Attack (international humanitarian law)

Definition


National positions


Australia (2020)
“Australia considers that, if a cyber activity rises to the same threshold as that of a kinetic 'attack' (or act of violence) under IHL, the rules governing such attacks during armed conflict will apply to those kinds of cyber activities. Applicable IHL rules will also apply to cyber activities in an armed conflict that do not constitute or rise to the level of an 'attack', including the principle of military necessity and the general protections afforded to the civilian population and individual civilians with respect to military operations.”

Brazil (2021)
"While holding the view that IHL applies to cyberspace, there are issues that deserve further reflection, such as the definition of cyberattack for the purposes of article 49 of AP I; the consideration of civilian data as a civilian object that entails protection under IHL; and when a civilian acting in the cyberspace might be considered as taking direct part in hostilities.”

Canada (2022)
"49. Cyber activities are an attack under IHL, whether in offence or defence, where their effects are reasonably expected to cause injury or death to persons or damage or destruction to objects. This could include harmful effects above a de minimis threshold on cyber infrastructure, or the systems that rely on it. Such cyber activities must respect relevant treaty and customary IHL rules applicable to attacks including those relating to distinction, proportionality, and the requirement to take precautions in attack.

France (2019)
“A cyber weapon is first and foremost a combined resource, given its capacity to support weapons used in the other environments. In this regard, it produces the same intelligence, neutralisation and deception effects as conventional means which are subject to targeting procedures already implemented by the French armed forces in compliance with IHL. Such operations may constitute attacks within the meaning of Article 49 of Additional Protocol I to the Geneva Conventions (AP I) where they cause physical damage or disable a system. However, certain military operations, such as general intelligence-gathering or alteration of the adversary’s influence capabilities, do not constitute an attack, though they are still governed by the relevant provisions of IHL. France integrates the principles of distinction, proportionality and precaution into all offensive cyber warfare operations carried out in an armed conflict situation”.

“A cyberoperation may constitute an attack within the meaning of international humanitarian law. Any cyberoperation which is carried out in, and in connection with, an armed conflict situation, and constitutes an act of violence, whether offensive or defensive, against another party to the conflict, is an attack within the meaning of Article 49 of AP I to the Geneva Conventions. In an armed conflict situation, the primary purpose of cyber weapons is to produce effects against an adversary system in order to alter the availability, integrity or confidentiality of data. Their effects may be material (e.g. neutralisation of a weapons system) or virtual (e.g. intelligence gathering), temporary, reversible or final. For example, the destruction of adversary military offensive cyber or conventional capabilities by disruption or the creation of major damage is an attack within the meaning of IHL. The same applies to neutralisation actions which damage adversary cyber or conventional military capabilities by destroying ICT equipment or systems or altering or deleting digital data or flows such as to disable a service essential to the operation of such capabilities. Contrary to the definition given by the Tallinn Manual Group of Experts, France does not characterise a cyberattack solely on the basis of material criteria. It considers that a cyberoperation is an attack where the targeted equipment or systems no longer provide the service for which they were implemented, whether temporarily or permanently, reversibly or not. If the effects are temporary and/or reversible, the attack is characterised where action by the adversary is necessary to restore the infrastructure or system (repair of equipment, replacement of a part, reinstallation of a network, etc.). Most cyberoperations carried out by the French armed forces in an armed conflict situation (mainly information-gathering) do not meet the definition of an attack. For example, altering the adversary’s propaganda capabilities, and in particular making an influence site unavailable by saturation or denial of service – which is not prohibited by IHL by analogy with conventional jamming of radio communications or TV broadcasts – cannot be characterised as an attack. However, such operations, in the same way as general information-gathering with the aim of evaluating the adversary’s military capabilities or hacking a system in order to gather data, are still governed by the provisions of IHL applicable to any military operation carried out in an armed conflict situation. Contrary to the Tallinn Manual, France considers that an attack within the meaning of Article 49 of AP I may occur even if there is no human injury or loss of life, or physical damage to goods. Thus, a cyberoperation constitutes an attack if the targeted equipment or systems can no longer provide the service for which they were implemented, including temporarily or reversibly, where action by the adversary is required in order to restore the infrastructure or the system. Most cyberoperations, including offensive cyber warfare operations carried out by France in an armed conflict situation, remain below the attack threshold, since they mostly involve information-gathering and the jamming of the adversary’s influence capabilities. Such operations remain nonetheless governed by the general principles of IHL.”

Germany (2021)
"Germany defines a cyber attack in the context of IHL as an act or action initiated in or through cyberspace to cause harmful effects on communication, information or other electronic systems, on the information that is stored, processed or transmitted on these systems or on physical objects or persons. The occurrence of physical damage, injury or death to persons or damage or destruction to objects comparable to effects of conventional weapons is not required for an attack in the sense of art. 49 para. 1 Additional Protocol I to the Geneva Conventions. However, the mere intrusion into foreign networks and the copying of data does not constitute an attack under IHL.”

Israel (2020)
"One of the key issues, in the conduct of hostilities in particular, is how to define “attacks,” and in which circumstances cyber operations amount to attacks under LOAC. The concept of attack is central to targeting operations and only acts amounting to attacks are subject to the “targeting rules” relating to distinction, precautions, and proportionality. The definition of attack in LOAC requires several elements, but I will focus on those aspects carrying special relevance in the cyber context. Specifically, I will address the element requiring that an act will constitute an attack only if it is expected to cause death or injury to persons or physical damage to objects, beyond de minimis. One aspect of this element concerns the reasonably expected consequences of the act in question. Reasonably expected consequences are those that are anticipated with some likelihood of occurrence, and entail adequate causal proximity to the act. A second aspect of this element is the type of required damage. The requirement for physical damage has been accepted law since the introduction of the legal term of art “attack” into the LOAC discourse. For this reason, practices such as certain types of electronic warfare, psychological warfare, economic sanctions, seizure of property, and detention have never been considered to be attacks as such, and, accordingly, were not considered as subject to LOAC targeting rules. Only when a cyber operation is expected to cause physical damage, will it satisfy this element of an attack under LOAC. In the same vein, the mere loss or impairment of functionality to infrastructure would be insufficient in this regard, and no other specific rule to the contrary has evolved in the cyber domain. However, if an impediment to functionality is caused by physical damage, or when an act causing the loss of functionality is a link in a chain of the expected physical damage, that act may amount to an attack. For example, if a cyber operation is intended to shut down electricity in a military airfield, and as a result is expected to cause the crash of a military aircraft—that operation may constitute an attack (subject, of course, to the additional elements for attacks under LOAC). The existence of physical damage is assessed purely on objective and technical grounds. It is a factual question and as such does not depend on the subjective perception or the manner in which the other side chooses to address the loss or impairment of functionality."

Italy (2021)
“In line with the definition of ‘attack’ under Article 49(1) of the 1977 Protocol I Additional to the Geneva Conventions of 12 August 1949, Italy qualifies cyber operations as ‘attacks’ under IHL if they constitute an act of violence resulting in more than minimal physical damage of property or disruption in the functioning of critical infrastructure, or human injury and loss of life.”

Japan (2021)
"[..] Meanwhile, Article 49 of the Additional Protocol I to the Geneva Conventions stipulates: "'Attacks' means acts of violence against the adversary, whether in offence or in defence." The Government of Japan understands that cyber operations that may cause the destruction or neutralization of military targets, for example, may also constitute "attacks" under international humanitarian law, depending on the circumstances […] For example, cyber operations during armed conflict that cause physical damage or loss of functionality to medical institutions may constitute a violation of international humanitarian law and therefore should be appropriately regulated.”

Netherlands (2019)
"IHL also lays down specific rules regarding attacks aimed at persons or objects, which apply equally to cyber operations carried out as part of an armed conflict. 160 […]

160) Additional Protocol to the Geneva Conventions of 12 August 1949 relating to International Armed Conflicts (Protocol I), Bern, 8 June 1977, article 49; Tallinn Manual 2.0, Rule 92. It is beyond the scope of this letter to consider the technical debate on the difference between a cyber operation and a cyberattack in the context of an armed conflict.”

New Zealand (2020)
"[..] A cyber activity may constitute an “attack” for the purposes of international humanitarian law where it results in death, injury, or physical damage, including loss of functionality, equivalent to that caused by a kinetic attack."

Norway (2021)
"The general rules for legitimate military targets are the same regardless of whether conventional or digital means are used. A cyber operation conducted in connection with an armed conflict must be assessed according to its consequences, and may qualify as an attack under international humanitarian law. ‘Attack’ is a key concept of international humanitarian law, and is understood to mean ‘acts of violence against the adversary, whether in offence or defence’. Cyber attacks during armed conflicts are subject to the same restrictions and regulations under international humanitarian law as conventional attacks, including the principles of humanity, military necessity, proportionality and distinction. The concept of attack is particularly relevant to the rules and principles on the selection of targets and precautions. Attacks against civilians or civilian objects are for example prohibited.”

Sweden (2022)
"In the framework of IHL, ‘attack’ is defined as an act of violence against the adversary whether in offence or in defence. The determination of an act of violence should be based on its effects rather than the means used. A cyberattack in the context of IHL would at least include cyber operations that are reasonably expected to cause injury or death to persons or damage or destruction to objects. Civilians are protected against attacks but only as long as they do not take a direct part in hostilities. A civilian may thus become a military target if taking a direct part in hostilities by the use of cyber means. In case of doubt whether a person is a civilian, that person shall be considered to be a civilian."

Switzerland (2021)
"With regard to the lawful use of cyber means and methods of warfare, the rules and principles governing the conduct of hostilities must be respected […] The aforementioned principles are applicable in particular to cyber operations that amount to an attack within the meaning of IHL i.e. acts of violence against the adversary, whether in offence or defence. What exactly constitutes a 'cyber attack' in an armed conflict has yet to be clarified. It encompasses at the very least cyber operations that are reasonably expected to cause, directly or indirectly, injury or death to persons, or physical damage or destruction to objects. The question, how exactly data is protected in the absence of such physical damage, remains a challenge. In practice, a responsible actor should generally be able to assess the potential impact of their actions and any resulting damage."

United Kingdom (2021)
"A cyber operation is capable of being an ‘attack’ under IHL where it has the same or similar effects to kinetic action that would constitute an attack. Where an operation in cyberspace amounts to an ‘attack’, the principles of distinction, proportionality, humanity and military necessity apply in the same way as they do to an attack by any other means."

United States of America (2016)
“To the extent that such cyber operations constitute “attacks” under the law of armed conflict, the rules on conducting attacks must be applied to those cyber operations (…)Not all cyber operations, however, rise to the level of an “attack” as a legal matter under the law of armed conflict. When determining whether a cyber activity constitutes an “attack” for purposes of the law of armed conflict, States should consider, among other things, whether a cyber activity results in kinetic or non-kinetic effects, and the nature and scope of those effects, as well as the nature of the connection, if any, between the cyber activity and the particular armed conflict in question. Even if they do not rise to the level of an “attack” under the law of armed conflict, cyber operations during armed conflict must nonetheless be consistent with the principle of military necessity. For example, a cyber operation that would not constitute an “attack,” but would nonetheless seize or destroy enemy property, would have to be imperatively demanded by the necessities of war. Additionally, even if a cyber operation does not rise to the level of an “attack” or does not cause injury or damage that would need to be considered under the principle of proportionality in conducting attacks, that cyber operation still should comport with the general principles of the law of war."

United States of America (2021)
“The United States recognizes that cyber activities in the context of an armed conflict may in certain circumstances constitute an “attack” for purposes of the application of the jus in bello rules that govern the conduct of hostilities, including the principles of humanity, necessity, proportionality, and distinction recognized in the 2015 GGE report." 