Scenario 15: Cyber deception during armed conflict

__NUMBEREDHEADINGS__

Two States are involved in an armed conflict. In order to facilitate the launch of a major military offensive, one of the States engages in several cyber deception operations against the other State. The analysis in this scenario considers whether the operations comply with the relevant rules of international humanitarian law, including the prohibition of perfidy and the prohibition on improper use of internationally recognized emblems, signs, and signals.

Keywords
International armed conflict, international humanitarian law, methods and means of warfare, misuse of indicators, perfidy, ruses of war

Facts
[F1] States A and B are involved in ongoing armed hostilities involving the use of kinetic as well as cyber operations. State A is preparing to launch a major military offensive against State B in region R, which is currently under the control of State B’s forces led by commander X. In order to distract and weaken the enemy, State A’s cyber command engages in several discrete deception operations against State B.

[F2] State A’s operatives set up a complex layered set of fake digital platforms built to lure State B’s cyber operatives to attempt to penetrate State A’s secure military networks (incident 1). Although the systems look authentic, they are entirely separate from State A’s actual networks. State B’s cyber command spends a considerable amount of time and resources trying to compromise the fake systems. Every time State B’s operatives gain access to a layer of the deceptive platform, they are led to another authentic-appearing environment, losing more time. In the meantime, State B’s cyber command fails to effectively defend against simultaneous hostile cyber operations launched by State A, which are detailed below.

[F3] State A discovers that commander X is a diabetic patient who uses a type of insulin pump that allows a healthcare provider to deliver the commander’s insulin doses through a wireless communications system (i.e., a remote control). State A’s cyber operatives hack into the pump’s communications system, take over the remote control by using malware that authenticates itself as a legitimate third-party medical provider with insulin dosage permissions, and administer an overdose of insulin to commander X, which leads to X’s death (incident 2). As a result, the operation accomplishes its main goal of killing the commander.

[F4] State A hacks into the online systems used by the International Committee of the Red Cross (ICRC) to run a humanitarian assistance smartphone application called “e-Red Cross” and relied on by persons affected by the armed conflict in region R. State A’s operatives then send a message through the app to all users, which falsely claims that the ICRC will distribute humanitarian aid next to the only bridge connecting two sides of a major river in region R (incident 3). The operation accomplishes its intended purpose, which was to facilitate State A’s forces to attack State B’s forces. Due to the hack, thousands of civilians obstruct the bridge, preventing State B’s forces from being able to cross the river for several hours, thereby making it impossible for State B to send reinforcements to defend against State A’s deadly attack on State B’s forces on the other side of the river.

[F5] Finally, State A’s armed forces use artillery to begin an operation to take control of a small town that State B currently controls and is using as a location for a forward operating base. Knowing that State B would likely call in close air support to supress State A’s ground assault, State A hacked into State B’s force tracking system prior to the operation. As State A advances on the small town, State A manipulates the data on State B’s system to swap the two States’ indicators, thus making State B’s forces to appear to be State A’s forces, and vice versa (incident 4). When State B’s forward air controller calls in air support, the controller provides the pilots with accurate information regarding the position of State A’s advancing troops. But the conflicting information that the pilots receive from the hacked force tracking system make the pilots suspend the attack in accordance with their rules of engagement. As a result, State B fails to supress both State A’s artillery and commando’s manoeuvring into the town, resulting in significant casualties among State B’s forces.

Examples

 * Operation Orchard/Outside the Box (2007)
 * Operation Glowing Symphony (2016)
 * Medtronic insulin pump incident (2018)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The analysis in this scenario begins by establishing that a situation of an international armed conflict exists between States A and B and that, accordingly, international humanitarian law (IHL) applies to the relevant incidents. On that basis, the analysis then considers whether any of the incidents constitutes, first, a violation of the prohibition of perfidy; and, second, a violation of the prohibition on improper use of internationally recognized emblems, signs, and signals.

Application of IHL
[L2] In the present scenario, the existence of ongoing armed hostilities between States A and B necessitates the qualification of the situation as an international armed conflict between those States. As a consequence, all acts of the belligerent parties with a nexus to that armed conflict are governed by IHL.

Perfidy and ruses of war
[L3] The deception employed in incident 1 involves State A setting up fake digital platforms to dissimulate its real military systems and networks with the purpose of luring the enemy into spending time and resources to penetrate the fake platforms. This is a decoy technique commonly referred to as a “honeynet”. When assessed against the conditions that make up the prohibition of perfidy, State A’s conduct did not implicate any specific protection under IHL (condition 1); in fact, the fake systems were ostensibly of a military nature and as such they would not be subject to protection under IHL even if they were real. Rather, State A’s use of fake digital platforms qualified as a ruse that made lawful use of decoys, mock operations, and misinformation in cyberspace. Accordingly, incident 1 did not violate the prohibition of perfidy.

[L4] IHL affords special status to medical services and facilities, namely that they must be respected and protected at all times and must not be the object of attack. In incident 2, State A’s cyber operators feigned the role of a third-party medical service provider with the purpose of killing an enemy commander. When assessed against the conditions of perfidy, State A has thus used the protected status of a medical provider (condition 1) and, as a result of its actions, an adversary combatant was deprived of his life (condition 4). It is less clear, however, whether this operation has implicated the adversary’s confidence (relevant for conditions 2 and 3). Crucially, no human judgment was involved on the side of State A’s adversary (whether that of commander X himself or of any other person belonging to State B), and thus, strictly speaking, no human was in fact deceived by the operation. Accordingly, the legal qualification of this incident depends on the scope of the notion of confidence for the purposes of IHL. In this regard, some experts are of the view that gaining the confidence of an enemy’s computer system suffices to breach the prohibition. On that view, the operation would have invited and betrayed the confidence of the adversary’s insulin pump communications system and, consequently, the incident would have amounted to a violation of the prohibition of perfidy. By contrast, others consider that the notion of confidence requires human involvement. According to that view, the operation cannot be said to have implicated the adversary’s confidence and, as such, the incident would not have amounted to prohibited perfidy.

[L5] Incident 3 involves State A’s use of an “e-Red Cross” humanitarian application to convince civilians to obstruct State B’s forces from crossing a bridge. The operation intentionally interferes with State B’s ability to send reinforcements to defend against State A’s attack. The resulting deaths and injuries suffered by State B—which were the purpose of the operation and which would not have occurred but for the operation itself—therefore arguably meet the requisite criteria for harm (condition 4). However, the “e-Red Cross” communication did not invite or betray the confidence of an adversary (conditions 2 and 3)—at most, it might have invited and betrayed the confidence of the civilian population. Incident 3 is therefore missing some of the required elements of perfidy and, as such, it would not constitute a breach of the prohibition of perfidy. Nevertheless, the incident raises issues with respect to the misuse of established indicators (see paras L8–L9 below) and it could also be assessed against other applicable rules of IHL.

[L6] Incident 4 invinvolves State A using digital misrepresentations of both States’ armed forces in an electronic force tracking system to favour State A’s offensive military operation by impeding State B’s military response. When assessing the conditions for perfidy, it would have to be established that State A intentionally invited and betrayed the confidence of its adversary (conditions 2 and 3) related to a rule under IHL that would provide for protection (condition 1) with the purpose of causing casualties to State B’s armed forces (condition 4). While IHL prohibits making belligerent use of the enemy’s “emblems of nationality”, which include flags, military emblems, insignia and uniforms, IHL does not provide armed forces with a legal protection against fratricide. Incident 4 therefore does not involve the invitation or betrayal of an adversary’s confidence that would have arisen from a protection provided for in IHL and, as such, does not amount to a prohibited form of perfidy. As discussed below (see paras L10–L14), it can be debated whether the use of a digital representation of the enemy amounts to the use of the enemy’s “emblems of nationality”.

Misuse of established indicators
[L7] There is no indication of any possible misuse of established indicators or markings in incidents 1 and 2. The deception employed in incident 1 involves the dissimulation of State A’s own systems and networks, but not those of the enemy or of any third party that could benefit from the protection of its emblems, insignia, or other indicators. In incident 2, no dissimulation or other use of protective or established indicators takes place at all, with the deception employed being focussed instead on tampering with the insulin pump’s communications system.

[L8] In incident 3, State A in effect impersonated the ICRC through the unauthorized use of the ICRC’s custom smartphone application “e-Red Cross”. Misuse of any of the ICRC’s symbols or their imitations in the physical space is expressly prohibited by IHL. However, it is less clear whether this prohibition extends to cyber operations that falsely convey their origin as coming from or being affiliated with the ICRC, or that simulate, portray or graphically represent the ICRC’s symbols in the digital space.

[L9] In the present case, it is significant that the application’s name contained the words “Red Cross”, which are subject to express protection under IHL and may not be employed in any way that IHL does not permit. By seizing control over the application’s messaging function, the attackers became, even if only for a limited time, the effective operators of the application. For the duration of the incident, they were therefore employing the designation “Red Cross” in a manner inconsistent with the law. In addition, as the operation was designed to spread false information in the guise of the ICRC, it risked undermining confidence in the ICRC’s neutrality, mission, activities, and the associated protective indicators. As such, it was inconsistent with the object and purpose of the prohibition of improper use. Accordingly, by hacking into the “e-Red Cross” application and using it in an unauthorized manner, State A has likely violated its obligations under IHL.

[L10] Incident 4 implicates the prohibition of the improper use of enemy’s emblems of nationality during an international armed conflict. Crucially, it is not clear whether the digital representations of a State’s armed forces in an electronic force tracking system qualify as that State’s “emblems of nationality”. Apart from the word “emblems” itself, the relevant treaty text refers to “flags”, “insignia” and “uniforms”.

[L11] On the narrower of two possible interpretations of the relevant text, the terms used should be understood as “concrete visual objects” only. For example, under this view, the prohibition would not apply to “the adversary’s codes, passwords and countersigns”. It has been said that this is because using the enemy’s signals is something that military forces should expect and be on guard against. State A’s cyber operation in this incident did not engage any concrete visual objects; instead, it involved the manipulation of data in order to render false information to State B. Under this narrower interpretation, the interference with the enemy’s force tracking system in this incident would thus fall outside the scope of the prohibition.

[L12] By contrast, a broader interpretation of the notion of “emblems” includes electronic representations of identifiers that appear at the human interface level. It is recalled that the prohibition of improper use serves a central purpose of facilitating the distinction between the conflict parties. From this perspective, graphical symbols in digital applications that are commonly understood as representing one of the States involved in an international armed conflict should be seen as serving the purpose of distinguishing that State’s forces from those of the enemy. As such, they would qualify as “emblems of nationality” for the purposes of the prohibition discussed.

[L13] Provided that this interpretation of “emblems of nationality” is adopted, it remains to be seen whether the tampering with the force tracking system to swap the two States’ indicators falls within the temporal scope of the prohibition. In this regard, there is disagreement whether the customary prohibition of improper use extends beyond the instances of attack. However, for States parties to AP I, the prohibition expressly covers improper use designed “to shield, favour, protect or impede military operations”.

[L14] The interference with the force tracking system was undoubtedly designed to assist State A’s advancement on the small town and, as such, it would fall within the temporal scope of the formulation in AP I. Moreover, the hack against the force tracking system persisted throughout State A’s attack against the small town, as evident from the fact that State B’s pilots decided to suspend their counterattack because of the conflicting information received from the hacked system while the original attack was already underway. Accordingly, under the broader interpretation of the rule, the cyber operation conducted by State A would qualify as a violation of the prohibition of improper use of enemy’s emblems of nationality also under customary IHL.

Checklist

 * Applicability of IHL:
 * Does the situation qualify as an international armed conflict?
 * Does the situation qualify as a [non-international armed conflict]]?
 * Prohibition of perfidy:
 * Does the cyber operation relate to a protection specifically provided for in IHL?
 * Does the cyber operation invite the confidence of the adversary with respect to protection under IHL?
 * Did the perpetrator intentionally betray that confidence?
 * Did the cyber operation result in the adversary’s death, injury, or capture?
 * Misuse of established indicators:
 * Does the cyber operation make use of one of the internationally recognized emblems, signs, and signals (e.g. the distinctive emblem of the red cross or red crescent, the white flag of truce, the protective emblem of cultural property, or the distinctive emblem of the United Nations)?
 * Does the cyber operation engage in any use of such indicators other than that for which they were intended?
 * Does the cyber operation make use of one of the emblems of nationality (e.g. flags, military emblems, insignia or uniforms) of the enemy or of States not party to the armed conflict?
 * With respect to the emblems of nationality of the enemy, does the cyber operation employ these emblems during combat?

Bibliography and further reading

 * Jeffrey Biller, ‘The Misuse of Protected Indicators in Cyberspace: Defending a Core Aspect of International Humanitarian Law’ in Henry Rõigas et al (eds), Defending the Core (CCD COE 2017).
 * Gary P. Corn and Peter P. Pascucci, ‘The Law of Armed Conflict Implications of Covered or Concealed Cyber Operations: Perfidy, Ruses, and the Principle of Passive Distinction’ in Ronald T. P. Alcala and Eric T. Jensen (eds), The Impact of Emerging Technologies on the Law of Armed Conflict (OUP 2019).
 * Cordula Droege, ‘Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians’ (2012) 94 IRRC 533.
 * Gloria Gaggioli (ed), The Use of Force in Armed Conflicts (ICRC 2013).
 * ICRC (ed), Commentary on the First Geneva Convention (CUP 2016).
 * Sean K Price, ‘Perfidy in Cyberspace: The Requirement for Human Confidence’ Harvard National Security Journal Online (21 February 2020).
 * Yves Sandoz, Christophe Swinarski and Bruno Zimmermann (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (ICRC 1987)
 * Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
 * Waldemar A Solf, ‘Article 37: Prohibition of Perfidy’ in Bothe et al (eds), New Rules for Victims of Armed Conflicts (Brill 1982).
 * Waldemar A Solf, ‘Article 38: Recognized Emblems’ in Bothe et al (eds), New Rules for Victims of Armed Conflicts (Brill 1982).
 * Waldemar A Solf, ‘Article 39: Emblems of Nationality’ in Bothe et al (eds), New Rules for Victims of Armed Conflicts (Brill 1982).

Contributions

 * Scenario by: Kubo Mačák & Jonathan Horowitz
 * Analysis by: Kubo Mačák & Jonathan Horowitz
 * Reviewed by: Gary Corn; Hitoshi Nasu; Kieran Tinkler; Maria Tolppa