International humanitarian law (jus in bello)

From International cyber law: interactive toolkit
Jump to navigation Jump to search

National positions[edit | edit source]

African Union (2024)[edit | edit source]

"47. The African Union affirms that International Humanitarian Law (IHL) applies in cyberspace. Despite the fact that most rules of IHL emerged before the appearance of cyberspace, IHL applies, concurrently with any other applicable rules of international law, to cyber-operations that may be undertaken in the context of an armed conflict. As noted by the International Court of Justice in its advisory opinion on the Legality of the Threat or Use of Nuclear Weapons, by virtue of its “intrinsically humanitarian character,” IHL applies to “all forms of warfare and to all kinds of weapons, those of the past, those of the present, and those of the future.”

48. In order to trigger the application of IHL, a situation must amount to an armed conflict. IHL recognizes two categories of armed conflict: international armed conflicts, in which the parties are States that are engaged in hostilities using armed force, and non-international armed conflicts, in which the parties are State armed forces engaged in hostilities against organized armed groups or a situation in which armed groups are engaged in hostilities amongst each other on the territory of a State."[1]

Australia (2020)[edit | edit source]

"International humanitarian law (IHL) (including the principles of humanity, necessity, proportionality and distinction) applies to cyber activities within an armed conflict.

[...]

The IHL principle of proportionality prohibits the launching of an attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.

The IHL principle of military necessity states that a combatant is justified in using those measures, not forbidden by international law, which are indispensable for securing complete submission of an enemy at the soonest moment. The principle cannot be used to justify actions prohibited by law, as the means to achieve victory are not unlimited.

The IHL principle of distinction seeks to ensure that only legitimate military objects are attacked. Distinction has two components. The first, relating to personnel, seeks to maintain the distinction between combatants and non-combatants or military and civilian personnel. The second component distinguishes between legitimate military targets and civilian objects.

All Australian military capabilities are employed in line with approved targeting procedures. Cyber activities are no different. Australian targeting procedures comply with the requirements of IHL and trained legal officers provide decision-makers with advice to ensure that Australia satisfies its obligations under international law and its domestic legal requirements."[2]

Brazil (2021)[edit | edit source]

"International humanitarian law (IHL) is fairly equipped to answer many of the questions associated with new technologies, including ICTs. There is no doubt that IHL applies to States use of ICTs during an armed conflict. The fact that a specific weapon has been invented after the development of humanitarian law does not exempt it from regulation. Quoting from the ICJ Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons, excluding cyber operations from IHL scope of application “would be incompatible with the intrinsically humanitarian character of the legal principles in question which permeates the entire law of armed conflict and applies to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future.”

IHL applies to situations amounting to armed conflict independently of its classification as such by the parties. For IHL, it does not matter whether the armed conflict is lawful or not, because its objective is to minimize human suffering and provide a minimum level of protection to civilians in any scenario of hostilities. Hence, the recognition that international humanitarian law applies to the cyberspace does not in any way endorse its militarization or legitimize cyberwarfare, but only ensures a minimum level of protection if an armed conflict arises.

There are two instances where IHL might apply to cyber activities. First, if they are carried out as part of an ongoing armed conflict, contributing to conventional operations conducted by the parties. Second, if the cyber activities themselves cross the threshold of violence to be characterized as an armed conflict.

Of particular importance, the 2015 GGE report has noted the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction.

For Brazil, the IHL principle of precaution is also applicable to the use of ICTs by States, meaning that parties must “take all feasible precautions in the choice of means and methods of attack with a view to avoiding, and in any event minimizing, incidental loss of civilian life, injury to civilians and damage to civilian objects”."[3]

"In making the assessment of necessity, distinction, proportionality and precaution, parties must take into consideration the particularities of the cyberspace, such as the interconnectivity between military and civilian networks. The principle of distinction determines that cyberattacks must target military objectives and must not be indiscriminate. In case of doubt whether a cyber infrastructure that is normally dedicated to civilian purposes is being used to make an effective contribution to military action, it shall be presumed not to be so used.

[...]

In any event, where IHL is silent or ambiguous, the “Martens clause” remains applicable, ensuring that, in cases not covered by existing rules, “civilians and combatants remain under the protection and authority of the principles of international law derived from established custom, from the principles of humanity and from the dictates of public conscience”."[4]

Canada (2022)[edit | edit source]

"48. IHL applies to cyber activities conducted in the context of both international and non-international armed conflict and regulates the conduct of hostilities and protects the victims of armed conflict.[5] In any armed conflict, the right of parties to choose means and methods of warfare is not unlimited.[6]

"[...]51. Canada emphasises that acknowledging the application of IHL to cyber activities in armed conflict neither contributes to militarising cyberspace nor legitimises cyber activities that are unlawful.[7]"[8]

Costa Rica (2023)[edit | edit source]

"38. Costa Rica joins the global consensus of States that international humanitarian law (IHL) is applicable in cyberspace and to cyber operations during armed conflicts. As noted earlier, the International Court of Justice observed that IHL applies to ‘all forms of warfare and to all kinds of weapons’. In Costa Rica’s perspective, there is no doubt that this extends to all uses of ICTs in situations of and connected to armed conflicts.

39. Costa Rica is also of the view that affirming the application of IHL to the use of ICTs during armed conflict does not legitimize cyber warfare or encourage the militarization of cyberspace in any way. IHL is a body of law that is restrictive in nature, and therefore it acts as a constraint, not an enabler of conflict. In addition, IHL imposes important limits on the militarization of cyberspace by prohibiting the development of new weapons or other military cyber capabilities that would be inconsistent with IHL, as detailed later in this position (see para. 56).

40. IHL applies only in situations of armed conflict.79 During peacetime, certain additional measures must be taken to ensure respect for IHL in the event an armed conflict occurs. Those relevant in the ICT context include the duties to disseminate and train IHL, to adopt certain implementing domestic legislation, to carry out legal reviews of new weapons, means and methods of warfare, or to take measures to protect civilians against the effects of attacks.

41. The relationship between cyber operations and armed conflict can be one of two kinds. First, cyber operations may occur as part of an ongoing armed conflict. If such operations have a sufficient nexus with the conflict (e.g., they are conducted in conjunction with or in support of traditional kinetic military operations during an existing conflict), they are governed by IHL.

42. Second, resorting to cyber operations may bring an armed conflict into existence. In this regard, IHL distinguishes between two types of armed conflict: international armed conflict, and non-international armed conflict. [...][9]

Czech Republic (2020)[edit | edit source]

"[...] the Czech Republic recognizes that International humanitarian law (IHL) applies to cyber operations during armed conflicts, on the understanding that this neither encourages the militarization of cyberspace, nor legitimizes cyber warfare, just as IHL does not legitimize any other form of warfare.

It is essential to underline that IHL does not promote the militarisation of cyberspace. On the contrary, it reduce its lawful military use by creating limits and requiring for all used means and methods to be employed in accordance with its rules; including the principles of humanity and distinction and the principle of proportionality."[10]

Czech Republic (2024)[edit | edit source]

37. IHL applies to cyber operations conducted in the context of both international and non- international armed conflicts. It protects persons who do not, or no longer, take part in the hostilities, and imposes limits on the the means and methods of warfare, conduct of hostilities, and provides for the protection of civilians and civilian objects during an ongoing armed conflict.

38. Principles and rules of IHL applicable in armed conflict govern all forms of warfare and all means or methods of warfare, including those of the future. This is confirmed also by Article 36 of Additional Protocol I requiring States to review the lawfulness of such means and methods of warfare. Thus, cyber operations conducted as a part of an armed conflict are governed by IHL in the same way as any other means or methods of warfare.

39. The Czech Republic endorses the view that a cyber operation during an armed conflict, which is attributable to a State or other party to the conflict under international law, may constitute an “attack” under IHL, when the effects of such operation are comparable to those conducted by conventional means or methods of warfare, for instance if a cyber operation is designed or reasonably expected to cause injury or death to persons or damage or destruction to objects during an armed conflict.

40. Cyber operations conducted as part of hostilities during an armed conflict must always be conducted in compliance with all relevant IHL rules and in particular with IHL basic principles of humanity and military necessity, distinction, proportionality and precaution. Compliance with these principles in a cyber context may require specific considerations as the infrastructure in cyberspace is often used for both military and civilian purposes.

41. Parties to armed conflict must carefully design and use cyber tools to distinguish between the civilian population and combatants and between civilian objects and military objectives when conducting cyber operations. Civilians and civilian objects shall be protected from being the object of attack, including those carried out by cyber means. Civilians are protected against attack unless and for such time as they are directly participating in hostilities. In case of doubt as to whether a person is a civilian, that person shall be presumed a civilian. Attacks shall be limited strictly to military objectives. In case of doubt as to whether cyber infrastructure that is normally used for civilian purposes is being used to effectively contribute to military action, it shall be presumed not to be so used. Foreseeable direct and indirect effects shall be taken into account when assessing the proportionality of an attack.

42. When conducting cyber operations, constant care must be taken to spare the civilian population, individual civilians and civilian objects, for instance to ensure protection of essential civilian infrastructure and services. All feasible precautions must be taken to protect civilians and civilian objects from adverse effects of attacks, including through cyber means.

43. It is prohibited to make objects indispensable for the survival of the civilian population the object of attack, including through cyber means. It is likewise prohibited to destroy, remove or render them useless by cyber means. Parties to an armed conflict must not disrupt the functioning of such objects, including through cyber means. All feasible measures must be taken to facilitate thier functioning and prevent harm to these objects, including by cyber operations.

44. Medical units, transport and personnel as well as impartial humanitarian personnel and objects shall not be the object of attack and they must be respected and protected at all times, including their cyber infrastructure. All feasible measures must be taken to facilitate their functioning and to prevent harm to these facilities and persons.

45. Under all circumstances, parties to an armed conflict must not employ cyber tools that would spread or cause harm indiscriminately. Indiscriminate attacks, i.e., those that are of a nature to strike military objectives and civilians or civilian objects without distinction, are prohibited by IHL.

46. Cyber operations that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated, are prohibited. In the cyber context, this would require parties to a conflict to assess the potential effects of cyber activities on both military and civilian infrastructure and users, including shared physical infrastructure that would affect civilians.

47. The Czech Republic emphasizes that the application of IHL to cyber activities in armed conflict by no means promotes the militarization of cyberspace, nor legitimizes cyber warfare, just as IHL does not legitimize any other form of warfare. On the contrary, it reduces the military use of cyberspace by creating limits and requiring for all used means and methods of warfare to be employed in accordance with its rules."[11]

Denmark (2023)[edit | edit source]

"Denmark concurs with the view put forward by a number of States that international humanitarian law (IHL) applies to cyber operations undertaken in the context of armed conflict. This is the case regardless of whether the cyber operation takes place during an international or a non-international armed conflict."[12]

Estonia (2021)[edit | edit source]

If a situation amounts to an armed conflict and cyber operations are carried out during that conflict, international humanitarian law applies to these cyber operations as it does to all operations with a nexus to armed conflict in general.

"Estonia believes that international humanitarian law sets boundaries for states' activities in conflict, protecting civilian persons and infrastructure, and acting as a constraint, not a facilitator of conflict.

In our view, international humanitarian law provides the necessary rules constraining states’ conduct in conflict that also extend to cyber operations. Its applicability does not lead to the militarisation of cyberspace.

Armed conflicts today and in the future may involve offensive cyber capabilities. Therefore, it is vital that the use of such capabilities would be subject to obligations deriving from international humanitarian law, including taking into account such considerations as humanity, necessity, proportionality and distinction.[13]

Finland (2020)[edit | edit source]

"International humanitarian law only applies to cyber operations when such operations are part of, or amount to, an armed conflict. Most so far known cyberattacks have not been launched in the context of an armed conflict or met the threshold of armed conflict. At the same time, when cyber means are used in the context of a pre-existing armed conflict, as has been done in many current conflicts, there is no reason to deny the need for the protections that international humanitarian law provides. This includes that cyber means and methods of warfare must be used consistently with the principles of distinction, proportionality and precautions, as well as the specific rules flowing from these principles. When assessing the capacity of cyber means and methods to cause prohibited harm, their foreseeable direct and indirect effects shall be taken into account. Constant care shall be taken to ensure the protection of civilians and civilian objects, including essential civilian infrastructure, civilian services and civilian data.

The unique characteristics of cyberspace, such as interconnectedness and anonymity, may affect how international humanitarian law is interpreted and applied with regard to certain cyber means and methods warfare. The related problems can nevertheless mostly be solved on the basis of existing rules. New technologies do not render the existing rules of international humanitarian law meaningless or necessarily require new legal regulation. Furthermore, while international humanitarian law is lex specialis in an armed conflict, it does not override other areas of international law, such as human rights law, which may continue to apply throughout the conflict."[14]

France (2019)[edit | edit source]

In an armed conflict situation, cyberspace is an area of confrontation in its own right linked to other areas of confrontation. The offensive cyber capability implemented in the theatres of engagement of the French armed forces is controlled by means of a doctrine and a framework for use in accordance with which it is required to comply with international humanitarian law (IHL).[15]

Germany (2021)[edit | edit source]

"Germany reiterates its view that IHL applies to cyber activities in the context of armed conflict. The fact that cyberspace as a domain of warfare was unknown at the time when the core treaties of IHL were drafted does not exempt the conduct of hostilities in cyberspace from the application of IHL. As for any other military operation, IHL applies to cyber operations conducted in the context of an armed conflict independently of its qualification as lawful or unlawful from the perspective of the ius ad bellum.

An international armed conflict – a main prerequisite for the applicability of IHL in a concrete case – is characterized by armed hostilities between States. This may also encompass hostilities that are partially or totally conducted by using cyber means. Germany holds the view that cyber operations of a non-international character, e.g. of armed groups against a State, which reach a sufficient extent, duration, or intensity (as opposed to acts of limited impact) may be considered a non-international armed conflict and thereby also trigger the application of IHL.

At the same time, cyber actions can become part of an ongoing armed conflict. In order to fall within the ambit of IHL, the cyber operation must show a sufficient nexus with the armed conflict, i.e. the cyber operation must be conducted by a party to the conflict against its opponent and must contribute to its military effort.

Cyber operations between a non-State actor and a State alone may provoke a non-international armed conflict. However, this will only seldom be the case due to the level of intensity, impact and extent of hostilities required. Thus, activities such as a large-scale intrusion into foreign cyber systems, significant data theft, the blocking of internet services and the defacing of governmental channels or websites will usually not singularly and in themselves bring about a non-international armed conflict."[16]

"The basic principles governing the conduct of hostilities, including by cyber means, such as the principles of distinction, proportionality, precautions in attack and the prohibition of unnecessary suffering and superfluous injury, apply to cyber attacks in international as well as in non-international armed conflicts."[17]

Ireland (2023)[edit | edit source]

"29. International humanitarian law (IHL) applies in situations of armed conflict (international or non-international). Cyber operations that take place in the context of, or themselves amount to, an armed conflict are regulated by IHL, including the principles of humanity, necessity, proportionality and distinction. States, through the GGE, have acknowledged the relevance of these key IHL principles to the use of ICTs by states.[21]

30. Cyber operations that have similar effects to physical military operations constituting armed force will bring into existence an international armed conflict if conducted between states, and can bring into existence a non-international armed conflict if the usual criteria are satisfied, namely that the violence has reached the requisite level of intensity and that it is between at least two organised parties.

[...]

32. Ireland strongly disagrees with any suggestion that affirming the application of IHL to cyberspace encourages or legitimises the militarisation of cyberspace. IHL is concerned with limiting the suffering caused by armed conflict and mitigating its effects, rather than with the justifiability of the initiation of the conflict."[18]

Israel (2020)[edit | edit source]

"I’ll start by stating the obvious: the law of armed conflict and its fundamental principles generally apply to cyber operations conducted in the context of an armed conflict. Indeed, “the right of belligerents to adopt means of injuring the enemy is not unlimited” even in the cyber domain.

Israel is a party to the four Geneva Conventions and other treaties governing particular aspects of conduct in armed conflict and is also bound by applicable customary law. Israel—like the United States and others—is not a party to the First and Second Additional Protocols to the four Geneva Conventions and is not bound by them as a matter of treaty law. However, we see the following as consistent with the relevant customary law and the Additional Protocols."[19]

Italy (2021)[edit | edit source]

"IHL applies in cyberspace in the context of an international or non-international armed conflict. The definition of ‘armed conflict’ in this regard has been formulated by the Appeals Chamber in the Prosecutor v Tadić case Jurisdiction Decision, according to which ‘…an armed conflict exists whenever there is a resort to armed force between States or protracted armed violence between governmental authorities and organised crime groups or between such groups within a State’.

[...]

Furthermore, a State may not carry out attacks against targets located within the territory of a non-belligerent State without the express consent of the latter, unless otherwise allowed by jus ad bellum rules for the purposes of self-defence or under the authorization of the UN Security Council. Finally, the law of neutrality must also be taken into account as a possible limit in international armed conflicts."[20]

"Within an armed conflict, any action taken by a neutral State should be applied equally to all belligerents. For instance, a State may not provide or deny access to its ICT infrastructure to one party but not to the other(s)."[21]

Japan (2021)[edit | edit source]

"International humanitarian law is also applicable to cyber operations.

In situations of armed conflict, the methods and means of warfare used by the parties to the conflict are subject to regulations under international humanitarian law. This extends to cyber operations implemented by the parties to the conflict. Several principles under international humanitarian law, including the principle of humanity, necessity, proportionality and distinction, are also applicable to acts in cyberspace. In paragraph 28(d) of the 2015 GGE report, those principles are referred to as "established international legal principles." This reference, considered together with the fact that this report affirms the applicability of existing international law, can be interpreted to affirm the applicability of those principles.

[..] In principle, the existence of an "armed conflict" is a prerequisite for the application of international humanitarian law. Under the Geneva Conventions, there is no particular definition of an "armed conflict," and therefore, whether or not a certain incident constitutes an "armed conflict" needs to be decided on a case-by-case basis, taking into account a number of elements, such as the manner of the actual attack and the intent of each party to the incident, in a comprehensive manner. If the effects of cyber operations are taken into consideration, the conduct of cyber operations alone may reach the threshold of an "armed conflict."

As affirming the applicability of international humanitarian law to cyber operations contributes to the regulation of methods and means of warfare, the argument that doing so will lead to the militarization of cyberspace is groundless.[...] On the other hand, modes of combat in cyberspace are different from those in traditional domains. Therefore, how international humanitarian law regarding, for example, the scope of combatants applies to cyberspace should be further discussed."[22]

Kenya (2021)[edit | edit source]

"Kenya notes that there is a strong body of International Law which can be applied in the context of ICTs including Human Rights Law based on the Universal Declaration of Human Rights, International Humanitarian Law (recognizing that, unfortunately, not only can ICTs become a source of conflict, but they are increasingly both used and developed during conflicts between States) and Customary International Law. All these laws should be studied and analyzed in a fair, open, peace-loving and balanced manner in order to adopt a utilitarian body of International Law that guides the use of information and communication technology in the context of international security." [23]

Netherlands (2019)[edit | edit source]

"A key component of IHL is international law on neutrality. Neutrality requires that states which are not party to an armed conflict refrain from any act from which involvement in the conflict may be inferred or acts that could be deemed in favour of a party to the conflict. In its relations with parties to the armed conflict the neutral state is required to treat all parties equally in order to maintain its neutrality. A state may not, for example, deny access to its IT systems to one party to the conflict but not to the other. In its response to the above-mentioned advisory report by the AIV/CAVV, the government noted that, ‘In an armed conflict involving other parties, the Netherlands can protect its neutrality by impeding the use by such parties of infrastructure and systems (e.g. botnets) on Dutch territory. Constant vigilance, as well as sound intelligence and a permanent scanning capability, are required here.’"[24]

New Zealand (2020)[edit | edit source]

"In situations of armed conflict, international humanitarian law applies to cyber activities. [...] All cyber “attacks” must comply with the principles of military necessity, humanity, proportionality and distinction."[25]

Norway (2021)[edit | edit source]

Key message
International humanitarian law applies to cyber operations in connection with an armed conflict.

"International humanitarian law (IHL) applies in the event of an armed conflict. Whether an (international or non-international) armed conflict exists will depend on the specific circumstances.

This specialised regime of international law, also called jus in bello, governs actions, including cyber operations, when they are conducted in connection with an armed conflict.

International humanitarian law aims to minimise the human suffering caused by armed conflict. It thus regulates and limits cyber operations during armed conflicts, just as it regulates and limits the use of any other weapons, means and methods of warfare in an armed conflict.

IHL does not legitimise the use of force in cyberspace. Any use of force by States – either by digital or by conventional means – remains governed by the Charter of the United Nations and the relevant rules of customary international law, also called jus ad bellum. Of particular relevance is the prohibition against the use of force. International disputes must be settled by peaceful means, in cyberspace as in all other domains.

[...]

Under IHL, medical services must be protected and respected, including when carrying out cyber operations during armed conflict. IHL also prohibits attacking, destroying, removing or rendering useless objects indispensable to the survival of the population, including through cyber means and methods of warfare. ‘Objects indispensable to the survival of the civilian population’ include ICT infrastructure for food production or drinking water installations."[26]

Pakistan (2023)[edit | edit source]

“9. Like international law including the UN Charter, there also exists a consensus among the States that International Humanitarian Law (IHL) does have applicability in cyberspace. However, the real debatable point is how IHL applies to cyberspace. Moreover, States have divergent set views on modifying the existing framework of IHL in view of the constantly changing nature of warfare.

10. In the past, efforts were made in the form of projects like the Tallinn Manual 3.0 or the Cyber Law Toolkit, which are academic, non-binding studies to examine the applicability of international law and IHL in cyberspace. The Tallinn Manual provides much guidance in this regard. However, key issues relating to the defining of a threshold for an armed conflict, status, and attribution remain unsettled.

11. The most important issue, while discussing the application of IHL in cyberspace, is that of ensuring the transposition of the three cardinal principles of International Humanitarian Law, namely, distinction, proportionality, and precaution during cyber-operations. Their application is complicated because of the complexity of cyber-operations, the interconnectedness of computer systems, and the use of the same internet infrastructure by both civilians and the military. Militaries utilize the same internet backbone and transmission lines for communication, used by the civilian critical infrastructure. Targeting an adversary's military internet infrastructure during a conflict may result in civilian human and financial loss.

12. Pakistan believes that the Geneva Conventions and its Additional Protocols (APs) related to distinction whereby, parties to a conflict must distinguish between civilians and combatants and between civilian objects and military targets, continue to apply during cyber conflicts. Moreover, the use of any type of cyber weapon which causes indiscriminate damage is outlawed under IHL and the critical civilian infrastructure and the civilian population shall remain protected during cyber conflicts. Pakistan is of the view that owing to the interconnected nature of the internet and related infrastructure, the existing framework of IHL needs transformations to accommodate the needs of modern warfare to guarantee that the cardinal principles of IHL i.e. distinction, proportionality, and precaution are upheld.

13. In view of the above-mentioned limitations of the existing framework of IHL, Pakistan calls for the formulation of a legally-binding instrument to not only promote the responsible behavior of States in cyberspace and to regulate the use of cyber and other digital technologies to ensure that they will not be violating the IHL."[27]

Poland (2022)[edit | edit source]

8. The norms of international humanitarian law apply to cyberspace

"The norms of international humanitarian law (IHL) apply in the event of an armed conflict, an international or non international one. The basic principles of international humanitarian law include the principle of humanity, proportionality, military necessity and distinction. The requirements of international humanitarian law apply also to actions carried out in cyberspace during an armed conflict. When taking actions in cyberspace, it is necessary to consider both direct and indirect effects of such operations."[28]

Romania (2021)[edit | edit source]

"International Humanitarian Law (IHL) applies in the context of cyber operations carried out as part of an armed conflict (whether international or non-international).

In such circumstances, the planning of and carrying on of cyber operations must be done in conformity with the principles governing the conduct of hostilities, namely distinction, proportionality, necessity and precaution."[29]

Singapore (2021)[edit | edit source]

"Singapore’s view is that in times of armed conflict, the relevant principles of international humanitarian law (“IHL”) would apply to the belligerents’ use of cyberspace. Some examples of such principles would include those of humanity, necessity, proportionality and distinction.

The principle of proportionality requires a State to refrain from launching a cyber operation which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.

In keeping with the principle of distinction, cyber operations undertaken in the context of armed conflicts have to distinguish between legitimate military objectives and civilian objects. Only legitimate military objectives may be targeted."[30]

Sweden (2022)[edit | edit source]

"Sweden is of the view that international humanitarian law (IHL) applies to cyber operations conducted in the context of armed conflict. An armed conflict may be of an international or non-international character, depending on the nature of the parties to the armed conflict. The application of the law of armed conflict is not limited to kinetic force. However, to fall within the scope of IHL, a cyber operation must show a sufficient nexus with the armed conflict.

IHL is not concerned with the legality of war and does not as such legitimise the use of force between States. IHL aims to regulate the conduct of hostilities and to protect those who are not, or no longer, participating in hostilities, thereby reducing risks and potential harm to civilians and civilian objects as well as persons recognised to be hors de combat. IHL requires parties to an armed conflict to distinguish between civilians and civilian objects on the one hand and military objectives on the other.

The conduct of hostilities obligates parties to the armed conflict inter alia to comply with the principles of distinction, proportionality and precaution. Compliance with these principles in a cyber context may require specific considerations as the infrastructure in cyberspace is often used for both military and civilian purposes."[31]

Switzerland (2021)[edit | edit source]

"Switzerland considers international law to be applicable to cyberspace, which includes the application of IHL in the context of armed conflicts. Switzerland's foreign policy priorities include ensuring respect as well as strengthening and promoting IHL. Switzerland is well known for its neutrality, humanitarian tradition and role as depositary of the Geneva Convention. This position paper therefore addresses IHL issues in greater depth.

IHL is applicable once an international or non-international armed conflict de facto exists. It is applicable in any armed conflict and to all parties to a conflict. IHL addresses the realities of war without considering the reasons for or the legality of the use of force. It does not deal with the legality of war, nor does it legitimise the use of force between states. The purpose of IHL is to regulate the conduct of hostilities and to protect victims of armed conflict, in particular by restricting the use of certain means and methods of warfare. The ICJ clearly stated that the established principles and rules of IHL apply to “all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future”.

This is applicable to cyberspace in the same way as for traditional and new operational spaces (outer space, airspace, land, maritime space, electromagnetic space, information space). IHL is therefore the main body of international law governing cyber operations that have a connection with an armed conflict. Implementing IHL effectively contributes to ensuring international security. Existing IHL, particularly its fundamental principles, places important limits on the execution of cyber operations in armed conflicts."[32]

United Kingdom (2018)[edit | edit source]

"[..]in addition to the provisions of the UN Charter, the application of international humanitarian law to cyber operations in armed conflicts provides both protection and clarity. When states are engaged in an armed conflict, this means that cyber operations can be used to hinder the ability of hostile groups such as Daesh to coordinate attacks, and in order to protect coalition forces on the battlefield. But like other responsible states, this also means that even on the new battlefields of cyber space, the UK considers that there is an existing body of principles and rules that seek to minimise the humanitarian consequences of conflict."[33]

United Kingdom (2021)[edit | edit source]

"IHL applies to operations in cyberspace conducted in the furtherance of hostilities in armed conflict just as it does to other military operations.

IHL seeks to limit the effects of armed conflict - it protects persons who are not, or who are no longer, participating in hostilities, and limits the methods and means of warfare employed by the belligerents."[34]

"IHL seeks to limit the effects of armed conflict and it is not therefore correct that its applicability to cyber operations in armed conflict would encourage the militarisation of cyberspace."[35]

"[..] Those responsible for planning, deciding upon, or executing attacks necessarily have to reach decisions on the basis of their assessment of the information from all sources which is reasonably available to them at the relevant time. All relevant rules of IHL must be observed when planning and conducting operations whether by cyber or other means – the complexity of cyber operations is no excuse for a lower standard of protection to be afforded to civilians and civilian objects."[36]

United States (2012)[edit | edit source]

"In the context of an armed conflict, the law of armed conflict applies to regulate the use of cyber tools in hostilities, just as it does other tools. The principles of necessity and proportionality limit uses of force in self-defense, and would regulate what may constitute a lawful response under the circumstances. There is no legal requirement that the response to a cyber armed attack take the form of a cyber action, as long as the response meets the requirements of necessity and proportionality."[37]

United States (2016)[edit | edit source]

"Turning to cyber operations in armed conflict, I would like to start with the U.S. military’s cyber operations in the context of the ongoing armed conflict with the Islamic State of Iraq and the Levant (ISIL). As U.S. Defense Secretary Ashton Carter informed Congress in April 2016, U.S. Cyber Command has been asked “to take on the war against ISIL as essentially [its] first major combat operation […] The objectives there are to interrupt ISIL command-and-control, interrupt its ability to move money around, interrupt its ability to tyrannize and control population[s], [and] interrupt its ability to recruit externally.

The U.S. military must comply with the United States’ obligations under the law of armed conflict and other applicable international law when conducting cyber operations against ISIL, just as it does when conducting other types of military operations during armed conflict. To the extent that such cyber operations constitute “attacks” under the law of armed conflict, the rules on conducting attacks must be applied to those cyber operations. For example, such operations must only be directed against military objectives, such as computers, other networked devices, or possibly specific data that, by their nature, location, purpose, or use, make an effective contribution to military action and whose total or partial destruction, capture, or neutralization, in the circumstances ruling at the time, offers a definite military advantage. Such operations also must comport with the requirements of the principles of distinction and proportionality. Feasible precautions must be taken to reduce the risk of incidental harm to civilian infrastructure and users. In the cyber context, this requires parties to a conflict to assess the potential effects of cyber activities on both military and civilian infrastructure and users."[38]

United States (2020)[edit | edit source]

"It is also longstanding DoD policy that U.S. forces will comply with the law of war “during all armed conflicts however such conflicts are characterized and in all other military operations.” Even if the law of war does not technically apply because the proposed military cyber operation would not take place in the context of armed conflict, DoD nonetheless applies law-of-war principles. This means that the jus in bello principles, such as military necessity, proportionality, and distinction, continue to guide the planning and execution of military cyber operations, even outside the context of armed conflict."[39]

United States (2021)[edit | edit source]

"The 2015 GGE report recognized the applicability of the established jus in bello principles of humanity, necessity, proportionality, and distinction in cyberspace. The applicability of the jus in bello more broadly to States’ use of ICTs has been reaffirmed by a large number of Member States.

[...]

The United States has also elaborated on how these principles would apply to cyber capabilities under an armed conflict. For example, the principle of distinction requires that only legitimate military objectives be made the object of attack. In the context of cyber capabilities used in armed conflict, the principle of distinction requires that only legitimate military objectives be made the object of attack.

The principle of proportionality prohibits attacks that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects which would be excessive in relation to the concrete and direct military advantage anticipated. In the cyber context, this rule would require parties to a conflict to assess the potential effects of cyber activities on both military and civilian infrastructure and users, including shared physical infrastructure (such as a dam or a power grid) that would affect civilians. In addition to the potential physical damage that a cyber activity may cause, such as death or injury that may result from effects on critical infrastructure, parties must assess the potential effects of a cyber attack on civilian objects that are not military objectives, such as private, civilian computers that hold no military significance but may be networked to military objectives.

In addition, when using cyber capabilities in armed conflict, States must comply with their obligations under international humanitarian law related to the protection of medical personnel and facilities. For example, medical personnel and facilities must not be knowingly attacked or unnecessarily prevented from discharging their proper functions, and parties to a conflict must take feasible precautions to reduce the risk of incidental harm to the civilian population and other protected persons and objects, including medical personnel and facilities.

The United States has specifically addressed how its international humanitarian law obligations apply to cyberspace operations in the context of armed conflict in the Department of Defense’s Law of War Manual, reflecting a commitment to ensure that U.S. legal obligations are understood and respected by its military. Several other States have taken similar steps to share their views on how international humanitarian law applies and / or address cyber specifically in their military manuals."[40]


Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. African Union Peace and Security Council, "Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace" (29 January 2024) 8.
  2. Australian Government, Australia's position on how international law applies to State conduct in cyberspace
  3. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 22.
  4. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 23.
  5. Government of Canada, International Law applicable in cyberspace, April 2022, See Footnote [30], Tallinn Manual 2.0, supra note 15, Rule 80 at 375.
  6. Government of Canada, International Law applicable in cyberspace, April 2022
  7. Government of Canada, International Law applicable in cyberspace, April 2022, See Footnote [33], The views of the International Committee of the Red Cross (ICRC) are a valuable reference on this point: ICRC, Cyber operations during armed conflict are not happening in the a ‘legal void’ or ‘grey zone’-they are subject to the established principles and rules of international humanitarian law: Statement by the International Committee of the Red Cross to the UN Security Council Open Debate on Cyber Security, maintaining international peace and security in cyberspace (2021), online: https://www.icrc.org/en/document/cyber-operations-during-armed-conflict-are-not-happening-legal-void-or-grey-zone-they-are; ICRC, The ICRC calls on all States to affirm that IHL applies to, and therefore restricts, cyber operations during armed conflicts: Statement to the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security, Informal Consultative meeting (2021), online: https://www.icrc.org/en/document/icrc-calls-all-states-affirm-ihl-applies-and-therefore-restricts-cyber-operations-during.
  8. Government of Canada, International Law applicable in cyberspace, April 2022
  9. Ministry of Foreign Affairs of Costa Rica, "Costa Rica's Position on the Application of International Law in Cyberspace" (21 July 2023) 11-12 (footnotes omitted).
  10. Richard Kadlčák, Statement of the Special Envoy for Cyberspace and Director of Cybersecurity Department of the Czech Republic, 11 February 2020, 4
  11. Ministry of Foreign Affairs of the Czech Republic, "Czech Republic - Position paper on the application of international law in cyberspace" (27 February 2024) 10-12 (footnotes omitted).
  12. JGovernment of Denmark, "Denmark’s Position Paper on the Application of International Law in Cyberspace"(4 July 2023) 9.
  13. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 26-27.
  14. International law and cyberspace - Finland's national position
  15. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 12.
  16. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 7.
  17. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 8.
  18. Irish Department of Foreign Affairs, Position Paper on the Application of International Law in Cyberspace (6 July 2023) 7-8. See Footnote [21]: A/70/174 Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, Report (22 July 2015), [28(d)]
  19. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  20. Italian position paper on "International law and cyberspace", Italian Ministry for Foreign Affairs and International Cooperation.,9-10.
  21. Italian position paper on "International law and cyberspace", Italian Ministry for Foreign Affairs and International Cooperation.,10.
  22. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 6-7
  23. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 54.
  24. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 5.
  25. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 4.
  26. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 74-75.
  27. UNODA, ‘Pakistan’s Position on the Application of International Law in Cyberspace’ (3 March 2023), para. 9-13.
  28. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 7.
  29. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 77.
  30. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 85.
  31. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace, July 2022,6-7
  32. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 8-9.
  33. Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018
  34. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  35. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  36. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  37. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 5
  38. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016 8-10.
  39. Hon. Paul C. Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March, 2020
  40. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 138.

Bibliography and further reading[edit | edit source]

Retrieved from "https://cyberlaw.ccdcoe.org/wiki/International_humanitarian_law_(jus_in_bello)?oldid=4057"