Scenario 22: Cyber methods of warfare

__NUMBEREDHEADINGS__

Two States are involved in an international armed conflict. One State uses its cyber capabilities against the other in two distinct operations. This scenario explores the concept of methods of warfare in international humanitarian law (IHL). In doing so, it distinguishes methods of warfare from means of warfare and weapons generally and in the context of cyber operations specifically. The analysis in this scenario also briefly addresses whether cyber capabilities can ever be considered means of warfare or weapons under IHL or always be regarded as methods of warfare.

Keywords
Article 36, cyber weapons, means and methods of warfare, indiscriminate attack, distributed denial of service, malware, weapons review, international humanitarian law

Facts
[F1] State A launched a Distributed Denial of Service (DDoS) operation against the computer infrastructure of the Emergency Services Sector (ESS) in State B (incident 1). The ESS, an essential element of civilian critical infrastructure, provides a wide range of prevention, preparedness, response, and recovery services. The ESS includes geographically distributed facilities, equipment, and organizations that rely heavily upon its networks, servers, and other cyber infrastructure. To facilitate the DDoS operation, the cyber team from State A remotely controlled thousands of compromised computers inside and outside State B to conduct the coordinated DDoS attack. In doing so, they flooded the ESS networks and servers with repeated waves of significant internet traffic. The targeted cyber infrastructure became overwhelmed, shutting down or slowing the networks and servers to the point that their use was significantly impeded or degraded. The DDoS attack caused delay and inconvenience and permanently damaged approximately one-third of the targeted computer systems of the ESS, thereby causing degraded emergency responses throughout State B. Moreover, this incident resulted in significant loss of life and property damage across State B.

[F2] State A then launched another cyber operation against its adversary’s integrated air defense system, including some surface-to-air missiles (incident 2). This cyber operation involved two aspects. First, the attackers hacked into computer networks supporting State B’s air-defense system and fed State B with a false sky picture that then enabled State A’s air force to bomb various sites without risk to its forces because State B’s air-defense system did not report State A’s infiltration. In the second phase of the cyber operation, the attacking cyber team inserted malware directly into the air defense missiles. This malware interfered with the ignition and control systems of the surface-to-air missiles, causing some to explode on the launchpads immediately after ignition and others, when launched, to go wildly off target. Some of the errant missiles hit civilian population centers in State B, causing death and destruction.

[F3] State A is not a Party to Additional Protocol I.

Examples

 * Cyber attacks against Estonia (2007)
 * Operation Orchard/Outside the Box (2007)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The legal analysis first distinguishes the concepts of means and methods under IHL in the context of cyber warfare and then applies the concepts to the facts of the scenario focusing on methods of warfare.

Means and methods of cyber warfare
[L2] Regarding the DDoS operation against the ESS cyber infrastructure in State B (incident 1), the cyber means of warfare is the large botnet of computers. This botnet is the device or instrumentality used to conduct the attack. It is an Internet-connected system of computers being commanded by one party to an armed conflict to cause damage or destruction to objects or injury or death to another party. That is the very essence of a means or weapon under IHL. By contrast, the distributed denial of service attack against State B is the method of cyber warfare. That is how the operation is being carried out. A distributed denial of service is a well-known method of cyber warfare. In this instance, it is devastatingly effective against the cyber infrastructure of the ESS, causing delay in the provision of emergency services and permanently damaging a significant number of computers in the ESS system.

[L3] Concerning the cyber operation against the integrated air defense system and missiles in State B (incident 2), the means of warfare is the malware implanted in the system and missiles and designed to damage or disrupt the function of the air defense system and missiles. State A also used three distinct methods of warfare in the operation. The first involves the ruse that misleads the air defenders with a false sky picture. Under IHL, a ruse is a lawful method of warfare involving deceit employed in a military operation for the purpose of misleading the enemy. Ruses are intended to confuse an adversary, induce them to act recklessly, or make a mistake. In this incident, creating a false sky picture is a method of warfare intended to confuse and mislead State B’s air defenders to facilitate a successful attack. The second method of warfare in the operation involved targeting the ignition systems of some missiles causing them to explode on the pads when their engines were ignited for launch. The third method involved the use of malware on the control system of other missiles resulting in those missiles firing off target.

[L4] For practitioners, an important consideration under IHL is the legal review of the cyber weapons, means and methods of warfare used for an operation. For States that are a Party to Additional Protocol I, the mechanism for such a review can be found in Article 36 of Additional Protocol I. That provision provides: “In the study, development, acquisition or adoption of a new weapon, means or method of warfare, a High Contracting Party is under an obligation to determine whether its employment would, in some or all circumstances, be prohibited by this Protocol or by any other rule of international law applicable to the High Contracting Party.” Article 36 does not specify how the legality of weapons, means and methods of warfare is to be reviewed. Accordingly, States have discretion in terms of how and when they conduct legal reviews. For example, legal reviews may occur at multiple points during the acquisition or development process. The reviews should consider, among other things, whether the weapon, means or method of warfare is by nature indiscriminate or causes superfluous injury or unnecessary suffering as well as violates any provision of a treaty or customary international law. In terms of methods specifically, the legal review would consider how operations are conducted, i.e., the various tactics, techniques, and procedures for employing categories of cyber capabilities. Of note, IHL does not mandate a specific taxonomy or format for reviews of methods of warfare. Importantly, even if a method of warfare passed the legal review, it could still be used in a manner that violates IHL. In other words, the normal or expected use of the method may be assessed as consistent with IHL, but in a specific operation, it could be misused in a way that would be prohibited under IHL.

[L5] It is a matter of dispute whether the Article 36 obligation reflects customary international law. The International Group of Experts responsible for drafting the Tallinn Manual 2.0 were divided on this issue. As specified in Rule 110 of the Tallinn Manual 2.0, the Experts did agree that “[a]ll States are required to ensure that the cyber means of warfare that they acquire or use comply with the rules of the law of armed conflict that binds them.” In terms of methods of warfare specifically, the Experts disagreed as to the extent of the obligation. As noted in the commentary to Rule 110, “[t]he International Group of Experts was split over whether the obligation extends to methods of warfare. Some argued that it does, whereas others suggested that, although methods of warfare must comply with the law of armed conflict generally, there is no affirmative duty to take the specific steps of conduct a formal legal review to ensure such compliance.” Under the facts in the above scenario, State A is not bound by Article 36. Given the ambiguity regarding the existence of the Article 36 obligation as a matter of customary international law, it is not necessary for State A to perform one.

[L6] Notwithstanding the above regarding the requirement for a legal review under Article 36, the facts in this scenario show that some of State A’s methods of cyber warfare complied with IHL, while others did not. More specifically, using cyber methods to create a false sky picture and trick the air defenders is permissible as a ruse under IHL. Likewise, using the malware to destroy the surface-to-air missile on the launch pads is a lawful method of attack against a military objective. What is prohibited under IHL is targeting the civilian population with the DDoS attack. By disrupting, delaying, and damaging the ESS, the civilian population is being attacked. Similarly, the use of malware against the control systems creates an indiscriminate attack in violation of IHL. That is, the use of this malware would be of a nature to cause strikes against military objectives and civilians or civilian objects without distinction in that the control system no longer functioned properly. It is reasonable to conclude that was a foreseeable consequence of employing the malware against the surface-to-air missiles’ control systems. And, that is precisely what happened as some missiles went wildly off-target, hitting civilian population centers, causing death and destruction. Additionally, it is important to consider the principle of proportionality, which includes the reasonably foreseeable reverberating effects of such actions.

[L7] Some scholars have posited that cyber capabilities should not be categorized as weapons or means of warfare at all. Rather, advocates of this position argue that cyber capabilities may only qualify as a method of warfare. For those who advocate this novel approach, they contend that means of warfare have common characteristics, including a direct causal connection between a given means of warfare and physical damage to objects, the permanent loss of functionality of an object, or injury to persons. Computer code and its related cyber infrastructure only indirectly cause physical damage to objects, the permanent loss of functionality of an object, or injury to persons by instructing the targeted system to act. The computer code is but communication to that system instructing it to undertake a harmful action, function in an unintended manner, or cease to function. And, as such, by this view it cannot logically be considered a means of warfare.

[L8] Considering incident 1 through the lens of the novel approach, the botnet of computers and the related software controlling it would not be considered a weapon or means of warfare. The reason is that there is not a direct causal connection between the botnet and the damage and delay to the ESS computers and networks. Instead, it is just communicating with the ESS causing the harmful effects. Under this position, the botnet and the distributed denial of service operation could be thought of as being part of the same method of warfare as both are part of the cyber tactics, techniques, and procedures by which the devasting operation was carried out against the ESS. An Article 36 legal review of a method of warfare is required only if the State is either a party to Additional Protocol I or the requirement is customary. Since State A is not a Party to Additional Protocol I and it is debatable whether the requirement is customary, State A may arguably conduct the operation without a formal legal review. It is important to reiterate; however, that even though State A may not be required to do a formal legal review, it does not relieve them of their general duty of compliance with IHL. A similar analysis can be drawn from incident 2. That is, the malware implanted in the system and missiles would not be characterized as a weapon or means of warfare, but rather as part of the methods of warfare used in the operation. Again, even if a formal legal review is not required, State A is still obligated to comply with IHL principles and rules.

[L9] For States that are not a party to Additional Protocol I, like State A, the novel approach advocated by some scholars may have some appeal because it may seem to be a way to account for and adjust to the speed of cyber and other vagaries of such operations unencumbered by formal legal reviews. Practically speaking, whether a Party to Additional Protocol I or not, reviewing cyber means or methods may necessitate adjusting the review process to account for the speed of the operation and the need to adjust in “real time”, but also difficulties in obtaining sufficient and reliable information on which to base the legal review. Additionally, many cyber capabilities are developed to achieve a specialized objective and consist of features intended to take advantage of unique vulnerabilities in the targeted cyber infrastructure. Accordingly, they are tailored for each mission and are either non-reusable or require significant alteration with each use. One common sense adjustment to the review process may involve having a legal advisor at an appropriate operational level to conduct the review to be able to provide timely advice to commanders and operators on the methods they are employing.

Checklist

 * Is there an ongoing international armed conflict?
 * Is the State in question a party to Additional Protocol I?
 * Are the cyber capabilities being used as weapons or means of warfare under IHL?
 * If so, are there any limitations or restrictions on the cyber weapons or means?
 * Are the cyber capabilities being used as methods of warfare under IHL?
 * If so, are there any limitations or restrictions on the cyber method?
 * Is a review under Article 36 of Additional Protocol I required?

Bibliography and further reading

 * Jeffrey T Biller and Michael N Schmitt, ‘Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare’ (2019) 95 Int’l L Stud 179.
 * William H Boothby, The Law of Targeting (OUP 2012).
 * Geoffrey S. Corn, Rachel E. VanLandingham and Shane R. Reeves (eds), U.S. Military Operations: Law, Policy, and Practice (OUP 2015).
 * Geoffrey S. Corn and others, The Law of Armed Conflict: An Operational Approach (2nd edn, Wolters Kluwer 2019)
 * ICRC, A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977 (Kathleen Lawand (ed), ICRC 2006).
 * Yves Sandoz, Christophe Swinarski, and Bruno Zimmermann (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (ICRC 1987).
 * Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
 * Gary D Solis, The Law of Armed Conflict: International Humanitarian Law in War (2nd ed., CUP 2016).
 * United States, ‘The Commander’s Handbook on the Law of Land Warfare’ (FM 6-27, MCTP 11-10C, August 2019).
 * David Wallace, ‘Cyber Weapon Reviews under International Humanitarian Law: A Critical Analysis’ (NATO CCD COE, Tallinn Paper No. 11, 2018).

Contributions

 * Scenario by: David Wallace
 * Analysis by: David Wallace
 * Reviewed by: Laurie Blank, Hitoshi Nasu, Wen Zhou