Cyber operations have become a reality of today’s armed conflicts, and their use is likely to continue to increase in the future. In response to this trend, the ICRC has long maintained that international humanitarian law (IHL) governs – and limits – any use of cyber operations during armed conflicts. But what is really at stake? In this post, ICRC legal advisers Tilman Rodenhäuser and Kubo Mačák explain that the risk of harm to humans is significant, and that the seemingly technical issue of IHL applicability in cyberspace makes a difference in the real world.

In today’s digitalizing world, States and non-State armed groups increasingly employ cyber capabilities in their military operations, and their use is likely to grow. Still, there is a debate – most prominently in the framework of the two multilateral processes under the auspices of the United Nations – as to how the existing international legal frameworks apply to such conduct in cyberspace.

Over the past 20 years, the ICRC position has remained unchanged: for us, there is no doubt that international humanitarian law (IHL, also called the ‘law of war’) applies to, and therefore limits, cyber operations during armed conflict (see e.g. here, pp. 36–37, or here, p. 4).

However, technical legal questions may cloud the very real benefits in terms of humanitarian protection offered by the application of this body of law to cyber operations.  So instead of risking a pedantic debate, let’s imagine for a moment that IHL didn’t apply to cyber operations during armed conflicts. What could modern conflicts look like?

The civilian population could be deprived of essential services, such as electricity

Cyber operations against the power grid are not without precedent. In times of armed conflict, belligerents might be tempted to hack into the power grid in enemy territory, switch off electricity in populated areas, and make every effort to avoid it being brought back on swiftly, whether to weaken the adversary or undermine the morale of the population. Such incidents would severely compound the vulnerability of the civilian population in conflict-affected regions.

However, IHL imposes clear limits on such operations if directed against, or expected to incidentally damage, civilian objects. The principle of distinction, described by the International Court of Justice (ICJ) as one of the ‘cardinal principles’ that constitute the ‘fabric of humanitarian law’, prohibits attacks against civilian objects. Moreover, IHL rules prohibit rendering useless objects indispensable to the survival of the population, such as drinking water installations. Therefore, all parties to armed conflicts must direct attacks – including those using cyber means – only against military objectives, and they must take constant care to spare the civilian population and civilian objects from the effects of hostilities.

Without IHL, what legal framework would offer effective protection to critical civilian infrastructure from debilitating cyber operations during armed conflicts? Power outages in populated areas could last for several days or even weeks. In cold climates where heating depends on electricity, being left without heat may literally mean the difference between life and death, as recent events in the United States have demonstrated. In such climatic conditions, power outages can also cause reverberating damage, for example, by allowing water to freeze in pipes, making them burst, and thus interrupting water supply. During armed conflict, the risks of harm are particularly acute given that the vulnerability of the population is often exacerbated by hostilities. Protecting civilians in these exceptional situations is the very raison d’être of IHL.

Patients in hospitals would be at grave risk of harm

Another clear-cut example of an area where IHL is gravely needed concerns cyber operations against the health-care sector in times of armed conflict. If IHL did not apply to such operations, an unscrupulous military commander could question what legal obstacles exist to releasing malware expected to incidentally disable computers and networks at hospitals in enemy territory.

Again, IHL leaves no doubt on the matter. Its rules require that medical units, transport and personnel – irrespective of whether they assist the enemy forces or civilians – must be respected and protected by the parties to the conflict at all times. Therefore, as detailed in an article we published a year ago, belligerents must not harm medical infrastructure through cyber operations and they must take great caution to avoid incidental harm caused by such operations. This analysis also provided the background for the drafting of a statement signed by more than 100 international lawyers in a process convened by the University of Oxford, reaffirming this protection (see para. 5).

In May 2020, the ICRC’s president, Peter Maurer, emphasized that ‘[a]ttacks on health care are unthinkable – and frankly outrageous – especially during the COVID pandemic.’ Yet, without IHL prohibitions, what legal protection would exist against the risk that hospitals would be harmed, or – worse – directly targeted, by hostile cyber operations during armed conflict? Indeed, the COVID-19 pandemic has been a strong reminder that protecting the medical sector is more important than ever: if hospitals are no longer functioning, life-saving treatment will not be available.

Third States would be exposed to unintended yet potentially significant cyber harm

One of the key characteristics of cyberspace is its interconnected nature. This means that a cyber operation against a specific system may have repercussions on various other systems, potentially causing indiscriminate effects worldwide. In particular, if a malware is programmed to spread automatically and without geographic or other limitations, it may well affect at least those machines that run similar software around the globe, wherever they are found.

Under IHL, attacks that employ means or methods of warfare which cannot be directed against a specific military objective, or the effects of which cannot be limited in a lawful manner, are prohibited. In the cyber context, this means that cyber tools that spread and cause damage indiscriminately are unlawful. Accordingly, the prohibition of indiscriminate attacks under IHL protects not only the civilian population in the territories affected by the hostilities, but – in practice – also third States that may be inadvertently affected by such attacks.

Therefore, effective regulation of cyber activities during armed conflict concerns all States. This is the case whether or not they are developing military cyber capabilities, wherever they are located and irrespective of whether they are or ever have been involved in an armed conflict.

The limits imposed by IHL make a difference

But does it really matter whether IHL formally applies to cyber operations like those described thus far? It could be said that no responsible actor would ever attack hospitals or let civilians freeze to death, irrespective of whether such operations are prohibited by law. After all, such conduct is so blatantly dishonourable that IHL is not needed to restrict it: doesn’t everyone know that hospitals and civilians are off-limits?

However, history shows that the question of whether IHL applies and protects those affected by armed conflict has real and tangible consequences. While the law is rarely the sole reason that determines belligerents’ behaviour, there are many examples in which IHL makes a difference. For example, studies have suggested that prisoners of war were treated far better by States that were parties to the 1929 Geneva Convention relative to the treatment of prisoners of war. By contrast, the treatment of prisoners of war who were not protected by that convention was significantly harsher, resulting in many deaths and unspeakable suffering (see, for example, here, p. 3, or here, paras 5–7, 12).

This is also why States have committed themselves to disseminate the provisions of IHL as widely as possible both in peacetime and during armed conflict. This obligation is based on the idea that sound acquaintance with the IHL rules is essential for their effective application and, consequently, for the protection of the victims of armed conflicts. For armed forces, ensuring respect for IHL is a complex endeavor, requiring formal and informal ways of internalizing the rules of restraint established by IHL (see here, pp. 28–31). Intense and repeated training on these rules in all relevant contexts, including cyberspace, is crucial for ensuring that all combatants understand, well ahead of the time and without a scintilla of doubt, which persons and objects are indeed off-limits.

Finally, the applicability of IHL to cyber operations is also an essential precondition for securing accountability for any violations. States have a legal obligation to search for persons who may have committed or ordered the commission of war crimes – in other words, serious violations of IHL – and to carry out criminal proceedings against such individuals (see here, para. 12). After all, even otherwise responsible belligerents may contain ‘bad apples’ who will choose to act outside of the established bounds of acceptable behaviour. The fact that such conduct might occur in cyberspace is no reason to reward it with impunity.

Conclusion and the way forward

To be sure, IHL is not the only body of international law that contains relevant constraints on hostile cyber conduct. In particular, States clarified in Additional Protocol I that no interpretation of IHL ‘can be construed as legitimizing or authorizing any act of aggression or any other use of force inconsistent with the Charter of the United Nations’. In other words, a cyber operation that complies with IHL may still violate, for example, the prohibition against the use of force. In addition, certain cyber operations mentioned in this article may implicate additional international legal rules including the principles of sovereignty and non-intervention, or international human rights law – as we have detailed in the already mentioned analysis of the international law protections against cyber operations targeting the health-care sector.

However, there is no question that among the various branches of international law, IHL plays the central role in protecting civilians against the dangers posed by armed conflicts. As authoritatively pronounced by the ICJ, IHL is the body of law that ‘governs the conduct of hostilities in an armed conflict and pursues the aim of protecting diverse categories of persons and objects’ (at para. 153). Unlike the other rules mentioned above, IHL also undoubtedly binds non-State armed groups when they are party to an armed conflict (see here, paras 539–542, or here, p. 8). For all these reasons, it is essential to understand the extent to which IHL protects the diverse categories mentioned by the ICJ from cyber harm, be they civilians in conflict-affected areas, hospital staff and patients, or objects such as critical civilian infrastructure.

As we have seen, the use of cyber operations in armed conflict can have real humanitarian consequences – especially if used in a manner that would not comply with IHL. As noted in the draft report of the UN’s Open-Ended Working Group, which is being negotiated this week, ‘International Humanitarian Law reduces risks and potential harm to both civilians and civilian objects as well as combatants in the context of an armed conflict’ (at para. 84; for additional context, see also ICRC’s commentary on the report). More and more States have expressly affirmed the applicability of IHL to cyber operations during armed conflicts. In our view, it is imperative that all States join this growing consensus. The international community should leave no room for doubt: even cyber wars have limits.

Editor’s note: This article was originally published by EJIL:Talk!.

See also