Scenario 13: Cyber operations as a trigger of the law of armed conflict

Two States and one non-State actor get involved in an armed confrontation featuring a combination of cyber and kinetic operations. The outside State provides various forms of financial and military support to the non-State group in its struggle against the territorial State. The analysis in this scenario considers whether any of the relevant incidents trigger the application of the law of armed conflict.

Keywords
Effective control, international armed conflict, internationalization, overall control, non-international armed conflict, non-State actors

Facts
The relationship between States A and B has been strained for a long time. The tensions in their mutual relations arise primarily from State A’s longstanding unfavourable treatment of a minority group M that lives in that State’s territory. The members of the minority M share their ethnicity with the dominant ethnic group in State B. Recently, individuals belonging to minority M formed an armed faction X with a highly active cyber wing. State B does not hide its support for the newly formed armed faction. In particular, State B gradually extends the following forms of support to the armed group:  State B provides the armed group with significant financial assistance, which the group uses to establish and maintain its cyber wing (incident 1); State B’s military intelligence agency provides the cyber wing of the armed group with several zero-day exploits which had been identified for their potential to be used against industrial control systems employed by State A (incident 2); State B’s civilian intelligence agency provides the cyber wing of the armed group with specific continuous guidance throughout cyber operations launched by the group, which utilize the previously provided exploits. As a result of these operations, the group succeeds in:   Temporarily disabling the power grid in parts of the territory of State A (incident 3a); and  Opening the floodgates of several dams in State A, which results in significant material damage and the deaths of several individuals (incident 3b).  

Examples

 * Georgia-Russia conflict (2008)
 * Ukraine-Russia conflict (2014-)

Legal analysis
The law of armed conflict (also referred to as international humanitarian law, IHL) only applies in situations that qualify as either an international armed conflict (IAC) or a non-international armed conflict (NIAC). Distinct legal tests apply to the characterization of a situation as either an IAC or a NIAC. These tests are of an objective nature in that their fulfilment is a question of fact unaffected by the subjective views of the belligerent parties. The analysis in this scenario first considers whether an IAC has come about between States A and B as a result of any of the incidents detailed in the scenario. In the alternative, it then considers whether the situation should be considered as a NIAC between State A and armed group X.

Characterization as an international armed conflict
In the present scenario, incidents 1 and 2 do not amount to a resort to armed force. They are both best seen as preparatory vis-à-vis the events that follow, but in and of themselves, neither of them has the potential to trigger the law of IAC.

Incident 3a (reversible attack against the power grid) resulted only in a temporary disruption of the operation of infrastructure on State A’s territory. As such, it is unsettled in the present state of the law whether or not this incident could have triggered the application of IHL.

By contrast, incident 3b (cyber attack against several dams) occasioned considerable physical damage and the deaths of several individuals. The fact that it was conducted by the group under the guidance of State B’s civilian intelligence agency and not its military forces does not make any difference in this regard. On that basis, the effects of incident 3b can be described as comparable to those of classic kinetic operations, which would be sufficient for the purposes of applicability of IHL as long as there was a sufficient level of State involvement. This issue is considered in the following paragraph.

There is no doubt that State B has extended its support to armed group X throughout the relevant events. This has taken the form of financial support (incident 1), training and equipping (incident 2), and operational guidance and co-ordination (incidents 3a and 3b). The first two forms of support would not suffice for either of the tests of “effective control” and “overall control”. However, in combination with State B’s participation in the co-ordination of the cyber operation qualifying as a resort to armed force, the level of State B’s involvement would reach that required by the “overall control” test. By contrast, the higher test of “effective control” would remain unmet on the facts of this scenario.

In summary, there was an IAC between States A and B as of the moment when armed group X, acting under the overall control of State B, launched the cyber operation against the dams in State A. The continuation of hostilities by kinetic means does not alter this conclusion in any way.

Characterization as a non-international armed conflict
''In case armed group X were not found to have acted under the overall control of State B (on which, see the previous section) and provided that the group maintains its operational autonomy, the relationship between group X and State A may qualify as a separate NIAC. Whether this is the case further depends on the fulfilment of the requisite criteria of organization and intensity (analysed in the present section).

With respect to the level of organisation, the fact that the group was capable of carrying out sustained military operations of both kinetic and cyber nature seems to suggest that this criterion was met. In practice, more details would be needed before making a conclusive determination. However, the criterion threshold is not particularly high, and the extent of organization certainly does not need to reach the level of organization of State armed forces.

Concerning the intensity of the hostilities, due to the relatively high bar imposed by this criterion, it would certainly not be met by any of incidents 1–3a, given that the impact of these incidents was not similar to that of kinetic attacks. By contrast, incident 3b, which had resulted in the opening of floodgates of dams and then led to fighting that, in turn, necessitated the engagement of State A’s armed forces, would likely fulfil the requirement of intensity in the present case.

In sum, to the extent that armed group X maintains its operational autonomy and the overall control test is not met by State B, the armed confrontation between the group and State A qualified as a NIAC from the moment when the cyber operation against the dams in State A’s territory was launched.

Checklist

 * Do the relevant cyber operations have destructive or injurious effect in the physical world?
 * Do the relevant cyber operations result in irreversible loss of functionality of cyber infrastructure belonging to the adversary?
 * Does the form and extent of support provided by State B to armed group X reach the level of “overall control”?
 * Does armed group X qualify as an organized armed group?
 * Do the hostilities between State A and armed group X reach the required intensity?

Bibliography and further reading

 * [TBC]

Contributions

 * Scenario by: Kubo Mačák
 * Analysis by: Kubo Mačák
 * Reviewed by: [TBC]