Means and methods of cyber warfare

From International cyber law: interactive toolkit
Jump to navigation Jump to search

Definition[edit | edit source]

Means and methods of cyber warfare
International humanitarian law (IHL) regulates the conduct of hostilities through principles and rules concerning weapons, means, and methods of warfare.[1] A bedrock principle of modern IHL is that the right of the parties to the conflict to choose methods and means of warfare is not unlimited.[2] This principle reflects customary international law and is one of the most widely recognized and accepted principles in IHL.[3] It binds all States and other parties in both international and non-international armed conflicts.[4] Central to understanding and applying this principle and the rules that operationalize it are the terms weapons, means, and methods of warfare. As a threshold matter, it is crucial to recognize that, despite these terms’ foundational nature in IHL, divergent views and approaches exist concerning their definitions in treaties, State regulations, and unofficial publications.[5]

Methods of warfare are tactics or strategies to weaken the enemy or gain an advantage during military operations, while means of warfare refer to the weapons or devices used in combat.[6] For instance, the use of ruses in armed conflicts is a lawful and commonly accepted method of warfare. Ruses include using decoys or dummy materials, feigning activity or inactivity, and using camouflage, among many other tactics and techniques.[7] Human shields, misuse of protected emblems, or perfidy are examples of methods of warfare that are prohibited.

By contrast, means of warfare include weapons or devices such as machine guns, tanks, airplanes, submarines, missiles, drones, rifles, and many others.[8] A weapon is “generally understood as that aspect of the system used to cause damage or destruction to objects or injury or death to persons,” and characterizes both weapons and weapon systems as means of warfare.[9] Various rules of IHL operationalize the terms weapons, methods, and means. These include, but are not limited to, the weapons review requirement and process,[10] the prohibition on unnecessary suffering,[11] precautions in the attack,[12] and the law of neutrality.[13]

Tallinn Manual 2.0 outlines a definitional framework for the terms means and methods of warfare in the cyber context. According to the Manual, “[c]yber means of warfare” includes both cyber weapons and related systems and includes cyber devices, material, instrument, mechanisms, equipment, or software used, designed, or intended to be used to conduct a cyber-attack.[14] Cyber weapons are means of warfare used, designed, or intended to cause injury to, or death of, persons or damage to, or destruction of, objects.[15] Finally, Tallinn Manual 2.0 states that “methods of cyber warfare are the cyber tactics, techniques, and procedures by which hostilities are conducted”.[16] Hacking, phishing, distributed denial of service, and the use of so-called honeypots and watering holes are typical examples of methods of cyber warfare.[17]

Publicly available national positions that address this issue include: National position of Costa Rica (2023) (2023), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Switzerland (2021) (2021).

National positions[edit | edit source]

Costa Rica (2023)[edit | edit source]

"55. The right of the parties to an armed conflict to choose means and methods of warfare, including cyber capabilities, is not unlimited. In particular, parties to an armed conflict are barred from using means and methods of warfare that are expressly prohibited by IHL. For instance, the use of poison or poisoned weapons is prohibited. This means that a cyber operation that is designed or expected to result in poisoning the water supply is specifically prohibited by IHL. This is true irrespective of whether the operation would amount to an attack or if the water supply would qualify as an object indispensable to the civilian population (on which see paras 49 and 61, respectively). Similarly, a cyber operation directed at a factory or other infrastructure containing or using toxic chemicals, designed or expected to cause harm through their release, is prohibited.[18]

France (2019)[edit | edit source]

"Despite the complexity of cyberspace, the framework for cyberoperations carried out in an armed conflict situation is still determined by compliance with the principles of precaution and proportionality. As such, the digital targeting process takes account of a cyber weapon’s direct and indirect effects.

Despite the interconnectivity of military and civilian systems, the fact of being able to configure a cyber weapon according to the specifically desired effects of an operation helps to avoid excessive damage in relation to the concrete and direct military advantage anticipated. The non-lethal nature of cyber weapons and the possibility of limiting their effects to a previously identified system contribute to the obligation to choose the means and methods of attack most likely to avoid, or at least reduce to a minimum, any incidental loss of civilian lives, injury to civilians or damage to civilian objects."[19]

Germany (2021)[edit | edit source]

"A corollary to the prohibition of indiscriminate cyber attacks is the duty to take constant care to spare the civilian population, civilians and civilian objects during hostilities involving cyber operations.

Those who plan, approve or execute attacks must take all feasible precautions in the choice of means and methods with a view to avoiding, and in any event minimizing, incidental loss of civilian life, injury to civilians and damage to civilian objects. This might encompass gathering intelligence on the network in question through mapping or other processes in order to assess the attack’s likely effects. Also, the inclusion of a deactivation mechanism or a specific configuration of the cyber tool which limits the effects on the intended target might be considered. Moreover, if it becomes apparent that the target is not a military one or is subject to special protection, those who plan, approve or execute the cyber attack must refrain from executing or suspend the attack. The same applies when the attack may be expected to cause excessive collateral damage to civilians and civilian objects."[20]

Switzerland (2021)[edit | edit source]

"IHL prohibits or restricts means (weapons) and methods of warfare through general principles – regulating conduct or prohibiting certain effects – and specific rules addressing particular means and methods of warfare. As regards weapons, IHL distinguishes between the legality of a particular type of weapon (weapons law) and the legality of how it is used (law of targeting). The inherent characteristics of certain weapon categories entail that their use – in some or all circumstances – is unlawful per se. The admissibility of all other weapons depends on whether their use is in conformity with IHL.

This is also applicable to cyberspace. In fact, developing or using new means and methods of warfare must be in compliance with existing international law, particularly IHL. This is true even if a weapon is not covered by a specific norm and the treaty provisions governing the conduct of hostilities do not explicitly refer to new technologies. The customary rules of IHL apply equally to all means and methods of warfare, including in cyberspace. Indeed, it is a long standing principle that the right of parties to an armed conflict to choose methods or means of warfare is not unlimited."[21]


"Legality of a particular type of weapon

IHL stipulates that any means or method of warfare possessing one or more of the following characteristics is inherently unlawful if:

(1) it is of a nature to cause superfluous injury or unnecessary suffering;

(2) it is indiscriminate by nature, because it cannot be directed against a specific military objective or its effects cannot be limited as required by IHL;

(3) it is intended, or may be expected, to cause widespread, long-term or severe damage to the natural environment; or

(4) it is specifically prohibited by treaty or customary international law. This is applicable to cyberspace and, therefore, to cyber means and methods of warfare."[22]

"With regard to the lawful use of cyber means and methods of warfare, the rules and principles governing the conduct of hostilities must be respected. Belligerents must in particular comply with the principles of distinction, proportionality and precaution by:

(1) distinguishing between military objectives on the one hand, and civilians or civilian objects on the other hand and, in case of doubt, presume civilian status;

(2) evaluating whether the incidental harm expected to be inflicted on the civilian population or civilian objects would be excessive in relation to the concrete and direct military advantage anticipated from that particular attack;;

(3) taking all feasible precautions to spare civilians and civilian objects.

This is also applicable in cyberspace, when using cyber means and methods of warfare. [...] In practice, a responsible actor should generally be able to assess the potential impact of their actions and any resulting damage. As this estimation depends, amongst other things, largely on the information available at the time when decisions about an operation are taken, the obligation to take all precautionary measures practically possible to spare civilians and civilian objects plays a particularly important role in the use of cyber means and methods of warfare."[23]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. See ICRC CIHL Study, vol I, parts III–IV; see also United States, FM 6-27, MCTP 11-10C, The Commander’s Handbook on the Law of Land Warfare (August 2019) 2-1.
  2. See Article 22 Hague Regulations; Article 35 AP I.
  3. [1] See UN GA, Resolution 2444 (1968), UN Doc A/7218 (adopted unanimously), para. 1(a); ICTY, Prosecutor v Tadić, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, Appeals Chamber, Case No. IT-94-1, 2 October 1995, paras. 110 and 112 (holding that principles enshrined in Resolution 2444 reflected customary international law at the time); Nuclear Weapons Advisory Opinion, paras. 78–79 (affirming that the principle that ‘States do not have unlimited freedom of choice of means in the weapons they use’ is one of ‘intransgressible principles of international customary law’); San Remo Manual, Rule 38 (‘In any armed conflict the right of the parties to the conflict to choose methods or means of warfare is not unlimited.’); AMW Manual, Rule 4 (‘The fundamental principle is that, in any armed conflict, the right of the Belligerent Parties to choose methods or means of warfare is not unlimited.’).
  4. See William H Boothby, The Law of Targeting (OUP 2012) 58.
  5. See Jeffrey T Biller and Michael N Schmitt, ‘Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare’ (2019) 95 Int’l L Stud 179, 202.
  6. See Geoffrey S Corn and others, The Law of Armed Conflict: An Operational Approach (2nd ed., Wolters Kluwer 2019) 288.  See also United States, FM 6-27, MCTP 11-10C, The Commander’s Handbook on the Law of Land Warfare (August 2019) 2-1.
  7. See Gary D Solis, The Law of Armed Conflict: International Humanitarian Law in War (2nd ed., CUP 2016) 464-467.
  8. Dave Wallace and Shane R Reeves, ‘Modern Weapons and the Law of Armed Conflict’ in Geoffrey S Corn, Rachel E VanLandingham, and Shane R. Reeves (eds), U.S. Military Operations: Law, Policy, and Practice (OUP 2016) 41.
  9. See Tallinn Manual 2.0, commentary to rule 103.
  10. Article 36 AP I.
  11. Article 23 (e) Hague Regulations; Art. 35(2) AP I.
  12. Article 57 AP I.
  13. See Hague Conventions V and XIII.
  14. Tallinn Manual 2.0, commentary to rule 103.
  15. Tallinn Manual 2.0, commentary to rule 103.
  16. Tallinn Manual 2.0, rule 103.
  17. See Jeffrey T Biller and Michael N Schmitt, ‘Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare’ (2019) 95 Int’l L Stud 179, 219.
  18. Ministry of Foreign Affairs of Costa Rica, "Costa Rica's Position on the Application of International Law in Cyberspace" (21 July 2023) 15 (footnotes omitted).
  19. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 16.
  20. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 9-10.
  21. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 9.
  22. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 9-10.
  23. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 9-10.

Bibliography and further reading[edit | edit source]

Retrieved from "https://cyberlaw.ccdcoe.org/wiki/Means_and_methods_of_cyber_warfare?oldid=3909"