Conduct of hostilities
National positions[edit | edit source]
"The use of a cyber weapon in an armed conflict situation obeys the principles governing the conduct of hostilities. A cyber weapon, which is governed by IHL, may be used in combination with conventional military resources or in isolation. In support of conventional means, it produces the same intelligence, neutralisation and deception effects as those conventional means, which have long been subject to the targeting procedures used by the French armed forces in compliance with IHL.
The specific nature and complexity of offensive cyber warfare resources demand risk control arrangements just as robust as those applied to conventional operations, taking into account the inherent features of the conduct of operations in cyberspace. In practice, the risks linked to the use of a cyber weapon, especially the immediacy of the action, the duality of targets and the hyperconnectivity of networks, demand a specific digital targeting process spanning all phases of the cyberoperation in order to ensure compliance with the principles of distinction, precaution and proportionality, inter alia in order to minimise potential civilian damage and loss of life. The process involves long and specific planning carried out in close coordination with the planning of operations in the physical sphere."
"One of the key issues, in the conduct of hostilities in particular, is how to define “attacks,” and in which circumstances cyber operations amount to attacks under LOAC. The concept of attack is central to targeting operations and only acts amounting to attacks are subject to the “targeting rules” relating to distinction, precautions, and proportionality.
The definition of attack in LOAC requires several elements, but I will focus on those aspects carrying special relevance in the cyber context. Specifically, I will address the element requiring that an act will constitute an attack only if it is expected to cause death or injury to persons or physical damage to objects, beyond de minimis.
One aspect of this element concerns the reasonably expected consequences of the act in question. Reasonably expected consequences are those that are anticipated with some likelihood of occurrence, and entail adequate causal proximity to the act.
A second aspect of this element is the type of required damage. The requirement for physical damage has been accepted law since the introduction of the legal term of art “attack” into the LOAC discourse. For this reason, practices such as certain types of electronic warfare, psychological warfare, economic sanctions, seizure of property, and detention have never been considered to be attacks as such, and, accordingly, were not considered as subject to LOAC targeting rules.
Only when a cyber operation is expected to cause physical damage, will it satisfy this element of an attack under LOAC. In the same vein, the mere loss or impairment of functionality to infrastructure would be insufficient in this regard, and no other specific rule to the contrary has evolved in the cyber domain.
However, if an impediment to functionality is caused by physical damage, or when an act causing the loss of functionality is a link in a chain of the expected physical damage, that act may amount to an attack. For example, if a cyber operation is intended to shut down electricity in a military airfield, and as a result is expected to cause the crash of a military aircraft that operation may constitute an attack (subject, of course, to the additional elements for attacks under LOAC).
The existence of physical damage is assessed purely on objective and technical grounds. It is a factual question and as such does not depend on the subjective perception or the manner in which the other side chooses to address the loss or impairment of functionality.
Finally, the fact that a cyber operation is not an attack does not mean that no legal limitations apply thereto. Indeed, there are general obligations in LOAC that apply to all military operations regardless of being attacks or not. Central among those is the requirement to consider the danger posed to the civilian population in the conduct of military operations. It is widely accepted today that parties to conflicts cannot blatantly disregard such harmful effects to the civilian population in their military operations. But there are also more specific protections that may apply to actions other than attacks. For example, cyber operations affecting medical units are regulated and limited, inter alia, by the LOAC obligation to respect and protect medical units, which applies regardless of whether the act constitutes an attack or not."
"IHL also lays down specific rules regarding attacks aimed at persons or objects, which apply equally to cyber operations carried out as part of an armed conflict. When planning and carrying out such operations, states must act in accordance with, for example, the principles of distinction and proportionality, as well as the obligation to take precautionary measures."
Appendixes[edit | edit source]
See also[edit | edit source]
Notes and references[edit | edit source]
- Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 13.
- Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
- Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 5.