Scenario 18: Legal status of cyber operators during armed conflict

During a conventional armed conflict, a State deploys three groups of persons for its cyber operations against an enemy State. A fourth, civilian group, joins the fight and launches cyber operations against the same enemy. The scenario analyses the lawfulness of the lethal targeting of these four different types of cyber operators. It particularly concentrates on the status and functions of the relevant personnel.

Keywords
international humanitarian law, distinction, combatants, civilians, organized armed groups, targeting, direct participation in hostilities

Facts
[F1] State A and State B have been engaged in armed hostilities against each other for years.

[F2] While the hostilities are ongoing, State A engages a number of civilian IT-professionals to work for the government. All IT-professionals are pooled in the same building, but they are divided into three groups:
 * 1) One group, consisting of civilians with former military background, is attached to the army’s cyber unit. All members get uniforms, ranks and are integrated in the military hierarchy. Also, they operate with the military IT (group 1).
 * 2) The second group is assigned as a computer emergency response team (CERT) to protect the government’s IT-infrastructure and State A’s civilian critical infrastructure against computer security incidents. It is assigned to the ministry of interior. Its members do not wear uniforms or any other emblems of nationality (group 2).
 * 3) The third group, whose members dress like IT-Hipsters, is assigned to State A’s ministry of traffic and cyber. Their role is to influence public opinion in the country and in the international community. This group publishes stories on social media and on various news websites. Their main storyline is that State A is the victim of aggressive expansionism while State B is committing war crimes. Besides, this group controls a network of social media bots, which are frequently used to spread fake news related to supposed military movements and tactics of State A’s armed forces. This results in operational mistakes on the part of State B’s forces (group 3).

[F3] In addition, a nationalist hacker group decided long ago to fight on State A’s side. The group has managed to gain access to advanced technological equipment and it continuously recruits new members that are willing to comply with the orders and the strategic plan of the group’s leadership. The group normally communicates via an encrypted messaging system, but it does occasionally meet in person, too. During the armed confrontation, the group continuously conducts cyber operations of variable intensity against State B. In particular, the group conducts DDoS (Distributed Denial of Service) attacks against media companies in State B, blocking and manipulating some of the news. Also, the group deploys a Software-Defined-Radio-system to interfere with State B’s military UAV command and control systems. Thereby, many of State B’s UAVs are misdirected and fall. Two of them crash in a village in State B, causing civilian casualties. The group regularly assumes responsibility for its acts and declares its intention to continue the fighting against State B. However, State A denies any link and any ability to influence this group (group 4).

[F4] Later, group 1 successfully intrudes into the military communication network of State B and reassigns the data transfer directions. This results in a temporary chaos in State B’s coordination of its military operations. The effect lasts for half a day and State B then successfully re-traces the attack to group 1.

[F5] In retaliation, State B decides to launch a conventional air strike against the IT-complex of State A where groups 1–3 are based. Furthermore, it fires cruise missiles on the hideout of group 4.

Examples

 * Israeli attack against Hamas cyber headquarters in Gaza (2019)

Legal analysis

[L1] The scenario raises the question under which circumstances cyber operators become a lawful target under international law and, conversely, when they are protected from attacks. It analyses and discusses the status of persons under international humanitarian law (IHL, also referred to as law of armed conflict). It concludes with a short general assessment of the scenario from the perspective of targeting law.

International armed conflict
[L2] States A and B have conducted armed hostilities against each other for years. Thus, the situation qualifies as an international armed conflict, to which IHL applies in accordance with Common Article 2 to the Geneva Conventions. As a consequence, all acts of States A and B with a nexus to that armed conflict are governed by IHL, including any cyber operations.

Non-international armed conflict
[L3] Group 4 and State B have been involved in a series of confrontations, culminating in a missile strike by State B against the group’s hideout. Group 4 appears to have sufficient organization, given that it had the ability to speak with one voice, access to recruits and the ability to plan and conduct cyber operations that were pre-approved by its leadership. It was not a purely “virtual” group, because its members did meet in person, although only rarely. With respect to the requirement of intensity, the group’s sustained cyber operations extensively interfered with the military capacity of State B, caused loss of life and destruction of property in that State’s territory, and provoked its missile strike in response. Therefore, the threshold for the applicability of IHL has arguably been crossed and the confrontation between State B and group 4 would qualify as a NIAC.

[L4] The analysis applies the IHL rules on the status of persons to cyber operators. This status is decisive for the question of lawfulness of the attack against the cyber operators and thus for the relevant targeting decisions (see para. L16 below).

Combatancy
[L5] Under the mere membership approach, members of group 1 qualify as combatants merely for being integrated in the regular armed forces of State A. By contrast, under the extensive view, they would still have to meet the four conditions of Article 4A(2) GC III as well as the belonging requirement. In any event, group 1 fulfils these criteria, subject to one contested qualification noted below. Its members have regular military ranks and are integrated in the military hierarchy. They are under military command. As they wear uniforms, they distinguish themselves from civilians. Given that concealment techniques and the abuse of weaknesses in the enemy’s systems are characteristic of cyber operations, it is contested whether the criterion of carrying arms openly can be fulfilled in general. It is therefore suggested not to apply this criterion too strictly in the cyber context. The requirements of AP I are equally met for group 1. Due to the integration of this group into the army and its duty to comply with commands, it is subject to an internal disciplinary system. Thus, compliance with IHL can be enforced within this group.

[L6] Group 2 is subordinated to the ministry of interior and its members are not assigned to the armed forces. Although the group clearly belongs to State A as a Party to the ongoing armed conflict and eventually could be commanded by a superior, the group does not wear any distinctive emblems or signs making it recognisable at a distance. From an objective perspective, members of the group appear as civilians. The group was also not incorporated into State A’s armed forces as a paramilitary or law enforcement agency through a formal act or notification, as provided for in Article 43(3) AP I. These considerations indicate that State A does not consider group 2 a part of its armed forces. Accordingly, members of group 2 have to be classified as civilians.

[L7] Group 3, as part of the ministry of traffic and cyber, does not belong to the armed forces of State A. As it forms part of the State’s hierarchy, it is likely to be commanded by a person responsible for his or her subordinates. The so-called IT-Hipster dress code could in principle qualify as a distinctive sign under IHL, given that other elements of clothing such as caps, coats or shirts are considered to be acceptable in this regard. However, a particular dress alone does not suffice. Whatever distinctive sign is used, it must identify and characterize the group using it as well as distinguish the said group from civilians. As the dress code in question is neither special for militaries in general nor in any way distinctive from ordinary civilians, this criterion is not fulfilled by group 3. Overall, members of group 3 do not therefore qualify as combatants. Accordingly, its members have to be classified as civilians.

[L8] Group 4 is not affiliated to the government of State A. There appears not to be even a tacit agreement by State A with the group’s activities and the group is clearly not acting on behalf of the government of State A. Also, group 4 does not fulfil the other criteria for an organised armed group defined in Article 4A(2) GC III, such as wearing a distinctive emblem. The members of the group therefore have to be classified as civilians in the IAC between States A and B. However, if a NIAC is ongoing between State B and group 4 (see para. L3 above), members of group 4 with a continuous combat function (CCF) may be targetable for the duration of such membership (see para. L18 below).

Direct participation in hostilities
[L9] The following paragraphs analyze whether those groups whose members were found to qualify as civilians (i.e., groups 2, 3, and 4: see paras L6–L8 above) could nonetheless be the object of a lawful attack on account of their direct participation in hostilities.

[L10] Members of group 2 are tasked with the protection of State A’s government IT infrastructure and its civilian critical infrastructure. As a CERT, the group fulfils a defensive function without a connection to the ongoing armed conflict. The pure defense of government and civilian IT infrastructure does not adversely affect the military operations or capacity of the adversary. Thus, the activities of members of group 2 do not amount to DPH.

[L11] It is controversial whether members of group 3 directly participate in hostilities. The publication of information on social media and other IT media platforms is not a particular military usage of these media, but rather a common form of civilian journalism. Information operations aim to influence public and international opinion. Even accepting that the threshold of harm and belligerent nexus criteria could at times be met by such operations, this alone does not suffice as the causal link between the act and the harm would only be indirect. By contrast, if group 3 started to use the means at their disposal to transmit military information for tactical use by State A’s military forces, this conduct would qualify as DPH.

[L12] In addition, the fake news operations of group 3 may conceivably have a direct negative effect on State B’s military operations. Wrong information (fake news), e.g. about the defence of certain objects or the (non-existing) concentration of troops at a certain spot, can influence and mislead military decisions of the enemy on certain military objectives. The operations are conducted frequently, they directly cause harm, and demonstrate a belligerent nexus. Thus, engaging in these information operations by members of group 3 can be seen as direct participation in hostilities. The exact time frame for the participation depends on the actual conduct and may be seen as controversial. In any case, these information operations will only amount to DPH to the extent that they directly affect a specific military operation by State B. For the duration of such activities, members of group 3 may be attacked. By contrast, if this fake news simply fosters a propaganda campaign against State B, these acts do not constitute DPH and members of group 3 in charge of them remain protected from attack.

[L13] The legal qualification of the conduct of group 4 depends on the applicable legal framework. If there is no parallel NIAC, in which the group would constitute a belligerent party (on which see para. L3 above), the group’s conduct falls to be determined on the basis of the criteria for direct participation in hostilities applicable in the IAC between States A and B. In this regard, the DDoS attacks on the media companies do not have a nexus to the ongoing armed conflict. Even though they might generate confusion among the population, they are not likely to affect the military operations or capacity of State B as a party to the conflict. Conversely, the SDR-attacks on the UAVs of State B lead to the misdirection of several UAVs and partly result in civilian casualties, damage or destruction of other military equipment. Thus, State B’s citizens and its military matériel are attacked and destroyed, resulting in physical damage. Accordingly, State B’s military operations are directly affected by the cyber operations of group 4. Thus, those members of the group that are committing these acts are directly participating in hostilities and are not protected from attack for their duration.

[L14] However, this analysis must be modified to some degree if a separate NIAC is taking place between State B and group 4 (see para. L3 above). In the context of a NIAC, members of organized armed groups with a continuous combat function are targetable for the duration of such membership. Accordingly, if the situation qualifies as a NIAC, those members of group 4 whose continuous function is to prepare, execute, or command cyber operations such as the SDR attacks on State B’s UAVs, lose protection from attack for as long as they assume that function.

Attacks against persons
[L15] The IT-specialists belonging to group 1 are not in principle protected from attack, because they qualify as combatants (see para. L5 above). Given that this group uses the building in which they are based for military purposes, in accordance with Article 52(2) AP I the building also qualifies as a military objective through its present use.

[L16] As group 2 are civilians who are not participating in hostilities (see para. L10 above), they are not a lawful target.

[L17] The lawfulness of a separate attack on group 3 is more controversial and would depend on whether the conduct of the group members would constitute direct participation in hostilities (see paras L11–L12 above). Those members who do directly participate in hostilities are liable to attack for the duration of such participation, while members who are not DPHing remain protected at all times.

[L18] In the context of an IAC, a conventional attack on group 4 might at first appear unlawful, because the members of the group are civilians. However, due to their hostile attacks against State B’s matériel and the frequency of this conduct, some members of the group are directly participating in hostilities and therefore they lose their protection (see para. L13 above). If a NIAC with group 4 as party to it is in place, then those members of group 4 who have a CCF can be attacked at any time (see paras. L13 and L14 above for details).

[L19] Given that groups 1–3 are all situated in the same building at the same time, any conventional attack against the building would also have to comply with the principle of proportionality. Accordingly, the lawfulness of the attack against the building would depend on whether the incidental harm to civilians present in the building and not considered to be DPHing at the material time was excessive in relation to the military advantage anticipated from the attack.

[L20] Finally, feasible precautions would have to be taken both before and during an attack against groups 1–4. These include issuing warnings to the civilian population if possible and choosing such means and methods of attack that would avoid or at least minimize incidental civilian harm, as per Article 57 AP I.

Checklist

 * Conflict qualification
   * Does the situation qualify as either an international armed conflict or a non-international armed conflict?
 * Combatancy
   * Is the State in question a State party to Additional Protocol I?
   * Is the State in question a State party to Additional Protocol II?
   * Is the person in question assigned to, integrated in or elsewhere affiliated with the military of a State?
   * Is the person subject to a hierarchical command structure?
   * Does the person wear a uniform or have any other distinctive sign which clearly distinguishes him or her from civilians?
   * Does the person qualify as a civilian?
 * Direct participation in hostilities
   * Does the action by the person support the conduct of hostilities by one party to the conflict?
   * Is this support equivalent to conventional military support to the conduct of hostilities?
 * Attacks against persons
   * If the person in question is located within an object such as a building, does that object qualify as a military objective?
   * If the said object is normally dedicated to civilian purposes, is it presently being used to make an effective contribution to military action?
   * Would attacking the said object offer a definite military advantage?
   * Would the incidental civilian harm expected to be caused by the attack be excessive in relation to the concrete and direct military advantage anticipated?
   * Have all feasible precautions been taken before and during the attack?

Bibliography and further reading

 * Russell Buchan, ‘Cyber Warfare and the Status of Anonymous under International Humanitarian Law’ (2016) Chinese JIL 741.
 * Emily Crawford, Identifying the Enemy: Civilian Participation in Armed Conflict (OUP 2015).
 * Hans-Peter Gasser and Knut Dörmann, ‘Protection of Civilian Population’ in Dieter Fleck (ed), The Handbook of International Humanitarian Law (3rd edn, OUP 2013).
 * Prosecutor v Boskoski and Tarculovski (Trial Judgment) IT-04-82-T (10 July 2008).
 * Prosecutor v Strugar (Appeal Judgment) IT-01-42-A (17 July 2008).
 * Knut Ipsen, ‘Combatants and Non-Combatants’ in Dieter Fleck (ed), The Handbook of International Humanitarian Law (3rd edn, OUP 2013).
 * ICRC, Interpretive Guidance on the Notion of Direct Participation in Hostilities under International Humanitarian Law (ICRC 2009).
 * Kubo Mačák, ‘Unblurring the lines: military cyber operations and international law’ (2021) 6(3) Journal of Cyber Policy 411.
 * Nils Melzer, ‘Cyber Operations and jus in bello’ in Kerstin Vignard (ed), Confronting Cyberconflict (UNIDIR 2011).
 * John Merriam, ‘Affirmative Target Identification, Operationalizing the Principle of Distinction for U.S. Warfighters’ (2015) 56 Virginia JIL 83.
 * Jody Prescott, ‘Direct Participation in Cyber Hostilities: Terms of Reference for Like-Minded States?’ in Christian Czosseck, Rain Ottis and Katharina Ziolkowski (eds), 4th International Conference on Cyber Conflict (NATO CCD COE 2012).
 * Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
 * Michael N Schmitt, ‘The Interpretive Guidance on the Notion of Direct Participation in Hostilities: A Critical Analysis’ (2010) 1 Harvard National Security Journal 5.
 * Tassilo Singer, ‘Update to Revolving Door 2.0 – the Extension of the Period for Direct Participation in Hostilities Due to Autonomous Cyber Weapons’ in Henry Rõigas and others (eds), 9th International Conference on Cyber Conflict: Defending the Core (NATO CCD COE 2017).
 * Sean Watts, ‘The Notion of Combatancy in Cyber Warfare’, in Christian Czosseck, Rain Ottis and Katharina Ziolkowski (eds), 4th International Conference on Cyber Conflict (NATO CCD COE 2012).

Contributions

 * Scenario by: Tassilo Singer
 * Analysis by: Tassilo Singer
 * Reviewed by: Martin Faix, David Wallace