What does the principle of proportionality entail for cyberspace operations in armed conflicts? How can you decide whether you are using a sledgehammer to crack a walnut when typing up codes on your keyboard?

The first thematic round table was held at the Humanitarium Centre in Moscow which opened in March 2016. Experts and specialists exchanged their views on the topic “Cyberspace operations in armed conflicts and the proportionality rule: Thinking out loud.” The event was co-organized by the Moscow Delegation of the International Committee of the Red Cross (ICRC), the PIR Centre and the Institute of Information Security Issues (IISI) of Lomonosov Moscow State University. Experts from Russia, Belarus, France and Switzerland considered the matter from theoretical and practical perspectives, while the audience enjoyed a unique opportunity to benefit from the discussion of lawyers and specialists in the field of information and computer security, and to ask the questions of interest.

Xavier Philippe, Professor at Aix-Marseille University, emphasized that we should not reduce the principle of proportionality to a mathematical formula. Our understanding of what can be considered as proportional collateral damage is inevitably subjective and should be contextualized. Nevertheless, from an expert’s point of view, the belligerent parties should exercise sufficient caution and put necessary efforts in order to minimize the damage from hostilities instead of trying to calculate the percentage ratio of civilian losses to the number of destroyed military objectives. Philippe reminded the audience that, understood in this way, the principle of proportionality should be taken into account during any kind of attack. Those responsible must foresee possible consequences of their actions for the civilian population regardless of the nature of those consequences. “It is more important to respect the procedure and to ask: ‘Do we or not violate the principle of proportionality?’, rather than “Are we going to achieve that specific result?’”, Philippe said.

Can we equate a cyber-attack to an armed attack in its classical meaning? Can a combination of zeroes and ones cause the same destruction as a bomber squadron? Nils Melzer, Professor at the Geneva Academy of International Humanitarian Law and Human Rights, addressed these questions by analyzing various approaches to interpretation and arguments of their respective supporters. One of the key issues in regulating cyber-attacks is the dependency of IHL rules’ applicability on factually establishing an “attack.” In the end, cyber-attacks, which do not always lead to physical destruction or casualties, may or may not fall under IHL restrictions. Everything depends on how the notion of “attack” is understood. In order to overcome this “terminological obstacle,” Melzer suggested looking to the basic IHL provisions, which, first of all, consider military objectives as the only lawful target of the military operations, and, secondly, set the obligation of the parties to respect the civilian population. In his expert opinion, these provisions, which apply to all military operations, if interpreted conscientiously, can provide an adequate legal basis for regulation of cyber-attacks. Melzer added that “we should take a step back from existing treaties and remember what are the principles that we base ourselves on, what is the purpose of IHL. In this case, many of those technical discussions will not be necessary if we remember that this is about protecting the civilian population and, therefore, that you cannot attack civilian computers.”

Is it possible to take the necessary precautions before a cyber-attack? What should be considered “damage” inflicted by a cyber-attack? How can a regular military foresee the indirect consequences that such an attack can have for the civilian population? Vera Rusinova, an associate professor of the Chair of International Public and Private Law of the Higher School of Economics, ascertained that the largely indirect character of damage caused by cyber-attacks, as well as the possibility to refer to the lack of necessary control or impossibility of taking precautions to protect civil objects, give belligerents a chance to escape responsibility and thus testify to the fact that existing IHL rules are insufficient for effective protection from consequences of cyber conflicts.

The speaker proposed various ways of solving this problem, “including new approaches to the interpretation of objects under special protection and, possibly, development of a distinctive protection code, which could be called, for example, a ‘Cyber Red Cross’.”

To what extent can information technologies be recognized as weapons? What are the similarities between a computer and a Kalashnikov rifle? The form in which “belligerents” confine themselves in cyberspace and the “weapons” they use fall outside of the IHL definitions.

While specialized knowledge is necessary to launch a hacker attack, one does not have to be a military to conduct such an attack. Pavel Karasev, a research fellow of the IISI, reported on the way States can provide protection to important objects in such a situation. “We have been talking about the fact that IHL is applicable to cyber operations and I think that it is time to use accumulated potential and prepare a proposal for States on the matter of how to apply IHL to this kind of operation,” Karasev said.

Is cyberspace as intangible as it seems to us? Where does it border with reality? Matvei Voitov, the head of the Critical Infrastructures Protection Department at Kaspersky Lab, considered that in reality we are talking about cyber-physical space, since it is quite possible to influence specific technological processes with the help of a keyboard. In the modern world a well-prepared hacker can not only stop the work of a factory, but also cause its destruction. In his presentation Voytov gave specific examples of such attacks, the number of which has significantly increased in recent years, and also explained how to protect oneself from them and the difficulties specialists in computer security face when carrying out this task.

Watch the full recording of the conference below (partly in Russian).