacy Law.

Apart from that regional and international instruments may exist.

The first international Convention on Cybercrime was opened by the Council of Europe in Budapest in 2001 and entered into force in 2004. This treaty is open for signature by the member States and the non-member States which have participated in its elaboration and for accession by other non-member States. Today there are 68 State Parties and 15 countries have signed or been invited to accede. Ukraine is a party to the Budapest Convention, the Russian Federation is not.

The United Nations General Assembly created an "Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes" (AHC). The AHC is discussing an international instrument on cybercrime with the process foreseeing a draft convention being proposed to the UN General Assembly at the 78th session in September 2024.

Current challenges related to the interpretation and application of law and policy in relation to cyberattacks and operations relate to their unique characteristics. It is important to identify and clarify these in order to ensure the protection afforded by the law, the limits imposed by existing rules and - where required - develop additional law and policy. Challenges regarding interpretation are obstacles to enforcing and developing the legal framework and to elaborating adequate and accurate policies at the international level.

Harm and impact

One such important unknown to recognize is the true scale of the human impact of cyber operations. This is also true for kinetic operations, but cyber operations lend another layer of uncertainty as the impact on victims can materialize only after a time delay or may be indirect but cause harm.

It is also difficult to directly attribute impact to one cyberattack or operation, as sometimes these operations can take place over a long period of time such as espionage-related endeavors or disinformation campaigns, or they can be one in a series of operations that changes ever so slightly each time to avoid detection. There will also be a level of uncertainty in this regard, but the investigation of cyberattacks and operations is a developing field that needs time to mature.

The notion of data

Military objectives are limited to objects under IHL (Article 52(2) of the first Additional Protocol to the Geneva Conventions). Whether or not data should be considered as an object is still controversial when looking at States positions, with no clear majority view emerging thusfar. Considering the particular circumstances of warfare and the increasing volumes of data relied upon by society to function, the impact it can have if data is deleted, tampered with, exfiltrated and/or weaponized is enormous. Thus, it should be included under the interpretation and application of existing rules it to the extent that an attack targeting data would have negative effects on the civilian population or infrastructures.

The notion of Direct Participation in Hostilities

This is particularly challenging in cyberspace (please refer to the section applicability of IHL)

The geographical scope

The geographic scope of IHL (please refer to the section applicability of IHL)

The notion of belligerency.

The armed conflict between Ukraine and the Russian Federation has shown that cyber operations can be an integral part of the way war is waged. It also means that anyone, from his or her computer or cellphone can have some ability to help or harm another device, another group of persons, another entity that might be on the other side of the planet. Today, we see individuals using their devices to participate in the hostilities, to act against one of the belligerents, or allies. Companies are also advising or supporting the belligerents with tools that could help them to better detect and/or protect themselves from cyber operations, but also to be more efficient when conducting a cyber operation. This raises questions about the notion of Direct Participation in Hostilities, highlighted in the section applicability of IHL.

The same way as a State supplying a belligerent State with weapons is usually not considered as a belligerent unless it has some sort of control over the operations conducted or over the group it is supplying, the same logic could be applied with private companies providing cyber tools or assistance. However, companies are not States and cannot become belligerent in an IAC. The individuals working in such a company might be considered as directly participating in hostilities in certain cases, but the company itself is not generally considered to be directly bound by IHL. Other rules and treaties would apply in such a case.

When it comes to States, an attack can trigger an IAC if it is attributed to a State towards another State. To trigger an IAC, there is no threshold of violence needed.

The notion of espionage and surveillance

Harmful information, disinformation, misinformation and hate speech

There is specific reference to misinformation and propaganda in IHL. Article 37 (2) of AP I states that "Ruses of war are not prohibited. Such ruses are acts which are intended to mislead an adversary or to induce him to act recklessly but which infringe no rule of international law applicable in armed conflict and which are not perfidious because they do not invite the confidence of an adversary with respect to protection under that law. The following are examples of such ruses: the use of camouflage, decoys, mock operations and misinformation." Article 51(1) of GC IV which states that "The Occupying Power may not compel protected persons to serve in its armed or auxiliary forces. No pressure or propaganda which aims at securing voluntary enlistment is permitted".

The use of propaganda, misinformation and disinformation is not necessarily prohibited under IHL, however,"certain forms … can violate specific IHL rules. For instance, IHL prohibits "acts of threats of violence, the primary purpose of which is to spread terror among the civilian population." Parties to armed conflict are prohibited from encouraging violations of IHL, this includes through misinformation, disinformation and hate speech.

Under the International Covenant on Civil and Political Rights states are required to prohibit "any advocacy of national, racial or religious hatred that constitutes incitement to discrimination, hostility orviolence."

The quantity of misinformation, disinformation and hate speech circulating today is of concern considering the harm that it can cause to civilians: severe mental suffering, exposure to retaliatory violence, misleading information that could prevent them from accessing healthcare, humanitarian aid, etc., as well as to the acceptance and security of humanitarian organizations carrying out humanitarian activities in situations of armed conflicts.

Including cyberspace in ceasefire agreements

During armed conflicts, the parties to the conflict might agree on a ceasefire or commit to a unilateral ceasefire. It is important to determine to which extent such agreements can include cyber operations and be monitored to ensure compliance. It is important to distinguish between cyber operations of a military character and espionage operations. It would seem unlikely that a ceasefire would apply to cyber (or other) intelligence/espionage operations.

Digital emblems to protect specially protected objects

In the physical world, specially protected objects under IHL, such as medical objects, cultural heritage, nuclear plants etc., can be marked with a sign or signal to alert the attacker that this object must be avoided and protected to the maximum extent.

In the digital domain, there is no currently accepted sign, signal or emblem. The ICRC is currently examining the benefits and potential risks of a digital emblem, that is a digital sign or signal to identify the data and digital infrastructure of protected medical entities and of certain humanitarian organizations to better signal their protection in cyberspace too.