Home
| Databases
| WorldLII
| Search
| Feedback
University of New South Wales Law Journal Student Series |
HOW FAR CAN EXISTING INTERNATIONAL HUMANITARIAN LAW EFFECTIVELY REGULATE CYBER WARFARE?
CHLOE EVANS
I INTRODUCTION
Technology has been advancing at an immeasurable rate, and it was inevitable that technological advances would soon extend to armed conflict. Existing International Humanitarian Law (‘IHL’) makes no specific reference to cyber operations, and there are currently no distinctive examples of cyber warfare being employed. This is most likely a blessing, as cyber warfare is currently an area of disarray, with a vast number of differing opinions, a lack of commentary has been provided by individual states, and it is presently unclear what the definitive definition of cyber warfare is. However, this is not to say that cyber means of warfare ‘exist in a normative void’.[1] It has been established that the current IHL provisions apply to cyber operations. The question remains as to how. The publication of the Tallinn Manuals provided an insight into the answer to this question. However, these manuals are not legally binding; their interpretation is not the only possibility and there are a diverse range of differing approaches to the application of IHL to cyber warfare. This essay will utilise the Tallinn Manual 2.0 as a primary source for discussion, but the views presented in the Manual will be analysed and considered from a variety of perspectives, to determine how effectively current IHL provisions can be applied to cyber warfare, reflecting on whether any changes are required. This essay will primarily study the key definitions contained within IHL, alongside a consideration of the difficulties presented by cyber warfare in the context of both international and non-international armed conflicts. Alongside this, the principles of distinction and proportionality will frequently be considered, in conjunction with policy considerations.
II DEFINITIONS
One of the key difficulties in determining whether IHL has the potential to regulate cyber warfare is first establishing a universally agreed upon definition of ‘cyber warfare’. There are a range of differing opinions regarding this issue. Some commentators argue that IHL clearly accounted for the possibility of extensive technological advances when it was originally drafted. This is evidenced in provisions such as Article 36 of Protocol I,[2] which requires a thorough legality assessment, in stages as early as ‘the study’[3] of the mere possibility of ‘a new weapon, means or method of warfare’.[4] Provisions such as this, it is argued, demonstrate that IHL was unquestionably intended to regulate cyber warfare,[5] as exemplified by the broad scope of IHL. Additionally, there is the absence of an alternative set of regulatory rules. On this basis, any form of cyber warfare falling within the parameters of the definition of ‘attack’ under IHL is subject to IHL regulation, and the current provisions can be sufficiently extended to cyber warfare.
Others, such as Charles J Dunlap Jr disagree with this stance. Dunlap argues that the original IHL provisions were not formed with cyber operations in mind. If they were, the law would reference ‘cyber operations’, but there is no specific mention of this within IHL.[6] These critics contend that IHL is unable to be successfully adapted to encompass cyber warfare, as it significantly differs from the types of warfare that are currently regulated under IHL. As a result of this, new provisions should be written into IHL that are specifically tailored to preside over cyber warfare. In the sphere of this argument, it is likely that the definition of cyber warfare being utilised is far too narrow. It appears that supporters of this perspective are solely considering cyber warfare to be acts wholly conducted within the cyber realm. Arguably, they fail to acknowledge that acts of warfare that currently fall within IHL have the potential to be facilitated by cyber means. The end result is no different from what would be expected, had the act been executed using traditional warfare methods. In instances such as this, it is reasonable that the current IHL provisions should apply.
The third, exceptionally distinct, outlook asserts that cyber warfare is not at all within the boundaries of IHL. This is on the basis that the term ‘cyber warfare’ not only comprises of ‘operations carried out in the context of armed conflicts’,[7] but also includes all varieties of ‘criminal cyber activities’.[8] Consequently, it is necessary to consider the establishment of an entirely new set of cyber-specific laws that encompass all elements of cyber warfare. Arguably, introducing cyber-specific elements into every existing law would create uncertainty and confusion, thus, by creating a comprehensive guide for all elements of cyber warfare, consistency and clarity are ensured. Although this perspective is comprehensible, this should not necessarily preclude the inclusion of cyber warfare within the boundaries of IHL, as this may result in the abuse of cyber warfare means and methods to conduct inhumane acts, undermining the fundamental purpose of IHL. Cyber warfare has the potential to produce devastating effects, therefore it should not be left unregulated or unpunishable. Thus, these two principles can be reconciled by including agreed upon provisions relating directly to cyber warfare within armed conflict in IHL, as well as introducing an all-inclusive set of rules governing cyber warfare on the whole. For the purposes of this essay, cyber warfare falls within the first definition, encompassing the use of technology, either in whole or in part, in the context of armed conflict.
The definition of ‘attack’ under IHL is also evidently a vital consideration in discerning the extent to which cyber warfare falls within the ambit of IHL. This is another contentious issue. It could be argued that IHL is founded upon the notion that methods of warfare will manifest in physical violence.[9] This is reflected in the definition of ‘attack’ within Article 49 of Additional Protocol I,[10] as it is defined as ‘a means of acts of violence against the adversary’.[11] Yet, it has been argued that the vast majority of cyber means of warfare will only give rise to ‘effects that are disruptive but not immediately perceivably physically destructive’;[12] in other words, non-violent outcomes. As a result of this, Droege argues that ‘disruptive’[13] attacks should also be included within the definition of ‘attack’. Others, such as Ido Kilovaty, a cybersecurity expert from Yale Law School, support this opinion, contending that a failure to include attacks such as this would defy the ‘object and purpose of IHL in general’,[14] as it would result in an opening in the protections provided for civilians,[15] leaving them exposed to the harms arising from the majority of cyber operations; operations which are extensively disruptive without being physically violent. As recognised by Kilovaty, the current technological period has led to the devaluation of physical objects, and increasing value is being placed on less tangible entities, such as data and interconnectivity.[16] As a consequence of this, it is necessary ‘to rethink what ought to be protected and incorporate it within the law. Disruption ... could be just as violent as destruction, if not more’.[17] Some commentators have even extended their argument to contend that a high level of disruption can be classified as a form of violence, therefore it is undeniably already included in the definition of an ‘attack’. Kilovaty argues that the provisions relating to attacks are for the purpose of protecting civilians from ‘a broad range of military operations, whether they cause physical harm, or they result in massive disruption effects’[18]. He qualifies this statement by adding that the disruption may only ‘qualify as “violence” in cyberspace’.[19]
Once again, this appears to be a very narrow perspective of cyber warfare which does not encompass the real possibility of cyber means being used to achieve physical damage. The extension of IHL to encompass disruptive attacks as well as physically violent attacks would introduce problematic issues, particularly with regards to policy. Based on Kilovaty’s view[20] that disruptions can qualify as violence in cyberspace, this raises issues as to what in cyberspace actually signifies. Firstly, there is the question of whether this evolution of the law would only apply to disruptive outcomes arising from cyber operations. If this would not be the case, and the broadening of the definition of attack would apply to every means of attack, this could open the floodgates for the extensive regulation of many other military operations that have not been subjected to such regulation previously. If the expansion would be limited only to cyber operations, then difficult questions would be raised regarding the threshold for an attack to be classified as a ‘cyber’ operation; whether it must be fully conducted within the cyber realm, or whether there would be the possibility for the attacks to be partially executed using cyber means, and if so, what extent of the operation must utilise cyber methods. As recognised by Droege, it is likely that all states, even those that are the victim of disruptive attacks, would prefer to give little significance to such disruptive attacks, rather than regarding them as a reason to instigate armed conflict. This is owing to the relative ease with which these ‘attacks’ can be resolved, thus an escalation from a slight inconvenience to full scale international hostilities would be disproportionate. Therefore, it would not be desirable to extend the definition of ‘attack’ to include disruptive operations, on the basis of policy considerations.
The Tallinn Manual 2.0 (‘the Manual’) agrees with this perspective. Within the Manual, it is argued that the inclusion of disruptive attacks is not necessary in order to capture the majority of cyber operations within IHL.[21] Under Rule 92, the Manual defines a cyber-attack as ‘a cyber operation ... that is reasonably expected to cause injury or death to persons or damage or destruction to objects’.[22] This echoes the definition of an attack under Additional Protocol I, acknowledging the necessity for violence. Unlike commentators such as Droege and Kilovaty, the Manual does not agree that disruptions should be included in the definition, as it is the element of violence that distinguishes ‘attacks’ from general military operations. While the Manual recognises that there is ‘logic’[23] in the inclusion of disruptions within the definition of ‘attack’, in certain instances where significant disruption is caused, the Manual concludes that, currently, IHL ‘does not presently extend this far’.[24] This perspective supports the need for specific provisions to be included in IHL to acknowledge the differences presented by cyber warfare in comparison to more traditional methods of warfare, thereby effectively governing cyber warfare. This would avoid the hurdles recognised previously regarding the extension of the current IHL provisions.
The Manual also criticises the imposition of extensive importance on the means of the operation. The Manual appears to conclude that the means are irrelevant, as it is the consequences of the operation that should determine the scope of the term ‘attack’. This conflicts with Kilovaty’s argument that disruption meets the requirements of an ‘attack’ when conducted through cyber means. On this basis, it could be argued that special measures should not be granted for cyber operations, as this could undermine the fundamental purpose of IHL. IHL was intended to regulate the consequences of an attack, rather than how it is carried out. This is reflected in the prohibition of chemical and biological weapons; their ban arose from the disparate level of suffering that stems from their use. IHL will generally only concern itself with means and methods when the outcomes are inhumane. Other than that, states are free to use whatever means they wish to use as long as the outcomes follow the key principles of proportionality, distinction and precaution. This is also reflected in the general purpose of IHL: ‘it does not concern itself with the reasons for war but rather what happens in war’.[25] Similarly, IHL does not concern itself with the methods of war, but rather what arises from these methods.
It has been argued that this is an unsatisfying conclusion. Nils Melzer from the ICRC stated that it would be unconvincing ‘to exclude the non-destructive incapacitation of ... critical military infrastructure from the notion of attack simply because it does not directly cause death, injury or destruction’.[26] This perspective can be reconciled with the views expressed in the Manual. The Manual acknowledges that cyber operations have the capacity to comprise a central role in an overall operation which may amount to an attack.[27] For example, the disablement of a state’s missile defence system to enable the opposing state to successfully launch a missile without interference would result in a cyber operation which gives rise to a physical attack and ‘an act of violence’.[28] In instances such as this, the law of armed conflict unquestionably applies to the cyber operation. This upholds the values that IHL is based upon and ensures that all detrimental effects that IHL seeks to avoid are covered, ensuring cyber warfare does not operate in a legal void that allows it to remain unregulated, despite bringing about devastating effects.
III THE APPLICATION OF IHL TO CYBER WARFARE IN THE CONDUCT OF INTERNATIONAL ARMED CONFLICTS
One of the key issues in both international and non-international armed conflicts is determining whether an armed conflict can arise from cyber warfare alone. In the case of Tadić,[29] the Tribunal concluded that an international armed conflict ‘arises when there is a resort to armed force’[30] by one or more states against another state. However, there is no specific definition of ‘armed force’ under IHL. As previously discussed, there is an initial difficulty in determining the threshold of ‘attack’ with regard to cyber operations. Then there is the additional issue concerning ‘attribution’, as the ‘resort to armed force’[31] must be attributable to a state for the armed conflict to be classified as international. The test for attribution was titled the ‘overall control’ test[32] in the case of Tadić. This test determines whether the actions of a non-state actor can be attributed to a state. This is a question of fact, based on whether the state’s involvement in the conduct of the non-state actor can be classified, on an overall basis, as ‘control’ over their conduct. The International Criminal Tribunal for the former Yugoslavia (‘ICTY’) set out specific guidelines for determining this, concluding that the involvement must constitute ‘more than the mere provision of financial assistance or military equipment or training’.[33] However, the test does not extend to a requirement of comprehensive control, meaning it is not mandatory that the state must direct, plan, or specifically order, every individual attack.
Aside from the issues faced in attempting to determine attribution in cases of conventional warfare, further difficulties are presented when considering cyber operations; the most significant problem arises from the anonymity of the Internet. Firstly, the non-state actor needs to be identified. In cyber warfare, this means ascertaining the source of the cyber operation. This is not simply a case of determining the origin of the computer and, subsequently, the owner of that computer. Pinpointing the exact source of a cyber operation is undoubtedly far more complicated, particularly is a state is responsible for the attack, as they will have undeniably recruited an individual, or group of individuals, who are able to comprehensively cover their tracks. For example, IP spoofing could be used, which falsifies the IP address of the computer used to initiate the attack. As a result of this, the attack may be traced back to an IP address in England, but this, by no means, is conclusive evidence that the British government were behind the attack. Even if it could be definitively determined that the attack originated within England, this still lacks ‘sufficient specificity for attribution of a cyber-attack to a specific actor’.[34] Even if this could amount to an identification of the specific actor, there are then issues regarding linking the actions of the non-state actor to the state, with adequate certainty to declare the existence of an international armed conflict. It is highly likely that the evidence required to ascertain this can also be concealed or disposed of. These are just a few of the innumerable complications in proving, to a sufficient level, attribution to a state.
The Stuxnet virus is a key example of the problem with attribution, and ensuing difficulties that could arise if cyber operations were sanctioned as a ‘resort to armed force’,[35] thus enabling an international armed conflict to arise solely from cyber warfare. The virus was a computer code designed to attack a facility being used in Iran to produce enriched uranium for the creation of nuclear weapons. The virus spread through tens of thousands of computers without causing any damage, owing to its sophisticated code. The virus remained dormant in computers unless certain software (which was known to be used in the Iranian facilities) was detected in the infected computer. Once Stuxnet had found its target facility, the virus commenced the interception of commands to the frequency-converter drives that were functioning in the facility in order to enrich the uranium. However, the virus only operated once it had detected thirty-three or more frequency-converter drives specifically made by a company known to be used by these Iranian facilities, and only targeted the frequency-converter drives that were operating at frequencies known to be necessary for uranium enrichment. Evidently, the virus was meticulously targeted. The virus was unusually complex, but its step by step operation ensured that the attack observed the principles of proportionality and distinction.[36] Additionally, the majority of commentators have concluded that the Stuxnet virus could be classified as a cyber weapon, and thus amounted to the use of armed force.[37] Researchers have also concluded that only a ‘well-resourced nation-state’[38] could be responsible for the virus, due to the complexity and precision of the coding used. Despite this, no individual, non-state actor, or state has claimed responsibility, and the originator has not been exposed, and the attack has not been officially classified as an instigator of armed conflict. However, if both of these could be confirmed, the Stuxnet virus attack would, in the opinion of many, ‘amount to an international armed conflict’.[3] Even if a state had claimed responsibility for the attack, other states, even Iran itself, may not be willing to recognise a cyber operation, such as the Stuxnet virus, as a resort to armed force, as aforementioned. However, under international law, it is not the choice of the state whether or not an operation is classified as a resort to armed force resulting in an armed conflict; if IHL recognises the operation as such, then IHL will apply whether or not the states choose to acknowledge this.
While members of all armed forces or organised groups may be labelled a combatant, combatant status officially only exists within international armed conflicts. Under Additional Protocol I Article 43(2),[39] combatants are granted immunity from prosecution under domestic criminal law for actions that are carried out in the course of the armed conflict, in compliance with IHL. The Manual concludes that these protections also extend to those involved in cyber warfare. A problem with this conclusion once again revisits the difficulty in determining a conclusive definition of cyber warfare, in order to categorise certain actions. Once this definition has been established, the inclusion of those partaking in cyber warfare within the definition of ‘combatant’ for the purposes of combatant status is a logical and desirable outcome.
An additional issue also arises from the inclusion of those conducting cyber operations within the definition of ‘combatant’. Combatant status demands that combatants wear a ‘fixed distinctive sign’.[40] This may seem like a minor and insignificant requirement, but there are extensive implications. Rules such as this ensure that neutral entities such as the Red Cross can operate without being placed in a position of danger. Additionally, it ensures that innocent people do not become targeted when hostile forces are unable to determine who is a legitimate target. While the requirement is unproblematic and rational within the domain of conventional warfare, through the provision of uniforms and combatants’ proximity to the conflict, the circumstances differ with regard to combatants involved in cyber operations. While it is theoretically possible for those involved in cyber operations to be in close proximity to the conflict, it would be incongruous to do so, as this would put the combatant in a position of unnecessary danger. A primary purpose of the ‘distinctive sign’ requirement is to distinguish civilians from combatants to reduce the chance of innocent casualties and to aid combatants in complying with the principles of distinction and proportionality when conducting attacks. However, the lack of proximity to the conflict of a combatant carrying out cyber operations will almost certainly remove the need for the combatant to be distinguished from a civilian, as it is highly probable that the combatant will be isolated from civilians, or there will be an absence of hostile combatants in the area if the cyber operations are being conducted from a distant location. Despite this, however, as those conducting cyber operations are given combatant status, this also makes them a legitimate target of an attack. As a result of this, there is an argument in favour of combatants involved in cyber operations being required to wear a fixed distinctive sign for the purpose of being marked out as a target if their location is uncovered. This is supported by the majority view expressed in the Manual, that ‘there is no basis for deviating from this general requirement for those engaged in cyber operations ... regardless of ... distance from the area of operations or clear separation from the civilian population, [they] must always comply with this requirement to enjoy combatant status’.[41]
Then again, there is a conflicting view presented, in favour of an exception to the rule. This perspective takes the position that IHL only specifies that a distinctive sign must be worn when a failure to do so may result in civilians being placed at risk owing to an attacker being unable to extricate combatants from civilians. This is a plausible argument, if it could ever be said with certainty that a combatant conducting cyber operations in an entirely separate part of the world could never possibly be targeted by opposing forces. However, in the current era of technological advancement, it is highly likely that affluent governments are able to establish methods of tracking to uncover combatants conducting cyber operations, enabling them to send their own combatants to attack them. It is impossible to say with certainty that a cyber operative would never be the object of an attack. In keeping with the principles of IHL, it would be more appropriate to err on the side of caution and maintain the rule as a requirement covering all combatants. Additionally, there are policy reasons related to comprehensive rules encompassing all combatants, with regard to consistency in the law and encouraging enlistment into all areas of the military. If the rules contained in IHL were relaxed for those involved in cyber operations, this may result in additional opportunities for protection that are not afforded to combatants conducting regular warfare operations. For example, if those involved in cyber operations were not required to wear a distinctive sign, this presents them with an opportunity for protection by blending in with civilians, should their location be detected. In turn, prospects of safety such as this may consequently affect combatants’ conduct, particularly as cyber operations can most likely be performed from any location, they may choose to operate in areas with a high civilian population. This could result in a higher risk of violating the principles of proportionality and distinction.
IV THE APPLICATION OF IHL TO CYBER WARFARE CONDUCTED IN NON-INTERNATIONAL ARMED CONFLICTS
The principle issue faced with regard to cyber operations conducted by non-state groups is the differentiation between criminal behaviour, and behaviour that amounts to an armed conflict. To establish a non-international armed conflict, Tadić determined that the confrontational behaviour must reach a certain level of intensity, and the groups partaking in the conflict must show a specified level of organisation.[42] Although actions undertaken by the group Anonymous have sometimes been referred to as ‘war’,[43] on the basis of the Tadić test, their actions do not amount to a non-international armed conflict, as they fail at the first requirement of intensity. Sporadic incidents do not reach the required threshold of intensity under any circumstances[44], as specified in Additional Protocol II under Article 1(2),[45] but especially in circumstances of cyberattacks, even if the attack results from physical injury or damage.[46] A key example of an attack lacking in intensity is Operation Titstorm.[47] Operation Titstorm was a cyberattack on the Australian government in 2010, organised and conducted by Anonymous, in response to the government’s proposal to increase Internet censorship regulations. The attack, of its own accord, could be defined as intense, and highly successful, as it resulted in several websites related to the Australian government becoming inaccessible for intermittent periods of time across a timespan of two days. However, in terms of the threshold of intensity required under IHL, a solitary successful attack is insufficient, as other indicative factors of intensity include the number of attacks carried out, and the duration of the armed confrontation; while two days is impressive for a Distributed Denial of Service attack, it is a short period of time in the context of an armed conflict. As a consequence of the difficulties in sustaining a cyberattack, it is only in very rare cases that cyber operations alone can trigger a non-international armed conflict.[48]
Without the standard of intensity required for hostile actions to trigger a non-international armed conflict, the organisation element of the test stated in Tadić is irrelevant, as it is required that both elements are satisfied. However, in the rare instance that cyber operations do satisfy the intensity requirement, the threshold for a sufficient level of organisation also presents a barrier. The non-state group must be ‘organised’ and ‘armed’. Although it is unclear whether computers and software can constitute weapons, Rule 92 of the Manual concedes that a non-state group is classified as ‘armed’ ‘if it has the capacity of undertaking cyber attacks’.[49] The element of organisation requires that the group are operating under a recognised leader and have the capacity to conduct sustained military operations. Owing to this, cyber operations carried out by individuals do not qualify.
The use of cyber operations, and the capacity for a non-international armed conflict to be triggered by cyber operations alone, (in very limited circumstances), raises the problem of virtual non-state armed groups, and whether online organisation can qualify. On the one hand, there are groups such as Anonymous, who are a loosely affiliated group of random individuals. Their combined efforts to disrupt websites and remove content from the Internet are insufficient to classify them as an organised group. On the other hand, there could be an established organisation conducting coordinated attacks with designated roles, risk assessments and evaluations of the success of the attack; comprehensively acting as a unit. This could qualify as a sufficient level of organisation. While it may be argued by some that physical meetings are required, the Manual asserts that this ‘does not alone preclude it from having the requisite degree of organisation’[50]. This is a constructive conclusion, as it does not result in circumstances such as meetings between individuals involved in the leadership structure over Skype becoming ineligible for inclusion in determining whether the requisite level of organisation is present.
A further difficulty presented by cyber warfare in non-international armed conflicts relates to geographical scope and classification. Under Common Article 3,[51] a non-international armed conflict arises ‘in the territory of one of the High Contracting Parties’[52]. The use of the word ‘one’ has generated an examination of the intended meaning behind the use of this specific word[53]. One perspective holds that it was intended to denote that non-international armed conflicts must remain within the boundaries of ‘one’ state. On the basis of this interpretation, if the conflict transgressed a border, the conflict would become international. However, this seems to misalign with the ICRC’s position regarding the internationalisation of a conflict[54], therefore this interpretation of the use of the word ‘one’ appears to be erroneous. Additionally, there would be wide-ranging implications under this interpretation for the conduct of cyber operations. For example, if they were conducted from overseas and, for instance, malware passes through computers on an international scale, this would classify as a transgression of borders on the basis of this understanding, thus resulting in the internationalisation of a non-international armed conflict, which would be highly undesirable.
A second interpretation, favoured by the majority of the International Group of Experts involved in the writing of the Manual, asserts that ‘one’ refers to any one of the states that are parties to the 1949 Geneva Conventions[55]. This denotes that cyber attacks launched in furtherance of the non-international armed conflict from outside the boundary of the affected state will not result in the internationalisation of the conflict. Likewise, the conveyance of data through cyber infrastructure located internationally does not result in the transformation of the non-international armed conflict into an international armed conflict[56]. It could be argued that the first interpretation is favourable with regard to IHL, as the cross-border deviation of the conflict would also involve the activation of IHL across the border. However, the Manual makes it clear that the implementation of the second interpretation would not preclude the application of IHL outside the borders of the original conflict, as IHL ‘applies to all activities undertaken in pursuit of the armed conflict, and all associated effects, wherever they occur in the territory of a State involved in a non-international armed conflict ... [and] the law of armed conflict applies to activities conducted in the context of the conflict that occur outside the State in question’.[57] As a result of this, there is no designated conflict zone, which is highly favourable with regard to cyber operations and ensuring the full effectiveness of IHL.
Unlike Common Article 3,[58] Additional Protocol II only applies to armed conflicts which arise between a non-state group and the armed forces of a state. Additional Protocol II states that the non-state group must control sufficient territory in order to comply with the requirement of intensity. This is narrower than the test presented in Tadić, and, for the moment, appears to entirely preclude non-state groups acting solely through the use of cyber means. The Manual concludes that ‘control over cyber activities alone is insufficient to constitute control of territory for Additional Protocol II purposes’.[59] The difficulty in classifying a conflict entirely conducted through cyber means draws parallels with the challenges faced in attempting to categorise the US-titled ‘Global War on Terror’. In both cases, similar issues are raised. For example, if the war on terror were to be classified as an international armed conflict, terrorists would be granted additional protections through the provision of combatant status. To avoid this, it would be preferable to preclude terrorism from the law of armed conflict, to prevent the elevation of terrorists to the status of combatants, instead allowing governments to pursue terrorists under criminal law.[60] Additionally, O’Connell argues that a situation must only be recognised as ‘war’ in ‘situations of emergency where normal peacetime law and protections cannot operate’;[61] ‘doubtful situations’[62] such as terrorism should not be classified as war. Likewise, it may be preferable to prevent an entirely cyber-based conflict from elevating to the classification of an armed conflict for the same reasons.
V ISSUES RAISED BY CYBER WARFARE REGARDING CIVILIAN STATUS AND DIRECT PARTICIPATION
Although combatant status only exists in international armed conflicts, in both international, and non-international armed conflicts exists the possibility for civilians to directly participate in hostilities.[63] In these circumstances, civilians are legally protected from a direct attack, unless they choose to take on a direct role in the conflict. They regain their protections after their role has concluded, as protection is only forfeited ‘for such time as he or she so participates’.[64]
The first question to be deliberated is whether civilians assisting in cyber operations can classify as directly participating in the conflict. The ICRC has produced three factors to be taken, cumulatively, into consideration when determining whether a civilian is directly participating.[65] Initially, the act, or acts, must result in detriment to the opposition’s military, either affecting their operations, inflicting death, causing physical harm, or material destruction of people or objects protected against a direct attack.[66] Physical harm to objects and individuals is not a prerequisite, so on this basis, cyber operations can qualify provided they cause a negative disruption that directly impacts the opposition militarily. Secondly, a direct causal link must be established between the outcome and the civilian’s actions. Lastly, the act must have been intended to have a direct effect on the ongoing conflict (belligerent nexus).[67] The experts involved in the formulation of the Manual ‘generally agreed with the three cumulative criteria set forth by the ICRC’.[68] Based on the criteria provided by the ICRC, the Manual indicates several examples specifically relating to cyber warfare. For instance, the invention of malware specifically designed to exploit enemy vulnerabilities can be classified as direct participation, whereas the creation and free distribution of a malware programme which, by chance, results in use in the conflict by a military force to their advantage is insufficient.[69]
While the beginning and end of direct participation has the potential to be exceptionally obvious in the course of traditional warfare operations, the duration of participation in cyber operations are far more ambiguous. Once again, this closely relates to the anonymity of the Internet and the ability to thoroughly conceal cyber operations. An issue that becomes immediately obvious, therefore, is the forfeiture of protections ‘for such time’ as direct participation is being undertaken. The Experts involved in the creation of the Manual conclusively agreed that the civilian directly participating in hostilities forfeits their civilian protection throughout the ‘qualifying act’,[70] but also for the duration of actions directly relating to the act that occur immediately prior to, or subsequent to, the qualifying act. This is logical, especially with regard to the principle of distinction, as it allows armed forces to impede the civilian’s exploits directly before the civilian commits the act, if armed forces uncover the act before it occurs. Without this margin, the individual would retain civilian protections right up to the moment when the act is commenced, which would mean that if their intentions were uncovered before the qualifying act itself is initiated, armed forces would have to choose between allowing the act to occur which could harm their cause or violating the principle of distinction by directly attacking a civilian with civilian status.
However, a key problem to be determined is when this margin on either side of the qualifying act begins and ends. The majority of the Experts agreed that civilian protection is forfeited from the introduction of the individual into the planning stage, up to until their ‘active role in the operation’ is concluded.[71] A primary issue with this interpretation is the term ‘active role’. Based on this conclusion, a civilian may be directly participating while initiating a cyber operation, however the cyber operation may have ongoing effects which become outside of the civilian’s control. As a result, their active role will have concluded when their control over the situation is relinquished. However, there are circumstances when, for example, a civilian may have been responsible for the distribution of malware which remains dormant until it receives a command from the civilian to begin functioning. Under this circumstance, it is unclear whether the civilian will have their protections rescinded until after the point of activation, as they are arguably actively participating until this point, as they are maintaining control. Some commentators are of the opinion that the distribution (in this example) and the activation are distinct acts of direct participation, thus the civilian reclaims their protections between the two acts. However, it appears logical that the civilian should remain targetable throughout the period, particularly in circumstances when armed forces are aware that the civilian has control over the activation of a cyber operation, but they are unsure when the operation will be launched, as this allows them to diffuse the threat at any given time. Moreover, if the civilian chooses to maintain control, it is evident that they are aware of their role and are choosing to maintain involvement in the situation, thus they are continuously directly participating.
It is paramount in the context of cyber operations to remember that a physical act by the civilian is necessary for them to be labelled as a direct participant, as technology can often be used to deceive. For example, a civilian’s IP address may be used, without their knowledge, for the launch of a cyberattack. In instances such as this, the unsuspecting civilian retains their protection. However, an instance may arise in which an individual is a protected civilian, yet their computer may become a military objective.[72] It is in situations such as this that it becomes imperative that the principle of proportionality is adhered to when deciding how to eliminate the military objective.
VI CONCLUSION
To conclude, it is conceivable to think that there is the potential for armed forces to become increasingly frustrated in their attempts to uncover the originators of cyberattacks, as there is the prospect of cyber operatives thoroughly covering their tracks. There is also the possibility that the cyber operative transpires to be a civilian, who may have surrendered their protections for the purpose of playing a direct role in the hostilities; however, when they are eventually discovered, their ‘active role’ has ended and they are no longer a viable target for attack. This means that the principles of proportionality and distinction become even more vital. As evidenced in the essay, cyber warfare differs in a myriad of ways when compared to traditional means of warfare. While current IHL provisions can be extended to cyber warfare for the moment, as the use of cyber operations become more prevalent, it is vital that specific provisions are added to IHL to account for these differences and ensure that protections are sufficiently extended.
[1] Michael N Schmitt, Tallinn Manual 2.0 on the International Law Applicable to
Cyber Operations, (Cambridge University Press, 2nd ed, 2017).
[2] Protocol Additional to the Geneva Conventions of 12 August 1949, and relating
to the Protection of Victims of International Armed Conflicts, signed
8 June 1977, 1125 UNTS 3 (entered into force 7 December 1978) (‘Protocol I‘).
[3] Ibid.
[4] Ibid.
[5] Cordula Droege, ‘Get off My Cloud: Cyber Warfare, International
Humanitarian Law, and the Protection of Civilians’ (2012) 94
International Review of the Red Cross 540.
[6] Charles J Dunlap Jr, ‘Perspectives for Cyber Strategists on Law for
Cyberwar’ (2011) 5 Strategic Studies Quarterly 81.
[7] Droege, above n 5, 536.
[8] Ibid.
[9] Droege, above n 5, 541.
[10] Additional Protocol I art 49.
[11] Additional Protocol I art 49.
[12] Droege, above n 5, 541.
[13] Ibid.
[14] Ibid.
[15] Ibid.
[16] Ido Kilovaty, ‘Violence in Cyberspace: Are Disruptive Cyberspace
Operations Legal under International Humanitarian Law?’, Just Security
(online), 3 March 2017 <https://www.justsecurity.org/38291/violence-
cyberspace-disruptive-cyberspace-operations-legal-international-
humanitarian-law/>.
[17] Ibid.
[18] Kilovaty, above n 16.
[19] Ido Kilovaty, ‘Virtual Violence: Disruptive Cyberspace Operations as
"Attacks" Under International Humanitarian Law’ (2016) 23 Michigan Telecommunications and Technology Law Review 113.
[20] Ibid.
[21] Schmitt, above n 1.
[22] Ibid 415.
[23] Ibid 418.
[24] Ibid.
[25] University of Nebraska Lincoln, The Purpose of International Humanitarian
Law, Human Rights in the US and the International Community <http://www.unlhumanrights.org/index.htm> .
[26] Nils Melzer, Cyberwarfare and International Law (UNIDIR Resources
Paper, 2011) <http://www.unidir.org/files/publications/pdfs/cyberwarfare-
andinternational-law-382.pdf>.
[27] Schmitt, above n 1, 419.
[28] Additional Protocol I art 49.
[29] Prosecutor v Dusko Tadić (Decision on the Defence Motion for Interlocutory
Appeal on Jurisdiction) (International Criminal Tribunal for the Former
Yugoslavia, Trial Chamber II, Case No IT-94-1-A, 2 October 1995).
[30] Ibid [70].
[31] Ibid.
[32] Prosecutor v Dusko Tadić (Judgement) (International Criminal Tribunal for
the Former Yugoslavia, Appeals Chamber, Case No IT-94-1-A, 15 July 1999) [120].
[33] Ibid [137].
[34] Joshua Tromp, ‘Law of Armed Conflict, Attribution, and the Challenges of
Deterring Cyber-attacks’ (2016) Small Wars Journal <http://smallwarsjournal.com/jrnl/art/law-of-armed-conflict-attribution-and-the-challenges-of-deterring-cyber-attacks> .
[35] Prosecutor v Dusko Tadić (Decision on the Defence Motion for Interlocutory
Appeal on Jurisdiction) (International Criminal Tribunal for the Former Yugoslavia, Trial Chamber II, Case No IT-94-1-A, 2 October 1995) [70].
[36] John C Richardson, ‘Stuxnet as Cyberwarfare: Applying The Law Of War
to the Virtual Battlefield’ (2011) SSRN Electronic Journal <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1892888>.
[37] Ibid.
[38] Kim Zetter, Clues Suggest Stuxnet Virus Was Built for Subtle Nuclear Sabotage,
Threat Level (15 November 2010) <http://www.wired.com/threatlevel/2010/11/stuxnet-clues/> .
Michael N Schmitt, ‘Classification of Cyber Conflict’ (2012) 17 Journal of Conflict and Security Law 252.
[39] Additional Protocol I art 43.
[40] Frédéric de Mulinen, Handbook on the Law of War for Armed Forces (ICRC,
1987).
[41] Schmitt, above n 1, 405.
[42] Prosecutor v Dusko Tadić (Judgment) (International Criminal Tribunal for
the Former Yugoslavia, Trial Chamber, Case No IT-94-1-A, 7 May 1997).
[43] Timothy Karr, ‘Anonymous Declares Cyberwar Against “the System”’, The
Huffington Post (online), 6 December 2017 <http://www.huffingtonpost.com/timothy-karr/anonymousdeclares-cyberw_b_870757.html> .
[44] Prosecutor v. Limaj, (Judgment) (International Criminal Tribunal for the
Former Yugoslavia, Trial Chamber Case No IT-03-66-T, 30 November 2005) [84].
[45] Protocol Additional to the Geneva Conventions of 12 August 1949, and relating
to the Protection of Victims of Non-International Armed Conflicts, signed 8 June 1977, 1125 UNTS 609 (entered into force 7 December 1978) (‘Protocol II’).
[46] Schmitt, above n 1, 387.
[47] Kathy Marks, ‘”Operation Titstorm” Hackers Declare Cyber War on
Australia’, The Guardian (online), 11 February 2010 <https://www.independent.co.uk/news/world/australasia/operation-titstorm-hackers-declare-cyber-war-on-australia-1895838.html>.
[48] Schmitt, above n 1, 388.
[49] Ibid 389.
[50] Schmitt, above n 1, 89.
[51] Geneva Convention Relative to the Treatment of Prisoners of War, signed 12 August 1949, 75 UNTS 135 (entered into force 21 October 1950) (‘Third Geneva Convention’).
[52] Third Geneva Convention art 3(1).
[53] Schmitt above n 1, 85.
[54] Tristan Ferraro, ‘The ICRC’s Legal Position on the Notion of Armed Conflict Involving Foreign Intervention and on Determining the IHL Applicable to This Type of Conflict’ (2015) 97 International Review of the Red Cross 1227.
[55] Schmitt, above n 1, 386.
[56] Ibid.
[57] Ibid.
[58] Third Geneva Convention.
[59] Schmitt above n 1, 391.
[60] Mary Ellen O’Connell, ‘When Is A War Not A War? The Myth Of The
Global War On Terror’ (2005) 12 ILSA Journal of International & Comparative Law 535.
[61] Ibid.
[62] Ibid.
[63] Found in Additional Protocol I and Additional Protocol II.
[64] Schmitt, above n 1, rule 97.
[65] ICRC, Interpretive Guidance on the Notion of Direct Participation in
Hostilities under International Humanitarian Law (May 2009) <https://casebook.icrc.org/case-study/icrc-interpretive-guidance-notion-direct-participation-hostilities>.
[66] Ibid.
[67] Ibid.
[68] Schmitt, above n 1, 102.
[69] Schmitt, above n 1, 430.
[70] Ibid 431.
[71] Ibid.
[72] Ibid 429.
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/journals/UNSWLawJlStuS/2018/4.html