Principle of precautions

From International cyber law: interactive toolkit

The principle of precautions is one of the core principles of international humanitarian law (IHL). It requires all parties to armed conflicts to take specific precautions, such as verifying, when conducting an attack, that targets are military objectives, or giving the civilian population an effective warning before the attack.

Precautionary obligations under international humanitarian law

In addition to prohibitive rules, the conduct of hostilities regime under IHL contains a host of positive obligations that require parties to conflict to take certain protective steps. These positive obligations to take precautions supplement the basic rule of distinction. They are binding on parties to conflict under both treaty and customary IHL, in both international and non-international armed conflict, and they are applicable to all weapons, means, and methods of warfare, including cyber operations during armed conflict.[1]

In particular, “in the conduct of military operations, constant care must be taken to spare the civilian population, civilians and civilian objects”.[2] The term ‘military operations’ encompasses “any movements, manoeuvres and other activities whatsoever carried out by the armed forces with a view to combat” or “related to hostilities”.[3] The obligation of constant care is an obligation of conduct, to mitigate risk and prevent harm. It applies constantly in the planning or execution of any military operation.[4] As a general rule, the higher the risk for the civilian population in any given military operation, the more will be required in terms of care.[5]

Given that there is significant risk of harm to civilians whenever a military is executing an attack, IHL imposes additional obligations specific to those planning or deciding on or carrying out attacks (“active precautions”);[6] it also requires parties to protect civilians and civilian objects under their control against the effects of attacks (“passive precautions”).[7]

Obligations to take precautions in attack

The obligations to take precautions in attack (also referred to as “active precautions”) are most fully codified in Article 57 of Additional Protocol I. This article mandates a wide variety of measures: target verification; the giving of effective advance warnings; the choice of means and methods of warfare; the choice of military objectives; and the cancellation or suspension of attacks where it becomes apparent that the attack’s target is not a military one or is subject to special protection, or that the attack may be disproportionate. In the interpretation of these precautionary measures, care must be taken to determine what exactly is required of those involved in planning, deciding upon, and executing attacks. The standards vary. For instance, some precautionary measures operate within a ‘feasibility’ standard, while others, such as effective advance warnings, must be taken ‘unless circumstances do not permit’.[8]

There is no specifically prescribed method through which these obligations ought to be discharged.[9] Feasibility, a standard that appears frequently in Article 57, is a contextual standard, and it depends on the presence of a range of factors in the circumstances prevailing at the time.[10] In this regard, ‘feasible’ is understood as ‘that which is practicable or practically possible, taking into account all circumstances prevailing at the time, including humanitarian and military considerations’.[11] Importantly, the standard of feasibility is capable of accommodating a range of considerations, and it evolves through time and with the acquisition of experience.[12]

While the protection of the civilian population and civilian objects in times of conflict is a challenging task in any domain, cyberspace adds its own layer of complexity. A primary reason for this is the interconnectivity of networks and the risks of escalation and unintended consequences. Thus, in conducting attacks in cyberspace, parties to conflict should consider suitable and feasible cyber-specific precautions, such as impact assessments on the connectivity of military and civilian networks and on the secondary effects of attacks, or the identification of cyber networks and infrastructure that are serving specially protected objects.[13]

Obligations to take precautions against the effects of attacks

In addition to obligations to take precautions in attack, IHL requires parties to take precautions against the effects of attacks (also referred to as “passive precautions”).[14] According to Article 58 of Additional Protocol I, ‘The Parties to the conflict shall, to the maximum extent feasible: a) [...] endeavour to remove the civilian population, individual civilians and civilian objects under their control from the vicinity of military objectives; b) avoid locating military objectives within or near densely populated areas; c) take the other necessary precautions to protect the civilian population, individual civilians and civilian objects under their control against the dangers resulting from military operations.’[15]

These specific measures require defending forces to protect the civilian population and civilian objects under their control.[16] They are cast in relative terms,[17] as they incorporate a standard of feasibility.[18] A type of conduct, rather than a result, is what lies at the heart of these precautionary obligations. In cyberspace, these precautionary measures can take the form of, for example, building strong cyber resilience cultures at a societal level, segregating civilian and military cyber networks and infrastructure, using antivirus software, or setting up systems for the detection of cyber vulnerabilities.[19]

National positions

Brazil (2021)

"Of particular importance, the 2015 GGE report has noted the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction.

For Brazil, the IHL principle of precaution is also applicable to the use of ICTs by States, meaning that parties must “take all feasible precautions in the choice of means and methods of attack with a view to avoiding, and in any event minimizing, incidental loss of civilian life, injury to civilians and damage to civilian objects”.

Moreover, according to AP I, States have an obligation, “in the study, development, acquisition or adoption of a new weapon, means or method of warfare,” to “determine whether its employment would, in some or all circumstances,” be prohibited. This norm, although being less strict than some States wished during the negotiations of AP I, already encompasses some precautionary elements. It must guide the development, acquisition and adoption of cyber capabilities.

In making the assessment of necessity, distinction, proportionality and precaution, parties must take into consideration the particularities of the cyberspace, such as the interconnectivity between military and civilian networks."[20]

Canada (2022)

"49. Cyber activities are an attack under IHL, whether in offence or defence, where their effects are reasonably expected to cause injury or death to persons or damage or destruction to objects. This could include harmful effects above a de minimis threshold on cyber infrastructure, or the systems that rely on it. Such cyber activities must respect relevant treaty and customary IHL rules applicable to attacks including those relating to distinction, proportionality, and the requirement to take precautions in attack."[21]

Costa Rica (2023)

"52. States must put in place effective measures to prevent or mitigate the risk of civilian harm posed by the use of military cyber capabilities (“active precautions”). In the conduct of cyber operations, IHL requires that parties to an armed conflict take constant care to spare the civilian population, individual civilians, and civilian objects. To avoid unintended consequences, cyber operators must have a thorough understanding of the degree to which the target networks and systems are interconnected and of the risks of unintended spread of malware or other cyber operations, including any indirect effects. In Costa Rica’s view, this must include a consideration of the differentiated impacts that cyber operations may have on women, girls, members of the LGBTQ+ community and other vulnerable groups. At every stage, States must involve expertise from a wide range of sources and ensure that this is put into straightforward language for the relevant decision makers.

53. In relation to those cyber operations that qualify as attacks, parties to an armed conflict must, among other measures, take all feasible precautions to verify that the objectives to be attacked qualify as military objectives, as well as to avoid or at least minimize incidental civilian harm, including harm caused by indirect or reverberating effects, from such attacks. A variety of technical measures can be considered, such as system-fencing, geo-fencing, or kill switches. Furthermore, if a party to an armed conflict determines that a planned cyber operation would shut down enemy command systems, but also incidentally disrupt civilian public services like water supply, it must suspend the attack until it can satisfy itself that the attack would be consistent with the applicable rules of IHL, including the prohibition of disproportionate attacks.

54. States must put in place effective measures to protect the civilian population against the dangers resulting from military cyber operations (“passive precautions”). Parties to an armed conflict that may be targeted by cyber operations have a responsibility to minimize the danger of civilian harm caused by such operations. Some of these measures may need to be implemented already in peacetime. For instance, States should cultivate a strong culture of cyber resilience throughout their societies and ensure that their critical infrastructure and other infrastructure used by civilians is protected to the highest possible standard. States should also have an adequate understanding of the critical dependencies in their networks in order to be able to restore their functionality in the event of a destructive or disruptive attack. Moreover, whenever feasible, armed forces should segregate military networks from civilian cyber infrastructure, thus limiting the spread of harmful effects onto civilian networks in case a military network is attacked. Similarly, civilian systems should be designed so as to avoid dependence on systems that may qualify as military objectives, thus reducing the risk of civilian harm. States should assist each other with capacity building to ensure that all States have the means to protect themselves against harmful cyber operations. Finally, during armed conflict, States should avoid involving civilians in military cyber operations as doing so may expose them to a grave risk of harm."[22]

Czech Republic (2024)

"42. When conducting cyber operations, constant care must be taken to spare the civilian population, individual civilians and civilian objects, for instance to ensure protection of essential civilian infrastructure and services. All feasible precautions must be taken to protect civilians and civilian objects from adverse effects of attacks, including through cyber means."[23]

Denmark (2023)

"In situations where a cyber operation does not amount to an attack the relevant rules of IHL that address conducts or effects falling below the threshold of an attack nevertheless apply. This includes but is not limited to the obligation of constant care by which States are required to take all reasonable precautions to spare the civilian population as well as civilian individuals and objects, including essential civilian infrastructure, services, and data, when planning or conducting cyber operations in the context of hostilities."[24]

Finland (2020)

"This includes that cyber means and methods of warfare must be used consistently with the principles of distinction, proportionality and precautions, as well as the specific rules flowing from these principles. When assessing the capacity of cyber means and methods to cause prohibited harm, their foreseeable direct and indirect effects shall be taken into account. Constant care shall be taken to ensure the protection of civilians and civilian objects, including essential civilian infrastructure, civilian services and civilian data."[25]

France (2019)

"When cyberoperations are conducted, constant care should be taken to spare the civilian population, civilians and civilian objects.

Even though the necessary precautions may be taken, if the neutralisation or destruction of a military objective by digital means nevertheless risks causing civilian damage, it must not exceed the concrete and direct military advantage anticipated. The risks inherent in cyberspace (immediacy of effects, intrinsic duality of military objectives, hyperconnectivity, difficulty of tracing operations, vulnerability of systems) must therefore be taken into account in order to determine the modes of action and means to be implemented in cyber warfare in order to ensure compliance with the principle of proportionality.

Even though the anticipated effect of a cyber weapon may be difficult to measure, given the interconnectivity of information systems, especially on account of the risk of propagation beyond the target, these risks may be contained by the development of specific cyber weapons whose use is decided according to the desired effects, determined beforehand (activation of malware only in the presence of a specific network previously identified by a penetration of the system, existence of a deactivation time, etc.).

The use of malware which deliberately reproduces and propagates with no possible control or reversibility, and is hence likely to cause significant damage to critical civilian systems or infrastructure, is contrary to IHL, in the same way as the temporary interruption without military advantage of an adversary system followed by physical damage to civilian infrastructure.

The assessment of the effects of a cyberoperation takes into account all the foreseeable damage caused by the cyber weapon, whether direct (such as damage to the ICT equipment directly targeted or interruption of the system) or indirect (such as the effects on the infrastructure controlled by the targeted system, or on persons affected by the malfunction or destruction of the targeted systems or infrastructure, or by the alteration and corruption of content data).

In order for offensive cyber warfare operations to be conducted in compliance with the principle of precaution, the Armed Forces Ministry consults operational experts in military cyberdefence under the responsibility of the cyberdefence commander (COMCYBER). They possess the necessary technical knowledge, are able to exploit the available information (intelligence, strict identification of targets, correlation between the weapon and the desired effects, etc.) and have been given specific training in the complexity of cyber weapons.

These precautionary measures in attack are backed up by precautionary measures against the effects of an attack which a State should take in order to protect the civilian population and civilian objects against the dangers resulting from cyberoperations."[26]

Germany (2021)

"The basic principles governing the conduct of hostilities, including by cyber means, such as the principles of distinction, proportionality, precautions in attack and the prohibition of unnecessary suffering and superfluous injury, apply to cyber attacks in international as well as in non-international armed conflicts."[27]

"A corollary to the prohibition of indiscriminate cyber attacks is the duty to take constant care to spare the civilian population, civilians and civilian objects during hostilities involving cyber operations.

Those who plan, approve or execute attacks must take all feasible precautions in the choice of means and methods with a view to avoiding, and in any event minimizing, incidental loss of civilian life, injury to civilians and damage to civilian objects. This might encompass gathering intelligence on the network in question through mapping or other processes in order to assess the attack’s likely effects. Also, the inclusion of a deactivation mechanism or a specific configuration of the cyber tool which limits the effects on the intended target might be considered. Moreover, if it becomes apparent that the target is not a military one or is subject to special protection, those who plan, approve or execute the cyber attack must refrain from executing or suspend the attack. The same applies when the attack may be expected to cause excessive collateral damage to civilians and civilian objects.

The obligation to take precautions in attack is complemented by the obligation to conduct weapon reviews of any new means or method of cyber warfare to determine whether its employment would, in some or in all circumstances, be prohibited by international law. The findings of such reviews, to the extent that they identify legal constraints for the employment of means and methods in particular operational settings, should serve as a basis for operational planning. However, the means and methods used in cyber warfare are typically tailored to their targets, as they generally involve exploiting vulnerabilities that are specific to the target and the operational context. This entails that the development of means or the adoption of the method will often coincide with the planning of a concrete operation. Thus, the obligation to take precautions in attack and the requirement of a legal review remain separate requirements, but may overlap in substance."[28]

Israel (2020)

"One of the key issues, in the conduct of hostilities in particular, is how to define “attacks,” and in which circumstances cyber operations amount to attacks under LOAC. The concept of attack is central to targeting operations and only acts amounting to attacks are subject to the “targeting rules” relating to distinction, precautions, and proportionality."[29]

Netherlands (2019)

"IHL also lays down specific rules regarding attacks aimed at persons or objects, which apply equally to cyber operations carried out as part of an armed conflict. When planning and carrying out such operations, states must act in accordance with, for example, the principles of distinction and proportionality, as well as the obligation to take precautionary measures."[30]

Norway (2021)

"Cyber attacks during armed conflicts are subject to the same restrictions and regulations under international humanitarian law as conventional attacks, including the principles of humanity, military necessity, proportionality and distinction. The concept of attack is particularly relevant to the rules and principles on the selection of targets and precautions. Attacks against civilians or civilian objects are for example prohibited."[31]

Romania (2021)

"International Humanitarian Law (IHL) applies in the context of cyber operations carried out as part of an armed conflict (whether international or non-international).

In such circumstances, the planning of and carrying on of cyber operations must be done in conformity with the principles governing the conduct of hostilities, namely distinction, proportionality, necessity and precaution."[32]

Switzerland (2021)

"With regard to the lawful use of cyber means and methods of warfare, the rules and principles governing the conduct of hostilities must be respected. Belligerents must in particular comply with the principles of distinction, proportionality and precaution by:

(1) distinguishing between military objectives on the one hand, and civilians or civilian objects on the other hand and, in case of doubt, presume civilian status;

(2) evaluating whether the incidental harm expected to be inflicted on the civilian population or civilian objects would be excessive in relation to the concrete and direct military advantage anticipated from that particular attack;

(3) taking all feasible precautions to spare civilians and civilian objects.

This is also applicable in cyberspace, when using cyber means and methods of warfare. The aforementioned principles are applicable in particular to cyber operations that amount to an attack within the meaning of IHL i.e. acts of violence against the adversary, whether in offence or defence. What exactly constitutes a 'cyber attack' in an armed conflict has yet to be clarified. It encompasses at the very least cyber operations that are reasonably expected to cause, directly or indirectly, injury or death to persons, or physical damage or destruction to objects. The question, how exactly data is protected in the absence of such physical damage, remains a challenge. In practice, a responsible actor should generally be able to assess the potential impact of their actions and any resulting damage. As this estimation depends, amongst other things, largely on the information available at the time when decisions about an operation are taken, the obligation to take all precautionary measures practically possible to spare civilians and civilian objects plays a particularly important role in the use of cyber means and methods of warfare."[33]

United States (2016)

"To the extent that such cyber operations constitute “attacks” under the law of armed conflict, the rules on conducting attacks must be applied to those cyber operations. For example, such operations must only be directed against military objectives, such as computers, other networked devices, or possibly specific data that, by their nature, location, purpose, or use, make an effective contribution to military action and whose total or partial destruction, capture, or neutralization, in the circumstances ruling at the time, offers a definite military advantage. Such operations also must comport with the requirements of the principles of distinction and proportionality. Feasible precautions must be taken to reduce the risk of incidental harm to civilian infrastructure and users. In the cyber context, this requires parties to a conflict to assess the potential effects of cyber activities on both military and civilian infrastructure and users."[34]

"Even if they do not rise to the level of an “attack” under the law of armed conflict, cyber operations during armed conflict must nonetheless be consistent with the principle of military necessity. For example, a cyber operation that would not constitute an “attack,” but would nonetheless seize or destroy enemy property, would have to be imperatively demanded by the necessities of war. Additionally, even if a cyber operation does not rise to the level of an “attack” or does not cause injury or damage that would need to be considered under the principle of proportionality in conducting attacks, that cyber operation still should comport with the general principles of the law of war."[35]

United States (2021)

"In addition, when using cyber capabilities in armed conflict, States must comply with their obligations under international humanitarian law related to the protection of medical personnel and facilities. For example, medical personnel and facilities must not be knowingly attacked or unnecessarily prevented from discharging their proper functions, and parties to a conflict must take feasible precautions to reduce the risk of incidental harm to the civilian population and other protected persons and objects, including medical personnel and facilities.

The United States has specifically addressed how its international humanitarian law obligations apply to cyberspace operations in the context of armed conflict in the Department of Defense’s Law of War Manual, reflecting a commitment to ensure that U.S. legal obligations are understood and respected by its military. Several other States have taken similar steps to share their views on how international humanitarian law applies and / or address cyber specifically in their military manuals."[36]

  1. ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper (November 2019) 5.
  2. ICRC Customary IHL Study, Rule 15; AP 1, Article 57(1).
  3. ICRC Commentary on the Additional Protocols, cited in footnote 249 above, p. 680, para. 2191, p. 617, para. 1936, and p. 600, para. 1875.
  4. Tallinn Manual 2.0, cited in footnote 263 above, p. 477, para. 5.
  5. International Law Association Study Group on the Conduct of Hostilities in the 21st Century, “The conduct of hostilities and international humanitarian law: Challenges of 21st century warfare”, International Law Studies, U.S. Naval War College, Vol. 93, No. 322, 2017, (ILA Study Group Report), 381.
  6. Additional Protocol I, Article 57 and 58; See also ICRC Customary IHL Study, Rules 15, 16, 17, 18, 19 and 20, 22, 23, 24 and 97.
  7. ICRC EWIPA Report, p 103.
  8. Compare Article 57(2)(a)(i)–(ii) with Article 57(2)(c) Additional Protocol I.
  9. Théo Boutruche, “Expert Opinion on the Meaning and Scope of Feasible Precautions under International Humanitarian Law and Related Assessment of the Conduct of the Parties to the Gaza Conflict in the Context of the Operation ‘Protective Edge’”, Expert Opinion commissioned by Diakonia, 2015, p 17.
  10. id, pp 15 – 16.
  11. See Protocol II to the CCW (1980), Article 3(4); Protocol III to the CCW (1980), Article 1(5); Amended Protocol II to the CCW (1996), Article 3(10); J-M. Henckaerts and L. Doswald-Beck (eds), Customary International Humanitarian Law, Volume I: Rules (2005), Rule 15; ICRC, Explosive Weapons with Wide Area Effects: A Deadly Choice in Populated Areas (2022), p 104.
  12. Marco Sassòli and Anne Quintin, “Active and Passive Precautions in Air and Missile Warfare”, Israel Yearbook on Human Rights, Vol. 44, 2014, p 87.
  13. ICRC, International humanitarian law and the challenges of contemporary armed conflicts (2015), p 43; see also ICRC, Avoiding Civilian Harm from Military Cyber Operations during Armed Conflicts (2021).
  14. Additional Protocol I, art. 58; see also ICRC Customary IHL Study, Rules 22, 23-24.
  15. Under customary IHL, the second and third rules are “arguably” applicable in non-international armed conflicts. See Henckaerts/Doswald-Beck, commentary on Rules 23 and 24, pp 71 and 74.
  16. Commentary of Additional Protocol I, para. 2239.
  17. Dieter Fleck (ed.), The Handbook of International Humanitarian Law, OUP 2021, s 8.08.
  18. Eric Jensen, “Precautions against the effects of attacks in urban areas”, International Review of the Red Cross, Vol. 98 (1), 2016, pp 164 – 165.
  19. ICRC, Avoiding Civilian Harm from Military Cyber Operations during Armed Conflicts, 2021; Jonathan Horowitz, “Cyber Operations under International Humanitarian Law: Perspectives from the ICRC”, American Society of International Law Insights, Vol. 24:11, 2020.
  20. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021), 22-23.
  21. Government of Canada, International Law applicable in cyberspace, April 2022.
  22. Ministry of Foreign Affairs of Costa Rica, "Costa Rica's Position on the Application of International Law in Cyberspace" (21 July 2023) 14-15 (footnotes omitted).
  23. Ministry of Foreign Affairs of the Czech Republic, "Czech Republic - Position paper on the application of international law in cyberspace" (27 February 2024) 11-12 (footnotes omitted).
  24. Government of Denmark, "Denmark’s Position Paper on the Application of International Law in Cyberspace" (4 July 2023) 10.
  25. International law and cyberspace - Finland's national position, 7.
  26. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 15-16.
  27. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 7-8.
  28. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 9-10.
  29. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  30. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 5.
  31. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 74.
  32. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 77.
  33. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 10.
  34. Brian J. Egan, ‘International Law and Stability in Cyberspace’, (10 November 2016) 9.
  35. Brian J. Egan, ‘International Law and Stability in Cyberspace’, (10 November 2016) 10.
  36. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 138.