Scenario 28: Extraterritorial incidental civilian cyber harm



State A, involved in an international armed conflict against State B, designs a cyber operation aimed at damaging State B’s military command and control system. The operation might also incidentally impact one university in State B and many universities located in State C, not party to the armed conflict. This scenario analyses whether and how to apply the international humanitarian law principle of proportionality to this operation. In doing so, it also examines the application of the principle of proportionality and the law of neutrality to attacks expected to cause incidental civilian harm in a neutral non-belligerent State.

Keywords
Attack (international humanitarian law), conduct of hostilities, international humanitarian law, military objectives, neutrality, proportionality.

Facts
[F1] State A and State B are in an international armed conflict against each other. State C is not party to that conflict. Using a zero-day software vulnerability, cyber operators who are members of State A’s armed forces plan to conduct a cyber operation that is expected to damage beyond repair computer consoles that are essential to the functioning of a command and control (C2) system critical to State B’s ability to synchronize combat operations.

[F2] The operators design bespoke malware with a self-spreading capability in order to reach the C2 system. They know the vulnerability is not unique to the military consoles and they therefore incorporate a restriction into the malware, which is designed to prevent it from activating in any non-target systems.

[F3] Nevertheless, they reasonably expect that there is a moderate likelihood that the malware will spread outside the original target anyway and, if that does happen, that it will result in the same effects on a civilian computer console in State B and a large number of civilian consoles in State C, which all rely on the same software. State A assesses that the damage to civilian infrastructure would result in significant financial loss and other minor disruptions of civilian life due to loss of connectivity.

[F4] Taking all of these considerations into account, State A decides to launch the operation.

Examples

 * NotPetya (2017)
 * HermeticWiper malware attack (2022)
 * Viasat KA-SAT attack (2022)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] This scenario analyses whether and how to apply the principle of proportionality under international humanitarian law to a cyber operation that is expected to cause incidental civilian harm in both a State that is a party to an international armed conflict and in a neutral non-belligerent State. In doing so, it assesses whether the principle of proportionality prohibits the operation. Separate from that assessment, this scenario also assesses whether the operation is prohibited under the law of neutrality.

Applicability of international humanitarian law
[L2] In situations of armed conflicts, all acts of the parties with a sufficient nexus to the conflict are governed by IHL, including any cyber operations. Views differ, however, on when this standard is met. For example, some Tallinn Manual experts considered it sufficient for an operation to originate from one party to an armed conflict and be directed against its opponent, whereas other experts took the position that the act must be conducted in furtherance of the hostilities. State A’s planned cyber operation against State B’s C2 system meets both threshold tests and, therefore, the operation is subject to the principles and rules of IHL.

Attack
[L3] State A reasonably expects that its cyber operation will cause damage to computer consoles that are essential to the functioning of State B’s military command and control (C2) system and will have the same effects on civilian consoles. Whilst different views exist as to whether the ‘damage’ must result in physical damage as opposed to loss of functionality for the operation to qualify as an ‘attack’ under IHL, in this scenario the loss of functionality is expected to be irreparable, meaning that the affected computer consoles would need to be physically replaced. Following the approach of the majority of the Tallinn Manual experts, the planned cyber operation would constitute an ‘attack’ under IHL. Under this conclusion, State A’s cyber operation is subject to the rules specifically applicable to ‘attacks’.

Military objective
[L4] Having assessed that the cyber operation qualifies as an ‘attack’ under IHL, it is necessary to assess if the targeted C2 system qualifies as a military objective. As the name indicates, a C2 system is used to direct and guide a party’s own military forces in the accomplishment of their mission. It follows that it is reasonable to conclude that the nature of the system provides an effective contribution to the military action of State B, thereby fulfilling the first part of the definition. It is also reasonable to conclude that the C2 system’s total or partial destruction would, in the circumstances ruling at the time, offer a definite military advantage to the other party to the conflict, as it would hamper State B’s ability to carry out military operations against State A. The C2 system thereby qualifies as a military objective.

Proportionality
[L5] State A’s planned cyber operation constitutes an attack under IHL (see para. L3) and the attack is directed at a military objective (see para. L4). The question then turns to whether State A’s operation is expected to result in incidental civilian loss of life or injury, or damage to civilian objects. If so, the principle of proportionality applies and the total sum of that expected incidental civilian harm must be measured against the concrete and direct military advantage anticipated to be gained from the attack.

[L6] The expected irreparable harm to a civilian computer console in State B, meaning that the console would need to be physically replaced, qualifies as damage to a civilian object. This reflects the majority view of the Tallinn Manual experts. The significant financial expenses and other disruptions of civilian life due to loss of connectivity negatively affect civilians. However, the facts do not indicate that any of them would directly or indirectly result in loss of civilian life, civilian injury, or damage (physical or otherwise) to civilian objects. The sum of civilian harm in State B would therefore be limited to the damaged console. As discussed below (para. L10), the financial losses and other civilian disruptions may however be factors when weighing whether the damage to the console is expected to be excessive.

[L7] With regard to the anticipated effects that State A’s cyber attack will cause in State C, it is unclear how a State must consider the incidental civilian harm expected to occur beyond belligerent territories, in this case State C, when assessing the principle of proportionality. Two possible approaches to this issue may be identified.

[L8] Under the first approach, the only incidental civilian harm to be taken into account is that which is expected to occur in State B. This is because, notwithstanding views to the contrary provided below (see paras L9–L10), the geographical scope of most IHL rules is traditionally thought to be limited to the territory of the States parties to the armed conflict. This approach serves several functions, including safeguarding against importing into neutral States principles and rules of IHL, in particular the principle of proportionality, that tolerate some degree of incidental civilian harm. (For other safeguards that mediate this concern, see the section on Neutrality below.)

[L9] The second approach is to place no geographic limitations when assessing the incidental civilian harm, thereby requiring all foreseeable incidental civilian harm in States B and C to be assessed under the principle of proportionality. Indeed, the geographical scope of IHL encompasses State A’s operation, to which the rule of proportionality therefore applies, and that rule does not spell out a geographic limit to the incidental civilian effects to be considered. This approach appears to have stronger support than the first, with some States and academics arguing that the principle of proportionality can be violated when incidental civilian harm occurs in a neutral State. Others have more specifically argued that the rules of IHL apply to attacks with effects in non-belligerent States as long as the attack has a nexus to an armed conflict. This approach finds further support in commentaries that indicate that IHL’s prohibition against excessive incidental harm to the environment must take into account the harm expected to occur both inside and outside belligerent territory.

[L10] In the present case, the harm expected to be caused in State C is directly associated with the international armed conflict between State A and State B. The expected effects therefore have a nexus to the conflict and, as such, the attack falls within the geographical scope of IHL. Damage to the computer consoles in States B and C would therefore constitute the total sum of expected harm. While the significant financial losses and other disruptions do not per se constitute damage to civilian objects, which might lead some to hold the view that they do not need to be considered, they have to be considered when determining the weight given to the objects expected to be damaged for the purpose of assessing excessiveness, a view shared by the ICRC. This approach thereby results in an assessment that may be different than for operations damaging civilian consoles with less disruptive effects.

[L11] The total amount of harm expected by the damaging of one console in State B and a large number of consoles in State C then needs to be weighed against the direct and concrete military advantage anticipated to be gained from State A’s attack on State B’s C2 system.

[L12] Having assessed the expected incidental civilian harm and the concrete and direct military advantage anticipated, it is necessary to determine whether the harm would be excessive. In making this assessment it is reasonable to assume that State A would benefit significantly from the cyber attack given that the system is considered critical to State B’s ability to synchronize combat operations (para. F1). While a definite conclusion could only be drawn based on more detailed factual circumstances, on the basis of the limited guidance on the notion of excessiveness found in military manuals and case law it may be argued that the expected irreparable damage to a large number of civilian consoles would not be excessive when compared to the concrete and direct military advantage anticipated, and that the attack is therefore not prohibited under the principle of proportionality. Ultimately, however, the answer will have to be measured against the standard of how a reasonable military commander would apply the principle of proportionality based on the circumstances ruling at the time of the attack.

[L13] While this scenario assumes that the cyber attack sufficiently complies with the obligation under IHL to take all feasible precautions in the choice of means or methods of attack with a view to avoiding or at least minimizing the incidental loss of civilian life, injury to civilians, and damage to civilian objects (para. L1, footnote [1]), it should be recalled that the obligation to take such precautions must be complied with even if an attack is not prohibited under proportionality.

Neutrality
[L14] Whatever approach is adopted for assessing the principle of proportionality, it would be necessary to look separately at the law of neutrality, which is distinct from IHL and applies to non-belligerent States—in this case State C—in situations of international armed conflict.

[L15] In spite of the divergent views and considerations around how the law of neutrality regulates cyber operations, it is reasonable to conclude that under the law of neutrality (and without prejudice to the legal analysis under IHL), State A’s cyber attack would likely be unlawful because the harm in State C was foreseeable, rose above a de minimis level, and was intrusive enough to tip the balance in favor of State C’s right to remain unaffected by the conflict.

Conclusion
[L16] In conclusion, State A’s planned cyber operation falls within the scope of IHL, has a nexus to the existing international armed conflict and meets the requirements for it to be subject to the principle of proportionality. Evaluated from a number of different perspectives, there is support for the position that, for the purposes of IHL, the incidental civilian harm expected to occur in State C must be part of the proportionality assessment together with that expected to occur in State B. State A would then need to include incidental civilian harm expected to occur in State C in its total sum of civilian harm when determining if the attack complies with the principle of proportionality. In any event, as the attack is seemingly not expected to cause incidental civilian harm excessive to the direct and concrete military advantage anticipated, the attack is not prohibited under the principle of proportionality. At the same time, it is reasonable to conclude that the cyber attack would be prohibited under the law of neutrality due to the harm it is expected to cause in State C.

Checklist

 * Does the operation qualify as an attack that is regulated by the principle of proportionality?
 * Which of the expected effects of the attack constitute incidental civilian harm under the principle of proportionality?
 * How does the principle of proportionality assess incidental civilian harm that is expected to occur in a non-belligerent neutral State?
 * Is the expected incidental civilian harm of the attack excessive to the anticipated concrete and direct military advantage?
 * What impact might the law of neutrality have on the lawfulness of an attack that is expected to cause harm in a non-belligerent neutral State?

Bibliography and further reading

 * Emanuela-Chiara Gillard, Proportionality in the Conduct of Hostilities: The Incidental Harm Side of the Assessment (Chatham House 2018)
 * Laurent Gisel, Tilman Rodenhäuser and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’ (2020) 102 IRRC 913
 * Laurent Gisel, The principle of proportionality in the rules governing the conduct of hostilities under international humanitarian law: international expert meeting, 22-23 June 2016 (ICRC 2018)
 * Michael N. Schmitt, ‘Russian cyber operations and Ukraine: The Legal Framework’, Articles of War (16 January 2022)
 * Michael N. Schmitt et al (eds), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017)
 * Noam Neuman, ‘Neutrality and Cyberspace: Bridging the Gap between Theory and Reality’ (2021) 97 ILS 765

Contributions

 * Scenario by: Jonathan Horowitz & Florentina Pircher
 * Analysis by: Jonathan Horowitz & Florentina Pircher
 * Reviewed by: Laurent Gisel, Ori Pomson and Ann Väljataga