Scenario 13: Cyber operations as a trigger of the law of armed conflict

From International cyber law: interactive toolkit
Jump to navigation Jump to search
© NATO CCD COE

Two States and one non-State actor get involved in an armed confrontation featuring a combination of cyber and kinetic operations. The outside State provides various forms of financial and military support to the non-State group in its struggle against the territorial State. The analysis in this scenario considers whether any of the relevant incidents trigger the application of the law of armed conflict and it considers whether the resulting situation would qualify as either an international or a non-international armed conflict.

Scenario[edit | edit source]

Keywords[edit | edit source]

Effective control, international armed conflict, international humanitarian law, internationalization, overall control, non-international armed conflict, non-State actors

Facts[edit | edit source]

[F1] Relations between States A and B have been strained for a long time, stemming primarily from State A’s longstanding unfavourable treatment of a minority group M that lives in that State’s territory. The members of the minority M share their ethnicity with the dominant ethnic group in State B. Recently, individuals belonging to minority M formed an armed faction X with a highly active cyber wing. State B does not hide its support for the newly formed armed faction. In particular, State B gradually extends the following forms of support to the armed group:

  1. State B provides the armed group with significant financial assistance, which the group uses to establish and maintain its cyber wing (incident 1);
  2. State B’s military intelligence agency provides the cyber wing of the armed group with several zero-day exploits that were identified for their potential to be used against industrial control systems employed by State A (incident 2);
  3. State B’s civilian intelligence agency provides the cyber wing of the armed group with specific continuous guidance throughout cyber operations the group launches, utilizing the previously provided exploits. As a result of these operations, the group succeeds in:
    1. Temporarily disabling the power grid in parts of the territory of State A (incident 3a); and
    2. Opening the floodgates of several dams in State A, which results in significant material damage and the deaths of several individuals (incident 3b).
[F2] The series of cyber attacks conducted by the group bring about considerable chaos and panic across State A. Soon after, fighting erupts between State A’s armed forces and the armed group.

Examples[edit | edit source]

Legal analysis[edit | edit source]

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The law of armed conflict (also referred to as international humanitarian law, IHL) applies in all situations of armed conflict, either international armed conflict (IAC) or non-international armed conflict (NIAC). The characterization of a situation as either an IAC or a NIAC is a distinct legal test based on the objective facts and remains unaffected by the subjective views of the belligerent parties.[1] The analysis in this scenario first considers whether an IAC exists between States A and B as a result of any of the incidents detailed in the scenario. In the alternative, it then considers whether the situation should be considered as a NIAC between State A and armed group X.

Characterization as an international armed conflict[edit | edit source]

International armed conflict
The law of international armed conflict (IAC) applies to any armed confrontation between two or more States,[2] even if one, several, or all of them deny the existence of an armed conflict.[3] Some scholars have suggested that the fighting must be of a certain intensity before international humanitarian law (IHL) comes into effect,[4] but the prevailing view is that any “resort to armed force between States”,[5] however brief or intense, triggers the application of IHL.[6] Furthermore, the law does not prescribe any specific form for the resort to force,[7] so hostilities between the belligerent States may involve any combination of kinetic and cyber operations, or cyber operations alone.[8]

It is unclear what effect cyber operations unaccompanied by any use of kinetic force would have to have in order for IHL to apply. Although it seems generally accepted that if cyber operations have similar effects to classic kinetic operations and two or more States are involved, the resulting situation would qualify as an IAC,[9] the law is unsettled on whether cyber operations that merely disrupt the operation of military or civilian infrastructure amount to a resort to armed force for the purposes of IHL.[10][11]

In the cyber context, States often act through non-State intermediaries and proxies. In such situations at the outset of an armed confrontation, the relevant State must exercise a sufficient degree of control over the non-State entity that commences hostilities against another State for the situation to qualify as an IAC. However, the correct legal test to use in this regard is the subject of an ongoing controversy.[12] The prevailing standard for the characterization of an international armed conflict is that of “overall control”, which requires that the State provides some support and that it participates in the organization, co-ordination, or planning of the relevant operations.[13] A separate standard, the “effective control” test, requires that the State must exercise control over the entire course of the operations in question.[14] While there is still disagreement as to whether the “effective control” test is the controlling test for the purposes of attribution under the law of State responsibility, there is consensus that the “overall control” test is the correct one for conflict qualification under IHL.[15] The latter is also confirmed by decades of consistent practice by international criminal tribunals including the ICTY, the ECCC, and the ICC.[16]

Publicly available national positions that address this issue include: Common position of the African Union (2024) (2024), National position of Costa Rica (2023) (2023), National position of Finland (2020) (2020), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Ireland (2023) (2023), National position of Japan (2021) (2021).

[L2] In the present scenario, incidents 1 and 2 do not amount to a resort to armed force. They are both best seen as preparatory vis-à-vis the events that follow, but in and of themselves, neither of them has the potential to trigger the law of IAC.

[L3] Incident 3a (reversible attack against the power grid) resulted only in a temporary disruption of the operation of infrastructure on State A’s territory (though it would be necessary to determine if death, injury or physical destruction was a foreseeable consequence of the cyber operation to reach a full conclusion). As such, it is doubtful if, under the present state of the law, this incident could have triggered the application of IHL.[17]

[L4] By contrast, incident 3b (cyber attack against several dams) occasioned considerable physical damage and the deaths of several individuals, which indeed were all foreseeable consequences of this kind of cyber operation. The fact that the operation was conducted by a group under the guidance of State B’s civilian intelligence agency and not its military forces does not make any difference in this regard.[18] On that basis, the effects of incident 3b can be described as comparable to those of classic kinetic operations, which would be sufficient for the purposes of applicability of IHL as long as there was a sufficient level of State involvement. This issue is considered in the following paragraph.

[L5] There is no doubt that State B has extended its support to armed group X throughout the relevant events. This has taken the form of financial support (incident 1), training and equipping (incident 2), and operational guidance and co-ordination (incidents 3a and 3b). The first two forms of support would not suffice for either of the tests of “effective control”[19] and “overall control”.[20] However, in combination with State B’s participation in the co-ordination of the cyber operation qualifying as a resort to armed force, the level of State B’s involvement would reach that required by the “overall control” test.[21] By contrast, the higher test of “effective control” would remain unmet on the facts of this scenario.[22]

[L6] In summary, there was an IAC between States A and B as of the moment when armed group X, acting under the overall control of State B, launched the cyber operation against the dams in State A. The continuation of hostilities by kinetic means does not alter this conclusion in any way.

Characterization as a non-international armed conflict[edit | edit source]

[L7] The engagement between group X and State A may also, or separately, qualify as a NIAC,[23] based on the fulfilment of the requisite criteria of organization and intensity (analysed in the present section).

Non-international armed conflict
The law of non-international armed conflict (NIAC) applies to all armed conflicts not of an international character.[24] As set forth by the ICTY Appeals Chamber in the Tadić case, NIACs are situations of “protracted armed violence between governmental authorities and organized armed groups or between such groups within a State”.[25]

This definition rests on two factors—the intensity of the fighting and the organization of the non-State group.[26] First, the hostilities between the parties must reach a certain level of intensity, which may be indicated by, among other factors, the seriousness and frequency of attacks and military engagements, the extent of destruction, or the deployment of governmental armed forces.[27] Second, the non-State group must have some minimum level of organization, indicators of which may include the presence of a command or leadership structure, the ability to determine a unified military strategy and speak with one voice, the adherence to military discipline, as well as the capability to comply with IHL.[28]

These same criteria of intensity and organization apply in situations involving (or even limited to) cyber operations.[29] However, cyber operations alone will only rarely meet the requisite level of intensity to trigger a NIAC.[30]

Publicly available national positions that address this issue include: Common position of the African Union (2024) (2024), National position of Costa Rica (2023) (2023), National position of Finland (2020) (2020), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Ireland (2023) (2023), National position of Japan (2021) (2021).

[L8] Group X appears to have sufficient organization, given that it was capable of carrying out sustained military operations of both kinetic and cyber nature,[31] although more details would be needed in practice before making a conclusive determination.[32] Note, however, that the organizational threshold is not particularly high, and the extent of organization certainly does not need to reach the level of organization of State armed forces.[33]

[L9] The threshold for intensity is relatively high and would certainly not be met by any of incidents 1–3a, given that the impact of these incidents was not similar to that of kinetic attacks.[34] In contrast, incident 3b, which resulted in the opening of floodgates of dams and then led to fighting that required the engagement of State A’s armed forces, would likely fulfil the requirement of intensity in the present case.[35]

[L10] In sum, to the extent that armed group X maintains its operational autonomy and the overall control test is not met by State B, the armed confrontation between the group and State A qualified as a NIAC from the moment when the governmental armed forces responded by force against armed group X. Therefore, the law of NIAC would only be triggered as a result of State A’s response to the cyber operation in question.

Checklist[edit | edit source]

  • Do the relevant cyber operations have destructive or injurious effect in the physical world?
  • Do the relevant cyber operations result in irreversible loss of functionality of cyber infrastructure belonging to the adversary?
  • Does the form and extent of support provided by State B to armed group X reach the level of “overall control”?
  • Does armed group X qualify as an organized armed group?
  • Do the hostilities between State A and armed group X reach the required intensity?

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. See Prosecutor v Milutinović et al (Trial Judgment) IT-05-87-T (26 February 2009) [125] (“The existence of an armed conflict does not depend upon the views of the parties to the conflict.”); see further T Ferraro and L Cameron, ‘Article 2: Application of the Convention’, in ICRC (ed), Commentary on the First Geneva Convention (CUP 2016) 76–77 [211]–[212].
  2. Common Article 2 GC I (stipulating that the Conventions “shall apply to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties”).
  3. ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 246 (‘Even if none of the Parties recognize the existence of a state of war or of an armed conflict, humanitarian law would still apply provided that an armed conflict is in fact in existence.’).
  4. See, eg, Jan K Kleffner, ‘Scope of Application of Humanitarian Law’ in D Fleck (ed), The Handbook of International Humanitarian Law (3rd edn, OUP 2013) 45; ILA Use of Force Committee, Final Report on the Meaning of Armed Conflict in International Law (2010) 32; Gary D. Solis, The Law of Armed Conflict: International Humanitarian Law in War (2nd edn, CUP 2016) 162.
  5. Prosecutor v Tadić (Decision on Jurisdiction) IT-94-1-AR72 (2 October 1995) para 70.
  6. See, eg, Jean S. Pictet (ed) Geneva Convention IV relative to the Protection of Civilian Persons in Time of War: Commentary (ICRC 1958) 20–21; Yves Sandoz, Christophe Swinarski, and Bruno Zimmermann (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (ICRC 1987) 40; René Provost, International Human Rights and Humanitarian Law (CUP 2002) 250; Jann K Kleffner, ‘Scope of Application of International Humanitarian Law’ in Dieter Fleck (ed), The Handbook of International Humanitarian Law (3rd edn, OUP 2013) 45; Andrew Clapham, ‘Concept of International Armed Conflict’ in Andrew Clapham, Paola Gaeta, and Marco Sassòli (eds), The 1949 Geneva Conventions: A Commentary (OUP 2015) 16 para 38; ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 251; Noam Zamir, Classification of Conflicts in International Humanitarian Law: The Legal Impact of Foreign Intervention in Civil Wars (Edward Elgar 2017) 53–55; Kubo Mačák, Internationalized Armed Conflicts in International Law (OUP 2018) 15–16.
  7. Cf. Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion) [1996] ICJ Rep 226, para 89 (holding that the relevant rules of IHL apply “to all international armed conflict, whatever type of weapons might be used”) (emphasis added).
  8. Tallinn Manual 2.0, commentary to rule 82, para 11.
  9. ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 288.
  10. ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 289.
  11. For State views on this matter, see, eg, Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 7 (‘International humanitarian law only applies to cyber operations when such operations are part of, or amount to, an armed conflict. Most so far known cyberattacks have not been launched in the context of an armed conflict or have met the threshold of armed conflict.’); French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, 12 (‘Cyberoperations that constitute hostilities between two or more States may characterise the existence of international armed conflict (IAC)’); Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 7 (‘An international armed conflict – a main prerequisite for the applicability of IHL in a concrete case – is characterized by armed hostilities between States. This may also encompass hostilities that are partially or totally conducted by using cyber means.’); Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (28 May 2021), 7 (‘If the effects of cyber operations are taken into consideration, the conduct of cyber operations alone may reach the threshold of an "armed conflict."’).
  12. See further Kubo Mačák, Internationalized Armed Conflicts in International Law (OUP 2018) 39–47.
  13. Prosecutor v Prlić et al (Trial Judgment) IT-04-74-T (29 May 2013), vol 1, para 86(a).
  14. See Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, paras 112–15; see further Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JCSL 405, 421.
  15. Case Concerning the Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43, para 405; but see ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 304 (arguing that overall control is the controlling test in both contexts).
  16. See Prosecutor v Tadić (Appeal Judgment) IT-94-1-A (15 July 1999) paras 120–121; Prosecutor v Lubanga (Pre-Trial Chamber 1) ICC-01/04-01/06 (29 January 2007) paras 209–211; Case No 001/18-07-2007/ECCC/TC (26 July 2010) para 540.
  17. Tristan Ferraro and Lindsey Cameron, ‘Article 2: Application of the Convention’, in ICRC (ed), Commentary on the First Geneva Convention (CUP 2016) 92 [256].
  18. Tallinn Manual 2.0, commentary to rule 82, para 14 (“To be ‘armed’, a conflict need not involve the employment of the armed forces. Nor is the involvement of the armed forces determinative. For example, should entities such as civilian intelligence agencies engage in cyber operations otherwise meeting the armed criterion …, an armed conflict may be triggered.”).
  19. See Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, para 115 (considering that the State’s role must go beyond “financing, organizing, training, supplying and equipping” of the armed group).
  20. See Prosecutor v Tadić (Appeal Judgment) IT-94-1-A (15 July 1999) [137] (noting that the State’s role must go beyond “financing, training and equipping or providing operational support” to the armed group).
  21. Prosecutor v Prlić et al (Trial Judgment) IT-04-74-T (29 May 2013), [86(a)] (considering that coordinating or providing assistance in the overall planning of military activities suffices for the purposes of the overall control test)
  22. Cf. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, para 115 (considering the State would have to have “directed or enforced” the operation in question for the purposes of the effective control test).
  23. See further Kubo Mačák, Internationalization of Armed Conflicts in International Law (OUP 2018) 87–104.
  24. Common Article 3 GCs.
  25. Prosecutor v Tadić (Decision on Jurisdiction) IT-94-1-AR72 (2 October 1995) [70].
  26. See also Prosecutor v Tadić (Trial Judgment) IT-94-1-T (7 May 1997) [562] (noting that the two criteria distinguish “an armed conflict from banditry, unorganized and short-lived insurrections, or terrorist activities, which are not subject to international humanitarian law”).
  27. Prosecutor v Boškoski and Tarčulovski (Trial Judgment) IT-04-82-T (10 July 2008) [177].
  28. Prosecutor v Limaj, Bala and Musliu (Trial Judgment) IT-03-66-T (30 November 2005) [129]; Prosecutor v Boškoski and Tarčulovski (Trial Judgment) IT-04-82-T (10 July 2008) [199]–[203].
  29. Cf. L Cameron et al, ‘Article 3: Conflicts Not of an International Character’ in ICRC (ed), Commentary on the First Geneva Convention (CUP 2016) 158 [436] (“In order to determine the existence of a non-international armed conflict involving cyber operations, the same criteria apply as with regard to kinetic violence.”).
  30. Tallinn Manual 2.0, commentary to rule 83, para 7; Yoram Dinstein, Non-International Armed Conflicts in International Law (CUP 2014) 35. For State views affirming this position, see, eg, French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, 12; Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 7.
  31. Tallinn Manual 2.0, commentary to rule 83, para. 11.
  32. Cf. Tallinn Manual 2.0, commentary to rule 83, para 11 (“Whether or not a given group is organised must be determined on a case-by-case basis.”).
  33. Cordula Droege, ‘Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians’ (2012) 94 IRRC 533, 550.
  34. Lindsey Cameron et al, ‘Article 3: Conflicts Not of an International Character’ in ICRC (ed), Commentary on the First Geneva Convention (CUP 2016) 159 [437].
  35. Cf. Dietrich Schindler, ‘The Different Types of Armed Conflicts According to the Geneva Conventions and Protocols’ (1979) 163 RdC 117, 146–47 (arguing that the criterion of intensity is met whenever “the government is compelled to employ its armed forces against the insurgents instead of mere police forces”).

Bibliography and further reading[edit | edit source]

Contributions[edit | edit source]

Previous: Scenario 12: Computer data Next: Scenario 14: Ransomware campaign