In recent years, cyber operations have shown that essential civilian infrastructure – power grids, hospitals, and even nuclear plants – are at risk of disruption through digital means. Until now, disruptive cyber operations have occurred primarily outside the context of armed conflicts. However, a few States have publicly acknowledged using cyber operations during armed conflict, and an increasing number are developing military cyber capabilities.

Hostile cyber operations are high on the agenda of the international community. In 2018, States agreed to establish two intergovernmental processes on security related issues in cyberspace. In December 2019, the ‘Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security’ (OEWG) and the ‘Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security’ (GGE) will convene in New York. Both groups are mandated to study ‘how international law applies to the use of information and communications technologies by States’. One important field in the context of international security, and a point of contention in past discussions on information and telecommunication technologies, is international humanitarian law (IHL).

The ICRC has just submitted a position paper on cyber operations and IHL to both groups to support the deliberation of States. Here are the five key points from the position paper for consideration by lawyers and policy makers during discussions:

1. Cyber operations can cause human harm

Technology is advancing quickly. During armed conflict, cyber operations have been used in support of or alongside kinetic military operations. They have the potential to help achieve military aims without harming civilians or causing physical damage to civilian infrastructure. However, recent cyber operations – which have been mostly conducted outside the context of armed conflict –reveal that sophisticated actors have the capability to disrupt the provision of essential services to the civilian population.

By means of cyber operations, a variety of “targets” in the real world – such as industries, infrastructure, telecommunications, transport, or governmental and financial systems – can be disrupted, altered or damaged. Based on discussions with experts from all parts of the world and its own research, the ICRC published a report earlier this year on ‘The Potential Human Costs of Cyber Operations’. Experts underlined, for instance, that the health care sector appears to be particularly vulnerable to both direct cyber attacks and incidental harm from such attacks directed elsewhere.

2. IHL applies to cyber operations during armed conflict

The question of whether IHL applies to cyber operations has been a recurring topic of discussion among States. In 2015, the Group of Governmental Experts recalled that international law applies to the use of information and telecommunication technology, and State experts took note of ‘established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction’. While this list of principles does not mention IHL explicitly, some commentators have pointed out that these are actually ‘IHL’s core principles’.

From a legal point of view, there should be no doubt that existing IHL principles and rules apply to new weapons, means and methods of warfare, including those relying on information and telecommunications technology. When States adopt IHL treaties, they do so to regulate future conflicts. States have included rules that anticipate the development of new means and methods of warfare in IHL treaties, presuming that IHL will apply to them. For instance, if IHL did not apply to future means and methods of warfare, it would not be necessary to review their lawfulness under existing IHL, as required by Article 36 of the 1977 First Additional Protocol.

Moreover, in the Advisory Opinion on the legality of the threat or use of nuclear weapons the International Court of Justice the Court recalled in paragraph 86 that the established principles and rules of humanitarian law applicable in armed conflict apply ‘to all forms of warfare and to all kinds of weapons’, including ‘those of the future’.

It is similarly clear, however, that any use of force by States – cyber or kinetic – is governed by the UN Charter, in particular the prohibition against the use of force. International disputes must be settled by peaceful means, in cyber space as in all other domains. Asserting that IHL applies does not encourage the militarization of cyberspace or legitimize cyber warfare. Instead, it affirms existing protection for civilian populations in the unfortunate event of an armed conflict and, in fact, limits the type of means and methods of warfare that may be developed in case States decide to militarize cyberspace.

3. IHL provides essential rules protecting civilian populations

Existing IHL treaties and customary law provide rules on a number of issues during armed conflict. In cyberspace, the rules on the conduct of hostilities are particularly relevant, from the principles of distinction, proportionality, and precautions to specific rules, such as the prohibition to render useless objects indispensable to the survival of the population, the obligation to respect and protect medical services, and many others.

Despite the interconnected nature of cyberspace, IHL principles and rules can and must be respected (see ICRC Challenges Report 2019, pp 27-28). Not all cyber tools are indiscriminate by nature. While some were designed to self-propagate and indiscriminately affect widely used computer systems, this is not by chance: the ability to self-propagate usually needs to be specifically included in the design of such tools. In contrast, other cyber operations appear to have been rather discriminate from a technical perspective. They were targeted at specific objects and did not spread and cause damage indiscriminately. However, the interconnectivity that characterises cyber space means that whatever has an interface with the internet can be targeted from anywhere in the world. A cyber attack targeted at a specific system may also have repercussions on various other systems. As a result, there is a real risk that cyber operations violate IHL and cause direct or excessive incidental harm to civilians.

4. We need to clarify how key IHL notions apply in cyberspace

To protect the civilian population from the negative effects of cyber operations, IHL principles and norms need to be understood and interpreted in a manner that takes into account the specific characteristics of cyberspace. Three key issues illustrate this point:

First, while cyberspace is predominantly used for civilian purposes, civilian and military networks may be interconnected. Military networks may rely on civilian cyber infrastructure, such as undersea fiber-optic cables, satellites, routers or nodes. In certain circumstances, the military use of civilian cyberspace infrastructure can turn that infrastructure into a military objective (see ICRC Challenges Report 2015, p. 42). It would, however, be a matter of serious concern if the military use of cyberspace led to the conclusion that many objects forming part thereof would no longer be protected civilian objects. In any case, even attacks against military objectives must respect the prohibition against indiscriminate attacks and the rules of proportionality and precautions in attack. In applying these rules, the interconnected nature of cyberspace and the risk of widespread incidental civilian harm must be considered.

The second issue relates to the notion of ‘attack’ under IHL (a notion that is different from the notion of ‘armed attack’ under the UN Charter). A number of IHL rules on the conduct of hostilities apply only to military operations that qualify as ‘attacks’. Additional Protocol I defines attacks as ‘acts of violence against the adversary, whether in offence or in defense’. It is widely accepted that cyber operations expected to cause death, injury or physical damage constitute attacks under IHL. The ICRC has repeatedly emphasized its view that an operation designed to disable a computer or a computer network during an armed conflict constitutes an attack under IHL, whether or not the object is disabled through kinetic or cyber means (see ICRC Challenges Report 2015, p. 41). Concretely, a cyber operation that is designed to render dysfunctional a civilian network – such as electrical or banking – constitutes a prohibited attack under IHL in our view.

The third issue is the question of whether data – for example civil registries, insurance data, medical data – benefits from IHL protections. Under IHL, civilian objects are protected against attack and against excessive incidental harm, but States take different views on whether data benefits from the same protection. The real-world impact of these differing positions can be significant. Deleting or tampering with essential civilian data could quickly bring government services and private businesses to a complete standstill. The conclusion that this type of operation would not be prohibited by IHL in today’s evermore data-reliant world seems difficult to reconcile with the object and purpose of IHL. Put simply, the replacement of paper files and documents with digital files in the form of data should not decrease the protection that IHL affords to them.

5. Any development of law or norms needs to build upon re-affirmed existing rules

The use of cyber operations as means or method of warfare in an armed conflict poses a real risk of harm to civilians. It is critical for the international community to find a common understanding on international rules that adequately protect the civilian populations against the effects of cyber operations. As cyber operations during armed conflicts are a reality today and their use is likely to increase in the future, in our view States should:

• Affirm that IHL applies to cyber operations during armed conflicts, on the understanding that such affirmation neither encourages the militarization of cyberspace nor legitimizes cyber warfare;
• Engage in a dialogue, and find a common understanding, on how existing IHL rules apply to cyber operations during armed conflict.

States need to determine whether existing law is adequate and sufficient to address the challenges posed by the interconnected and largely digital character of cyberspace, or whether it needs adaptation to the specific characteristics of cyberspace. From a humanitarian point of view, the answer to this question depends, to some extent, on the positions States take on some of the issues laid out above. If new rules are to be developed, however, they should build upon and strengthen the legal framework that already exists, including IHL.

See also

• Humanitarian Law & Policy Blog, Human Costs of Cyber – Blog Series, May-June 2019
• ICRC, International Humanitarian Law and Cyber Operations during Armed Conflict, 28 November 2019