In today’s armed conflicts, cyber operations are increasingly used in support of and alongside kinetic operations. Several States have publicly acknowledged such use, and many more are developing military cyber capabilities. In parallel, cyber incidents – primarily outside armed conflicts – have resulted in damage and disruption to civilian services, including hospitals, water and electrical infrastructure, and nuclear and petrochemical facilities. They offer a chilling warning about the potential humanitarian impact of military cyber operations in contemporary and future armed conflicts. If the risk of civilian harm from military cyber operations is to be reduced, it is necessary to consider how it can be assessed and measured. In this post, Kubo Mačák, ICRC Legal Adviser, and Ewan Lawson, ICRC Military Cyber Adviser, introduce the new ICRC report from an expert meeting convened by the ICRC in January 2020 to discuss these issues. Their post also launches a new blog series on the theme of avoiding civilian harm during military cyber operations, which will feature contributions by several international experts as well as the winning essay from this year’s ICRC/Geneva Academy competition on the same theme.

 

In a joint interview released earlier this year, two top UK officials revealed new details about military cyber operations conducted against the Islamic State group between 2016 and 2017. They explained how the UK used cyber capabilities to delete online propaganda, to prevent enemy commanders from sending instructions to their subordinates, and to undermine the group’s drone technology. The level of detail provided to the public may have been unprecedented, but the central message had been well-understood for quite some time now: the Rubicon of the use of cyber operations in armed conflict had been crossed and there is no coming back.

Several other States – including Australia, France, and the US – have openly acknowledged having used cyber operations during armed conflicts, and many more are known to be developing military cyber capabilities. Echoing these trends, two separate UN-mandated working groups on advancing responsible State behaviour in cyberspace recently underscored, using identical language, ‘that the use of ICTs [i.e., information and communications technologies] in future conflicts between States is becoming more likely’ (OEWG report, para. 16; GGE report, para. 7).

The OEWG report further cautioned that such uses may result in ‘potentially devastating humanitarian consequences’ (at para. 18). This warning is supported by growing evidence of particularly concerning cyber incidents over the past few years (primarily outside armed conflicts), including cyber operations against hospitals, water and electrical infrastructure, and nuclear and petrochemical facilities.

For the ICRC, assessing the humanitarian impact of new technologies that may be used in conflict and exploring how that impact may be reduced is part of its longstanding mandate. It was in that context that we had the privilege of organizing an expert meeting on Avoiding Civilian Harm from Military Cyber Operations During Armed Conflict in January 2020. Tomorrow, we will hold a launch event for the report from the meeting and publish its full text. Today, it is our pleasure to present the key takeaways from the expert discussion and thus launch a conversation around its overall theme that will unfold on this blog over the next few weeks.

Takeaway #1: States should address the concerns posed by the increasing integration of cyber operations with other military capabilities during armed conflicts.

The experts underscored that modern military forces perceive cyber operations as part and parcel of a wide range of military capabilities. These operations fulfil various purposes that can be roughly divided into exploitation, defence and offence. Such purposes are often interlinked: for example, exploitation often needs to be carried out before an offensive operation can be launched.

However, State-run cyber operations are not only conducted by the armed forces; intelligence agencies, the private sector and other actors have also been involved. In that respect, the participating experts warned that to protect the civilian population and to ensure appropriate oversight, States should avoid the blurring of the functions of the organizations involved in the conduct of such operations and keep such operations under the supervision and control of the relevant authorities.

Moreover, discussions concerning the risk of civilian harm posed by such operations are made difficult by the persisting lack of clarity on terminology regarding interaction in cyberspace. Accordingly, States should work towards a shared lexicon pertaining to military cyber operations.

Takeaway #2: Existing processes must be adapted to the cyber context to ensure compliance with international humanitarian law (IHL).

Compared to kinetic operations, understanding the possible collateral effects of military cyber operations and the risk to civilians can be challenging because of the interconnected and dynamic nature of target systems and networks, as well as the armed forces’ relative inexperience in conducting such operations. Some States have made the basic procedures for targeting publicly available. However, the details on how these operations are conducted in practice tend not to be released, which is particularly the case with military cyber capabilities.

Accordingly, States should use the existing processes developed for the purposes of kinetic operations as a general frame of reference and adapt them to account for the challenges posed by cyber operations. It is essential that procedures governing such operations be IHL-compliant and, to the extent possible, transparently so.

Takeaway #3: States must put in place measures to mitigate the risk of civilian harm posed by the use of military cyber capabilities (‘active precautions’).

IHL mandates that in the conduct of military operations, constant care must be taken to spare the civilian population and civilian objects. In particular, cyber operators need to understand the extent to which target networks and systems are interconnected, the risk of malware spreading in unintended ways, and the risk of indirect effects. States should have mitigation strategies in place for all military cyber capabilities they consider developing. Specifically, a variety of technical measures can be considered, such as ‘system-fencing’ (preventing malware from executing itself unless there is a precise match with the target system), ‘geo-fencing’ (limiting malware to only operate in a specific IP range), or ‘kill switches’ (disabling malware after a given time or when remotely activated).

However, not all military cyber operations involve the deployment of malware. In operations that consist of taking direct control of the target system, mitigation is rather a matter of establishing appropriate decision-making processes. At every stage, States should involve expertise from a wide range of sources and ensure that this is put into straightforward language for the relevant decision makers.

Takeaway #4: States must put in place measures to protect the civilian population against the dangers resulting from military cyber operations (‘passive precautions’).

Parties to conflicts that may be the object of cyber operations have a responsibility to minimize the risk of civilian harm posed by such operations. Some of these measures may have to be implemented already in peacetime (for more details on the relevant legal obligations, see this ICRC position paper at p. 6).

In particular, the expert participants highlighted that States should build strong cyber resilience cultures across their societies and ensure that their critical infrastructure is protected to the best possible standard. States should also have a sufficient understanding of the critical dependencies in their networks in order to be able to restore their functionality in the event of a destructive or disruptive attack.

Moreover, armed forces tend to create distinct, dedicated military networks, to facilitate their defence. This may also limit the spread of harmful effects onto civilian networks when such a military network is attacked. Designing civilian systems such that they are not reliant on systems that may qualify as military objectives likewise reduces the risk of civilian harm.

Takeaway #5: States should address the risk of civilian harm posed by information operations and grey-zone operations.

The experts highlighted a growing trend of using digital technologies to engage in operations that spread disinformation, undermine social cohesion, or even incite violence (sometimes referred to as ‘information operations’). The related notion of ‘grey-zone operations’ describes competition between States that appears to fall between the standard categories of peace and war. States sometimes argue that such operations offer means that are less lethal and less escalatory than traditional military operations. However, these operations may also lead to unexpected escalation and thus considerable civilian harm, depending on how they are perceived by the adversary.

Accordingly, States and other stakeholders should work towards a better understanding of the risks posed by information and grey-zone operations. In addition, States should ensure that all organizations involved in the conduct of military cyber operations (including, but not limited to the armed forces and intelligence agencies) are acquainted with the scope of application and requirements of IHL.

Takeaway #6: States and other stakeholders should continue to develop their understanding of the risk of civilian harm posed by new technologies and work towards mitigating those risks.

In the future, advances in artificial intelligence (AI) will likely be integrated into military cyber capabilities, leading to a degree of operational autonomy and thus to new risks of civilian harm. In addition, the growth of the Internet of Things (IoT) will expand the attack surface and the range of vulnerabilities available to be exploited by malicious actors. Finally, quantum computing will boost available computational power by orders of magnitude, resulting in unprecedented growth in the volume and speed of data processed by computers.

Accordingly, States should ensure that in the deployment of autonomous cyber systems, commanders or operators always retain a level of human control sufficient to allow them to make context-specific judgements to apply IHL (see also this new ICRC position on autonomous weapon systems). States and other stakeholders should also continue to study the risks associated with the expansion of the IoT and with the quantum-enabled increase in the speed and scale of cyber and other operations.

✱ ✱ ✱

Our new report is another stepping stone in the ICRC’s ongoing work to understand and help minimize the potential humanitarian consequences of cyber operations during armed conflicts. It builds in particular on the recent report concerning the potential human cost of cyber operations and on the legal analysis of IHL and cyber operations during armed conflicts. At the same time, the present report is intended as a conversation starter and we are thus delighted to announce today a stellar lineup of experts who have agreed to explore the report’s themes further in a series of forthcoming independent posts.

The series will commence with a post by Noëlle van der Waag-Cowling, who will explore how the increased militarization of cyberspace reshapes the dynamics of contemporary and future conflict. Ellie Shami will then draw on her operational experience to outline how States can and should assess the risks of civilian harm from military cyber operations in practice. Pete Renals’s post will focus on the future developments in military cyber operations and their impact on the risk of civilian harm. Finally, we will close the series with the winning essay from our student competition on the theme of the report, which will also be announced at tomorrow’s launch event.

Overall, it is our hope that the new report and the following expert discussion will bring renewed attention to the fundamental question of how civilian harm posed by military cyber operations during armed conflicts can be avoided or at least reduced. In our view, these discussions confirm that, if States choose to develop military cyber capabilities, they need to invest time and resources to develop processes to assess the risks of incidental civilian harm and implement measures to limit these risks. Doing so reflects not only universally binding obligations imposed by IHL, but also our shared moral responsibilities to minimize – to the extent possible – the human suffering in time of war in all its forms.

See also