Scenario 15: Cyber deception in time of armed conflict

From International cyber law: interactive toolkit
Jump to navigation Jump to search

This page is under construction.

"Cyber attacks", photo by Christiaan Colen.

[Executive summary]

Scenario[edit | edit source]

Keywords[edit | edit source]

International armed conflict, international humanitarian law, perfidy, protective indicators, ruses of war

Facts[edit | edit source]

[F1] States A and B are involved in ongoing armed hostilities involving the use of kinetic as well as cyber operations. State A is preparing to launch a major military offensive against State B in region R, which is currently under the control of State B’s forces led by commander X. In order to distract and weaken the enemy, State A’ cyber command engages in several discrete deception operations against various targets in State B.

[F2] State A’s operatives set up a complex layered set of fake digital platforms built to lure State B’s cyber operatives to attempt to penetrate State A’s military networks (incident 1). Although the systems look authentic, they are entirely separate from actual State A’s networks. State B’s cyber command spends a considerable amount of time and resources trying to compromise the fake systems. Every time State B’s operatives gain access to a layer of the deceptive platform, they are led to another authentic-appearing environment, losing more time. In the meantime, State B’s cyber command fails to effectively defend against simultaneous hostile cyber operations launched by State A, which are detailed below.

[F3] State A discovers that commander X is a diabetic patient who uses a type of insulin pump that allows a healthcare provider to deliver the commander's insulin doses through a wireless communications system (i.e., a remote control). State A’s cyber operatives hack into the pump's communications system, take over the remote control, and administer an under dose of insulin to commander X, which leads to death (incident 2). As a result, the operation accomplishes its main goal of killing the commander, thus leaving State B’s forces in region R without effective command for a few hours.

[F4] State A hacks into the online systems used by the International Committee of the Red Cross (ICRC) to run a humanitarian smart phone application called “e-Red Cross” and used by persons affected by the armed conflict in region R. State A’s operatives then send a message through the app to all users, which falsely claims that the ICRC will distribute humanitarian aid next to the only bridge connecting two sides of a major river in region R (incident 3). As a result, thousands of civilians obstruct the bridge, preventing State B’s forces from being able to cross the river for several hours, thereby making it impossible for State B to send reinforcements to defend against State A’s attack on State B’s forces on the other side of the river.

[F5] Finally, State A's armed forces use artillery to attack a small town that State B controls and is using as a location for a forward operating base. Knowing that State B would likely call in close air support to repel State A's forces, State A had hacked into State B's force tracking system prior to the operation. As State A advances on the small town, the hack allows State A to make State B's forces appear as belonging to State A and to make State B's forces appear to be State A forces (incident 4). When State B's forward air controller calls in air support, the controller provides the pilots with accurate information. But the conflicting information that the pilots receive from the hacked force tracking system make the pilots suspend the attack in accordance with their ROEs. As a result, State A inflicts significant casualties on State B force.

Examples[edit | edit source]

  • [TBC]

Legal analysis[edit | edit source]

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

Characterization as an international armed conflict[edit | edit source]

International armed conflict
International armed conflict.svg
The law of international armed conflict (IAC) applies to any any armed confrontation between two or more States.[1] No matter how short-lived or minor, any hostilities between the armed forces of two States constitute an international armed conflict, even if one or both states deny the existence of armed conflict.[2] Some scholars have suggested that the fighting must be of a certain intensity before international humanitarian law (IHL) comes into effect,[3] but the prevailing view is that any “resort to armed force between States”,[4] however brief or intense, triggers the application of IHL.[5] Furthermore, the law does not prescribe any specific form for the resort to force,[6] so hostilities between the belligerent States may involve any combination of kinetic and cyber operations, or cyber operations alone.[7]

It is unclear what effect cyber operations unaccompanied by any use of kinetic force would have to have in order for IHL to apply. Although it is generally accepted that if cyber operations have similar effects to classic kinetic operations and two or more State actors are involved, the resulting situation would qualify as an IAC,[8] the law is unsettled on whether cyber operations that merely disrupt the operation of military or civilian infrastructure amount to a resort to armed force for the purposes of IHL.[9]

In the cyber context, States often act through non-State intermediaries and proxies. In such situations at the outset of an armed confrontation, the relevant State must exercise a sufficient degree of control over the non-State entity that commences hostilities against another State for the situation to qualify as an IAC. However, the correct legal test to use in this regard is the subject of an ongoing controversy.[10] The prevailing standard for the characterization of an international armed conflict is that of “overall control”, which requires that the State provides some support and that it participates in the organization, co-ordination, or planning of the relevant operations.[11] A separate standard, the “effective control” test, requires that the State must exercise control over the entire course of the operations in question.[12] While there is still disagreement as to whether the “effective control” test is the controlling test for the purposes of attribution under the law of State responsibility, there is consensus that the “overall control” test is the correct one for conflict qualification under IHL.[13] The latter is also confirmed by decades of consistent practice by international criminal tribunals including the ICTY, the ECCC, and the ICC.[14]

[L1] Analysis (very short: yes there is an IAC)

Perfidy and ruses[edit | edit source]

- Box on perfidy vs. ruses

[L#] Analysis (incident-by-incident)

Improper use[edit | edit source]

- Box on improper use

[L#] Analysis (incident-by-incident)

Checklist[edit | edit source]

  • [TBC]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. Common Article 2 GC I (stipulating that the Conventions “shall apply to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties”).
  2. JS Pictet (ed), Geneva Convention III relative to the Treatment of Prisoners of War: Commentary (ICRC 1960) 23.
  3. See, eg, Jan K Kleffner, ‘Scope of Application of Humanitarian Law’ in D Fleck (ed), The Handbook of International Humanitarian Law (3rd edn, OUP 2013) 45; ILA Use of Force Committee, Final Report on the Meaning of Armed Conflict in International Law (2010) 32; Gary D. Solis, The Law of Armed Conflict: International Humanitarian Law in War (2nd edn, CUP 2016) 162.
  4. Prosecutor v Tadić (Decision on Jurisdiction) IT-94-1-AR72 (2 October 1995) [70].
  5. See, eg, Jean S. Pictet (ed) Geneva Convention IV relative to the Protection of Civilian Persons in Time of War: Commentary (ICRC 1958) 20–21; Yves Sandoz, Christophe Swinarski, and Bruno Zimmermann (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (ICRC 1987) 40; René Provost, International Human Rights and Humanitarian Law (CUP 2002) 250; Jann K Kleffner, ‘Scope of Application of International Humanitarian Law’ in Dieter Fleck (ed), The Handbook of International Humanitarian Law (3rd edn, OUP 2013) 45; Andrew Clapham, ‘Concept of International Armed Conflict’ in Andrew Clapham, Paola Gaeta, and Marco Sassòli (eds), The 1949 Geneva Conventions: A Commentary (OUP 2015) 16 [38]; Tristan Ferraro and Lindsey Cameron, ‘Article 2: Application of the Convention’, in ICRC (ed), Commentary on the First Geneva Convention (CUP 2016) 79 [218]; Noam Zamir, Classification of Conflicts in International Humanitarian Law: The Legal Impact of Foreign Intervention in Civil Wars (Edward Elgar 2017) 53–55; Kubo Mačák, Internationalized Armed Conflicts in International Law (OUP 2018) 15–16.
  6. Cf. Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion) [1996] ICJ Rep 226, para 89 (holding that the relevant rules of IHL apply “to all international armed conflict, whatever type of weapons might be used”) (emphasis added).
  7. Tallinn Manual 2.0, commentary to rule 82, para 11.
  8. Tristan Ferraro and Lindsey Cameron, ‘Article 2: Application of the Convention’, in ICRC (ed), Commentary on the First Geneva Convention (CUP 2016) 92, para 255.
  9. Tristan Ferraro and Lindsey Cameron, ‘Article 2: Application of the Convention’, in ICRC (ed), Commentary on the First Geneva Convention (CUP 2016) 92, para 256.
  10. See further Kubo Mačák, Internationalized Armed Conflicts in International Law (OUP 2018) 39–47.
  11. Prosecutor v Prlić et al (Trial Judgment) IT-04-74-T (29 May 2013), vol 1, para. 86(a).
  12. See Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, paras 112–15; see further Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JCSL 405, 421.
  13. Case Concerning the Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43, para 405; ; but see Tristan Ferraro and Lindsey Cameron, ‘Article 2: Application of the Convention’, in ICRC (ed), Commentary on the First Geneva Convention (CUP 2016) 99 [271] (arguing that overall control is the controlling test in both contexts).
  14. See Prosecutor v Tadić (Appeal Judgment) IT-94-1-A (15 July 1999) [120]–[121]; Prosecutor v Lubanga (Pre-Trial Chamber 1) ICC-01/04-01/06 (29 January 2007) [209]–[211]; Case No 001/18-07-2007/ECCC/TC (26 July 2010) [540].

Bibliography and further reading[edit | edit source]

Contributions[edit | edit source]

  • Scenario by: Jonathan Horowitz & Kubo Mačák
  • Analysis by: [TBC]
  • Reviewed by: [TBC]
Previous: Scenario 13: Armed conflict