Attack (international humanitarian law)

From International cyber law: interactive toolkit
(Redirected from Attack (IHL))
Jump to navigation Jump to search

Definition[edit | edit source]

The notion of ‘attack’ under international humanitarian law
Attack international humanitarian law.svg
The question of whether an operation amounts to an ‘attack’ as defined in international humanitarian law (IHL) is essential for the application of many of the rules deriving from the principles of distinction, proportionality and precaution. While some IHL rules impose limits on any military (cyber) operation, the rules specifically applicable to ‘attacks’ afford significant protection to civilians and civilian objects in times of armed conflict.[1]

Article 49 of Additional Protocol I defines ‘attacks’ as ‘acts of violence against the adversary, whether in offence or in defence’. The notion of violence in this definition can refer to either the means of warfare or their effects, meaning that an operation causing violent effects can qualify as an attack even if the means used to bring about those effects are not violent as such.[2] Accordingly, it is widely accepted that cyber operations that can be reasonably expected to cause injury or death to persons or damage or destruction to objects constitute attacks under IHL.[3]

At present, different views exist on the interpretation of what constitutes ‘damage’ for assessing whether an operations amounts to an ‘attack’. One view, taken by some States including Denmark, Israel, and Peru, is that only physical damage is relevant in the assessment of what constitutes an attack under IHL.[4] Under this approach, ‘the mere loss or impairment of functionality to infrastructure would be insufficient’ to qualify a cyber operation as an ‘attack’.[5]

Other States have interpreted the notion of ‘attack’ wider. States including Bolivia, Ecuador, France, Germany, Guatemala, Japan, New Zealand consider that cyber operations may qualify as an ‘attack’ without causing physical damage if they disable the functionality of the target. While no uniform formulation of the requisite threshold of damage exists, it has been said that a cyber operation can be qualified as an attack if it ‘neutralizes’ an object,[6] if it causes a ‘loss of functionality, equivalent to that caused by a kinetic attack’,[7] or ‘only produce[s] a loss of functionality’,[8] if ‘the [affected] system is functionally disabled’,[9] ‘if harmful effects on communication, information or other electronic systems, on the information that is stored, processed or transmitted on these systems or on physical objects or persons’ are caused,[10] or if the operation ‘renders inoperable a state’s critical infrastructure’[11] or disables a ‘state’s basic services (water, electricity, telecommunications, or the financial system”)’.[12]

For its part, the ICRC interprets the notion of ‘attack’ as including a loss of functionality. In its view, ‘an operation designed to disable a computer or a computer network constitutes an attack under IHL, whether the object is disabled through kinetic or cyber means’.[13] The ICRC bases this interpretation on a contextual and teleological interpretation of the notion of ‘attack’ in Additional Protocol I.[14]

In the assessment of what constitutes the ‘reasonably expected’ effects of an operation that have to be considered, some States, including Denmark, Finland, New Zealand, Norway, Switzerland, or the United States, have clarified that this includes harm due to the foreseeable direct and indirect (or reverberating) effects of an attack.[15] An indirect or reverberating effect would include, for example, the death of patients in intensive-care units caused by a cyber operation on an electricity network that results in cutting off a hospital’s electricity supply – a view shared by the ICRC.[16]

Publicly available national positions that address this issue include: National position of Australia (2020) (2020), National position of Brazil (2021) (2021), National position of Canada (2022) (2022), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Israel (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of the Kingdom of Sweden (2022) (2022), National position of Switzerland (2021) (2021), National position of the United Kingdom (2021) (2021), National position of the United States of America (2016) (2016), National position of the United States of America (2021) (2021).

National positions[edit | edit source]

Australia (2020)[edit | edit source]

“Australia considers that, if a cyber activity rises to the same threshold as that of a kinetic 'attack' (or act of violence) under IHL, the rules governing such attacks during armed conflict will apply to those kinds of cyber activities. Applicable IHL rules will also apply to cyber activities in an armed conflict that do not constitute or rise to the level of an 'attack', including the principle of military necessity and the general protections afforded to the civilian population and individual civilians with respect to military operations.”[17]

Brazil (2021)[edit | edit source]

"While holding the view that IHL applies to cyberspace, there are issues that deserve further reflection, such as the definition of cyberattack for the purposes of article 49 of AP I; the consideration of civilian data as a civilian object that entails protection under IHL; and when a civilian acting in the cyberspace might be considered as taking direct part in hostilities.”[18]

Canada (2022)[edit | edit source]

"49. Cyber activities are an attack under IHL, whether in offence or defence, where their effects are reasonably expected to cause injury or death to persons or damage or destruction to objects. This could include harmful effects above a de minimis threshold on cyber infrastructure, or the systems that rely on it. Such cyber activities must respect relevant treaty and customary IHL rules applicable to attacks including those relating to distinction, proportionality, and the requirement to take precautions in attack. [19]

France (2019)[edit | edit source]

“A cyber weapon is first and foremost a combined resource, given its capacity to support weapons used in the other environments. In this regard, it produces the same intelligence, neutralisation and deception effects as conventional means which are subject to targeting procedures already implemented by the French armed forces in compliance with IHL. Such operations may constitute attacks within the meaning of Article 49 of Additional Protocol I to the Geneva Conventions (AP I) where they cause physical damage or disable a system. However, certain military operations, such as general intelligence-gathering or alteration of the adversary’s influence capabilities, do not constitute an attack, though they are still governed by the relevant provisions of IHL. France integrates the principles of distinction, proportionality and precaution into all offensive cyber warfare operations carried out in an armed conflict situation”.

“A cyberoperation may constitute an attack within the meaning of international humanitarian law. Any cyberoperation which is carried out in, and in connection with, an armed conflict situation, and constitutes an act of violence, whether offensive or defensive, against another party to the conflict, is an attack within the meaning of Article 49 of AP I to the Geneva Conventions. In an armed conflict situation, the primary purpose of cyber weapons is to produce effects against an adversary system in order to alter the availability, integrity or confidentiality of data. Their effects may be material (e.g. neutralisation of a weapons system) or virtual (e.g. intelligence gathering), temporary, reversible or final. For example, the destruction of adversary military offensive cyber or conventional capabilities by disruption or the creation of major damage is an attack within the meaning of IHL. The same applies to neutralisation actions which damage adversary cyber or conventional military capabilities by destroying ICT equipment or systems or altering or deleting digital data or flows such as to disable a service essential to the operation of such capabilities. Contrary to the definition given by the Tallinn Manual Group of Experts, France does not characterise a cyberattack solely on the basis of material criteria. It considers that a cyberoperation is an attack where the targeted equipment or systems no longer provide the service for which they were implemented, whether temporarily or permanently, reversibly or not. If the effects are temporary and/or reversible, the attack is characterised where action by the adversary is necessary to restore the infrastructure or system (repair of equipment, replacement of a part, reinstallation of a network, etc.). Most cyberoperations carried out by the French armed forces in an armed conflict situation (mainly information-gathering) do not meet the definition of an attack. For example, altering the adversary’s propaganda capabilities, and in particular making an influence site unavailable by saturation or denial of service – which is not prohibited by IHL by analogy with conventional jamming of radio communications or TV broadcasts – cannot be characterised as an attack. However, such operations, in the same way as general information-gathering with the aim of evaluating the adversary’s military capabilities or hacking a system in order to gather data, are still governed by the provisions of IHL applicable to any military operation carried out in an armed conflict situation. Contrary to the Tallinn Manual, France considers that an attack within the meaning of Article 49 of AP I may occur even if there is no human injury or loss of life, or physical damage to goods. Thus, a cyberoperation constitutes an attack if the targeted equipment or systems can no longer provide the service for which they were implemented, including temporarily or reversibly, where action by the adversary is required in order to restore the infrastructure or the system. Most cyberoperations, including offensive cyber warfare operations carried out by France in an armed conflict situation, remain below the attack threshold, since they mostly involve information-gathering and the jamming of the adversary’s influence capabilities. Such operations remain nonetheless governed by the general principles of IHL.”[20]

Germany (2021)[edit | edit source]

"Germany defines a cyber attack in the context of IHL as an act or action initiated in or through cyberspace to cause harmful effects on communication, information or other electronic systems, on the information that is stored, processed or transmitted on these systems or on physical objects or persons. The occurrence of physical damage, injury or death to persons or damage or destruction to objects comparable to effects of conventional weapons is not required for an attack in the sense of art. 49 para. 1 Additional Protocol I to the Geneva Conventions. However, the mere intrusion into foreign networks and the copying of data does not constitute an attack under IHL.”[21]

Israel (2020)[edit | edit source]

"One of the key issues, in the conduct of hostilities in particular, is how to define “attacks,” and in which circumstances cyber operations amount to attacks under LOAC. The concept of attack is central to targeting operations and only acts amounting to attacks are subject to the “targeting rules” relating to distinction, precautions, and proportionality. The definition of attack in LOAC requires several elements, but I will focus on those aspects carrying special relevance in the cyber context. Specifically, I will address the element requiring that an act will constitute an attack only if it is expected to cause death or injury to persons or physical damage to objects, beyond de minimis. One aspect of this element concerns the reasonably expected consequences of the act in question. Reasonably expected consequences are those that are anticipated with some likelihood of occurrence, and entail adequate causal proximity to the act. A second aspect of this element is the type of required damage. The requirement for physical damage has been accepted law since the introduction of the legal term of art “attack” into the LOAC discourse. For this reason, practices such as certain types of electronic warfare, psychological warfare, economic sanctions, seizure of property, and detention have never been considered to be attacks as such, and, accordingly, were not considered as subject to LOAC targeting rules. Only when a cyber operation is expected to cause physical damage, will it satisfy this element of an attack under LOAC. In the same vein, the mere loss or impairment of functionality to infrastructure would be insufficient in this regard, and no other specific rule to the contrary has evolved in the cyber domain. However, if an impediment to functionality is caused by physical damage, or when an act causing the loss of functionality is a link in a chain of the expected physical damage, that act may amount to an attack. For example, if a cyber operation is intended to shut down electricity in a military airfield, and as a result is expected to cause the crash of a military aircraft—that operation may constitute an attack (subject, of course, to the additional elements for attacks under LOAC). The existence of physical damage is assessed purely on objective and technical grounds. It is a factual question and as such does not depend on the subjective perception or the manner in which the other side chooses to address the loss or impairment of functionality."[22]

Italy (2021)[edit | edit source]

“In line with the definition of ‘attack’ under Article 49(1) of the 1977 Protocol I Additional to the Geneva Conventions of 12 August 1949, Italy qualifies cyber operations as ‘attacks’ under IHL if they constitute an act of violence resulting in more than minimal physical damage of property or disruption in the functioning of critical infrastructure, or human injury and loss of life.”[23]

Japan (2021)[edit | edit source]

"[..] Meanwhile, Article 49 of the Additional Protocol I to the Geneva Conventions stipulates: "'Attacks' means acts of violence against the adversary, whether in offence or in defence." The Government of Japan understands that cyber operations that may cause the destruction or neutralization of military targets, for example, may also constitute "attacks" under international humanitarian law, depending on the circumstances […] For example, cyber operations during armed conflict that cause physical damage or loss of functionality to medical institutions may constitute a violation of international humanitarian law and therefore should be appropriately regulated.”[24]

Netherlands (2019)[edit | edit source]

"IHL also lays down specific rules regarding attacks aimed at persons or objects, which apply equally to cyber operations carried out as part of an armed conflict. 160 […]

160) Additional Protocol to the Geneva Conventions of 12 August 1949 relating to International Armed Conflicts (Protocol I), Bern, 8 June 1977, article 49; Tallinn Manual 2.0, Rule 92. It is beyond the scope of this letter to consider the technical debate on the difference between a cyber operation and a cyberattack in the context of an armed conflict.”[25]

New Zealand (2020)[edit | edit source]

"[..] A cyber activity may constitute an “attack” for the purposes of international humanitarian law where it results in death, injury, or physical damage, including loss of functionality, equivalent to that caused by a kinetic attack."[26]

Norway (2021)[edit | edit source]

"The general rules for legitimate military targets are the same regardless of whether conventional or digital means are used. A cyber operation conducted in connection with an armed conflict must be assessed according to its consequences, and may qualify as an attack under international humanitarian law. ‘Attack’ is a key concept of international humanitarian law, and is understood to mean ‘acts of violence against the adversary, whether in offence or defence’. Cyber attacks during armed conflicts are subject to the same restrictions and regulations under international humanitarian law as conventional attacks, including the principles of humanity, military necessity, proportionality and distinction. The concept of attack is particularly relevant to the rules and principles on the selection of targets and precautions. Attacks against civilians or civilian objects are for example prohibited.”[27]

Sweden (2022)[edit | edit source]

"In the framework of IHL, ‘attack’ is defined as an act of violence against the adversary whether in offence or in defence. The determination of an act of violence should be based on its effects rather than the means used. A cyberattack in the context of IHL would at least include cyber operations that are reasonably expected to cause injury or death to persons or damage or destruction to objects. Civilians are protected against attacks but only as long as they do not take a direct part in hostilities. A civilian may thus become a military target if taking a direct part in hostilities by the use of cyber means. In case of doubt whether a person is a civilian, that person shall be considered to be a civilian."[28]

Switzerland (2021)[edit | edit source]

"With regard to the lawful use of cyber means and methods of warfare, the rules and principles governing the conduct of hostilities must be respected […] The aforementioned principles are applicable in particular to cyber operations that amount to an attack within the meaning of IHL i.e. acts of violence against the adversary, whether in offence or defence. What exactly constitutes a 'cyber attack' in an armed conflict has yet to be clarified. It encompasses at the very least cyber operations that are reasonably expected to cause, directly or indirectly, injury or death to persons, or physical damage or destruction to objects. The question, how exactly data is protected in the absence of such physical damage, remains a challenge. In practice, a responsible actor should generally be able to assess the potential impact of their actions and any resulting damage."[29]

United Kingdom (2021)[edit | edit source]

"A cyber operation is capable of being an ‘attack’ under IHL where it has the same or similar effects to kinetic action that would constitute an attack. Where an operation in cyberspace amounts to an ‘attack’, the principles of distinction, proportionality, humanity and military necessity apply in the same way as they do to an attack by any other means."[30]

United States of America (2016)[edit | edit source]

“To the extent that such cyber operations constitute “attacks” under the law of armed conflict, the rules on conducting attacks must be applied to those cyber operations (…)Not all cyber operations, however, rise to the level of an “attack” as a legal matter under the law of armed conflict. When determining whether a cyber activity constitutes an “attack” for purposes of the law of armed conflict, States should consider, among other things, whether a cyber activity results in kinetic or non-kinetic effects, and the nature and scope of those effects, as well as the nature of the connection, if any, between the cyber activity and the particular armed conflict in question. Even if they do not rise to the level of an “attack” under the law of armed conflict, cyber operations during armed conflict must nonetheless be consistent with the principle of military necessity. For example, a cyber operation that would not constitute an “attack,” but would nonetheless seize or destroy enemy property, would have to be imperatively demanded by the necessities of war. Additionally, even if a cyber operation does not rise to the level of an “attack” or does not cause injury or damage that would need to be considered under the principle of proportionality in conducting attacks, that cyber operation still should comport with the general principles of the law of war." [31]

United States of America (2021)[edit | edit source]

“The United States recognizes that cyber activities in the context of an armed conflict may in certain circumstances constitute an “attack” for purposes of the application of the jus in bello rules that govern the conduct of hostilities, including the principles of humanity, necessity, proportionality, and distinction recognized in the 2015 GGE report."[32]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. Concretely, rules such as the prohibition of attacks against civilians and civilian objects, the prohibition of indiscriminate and disproportionate attacks, and the obligation to take all feasible precautions to avoid or at least reduce incidental harm to civilians and damage to civilian objects when carrying out an attack apply to those operations that qualify as ‘attacks’ as defined in IHL. The notion of attack under IHL, defined in Article 49 of AP I, is different from and should not be confused with the notion of ‘armed attack’ under Article 51 of the UN Charter, which belongs to the realm of the law on the use of force (jus ad bellum). To determine that a specific cyber operation, or a type of cyber operations, amounts to an attack under IHL does not necessarily mean that it would qualify as an armed attack under the UN Charter.
  2. Cordula Droege, “Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians”, (2012) 94(886) International Review of the Red Cross 533, 557; William H. Boothby, The Law of Targeting (OUP 2012) 384; Laurent Gisel, Tilman Rodenhäuser, and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’, (2020) 102(913) International Review of the Red Cross 287, 312.
  3. ICRC, “International humanitarian law and the challenges of contemporary armed conflicts” (2015) 41–42; Tallinn Manual 2.0, rule 92. This view is also held by States including Australia, Australia’s submission on international law to be annexed to the report of the 2021 Group of Governmental Experts on Cyber, at 4; and Switzerland, Switzerland's position paper on the application of international law in cyberspace, Annex UN GGE 2019/2021, at 10.
  4. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 290–291; Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400; Peru, Response Submitted by Peru to the Questionnaire on the Application of International Law in OAS Member States in the Cyber Context (June 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 31.
  5. Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400.
  6. Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (28 May 2021) 7.
  7. New Zealand, The Application of International Law to State Activity in Cyberspace (1 December 2020), para 25.
  8. Guatemala as cited in OAS, ‘Improving Transparency: International Law and State Cyber Operations: Fifth Report’, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 32.
  9. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019), 13.
  10. Germany, On the Application of International Law in Cyberspace Position Paper (March 2021) 9.
  11. Ecuador, Verbal Note 4-2 186/2019 from the Permanent Mission of Ecuador to the OAS (28 June 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 32.
  12. Bolivia, Note from the Plurilateral State of Bolivia, Ministry of Foreign Affairs, OAS Permanent Mission to the OAS Inter-American Juridical Committee, MPB-OEA-NV104-19 (17 July 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 33.
  13. ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper (November 2019) 7–8.
  14. ICRC, International humanitarian law and the challenges of contemporary armed conflicts (2015) 41.
  15. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 677 (when discussing computer network attacks); Finland, International law and cyberspace: Finland’s national positions (2020) 7; New Zealand, Manual of Armed Forces Law (2nd edn, 2017) vol 4, para 8.10.22; Norway, Manual i krigens folkerett (2013) para 9.54; Switzerland, “Switzerland’s position paper on the application of international law in cyberspace: Annex UN GGE 2019/2021” (27 May 2021) 10; United States, “United States Submission to the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (2014–15)”, at 6, and from a practical perspective Joint Publication 3-12 (R) ‘Cyberspace operations’ (5 February 2013), at IV-4.
  16. ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper (November 2019) 7. Israel has further argued that an operation may amount to an attack if ‘a cyber operation is intended to shut down electricity in a military airfield, and as a result is expected to cause the crash of a military aircraft—that operation may constitute an attack’. Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400.
  17. Australian Government, ‘Australia's position on how international law applies to State conduct in cyberspace’ (2020).
  18. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021), 22-23.
  19. Government of Canada, International Law applicable in cyberspace, April 2022
  20. Ministry of Defense of France, ‘International Law Applied to Operations in Cyberspace’, (9 September 2019) 13.
  21. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 8.
  22. Roy Schöndorf, Ministry of Justice, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, 97 INT’L L. STUD. 395 (2021) 399-401.
  23. Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on “International law and cyberspace”’, (2021) 9-10.
  24. Ministry of Foreign Affairs of Japan, ‘Basic Position of the Government of Japan on International Law Applicable to Cyber Operations’ (28 May 2021) 7.
  25. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 59-60 (Netherlands).
  26. New Zealand, ‘The Application of International Law to State Activity in Cyberspace’ (1 December 2020) 4.
  27. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 74.
  28. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace, July 2022,7
  29. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 10.
  30. United Kingdom Foreign, Commonwealth & Development Office, ‘Application of international law to states’ conduct in cyberspace: UK statement’ (3 June 2021) 24.
  31. Brian J. Egan, ‘International Law and Stability in Cyberspace’, (10 November 2016) 9-10
  32. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 138.

Bibliography and further reading[edit | edit source]