Conduct of hostilities

National positions[edit | edit source]

African Union (2024)[edit | edit source]

"50. The African Union reaffirms their commitment to the cardinal principles of IHL that govern all means and methods of warfare and reiterate that such principles apply to the use of ICTs in cyberspace as a means of warfare and afford protection to civilian ICTs during armed conflicts. In particular, the African Union recalls the principle that “the right of belligerents to adopt means of injuring the enemy is not unlimited” and the principle that belligerents are under an obligation to limit the suffering, injury, and destruction caused by an armed conflict."^[1]

Costa Rica (2023)[edit | edit source]

"44. Costa Rica agrees with the global consensus on the significance and applicability of the established international legal principles of IHL, which include the principles of humanity, necessity, distinction, and proportionality.

45. The principles of humanity and military necessity underlie and inform the entire normative framework of IHL. All rules of IHL reflect a careful balance between these two principles, which in turn inform the interpretation of these rules. The two principles also impose limits beyond specific rules, including in the ICT environment. In Costa Rica’s view, this means that even if a cyber operation during an armed conflict is not specifically prohibited by a rule of IHL, to be lawful it must nonetheless comply with the principles of military necessity and humanity."^[2]

Czech Republic (2024)[edit | edit source]

"40. Cyber operations conducted as part of hostilities during an armed conflict must always be conducted in compliance with all relevant IHL rules and in particular with IHL basic principles of humanity and military necessity, distinction, proportionality and precaution. Compliance with these principles in a cyber context may require specific considerations as the infrastructure in cyberspace is often used for both military and civilian purposes.

45. Under all circumstances, parties to an armed conflict must not employ cyber tools that would spread or cause harm indiscriminately. Indiscriminate attacks, i.e., those that are of a nature to strike military objectives and civilians or civilian objects without distinction, are prohibited by IHL."^[3]

France (2019)[edit | edit source]

"The use of a cyber weapon in an armed conflict situation obeys the principles governing the conduct of hostilities. A cyber weapon, which is governed by IHL, may be used in combination with conventional military resources or in isolation. In support of conventional means, it produces the same intelligence, neutralisation and deception effects as those conventional means, which have long been subject to the targeting procedures used by the French armed forces in compliance with IHL.

The specific nature and complexity of offensive cyber warfare resources demand risk control arrangements just as robust as those applied to conventional operations, taking into account the inherent features of the conduct of operations in cyberspace. In practice, the risks linked to the use of a cyber weapon, especially the immediacy of the action, the duality of targets and the hyperconnectivity of networks, demand a specific digital targeting process spanning all phases of the cyberoperation in order to ensure compliance with the principles of distinction, precaution and proportionality, inter alia in order to minimise potential civilian damage and loss of life. The process involves long and specific planning carried out in close coordination with the planning of operations in the physical sphere."^[4]

Israel (2020)[edit | edit source]

"One of the key issues, in the conduct of hostilities in particular, is how to define “attacks,” and in which circumstances cyber operations amount to attacks under LOAC. The concept of attack is central to targeting operations and only acts amounting to attacks are subject to the “targeting rules” relating to distinction, precautions, and proportionality.

[...]

Finally, the fact that a cyber operation is not an attack does not mean that no legal limitations apply thereto. Indeed, there are general obligations in LOAC that apply to all military operations regardless of being attacks or not. Central among those is the requirement to consider the danger posed to the civilian population in the conduct of military operations. It is widely accepted today that parties to conflicts cannot blatantly disregard such harmful effects to the civilian population in their military operations. But there are also more specific protections that may apply to actions other than attacks. For example, cyber operations affecting medical units are regulated and limited, inter alia, by the LOAC obligation to respect and protect medical units, which applies regardless of whether the act constitutes an attack or not."^[5]

Netherlands (2019)[edit | edit source]

"IHL also lays down specific rules regarding attacks aimed at persons or objects, which apply equally to cyber operations carried out as part of an armed conflict. When planning and carrying out such operations, states must act in accordance with, for example, the principles of distinction and proportionality, as well as the obligation to take precautionary measures."^[6]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

Bibliography and further reading[edit | edit source]