Military objectives

From International cyber law: interactive toolkit
Jump to navigation Jump to search

Definition of military objectives[edit | edit source]

Military objectives
Military objectives.svg
The principle of distinction, one of the foundational precepts of IHL, requires that the parties to an armed conflict must at all times distinguish between civilian objects and military objectives and may, accordingly, only direct their operations against military objectives.[1] The customary definition of military objectives is found in Article 52(2) of Additional Protocol I:
In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.

The formal scope of application of the Protocol is limited to international armed conflicts (IACs).[2] However, an identical definition of military objectives is found in treaties applicable in non-international armed conflicts (NIACs).[3] Moreover, certain non-party States to the Protocol accept the customary nature of the definition.[4] Accordingly, the ICRC has characterized the definition of military objectives as a norm of customary international law applicable in both IACs and NIACs.[5]

Relevant rules of IHL apply to kinetic operations as well as to cyber operations.[6] However, the application of those rules in specific circumstances may pose novel challenges. This is because the rules governing targeting developed with physical operations in mind, and it is not always clear what their application to cyber operations entails.[7] For example, there is some disagreement on what types of acts amount to “attacks”[8] in the context of cyber operations, in particular when the operation in question is limited to the manipulation of data.[9] Nevertheless, even those operations that might not qualify as “attacks” under IHL may still only be directed against military objectives, as required by the principle of distinction.[10]

Publicly available national positions that address this issue include: National position of France (2019) (2019), National position of Germany (2021) (2021), National position of the United States of America (2012) (2012).

National positions[edit | edit source]

France (2019)[edit | edit source]

"In order to ensure application of the rules governing the conduct of hostilities (distinction, proportionality and precaution, prohibition of superfluous injury and unnecessary suffering), a specific digital targeting process is used for cyberoperations, under the responsibility of the commander-in-chief of the armed forces, with the input, inter alia, of operational staff and specialist operational legal advisers. It cannot be ruled out that a serious breach of these principles arising from a cyberoperation could constitute a war crime within the meaning of the Rome Statute.

The principle of distinction

Under the principle of distinction, the parties to an armed conflict must at all times distinguish between the civilian population and combatants, and between civilian objects and military objectives. In this regard, cyber-attacks carried out in an armed conflict situation which are not directed against a specific military objective or whose effects cannot be contained are prohibited. If there is doubt as to whether an individual is a combatant, he or she must be considered a civilian61. Likewise, an object normally used for civilian purposes is presumed not to be used to make an effective contribution to military action. On this point France does not follow the Tallinn Manual, which considers that if there is doubt over the use of a civilian object for military purposes, a determination as to such use should be made only following a careful assessment.

From this standpoint and under the authority of the commander-in-chief of the armed forces, offensive cyber warfare operations are planned and coordinated taking all measures possible in practice to ensure that the targeted objectives are not civilians or civilian objects. Commanders are thus careful to gather the necessary intelligence to identify the objective and choose the most suitable means in order to apply the principle of distinction. Even if cyber weapons can have immediate effects, their integration into the operational manoeuvre is based on often long and specific planning designed to gather the information necessary to identify the nature of the targeted system (such as a map of the enemy network) in order to ensure compliance with IHL. A cyberoperation will be cancelled if the target under consideration proves not to be a military objective.

The distinction between military objectives and civilian objects.

In cyberspace, ICT equipment or systems and the data, processes or flows which constitute a service may be a military objective if (i) they contribute to military action by their nature (armed forces computer workstations, military command, localisation or surveillance networks, etc.), their location (places from which the cyber-attacks are carried out), their purpose (foreseeable use of ICT networks for military purposes) or their use (use of part of the network for military purposes), and (ii) their total or partial destruction, capture or neutralisation confers a definite military advantage. Under these circumstances, a propaganda centre may be a lawful military objective and the target of a cyberattack if it disseminates instructions linked to the conduct of hostilities.

Conversely, all objects which are not military objectives are deemed to be civilian objects. An attack carried out in cyberspace may not be directed against ICT systems used by schools, medical institutions or any other exclusively civilian service, or against systems whose destruction would only entail tangible effects on civilian objects, unless those objects are used for military purposes. Given the current state of digital dependence, content data (such as civilian, bank or medical data, etc.) are protected under the principle of distinction.

Cyberoperations must also take into account the special protection of certain objects, such as medical units, cultural property, the natural environment, objects indispensable to the survival of the civilian population and installations that contain dangerous forces. This protection extends to ICT equipment and services and to the data needed to operate them, such as medical data linked to the operation of a hospital.

ICT infrastructure or a system used for both civilian and military purposes may, after detailed analysis on a case-by-case basis, be deemed a military objective. They may be targeted provided that the principles of proportionality and precaution are respected. Given the hyperconnectivity of systems, commanders exercise vigilance over the action as a whole in order to avoid effects on civilians and civilian objects, or at least keep them to a minimum, in compliance with the principles of precaution and proportionality."[11]

Germany (2021)[edit | edit source]

"[...] a civilian object like a computer, computer networks, and cyber infrastructure, or even data stocks, can become a military target, if used either for both civilian and military purposes or exclusively for the latter. However, in cases of doubt, the determination that a civilian computer is in fact used to make an effective contribution to military action may only be made after a careful assessment. Should substantive doubts remain as to the military use of the object under consideration, it shall be presumed not to be so used.

The benchmark for the application of the principle of distinction is the effect caused by a cyber attack, irrespective of whether it is exercised in an offensive or a defensive context. Thus, computer viruses designed to spread their harmful effects uncontrollably cannot distinguish properly between military and civilian computer systems as is required under IHL and their use is therefore prohibited as an indiscriminate attack. In contrast, malware that spreads widely into civilian systems but damages only a specific military target does not violate the principle of distinction. Given the complexity of cyber attacks, the limited options to comprehensively appraise their nature and effects and the high probability of an impact on civilian systems, having recourse to the appropriate expertise to assess potential indiscriminate effects throughout the mission planning process is of key importance to Germany.

A cyber attack directed against a military target which is nevertheless expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, is also prohibited under IHL if such incidental effects would be excessive in relation to the concrete and direct military advantage anticipated. If a cyber attack is executed in conjunction with other forms of military action, such as attacks with conventional weapons directed against the same installation, the military advantage and the collateral damage must be considered with regard to the ‘attack […] as a whole and not only […] [with regard to] isolated or particular parts of the attack.’

Assessing collateral damage and incidental injury or loss of life when conducting a proportionality analysis can be even more difficult in the context of cyber operations as compared to more traditional, i.e. physical, means or methods of warfare. This however does not discharge those planning and coordinating attacks from taking into account their foreseeable direct and indirect effects."[12]

United States (2012)[edit | edit source]

"The principle of proportionality prohibits attacks that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects that would be excessive in relation to the concrete and direct military advantage anticipated. Parties to an armed conflict must assess what the expected harm to civilians is likely to be, and weigh the risk of such collateral damage against the importance of the expected military advantage to be gained. In the cyber context, this rule requires parties to a conflict to assess (1) the effects of cyber weapons on both military and civilian infrastructure and users, including shared physical infrastructure (such as a dam or a power grid) that would affect civilians; (2) the potential physical damage that a cyber attack may cause, such as death or injury that may result from effects on critical infrastructure; and (3) the potential effects of a cyber attack on civilian objects that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are military objectives."[13]

"As you all know, information and communications infrastructure is often shared between state militaries and private, civilian communities. The law of war requires that civilian infrastructure not be used to seek to immunize military objectives from attack, including in the cyber realm. But how, exactly, are the jus in bello rules to be implemented in cyberspace? Parties to an armed conflict will need to assess the potential effects of a cyber attack on computers that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are valid military objectives. Parties will also need to consider the harm to the civilian uses of such infrastructure in performing the necessary proportionality review. Any number of factual scenarios could arise, however, which will require a careful, fact-intensive legal analysis in each situation."[14]

Qualification of data as a military objective under IHL[edit | edit source]

Data as a military objective
Data as a military objective.svg
The definition of military objectives and the prohibition of attacks on civilian objects are limited to “objects”. If the target of a cyber operation is not an “object”, then actions against it are not constrained by the rules of IHL that govern targeting. It is therefore of crucial importance whether data may qualify as an “object” and therefore be either a military objective subject to attack or a civilian object protected from attack, particularly with respect to cyber operations that do not result in a physical effect. If data does not qualify as an “object”, civilian datasets would enjoy little if any protection in times of armed conflict.

Two main views have emerged in this regard. Some experts consider the notion “object” to be limited to something with physical properties that is visible and tangible in the real world.[15] This view rests on a textual interpretation of the term “object” and finds further support in the 1987 ICRC commentary to the Additional Protocols.[16] Proponents of this position may also point out the methodological problem of discerning rules of international law on the basis of analogy[17] – a method sometimes employed by proponents of the contrary position, as noted below.[18] According to this view, cyber operations against data do not fall within the ambit of the relevant rules of IHL unless the operation in question results in some physical effect and/or a loss of functionality of the target system or network.[19]

Alternatively, other experts view data as falling within the notion of “object” under IHL. They consider that the remarks on visibility and tangibility in the ICRC commentary were meant to distinguish between concrete things (for instance, a bridge) and abstract notions (for instance, civilian morale).[20] Accordingly, data is analogous to the former category of concrete things because it is likewise susceptible to being attacked and destroyed.[21] As a result, data will be either a military objective or a civilian object; if the latter, it remains protected from attack and from excessive incidental harm, in accordance with IHL’s central value of protection of civilians and civilian objects.[22] According to this view, cyber operations against data do trigger the IHL rules of distinction and military objectives and any cyber operation against data that constitutes an attack may only be directed against data that meets the definition of military objective.

Publicly available national positions that address this issue include: National position of Israel (2020) (2020), National position of Romania (2021) (2021).

National positions[edit | edit source]

Israel (2020)[edit | edit source]

"[..]another question which is especially relevant to the cyber domain is whether the term “object,” as it is understood in LOAC, encompasses computer data. This bears implications with regard to the implementation of the LOAC rules relating to distinction, precautions, and proportionality.

Objects for the purposes of LOAC have always been understood to be tangible things and this understanding is not domain-specific. It is therefore our position that, under the law of armed conflict, as it currently stands, only tangible things can constitute objects.

Here, again, this does not mean that cyber operations adversely affecting computer data are unregulated. In particular, when an operation involving the deletion or alteration of computer data is still reasonably expected to cause physical damage to objects or persons and fulfills the other elements required to constitute an attack, the operation would be subject to LOAC targeting rules. Likewise, one must have regard to rules, which are not dependent on the concept of objects, such as the obligation to respect and protect medical units."[23]

Romania (2021)[edit | edit source]

"There are ongoing discussions in relation to qualifying data as an object for the purposes of the application of IHL. We take the preliminary view that cyber operations against data do trigger the application of IHL. Therefore cyber-attacks can only be directed against those data that represent military objectives according to IHL and cannot be directed against those data that represent a civilian object which must be protected under the principle of distinction."[24]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. Art 48 AP I; ICRC CIHL Study, rule 7.
  2. Art 1 AP I.
  3. See, eg, Amended Protocol II to the CCW, Article 2(6); Second Protocol to the Hague Convention for the Protection of Cultural Property, Article 1(f).
  4. See, eg, Brian Egan, Legal Adviser, Department of State, “Remarks to the American Society of International Law: International Law, Legal Diplomacy, and the Counter-ISIL Campaign” (1 April 2016), 242 (“In particular, I’d like to spend a few minutes walking through some of the targeting rules that the United States regards as customary international law applicable to all parties in a NIAC: … Insofar as objects are concerned, military objectives are those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.”).
  5. ICRC CIHL Study, rule 8.
  6. Tallinn Manual 2.0, rule 80 (“Cyber operations executed in the context of an armed conflict are subject to the law of armed conflict.”).
  7. See William H Boothby, The Law of Targeting (OUP 2012) 387–88.
  8. Cf Art 49(1) AP I (defining “attacks” as “acts of violence against the adversary, whether in offence or in defence”).
  9. See, eg, William H Boothby, The Law of Targeting (OUP 2012) 384–87; Noam Lubell, ‘Lawful Targets in Cyber Operations: Does the Principle of Distinction Apply?’ (2013) 89 Int’l L Studies 252, 254–74; Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 180–81; Yoram Dinstein, The Conduct of Hostilities under the Law of International Armed Conflict (3rd edn, CUP 2016) 3.
  10. Art 48 AP I (“the Parties to the conflict ... shall direct their operations only against military objectives”). It should be noted that it is not universally accepted that the reference to “operations” in Article 48 reflects customary international law. See, eg, Noam Neuman, ‘Challenges in the Interpretation and Application of the Principle of Distinction During Ground Operations in Urban Areas’ (2018) 51 VJTL 807, 821 fn 44.
  11. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 14-15.
  12. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 8-9.
  13. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 5
  14. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 8
  15. Tallinn Manual 2.0, commentary to rule 100, paras 5–6 (noting that the majority of experts considered that due to it being intangible, data does not fall within the ordinary meaning of the term object, which is “something visible and tangible”) (internal quotation marks deleted); but see Michael N Schmitt, ‘The Notion of ‘Objects’ during Cyber Operations: A Riposte in Defence of Interpretive and Applicative Precision’ (2015) 48 IsrLR 81, 93 (noting that although the “visible and tangible” criterion influenced the Tallinn Manual experts’ deliberations, it was not dispositive).
  16. Tallinn Manual 2.0, commentary to rule 100, para 5 (“An ‘object’ is characterised in the ICRC Additional Protocols 1987 Commentary as something ‘visible and tangible’.”), citing Yves Sandoz, Christophe Swinarski and Bruno Zimmermann (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (ICRC 1987), 633–34 paras 2007–08.
  17. Cf, eg, Reparation for Injuries Suffered in the Service of the United Nations (Advisory Opinion) [1949] ICJ Rep 174, Dissenting Opinion of Judge Badawi Pasha, 211 (“in international law, recourse to analogy should only be had with reserve and circumspection”).
  18. But see, eg, Silja Vöneky, ‘Analogy in International Law’, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008) (updated February 2008), para 24 (“Reasoning by analogy ... as a method of treating similar cases legally in the same way promotes the coherent interpretation of international law, and hence leads to more predictability and stability of the international legal order”).
  19. Tallinn Manual 2.0, commentary to rule 100, para 6.
  20. Heather A Harrison Dinniss, ‘The Nature of Objects: Targeting Networks and the Challenge of Defining Cyber Military Objectives’ (2015) 48 IsrLR 39, 44; Kubo Mačák, ‘Military Objectives 2.0: The Case for Interpreting Computer Data as Objects under International Humanitarian Law’ (2015) 48 IsrLR 55, 67–68.
  21. Kubo Mačák, ‘Military Objectives 2.0: The Case for Interpreting Computer Data as Objects under International Humanitarian Law’ (2015) 48 IsrLR 55, 73.
  22. Kubo Mačák, ‘Military Objectives 2.0: The Case for Interpreting Computer Data as Objects under International Humanitarian Law’ (2015) 48 IsrLR 55, 77–80; see also Tallinn Manual 2.0, rule 100, para 7 (criticizing the majority position for “running counter to the principle … that the civilian population enjoys general protection from the effects of hostilities”).
  23. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  24. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 78.

Bibliography and further reading[edit | edit source]