Attack (international humanitarian law)

From International cyber law: interactive toolkit
Jump to navigation Jump to search

Definition[edit | edit source]

The notion of ‘attack’ under international humanitarian law
Attack international humanitarian law.svg
The question of whether an operation amounts to an ‘attack’ as defined in international humanitarian law (IHL) is essential for the application of many of the rules deriving from the principles of distinction, proportionality and precaution. While some IHL rules impose limits on any military (cyber) operation, the rules specifically applicable to ‘attacks’ afford significant protection to civilians and civilian objects in times of armed conflict.[1]

Article 49 of Additional Protocol I defines ‘attacks’ as ‘acts of violence against the adversary, whether in offence or in defence’. The notion of violence in this definition can refer to either the means of warfare or their effects, meaning that an operation causing violent effects can qualify as an attack even if the means used to bring about those effects are not violent as such.[2] Accordingly, it is widely accepted that cyber operations that can be reasonably expected to cause injury or death to persons or damage or destruction to objects constitute attacks under IHL.[3]

At present, different views exist on the interpretation of what constitutes ‘damage’ for assessing whether an operations amounts to an ‘attack’. One view, taken by some States including Denmark, Israel, and Peru, is that only physical damage is relevant in the assessment of what constitutes an attack under IHL.[4] Under this approach, ‘the mere loss or impairment of functionality to infrastructure would be insufficient’ to qualify a cyber operation as an ‘attack’.[5]

Other States have interpreted the notion of ‘attack’ wider. States including Bolivia, Ecuador, France, Germany, Guatemala, Japan, New Zealand consider that cyber operations may qualify as an ‘attack’ without causing physical damage if they disable the functionality of the target. While no uniform formulation of the requisite threshold of damage exists, it has been said that a cyber operation can be qualified as an attack if it ‘neutralizes’ an object,[6] if it causes a ‘loss of functionality, equivalent to that caused by a kinetic attack’,[7] or ‘only produce[s] a loss of functionality’,[8] if ‘the [affected] system is functionally disabled’,[9] ‘if harmful effects on communication, information or other electronic systems, on the information that is stored, processed or transmitted on these systems or on physical objects or persons’ are caused,[10] or if the operation ‘renders inoperable a state’s critical infrastructure’[11] or disables a ‘state’s basic services (water, electricity, telecommunications, or the financial system”)’.[12]

For its part, the ICRC interprets the notion of ‘attack’ as including a loss of functionality. In its view, ‘an operation designed to disable a computer or a computer network constitutes an attack under IHL, whether the object is disabled through kinetic or cyber means’.[13] The ICRC bases this interpretation on a contextual and teleological interpretation of the notion of ‘attack’ in Additional Protocol I.[14]

In the assessment of what constitutes the ‘reasonably expected’ effects of an operation that have to be considered, some States, including Denmark, Finland, New Zealand, Norway, Switzerland, or the United States, have clarified that this includes harm due to the foreseeable direct and indirect (or reverberating) effects of an attack.[15] An indirect or reverberating effect would include, for example, the death of patients in intensive-care units caused by a cyber operation on an electricity network that results in cutting off a hospital’s electricity supply – a view shared by the ICRC.[16]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. Concretely, rules such as the prohibition of attacks against civilians and civilian objects, the prohibition of indiscriminate and disproportionate attacks, and the obligation to take all feasible precautions to avoid or at least reduce incidental harm to civilians and damage to civilian objects when carrying out an attack apply to those operations that qualify as ‘attacks’ as defined in IHL. The notion of attack under IHL, defined in Article 49 of AP I, is different from and should not be confused with the notion of ‘armed attack’ under Article 51 of the UN Charter, which belongs to the realm of the law on the use of force (jus ad bellum). To determine that a specific cyber operation, or a type of cyber operations, amounts to an attack under IHL does not necessarily mean that it would qualify as an armed attack under the UN Charter.
  2. Cordula Droege, “Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians”, (2012) 94(886) International Review of the Red Cross 533, 557; William H. Boothby, The Law of Targeting (OUP 2012) 384; Laurent Gisel, Tilman Rodenhäuser, and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’, (2020) 102(913) International Review of the Red Cross 287, 312.
  3. ICRC, “International humanitarian law and the challenges of contemporary armed conflicts” (2015) 41–42; Tallinn Manual 2.0, rule 92. This view is also held by States including Australia, Australia’s submission on international law to be annexed to the report of the 2021 Group of Governmental Experts on Cyber, at 4; and Switzerland, Switzerland's position paper on the application of international law in cyberspace, Annex UN GGE 2019/2021, at 10.
  4. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 290–291; Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400; Peru, Response Submitted by Peru to the Questionnaire on the Application of International Law in OAS Member States in the Cyber Context (June 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 31.
  5. Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400.
  6. Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (28 May 2021) 7.
  7. New Zealand, The Application of International Law to State Activity in Cyberspace (1 December 2020), para 25.
  8. Guatemala as cited in OAS, ‘Improving Transparency: International Law and State Cyber Operations: Fifth Report’, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 32.
  9. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019), 13.
  10. Germany, On the Application of International Law in Cyberspace Position Paper (March 2021) 9.
  11. Ecuador, Verbal Note 4-2 186/2019 from the Permanent Mission of Ecuador to the OAS (28 June 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 32.
  12. Bolivia, Note from the Plurilateral State of Bolivia, Ministry of Foreign Affairs, OAS Permanent Mission to the OAS Inter-American Juridical Committee, MPB-OEA-NV104-19 (17 July 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 33.
  13. ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper (November 2019) 7–8.
  14. ICRC, International humanitarian law and the challenges of contemporary armed conflicts (2015) 41.
  15. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 677 (when discussing computer network attacks); Finland, International law and cyberspace: Finland’s national positions (2020) 7; New Zealand, Manual of Armed Forces Law (2nd edn, 2017) vol 4, para 8.10.22; Norway, Manual i krigens folkerett (2013) para 9.54; Switzerland, “Switzerland’s position paper on the application of international law in cyberspace: Annex UN GGE 2019/2021” (27 May 2021) 10; United States, “United States Submission to the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (2014–15)”, at 6, and from a practical perspective Joint Publication 3-12 (R) ‘Cyberspace operations’ (5 February 2013), at IV-4.
  16. ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper (November 2019) 7. Israel has further argued that an operation may amount to an attack if ‘a cyber operation is intended to shut down electricity in a military airfield, and as a result is expected to cause the crash of a military aircraft—that operation may constitute an attack’. Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400.

Bibliography and further reading[edit | edit source]