Definition of military objectives[edit | edit source]
|The principle of distinction, one of the foundational precepts of IHL, requires that the parties to an armed conflict must at all times distinguish between civilian objects and military objectives and may, accordingly, only direct their operations against military objectives. The customary definition of military objectives is found in Article 52(2) of Additional Protocol I:
In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.
Thus, to qualify as a military objective, an object must cumulatively meet the two criteria set forth in the abovementioned rule, which must be determined on a case-by-case basis. In case of doubt as to whether an object that is normally dedicated to civilian purposes is being used to make an effective contribution to military action, it must be presumed to remain protected as a civilian object.
The formal scope of application of the Protocol is limited to international armed conflicts (IACs). However, an identical definition of military objectives is found in treaties applicable in non-international armed conflicts (NIACs). Moreover, certain non-party States to the Protocol accept the customary nature of the definition. Accordingly, the ICRC has characterized the definition of military objectives as a norm of customary international humanitarian law applicable in both IACs and NIACs.
Relevant rules of IHL apply to kinetic operations as well as to cyber operations. However, the application of those rules in specific circumstances may pose novel challenges. This is because the rules governing targeting developed with physical operations in mind, and it is not always clear what their application to cyber operations entails. For example, there is some disagreement on what types of acts amount to “attacks” in the context of cyber operations, in particular when the operation in question is limited to the manipulation of data. Nevertheless, even those operations that might not qualify as “attacks” under IHL may still only be directed against military objectives, as required by the principle of distinction. Further, due to the interconnectedness of civilian and military networks as well as in-built redundancies, it may be challenging to apply the definition of military objectives to those parts of cyber infrastructure that simultaneously serve civilian and military purposes (also referred to as “dual-use objects”).
National positions[edit | edit source]
"46. The principle of distinction requires that parties to an armed conflict distinguish at all times between civilians and combatants and between civilian objects and military objectives, including in the ICT environment. Cyber operations may only be directed against combatants or military objectives. Cyber operations must not be directed against civilians or civilian objects. With respect to cyber infrastructure, the assessment of whether an object qualifies as a military objective must be done at the lowest level practically possible, i.e, at the level of each particular computer, cable, router, or other specific device that can be separated from a network or a system as a whole.
48. Under IHL, direct attacks against civilian objects are prohibited. In Costa Rica’s view, this prohibition also governs the use of cyber means and methods of warfare.
51. Under IHL, indiscriminate attacks, i.e., those of a nature to strike military objectives and civilians or civilian objects without distinction, are prohibited, including when carried out by cyber operations. For example, releasing a computer virus that is designed to spread and cause harmful effects uncontrollably constitutes a prohibited indiscriminate attack, because such capability would be unable to distinguish between military and civilian systems as is required under IHL."
"In order to ensure application of the rules governing the conduct of hostilities (distinction, proportionality and precaution, prohibition of superfluous injury and unnecessary suffering), a specific digital targeting process is used for cyberoperations, under the responsibility of the commander-in-chief of the armed forces, with the input, inter alia, of operational staff and specialist operational legal advisers. It cannot be ruled out that a serious breach of these principles arising from a cyberoperation could constitute a war crime within the meaning of the Rome Statute.
The principle of distinction
Under the principle of distinction, the parties to an armed conflict must at all times distinguish between the civilian population and combatants, and between civilian objects and military objectives. In this regard, cyber-attacks carried out in an armed conflict situation which are not directed against a specific military objective or whose effects cannot be contained are prohibited. If there is doubt as to whether an individual is a combatant, he or she must be considered a civilian61. Likewise, an object normally used for civilian purposes is presumed not to be used to make an effective contribution to military action. On this point France does not follow the Tallinn Manual, which considers that if there is doubt over the use of a civilian object for military purposes, a determination as to such use should be made only following a careful assessment.
From this standpoint and under the authority of the commander-in-chief of the armed forces, offensive cyber warfare operations are planned and coordinated taking all measures possible in practice to ensure that the targeted objectives are not civilians or civilian objects. Commanders are thus careful to gather the necessary intelligence to identify the objective and choose the most suitable means in order to apply the principle of distinction. Even if cyber weapons can have immediate effects, their integration into the operational manoeuvre is based on often long and specific planning designed to gather the information necessary to identify the nature of the targeted system (such as a map of the enemy network) in order to ensure compliance with IHL. A cyberoperation will be cancelled if the target under consideration proves not to be a military objective.
The distinction between military objectives and civilian objects.
In cyberspace, ICT equipment or systems and the data, processes or flows which constitute a service may be a military objective if (i) they contribute to military action by their nature (armed forces computer workstations, military command, localisation or surveillance networks, etc.), their location (places from which the cyber-attacks are carried out), their purpose (foreseeable use of ICT networks for military purposes) or their use (use of part of the network for military purposes), and (ii) their total or partial destruction, capture or neutralisation confers a definite military advantage. Under these circumstances, a propaganda centre may be a lawful military objective and the target of a cyberattack if it disseminates instructions linked to the conduct of hostilities.
Conversely, all objects which are not military objectives are deemed to be civilian objects. An attack carried out in cyberspace may not be directed against ICT systems used by schools, medical institutions or any other exclusively civilian service, or against systems whose destruction would only entail tangible effects on civilian objects, unless those objects are used for military purposes. Given the current state of digital dependence, content data (such as civilian, bank or medical data, etc.) are protected under the principle of distinction.
Cyberoperations must also take into account the special protection of certain objects, such as medical units, cultural property, the natural environment, objects indispensable to the survival of the civilian population and installations that contain dangerous forces. This protection extends to ICT equipment and services and to the data needed to operate them, such as medical data linked to the operation of a hospital.
ICT infrastructure or a system used for both civilian and military purposes may, after detailed analysis on a case-by-case basis, be deemed a military objective. They may be targeted provided that the principles of proportionality and precaution are respected. Given the hyperconnectivity of systems, commanders exercise vigilance over the action as a whole in order to avoid effects on civilians and civilian objects, or at least keep them to a minimum, in compliance with the principles of precaution and proportionality."
"[...] a civilian object like a computer, computer networks, and cyber infrastructure, or even data stocks, can become a military target, if used either for both civilian and military purposes or exclusively for the latter. However, in cases of doubt, the determination that a civilian computer is in fact used to make an effective contribution to military action may only be made after a careful assessment. Should substantive doubts remain as to the military use of the object under consideration, it shall be presumed not to be so used.
The benchmark for the application of the principle of distinction is the effect caused by a cyber attack, irrespective of whether it is exercised in an offensive or a defensive context. Thus, computer viruses designed to spread their harmful effects uncontrollably cannot distinguish properly between military and civilian computer systems as is required under IHL and their use is therefore prohibited as an indiscriminate attack. In contrast, malware that spreads widely into civilian systems but damages only a specific military target does not violate the principle of distinction. Given the complexity of cyber attacks, the limited options to comprehensively appraise their nature and effects and the high probability of an impact on civilian systems, having recourse to the appropriate expertise to assess potential indiscriminate effects throughout the mission planning process is of key importance to Germany.
A cyber attack directed against a military target which is nevertheless expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, is also prohibited under IHL if such incidental effects would be excessive in relation to the concrete and direct military advantage anticipated. If a cyber attack is executed in conjunction with other forms of military action, such as attacks with conventional weapons directed against the same installation, the military advantage and the collateral damage must be considered with regard to the ‘attack […] as a whole and not only […] [with regard to] isolated or particular parts of the attack.’
Assessing collateral damage and incidental injury or loss of life when conducting a proportionality analysis can be even more difficult in the context of cyber operations as compared to more traditional, i.e. physical, means or methods of warfare. This however does not discharge those planning and coordinating attacks from taking into account their foreseeable direct and indirect effects."
"The principle of proportionality prohibits attacks that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects that would be excessive in relation to the concrete and direct military advantage anticipated. Parties to an armed conflict must assess what the expected harm to civilians is likely to be, and weigh the risk of such collateral damage against the importance of the expected military advantage to be gained. In the cyber context, this rule requires parties to a conflict to assess (1) the effects of cyber weapons on both military and civilian infrastructure and users, including shared physical infrastructure (such as a dam or a power grid) that would affect civilians; (2) the potential physical damage that a cyber attack may cause, such as death or injury that may result from effects on critical infrastructure; and (3) the potential effects of a cyber attack on civilian objects that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are military objectives."
"As you all know, information and communications infrastructure is often shared between state militaries and private, civilian communities. The law of war requires that civilian infrastructure not be used to seek to immunize military objectives from attack, including in the cyber realm. But how, exactly, are the jus in bello rules to be implemented in cyberspace? Parties to an armed conflict will need to assess the potential effects of a cyber attack on computers that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are valid military objectives. Parties will also need to consider the harm to the civilian uses of such infrastructure in performing the necessary proportionality review. Any number of factual scenarios could arise, however, which will require a careful, fact-intensive legal analysis in each situation."
Qualification of data as an object under IHL[edit | edit source]
|Data as an object under IHL|
|The definition of military objectives and the prohibition of attacks on civilian objects are limited to “objects”. In this regard, a debate has arisen on whether data constitutes an “object” as understood under IHL, in which case cyber operations against data (such as deleting data) would be governed by the principles of distinction, proportionality and precaution and the protection they afford to civilian objects. Conversely, if data does not qualify as an “object”, civilian datasets would enjoy significantly more limited protection in times of armed conflict.
Two main views have emerged in this regard. One view, held by the majority of experts involved in the Tallinn Manual process, is that the ordinary meaning of the term “object” cannot be interpreted as including data because objects are material, visible and tangible. Proponents of this view place particular importance on the meaning that the drafters of the definition of military objectives would have ascribed to the word “object” at the time, and they reject that this meaning has evolved since then. Accordingly, cyber operations against data would not fall within the ambit of the relevant rules of IHL unless the operation in question resulted in some physical effect and/or a loss of functionality of the target system or network. Some States, including Denmark, Chile, or Israel, also subscribe to this view.
By contrast, others have argued that either all or some types of data should be considered as “objects” under IHL. One view, taken by several States – including Finland, Germany, Norway, and Romania – is that the protection of civilian objects extends to civilian data. This implies that all data constitutes an “object” for the purposes of IHL. This interpretation is supported by the “modern meaning” of the notion of objects in today’s society as well as by the object and purpose of the relevant IHL rules. It has also been described as consistent with the traditional understanding of the notion of “object” under IHL, which is broader than the ordinary meaning of the word and also encompasses locations and animals. According to this view, cyber operations against data are subject to the IHL rules on the conduct of hostilities.
For its part, the ICRC has stated that “data have become an essential component of the digital domain and a cornerstone of life in many societies” and thus “in the ICRC’s view, the conclusion that deleting or tampering with essential civilian data would not be prohibited by IHL in today’s ever more data-reliant world seems difficult to reconcile with the object and purpose” of IHL. In this regard, it has also highlighted the importance “for States to agree on an understanding that civilian data is protected” by the IHL rules governing the conduct of hostilities.
National positions[edit | edit source]
"While holding the view that IHL applies to cyberspace, there are issues that deserve further reflection, such as the definition of cyberattack for the purposes of article 49 of AP I; the consideration of civilian data as a civilian object that entails protection under IHL; and when a civilian acting in the cyberspace might be considered as taking direct part in hostilities."
"50. Costa Rica endorses the view that civilian data constitute civilian objects under IHL and must be protected accordingly. Civilian datasets, including medical data, social security data, tax records, corporate and financial data, or electoral lists, are critical components of digitalized societies and play a vital role in the functioning of many aspects of civilian life. Deleting or damaging such data can have severe consequences for government services and private businesses, potentially causing more harm to civilians than the destruction of physical objects. Before the digital revolution, such data was stored in the form of paper files that were protected under IHL. Therefore, in Costa Rica’s view, the protection of civilian objects under IHL extends to civilian data."
"Although digital data cannot generally in and of itself be considered an object under IHL, the destruction of data may have such adverse secondary effects on individuals or physical objects that the operation may nonetheless qualify as an attack. This may be the case where the destruction of data foreseeably results in injury, death or physical damage, in which case the objects or individuals subject hereto can be considered the object of the attack. Similarly, an operation targeting data upon which the functionality of an object relies could qualify as an attack depending on the nature and scale of the damage foreseeably resulting from the operation in question."
"Constant care shall be taken to ensure the protection of civilians and civilian objects, including essential civilian infrastructure, civilian services and civilian data".
"Conversely, all objects which are not military objectives are deemed to be civilian objects. An attack carried out in cyberspace may not be directed against ICT systems used by schools, medical institutions or any other exclusively civilian service, or against systems whose destruction would only entail tangible effects on civilian objects, unless those objects are used for military purposes. Given the current state of digital dependence, content data (such as civilian, bank or medical data, etc.) are protected under the principle of distinction".
"Germany defines a cyber attack in the context of IHL as an act or action initiated in or through cyberspace to cause harmful effects on communication, information or other electronic systems, on the information that is stored, processed or transmitted on these systems or on physical objects or persons. The occurrence of physical damage, injury or death to persons or damage or destruction to objects comparable to effects of conventional weapons is not required for an attack in the sense of art. 49 para. 1 Additional Protocol I to the Geneva Conventions. However, the mere intrusion into foreign networks and the copying of data does not constitute an attack under IHL."
"[..]another question which is especially relevant to the cyber domain is whether the term “object,” as it is understood in LOAC, encompasses computer data. This bears implications with regard to the implementation of the LOAC rules relating to distinction, precautions, and proportionality.
Objects for the purposes of LOAC have always been understood to be tangible things and this understanding is not domain-specific. It is therefore our position that, under the law of armed conflict, as it currently stands, only tangible things can constitute objects.
Here, again, this does not mean that cyber operations adversely affecting computer data are unregulated. In particular, when an operation involving the deletion or alteration of computer data is still reasonably expected to cause physical damage to objects or persons and fulfills the other elements required to constitute an attack, the operation would be subject to LOAC targeting rules. Likewise, one must have regard to rules, which are not dependent on the concept of objects, such as the obligation to respect and protect medical units."
"There are ongoing discussions in relation to qualifying data as an object for the purposes of the application of IHL. We take the preliminary view that cyber operations against data do trigger the application of IHL. Therefore cyber-attacks can only be directed against those data that represent military objectives according to IHL and cannot be directed against those data that represent a civilian object which must be protected under the principle of distinction."
"What exactly constitutes a 'cyber attack' in an armed conflict has yet to be clarified. It encompasses at the very least cyber operations that are reasonably expected to cause, directly or indirectly, injury or death to persons, or physical damage or destruction to objects. The question, how exactly data is protected in the absence of such physical damage, remains a challenge".
Appendixes[edit | edit source]
See also[edit | edit source]
Notes and references[edit | edit source]
- Art 48 AP I; ICRC CIHL Study, rule 7.
- See Yves Sandoz, Christophe Swinarski and Bruno Zimmermann (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (ICRC 1987), 635 para 2018; International Law Association Study Group on the Conduct of Hostilities in the 21st Century, ‘The Conduct of Hostilities and International Humanitarian Law: Challenges of 21st Century Warfare’ (2017) 93 International Law Studies 322, 327–328.
- Art 52(3) AP I; on the customary nature of this rule, see ICRC CIHL Study, commentary to rule 10, 35–36. In the cyber context, see e.g., the national positions of France (Ministry of Defense of France, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 14); and Germany (Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 8).
- Art 1 AP I.
- See, e.g., Amended Protocol II to the CCW, Article 2(6); Second Protocol to the Hague Convention for the Protection of Cultural Property, Article 1(f).
- See, e.g., Brian Egan, Legal Adviser, Department of State, “Remarks to the American Society of International Law: International Law, Legal Diplomacy, and the Counter-ISIL Campaign” (1 April 2016), 242 (“In particular, I’d like to spend a few minutes walking through some of the targeting rules that the United States regards as customary international law applicable to all parties in a NIAC: … Insofar as objects are concerned, military objectives are those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.”).
- ICRC CIHL Study, rule 8. See also Tallinn Manual 2.0., commentary to rule 100, para 1.
- Tallinn Manual 2.0, rule 80 (“Cyber operations executed in the context of an armed conflict are subject to the law of armed conflict.”).
- See William H Boothby, The Law of Targeting (OUP 2012) 387–88.
- Cf Art 49(1) AP I (defining “attacks” as “acts of violence against the adversary, whether in offence or in defence”).
- See, e.g., William H Boothby, The Law of Targeting (OUP 2012) 384–87; Noam Lubell, ‘Lawful Targets in Cyber Operations: Does the Principle of Distinction Apply?’ (2013) 89 Int’l L Studies 252, 254–74; Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 180–81; Yoram Dinstein, The Conduct of Hostilities under the Law of International Armed Conflict (3rd edn, CUP 2016) 3.
- Art 48 AP I (“the Parties to the conflict ... shall direct their operations only against military objectives”). It should be noted that it is not universally accepted that the reference to “operations” in Article 48 reflects customary international law. See, e.g., Noam Neuman, ‘Challenges in the Interpretation and Application of the Principle of Distinction During Ground Operations in Urban Areas’ (2018) 51 VJTL 807, 821 fn 44.
- See Laurent Gisel, Tilman Rodenhäuser, and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’, (2020) 102(913) International Review of the Red Cross 287, 321–322.
- Ministry of Foreign Affairs of Costa Rica, "Costa Rica's Position on the Application of International Law in Cyberspace" (21 July 2023) 13 (footnotes omitted).
- Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 14-15.
- Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 8-9.
- Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 5
- Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 8
- See Kubo Mačák, ‘Unblurring the lines: military cyber operations and international law’ (2021) 6(3) Journal of Cyber Policy 411, 421–422.
- On the protection afforded by IHL to certain categories of data (such as medical data or data of humanitarian organizations) irrespective of their qualification as “objects”, see e.g. Kubo Mačák and Laurent Gisel, ‘Grammar: Rules in a Cyber Conflict’, in Patryk Pawlak and François Delerue (eds), Cyber Defence in the European Union (EUISS 2022) 67.
- Tallinn Manual 2.0, commentary to rule 100, paras 5–6 (noting that the majority of experts considered that due to it being intangible, data does not fall within the ordinary meaning of the term object, which is “something visible and tangible”) (internal quotation marks deleted); but see Michael N Schmitt, ‘The Notion of ‘Objects’ during Cyber Operations: A Riposte in Defence of Interpretive and Applicative Precision’ (2015) 48 IsrLR 81, 93 (noting that although the “visible and tangible” criterion influenced the Tallinn Manual experts’ deliberations, it was not dispositive).
- See, e.g., Michael N Schmitt, ‘The Notion of ‘Objects’ during Cyber Operations: A Riposte in Defence of Interpretive and Applicative Precision’ (2015) 48 IsrLR 81, 93; Ori Pomson, ‘“Objects”? The Legal Status of Computer Data under International Humanitarian Law’ (2023) __ Journal of Conflict and Security Law __ (forthcoming).
- Tallinn Manual 2.0, commentary to rule 100, para 6.
- Ministry of Defence of Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 292.
- Chile, Response submitted by Chile to the OAS Inter-American Juridical Committee Questionnaire (14 January 2020), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 36.
- Roy Schondorf, ‘Israel’s perspective on key legal and practical issues concerning the application of international law to cyber operations’ (2021) 97 International Law Studies, 401.
- See, e.g., Heather A Harrison Dinniss, ‘The Nature of Objects: Targeting Networks and the Challenge of Defining Cyber Military Objectives’ (2015) 48 IsrLR 39; Kubo Mačák, ‘Military Objectives 2.0: The Case for Interpreting Computer Data as Objects under International Humanitarian Law’ (2015) 48 IsrLR 55; Robert McLaughlin, ‘Data as a Military Objective’, Australian Institute of International Affairs (20 September 2018); Tim McCormack, ‘International Humanitarian Law and the Targeting of Data’ (2018) 94 International Law Studies 222.
- Finland, ‘International Law and cyberspace: Finland’s national positions’ (2020) 7.
- Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 8.
- Norway, Manual i krigens folkerett, (2013) para 9.58.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 78.
- See also the national position of France, according to which “content data” are protected under the principle of distinction, leaving aside the issue of whether other types of data (such as code) formally qualify as objects or not. Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019) 14.
- Kubo Mačák, ‘Military Objectives 2.0: The Case for Interpreting Computer Data as Objects under International Humanitarian Law’ (2015) 48 IsrLR 55, 80; see also Robert McLaughlin, ‘Data as a Military Objective’, Australian Institute of International Affairs (20 September 2018).
- Laurent Gisel, Tilman Rodenhäuser and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’ (2020) 102(913) International Review of the Red Cross 287, 319.
- ICRC, International Humanitarian Law and the Challenges of Contemporary Armed Conflicts (2019) 28. The ICRC has highlighted medical data, tax records, bank accounts, social security and biometric data as essential civilian data and an ‘essential component of digitalized societies’. See ICRC, ‘International Humanitarian Law and Cyber Operations during Armed Conflicts’ ICRC position paper (November 2019) 8.
- ICRC, ‘International Humanitarian Law and Cyber Operations during Armed Conflicts’ ICRC position paper (November 2019) 8.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021), 22-23.
- Ministry of Foreign Affairs of Costa Rica, "Costa Rica's Position on the Application of International Law in Cyberspace" (21 July 2023) 13-14 (footnotes omitted).
- Government of Denmark, "Denmark’s Position Paper on the Application of International Law in Cyberspace"(4 July 2023) 10.
- Finland, International law and cyberspace - Finland's national position (2020) 7.
- Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019) 14.
- Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 8.
- Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 78.
- Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 10.