Over the last few decades, militaries have grown increasingly dependent on electronics, computational systems and networked information technology. It is therefore unsurprising that they have simultaneously sought ways to exploit the inherent vulnerabilities in these operationally critical systems as a means of achieving military advantage. The incredible resources States are pouring into military cyber capabilities are a direct reflection of the significance they place on cyber operations as a new and valuable method of warfare. The rapid development of cyber capabilities, command structures, military doctrine, as well as reports—some publicly acknowledged—of the actual employment of cyber capabilities during military operations, all demonstrate that cyber operations are neither theoretical nor ephemeral. Militaries will surely continue to develop these capabilities and plan for their employment in new and creative ways. However, this reality should not be viewed solely through a negative or alarmist lens.

But too frequently analysis of new military technologies gravitates immediately toward the negative, presuming adverse humanitarian impacts while not only understating the possible military advantages new technologies may offer, but also ignoring the real potential they may have to actually mitigate the risks to civilians and other protected persons arising from hostilities. This tendency often results in overstatements of risk and premature calls for new regulation or outright bans. Given the widespread uncertainties and misunderstandings surrounding cyber capabilities, it is not surprising to see this inclination at play, including during the ICRC’s recent expert meeting on The Potential Human Costs of Cyber Operations.

The purpose of the meeting—to ‘shed light on the potential human cost of cyber operations through a better understanding of the technical issues surrounding these operations’—was laudable. As with any new technology that offers potential military utility, careful consideration should be given to the IHL implications of using cyber capabilities as a new means of warfare. Given some States’ recent backtracking on the basic premise that IHL even applies to cyber operations during armed conflict (see here), continued emphasis on the non-negotiable role IHL plays in conflict regulation, regardless of the technological means and methods employed, is essential. And given the continued ambiguities regarding how IHL applies to cyber operations, even among those States that correctly recognize its applicability, thoughtful study and recommendations should be welcomed.

Moving forward, however, it is important to ensure that this study of the IHL implications of cyber operations not be grounded too much on negative presumptions. Doing so would risk skewing the analysis and ignoring the potential benefits—both military and humanitarian—that the technology affords. 

There is no question that certain intrinsic characteristics of cyber operations present challenging IHL issues deserving thoughtful deliberation. The global information technology and telecommunications (ITT) environment of cyberspace is predominantly owned, operated and managed by the private sector; is integrated with the operation of critical infrastructures; and forms the backbone of commerce, governance, communication and, in many ways, social interactions. As such, civil society has grown increasingly dependent on cyber technology in almost all facets of daily life. At the same time, militaries have also grown more and more dependent on global ITT and cyber capabilities. Thus, cyberspace offers a unique medium through which to operate against a wide array of targets free from the physical constraints of geography and territorial boundaries in ways that can effectively contribute to securing an enemy’s submission.

Because of these military dependencies, there is simply no question that under the right circumstances cyber operations can offer a definite military advantage to the employing force, and thus cyber capabilities can be employed consistent with the IHL principle of military necessity and, when applicable, distinction and proportionality. In addition, while cyber operations have the potential to cause some level of destructive or disruptive effect—both directly within cyberspace and indirectly in the traditional physical domains—more often, military commanders can leverage cyber capabilities to achieve tactical, operational and even strategic objectives through non-destructive means under circumstances that previously would have necessitated kinetic solutions.

Recent episodes like the launch and viral spread of the WannaCry ransomware—the subject of significant focus during the ICRC expert meeting—certainly raise legitimate humanitarian concerns. A self-propagating worm generally attributed to North Korea, WannaCry is reported to have affected more than 200,000 computers across 150 countries, with total damages estimated into the billions of dollars. One of the largest entities impacted was the National Health Service (NHS) in England and Scotland, putting the provision of healthcare services in direct jeopardy. Plainly, WannaCry was indiscriminate in effect and—at least in the case of the NHS—impacted entities critical to civilian health and welfare and subject to special protections under IHL.

Of course, because this event occurred outside the context of armed conflict, the lex specialis of IHL did not apply, raising separate questions as to the applicability and efficacy of the lex generalis of the law of State responsibility—questions beyond the scope of this post. Nevertheless, the WannaCry example demonstrates the reason why some might question whether the military advantages of cyber operations can be appropriately balanced with the humanitarian principles at the core of IHL.

As fair as these concerns may be—concerns exacerbated by the general secrecy surrounding cyber operations and by the fact that such operations can generate a wide range of effects—it would be wrong to presume from the outset that cyberspace is so sui generis that the extant rules of IHL are either inapplicable or incapable of doing the conflict-regulation work for which they are intended. To begin with, it would be a considerable mistake to suppose that WannaCry is a representative example of all cyber capabilities or operations, to the extent there is such a thing. Achieving an intended effect, either on a targeted system or the information resident thereon, is by no means dependent on the use of malware or the exploitation of system vulnerabilities, or on degrading the functionality of the targeted or collateral systems.

With limited exception, determining the IHL implications of employing any military capability is a fact-specific exercise. The same is true for cyber capabilities and operations. Notwithstanding certain interpretive challenges set out below, on the whole were WannaCry—or similar ransomware—to be considered for use as a military operation in the course of on-going hostilities, the extant rules of IHL would provide an effective framework for assessing legality and legitimacy. In other words, there is nothing particular about cyber capabilities to warrant a presumption that IHL is inadequate to the task of regulating their use in the course of armed conflict. Acknowledging the adequacy of IHL is not to downplay interpretive challenges that may arise. They are surely important, but not necessarily cause for alarm.

First among these challenges is understanding where a particular cyber operation aligns against the specific IHL rules or thresholds governing means and methods. In this regard, the customary international law meaning of ‘attack’ (as set out in Art 49 AP I) is of particular significance.

It is well understood that the specific IHL rules implementing the cardinal principle of distinction—which in its active form requires the parties to a conflict to ‘at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly direct their operations only against military objectives’—actually regulate a narrower class of actions than the quoted rule might suggest. It is simply a fact of IHL that in the deliberative process of international law making, States have chosen to reserve the most rigorous regulation of means and methods only to a sub-category of operations or actions—those constituting attacks—which IHL specifically defines as ‘acts of violence against the adversary, whether in offence or in defence’.

How the definition of attack applies to cyber operations is less than obvious. Given the wide array of effects that cyber operations can generate, many of these operations will simply never implicate the attack definition. This conclusion is reflected in the lack of consensus among the drafters of the Tallinn Manuals as to what level of harm to a cyber system below actual physical damage would amount to an ‘act of violence’, as well as their agreement that some impacts would absolutely not. The debate, also reflected in the Tallinn Manuals, over the nature of data and whether data can even constitute an ‘object of attack’ further complicates the analysis. These uncertainties potentially leave a wide range of cyber operations outside the scope of IHL targeting regulation. At first blush this may seem disconcerting. However, it is equally true of a vast array of other non-destructive military operations that can have negative impacts on civilians and the civilian population, but that for good reason are both permissible and subject to less exacting regulation.

Cyber operations can present equally difficult questions with respect to the passive side of the distinction coin, a subject that I and Commander Pete Pascucci tackle here. Drawing the line between lawful ruses, legitimate camouflaging to achieve security and surprise, impermissible deception and perfidy can be all the more clouded in cyberspace. But again, these are factual challenges presented by the particulars of the technology and specific operations, not inherently different than in other scenarios.

***

Whether understandings of how IHL’s targeting regime applies in this space will evolve and expand in response to the nature of cyberspace and the ubiquitous interconnectedness and civilian reliance on it remains to be seen. As in the past, States will ideally engage in an iterative process in addressing these questions, balancing the relative advantages afforded by cyber capabilities against the potential harm—or benefit—to civilians and the civilian population. Key to this analysis is the undeniable fact that under any number of factual scenarios, cyber operations will provide military commanders with a non-kinetic, non-destructive means to achieve military operational objectives that heretofore would have required the application of destructive kinetic force with all of the attendant collateral risks.

Studying the IHL implications of new means and methods of warfare like cyber capabilities and operations is important work requiring a balanced approach. As the ICRC’s study of the IHL implications of cyber operations proceeds, it should bear in mind that focusing too heavily on worst-case scenarios risks imbalanced conclusions. Such an approach diminishes consideration of the perspectives of military commanders on the inherent advantages of cyber operations. This alone will produce regulatory outcomes attenuated from the underlying logic of IHL. Even more troubling, however, is the risk that such an approach will fail to take into account the potential humanitarian benefits of employing cyber capabilities and the perverse consequence that in an effort to protect civilians, evolving regulation of cyber operations will actually deprive military commanders of capabilities that produce a net civilian-risk-mitigation advantage.

***

Col Gary Corn is Staff Judge Advocate of U.S. Cyber Command. The views and opinions expressed herein are those of the author and do not necessarily state or reflect those of the U.S. Cyber Command, the Department of the Army, the Department of Defense, or the United States Government.

***

See also

ICRC Report: The potential human cost of cyber operations, 29 May 2019

