Scenario 20: Cyber operations against medical facilities

From International cyber law: interactive toolkit

Public hospitals in a State fall victim to a hostile cyber operation, encrypting hospital computers. As a result, patient data becomes unavailable and a number of patients have to be diverted to private hospitals. The victim State’s forensic investigation indicates that the operation was conducted by a State actor but cannot immediately determine which State was responsible. Two possible culprits emerge: a State that is a political adversary of the victim State; and a State engaged in an armed conflict with the victim State. Therefore, this scenario analyses the incident first from the perspective of peacetime international law (primarily the principles of sovereignty and non-intervention, the prohibition against the use of force, and international human rights law) and then under international humanitarian law applicable during armed conflict (notably the obligation to respect and protect medical units).

1 Scenario

1.1 Keywords

International humanitarian law, international human rights law, medical facilities, hospitals, ransomware, prohibition of intervention, sovereignty, use of force

1.2 Facts

[F1] State A is located in a region rattled by conflict and rivalry among regional powers. The tensions between States A and B run high and their governments have been constantly exchanging insults and political threats. However, neither State has ever used physical force against the other. By contrast, State A is locked into an ongoing international armed conflict with State C. For several years, the conflict has been continuing at low intensity with frequent shelling across the frontline.

[F2] Recently, public hospitals of State A, which account for 30% of all its hospitals, fell victim to a ransomware attack. All public hospitals use the same administration software and are connected to each other. The operation encrypted computers used in the hospitals and doctors became unable to access patient data stored digitally. This included data containing test results from hundreds of patients tested for a highly infectious disease. The inaccessibility of patient data meant the hospitals became unable to admit some patients or to treat others. As a result, the affected public hospitals had to transfer urgent cases to private hospitals.

[F3] After three days, cyber security specialists from State A found the key needed to decrypt the computers. Still, as a result of the incident, medical care at the hospitals was disrupted by delays and unavailability of important data on patient treatment. Two of the patients diverted to private hospitals died while in transit, although investigations were inconclusive as to whether their lives could have been saved if they had been admitted on time. Moreover, due to test results being unavailable, public authorities were unable to track and inform individuals who had been infected. State A’s Ministry of Health stated that the inability to track positive cases undermined the State’s strategy to combat the infectious disease.

[F4] State A’s forensic experts quickly determine that the operation was conducted by an advanced persistent threat actor, likely linked to a State. However, at the early stages they are unable to attribute the operation to a specific State. While waiting for further clarity from forensic experts, on the basis of the evidence available, State A’s intelligence service considers it is highly probable that the operation was either the work of State B, or of State C.

[F5] All States involved in this scenario are parties to the four Geneva Conventions, their Additional Protocol I, the Rome Statute of the International Criminal Court, the International Covenant on Civil and Political Rights (ICCPR), and the International Covenant on Economic, Social, and Cultural Rights (ICESCR).

1.3 Examples

2 Legal analysis

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] Attribution of the cyber operation against State A’s public hospitals is unclear. With available evidence suggesting that it was conducted either by State B or by State C, the legal analysis discusses the two possibilities in two separate sections below.

2.1 What if it was State B: Focus on peacetime international law

[L2] If the operation was attributed to State B, it would have taken place in time of peace. Thus, the legal analysis in this section focusses on whether the operation would have violated State A’s sovereignty, amounted to a prohibited intervention into the internal affairs of State A, and/or amounted to a use of force against State A. The analysis also examines whether State B would have violated its obligations under international human rights law.

2.1.1 Obligation to respect the sovereignty of other States

Sovereignty
Sovereignty is a core principle of international law. According to a widely accepted definition of the term in the 1928 Island of Palmas arbitral award,
[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[1]
Multiple declarations by the UN,[2] NATO,[3] OSCE,[4] the European Union,[5] and individual States have confirmed that international law applies in cyberspace. Accordingly, so too does the principle of sovereignty. However, there is some debate as to whether this principle operates as a standalone rule of international law, the breach of which gives rise to state responsibility.
  • For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law, the breach of which is an internationally wrongful act. This view was unanimously accepted by the experts who prepared the Tallinn Manual 2.0.[6] It has also been adopted by several States including Austria,[7] the Czech Republic,[8] Finland,[9] France,[10] Germany,[11] Iran,[12] and the Netherlands.[13]
  • By contrast, the opposing view is that sovereignty is a principle of international law that may guide State interactions, but it does not amount to a standalone primary rule.[14] This view has now been adopted by one State, the United Kingdom,[15] and has been endorsed by the U.S. Department of Defense General Counsel.[16] By this approach, cyber operations cannot violate sovereignty as a rule of international law, although they may constitute prohibited intervention, use of force, or other internationally wrongful acts.

The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to other relevant sections of the legal analysis (such as that on the prohibition of intervention).

It is understood that sovereignty has both an internal and an external component.[17] In the cyber context, the “internal” facet of sovereignty entails that “[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”[18][19]

As a general rule, each State must respect the sovereignty of other States.[20] It is clear that a cyber operation with severe destructive effects, comparable to a “non-cyber” armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.[21]

The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:

  1. A State organ conducting cyber operations against a target State or entities or persons located there while physically present in the target State's territory violates the target State's sovereignty.[22] This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.[23]
  2. Causation of physical damage or injury by remote means;[24] again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.[25]
  3. Causation of a loss of functionality of cyber infrastructure: although the Tallinn Manual 2.0 experts agreed that a loss of functionality constituted “damage” and thus a breach of sovereignty, no consensus could be achieved as to the precise threshold for a loss of functionality (the necessity of reinstallation of operating system or other software was proposed but not universally accepted).[26] Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.[27]
  4. Interference with data or services that are necessary for the exercise of "inherently governmental functions";[28] although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify.[29]
  5. Usurpation of "inherently governmental functions", such as exercise of law enforcement functions in another State’s territory without justification.[30]

The Tallinn Manual’s view of what constitutes a violation of sovereignty has been expressly endorsed by several States including Germany[31] and the Netherlands.[32] An alternative test has been proposed by France, which argues that a breach of sovereignty occurs already when there is “any unauthorised penetration by a State of [the victim State’s] systems”.[33]

Attributing the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.

Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.[34]

Publicly available national positions that address this issue include: National position of Australia (2020), National position of Brazil (2021), National position of the Czech Republic (2020), National position of Estonia (2019), National position of Estonia (2021), National position of Finland (2020), National position of France (2019), National position of Germany (2021), National position of Iran (2020), National position of Israel (2020), National position of Japan (2021), National position of Kenya (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of Romania (2021), National position of Singapore (2021), National position of Switzerland (2021), National position of the United Kingdom (2018), National position of the United Kingdom (2021), National position of the United States of America (2012), National position of the United States of America (2016), National position of the United States of America (2020).

[L3] This analysis proceeds on the basis that the obligation to respect the sovereignty of another State is a rule of international law applicable to cyberspace. The operation interrupted and slowed down the delivery of medical services in another State. The fact that this was done through an unauthorized penetration of State A’s systems would suffice for the qualification of the operation as a breach of sovereignty under the test proposed by France.[35]

[L4] The ransomware operation also resulted in a widespread loss of functionality, given that the affected systems in State A’s public hospitals ceased to operate properly until the encryption key was found. In addition, the operation prevented State A from tracking and informing patients who tested positive for a highly infectious disease, thereby undermining its capacity to contain that disease. Taking measures to curb an epidemic is a governmental responsibility of any State and thus the tracking and informing of patients can be considered as an inherently governmental function of State A.[36] Accordingly, State B’s cyber operation could also be characterized as a violation of State A’s sovereignty due to it having caused a loss of functionality of cyber infrastructure in State A (option 3 in the box above) and interfered with State A’s inherently governmental functions (option 4).

2.1.2 Prohibition of intervention

Prohibition of intervention
The obligation of non-intervention, a norm of customary international law, prohibits States from intervening coercively in the internal or external affairs of other States. Prohibited intervention was authoritatively defined by the International Court of Justice in the judgment on the merits in the 1986 case Nicaragua v United States:
A prohibited intervention must … be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.[37]
In order for an act, including a cyber operation, to qualify as a prohibited intervention, it must fulfil the following conditions:
  1. The act must bear on those matters in which States may decide freely. The spectrum of such issues is particularly broad and it includes both internal affairs (such as the “choice of a political, economic, social, and cultural system”[37] or the conduct of national elections[38]), and external affairs (“formulation of foreign policy”;[37] “recognition of states and membership of international organisations”[39])—the so-called domaine réservé of States.[40] The content of the domaine réservé is determined by the scope and nature of the State's international legal obligations.
  2. The act must be coercive in nature. There is no generally accepted definition of “coercion” in international law. In this respect, two main approaches have emerged in the cyber context:[41]
    1. Under the first approach, an act is coercive if it is specifically designed to compel the victim State to change its behaviour with respect to a matter within its domaine réservé.[42] Under this approach, the “key is that the coercive act must have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take)”.[43]
    2. Under the second approach giving meaning to “coercion”, it is sufficient for an act to effectively deprive the target State of its ability to control or govern matters within its domaine réservé.[44] This latter approach distinguishes itself from the former by accepting that mere deprivation of the target State’s control over a protected matter, without actually or potentially compelling that State to change its behaviour, may constitute intervention.[45]
    Under both approaches, however, merely influencing the target State by persuasion or propaganda or causing a nuisance without any particular goal is insufficient to qualify as coercion.[46] The element of coercion also entails the requirement of intent.[47]
  3. Finally, there has to be a causal nexus between the coercive act and the effect on the internal or external affairs of the target State.[48]

Publicly available national positions that address this issue include: National position of Australia (2020), National position of Brazil (2021), National position of Estonia (2021), National position of France (2019), National position of Germany (2021), National position of Iran (2020), National position of Israel (2020), National position of Japan (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of Romania (2021), National position of Singapore (2021), National position of Switzerland (2021), National position of the United Kingdom (2018), National position of the United Kingdom (2021), National position of the United States of America (2016), National position of the United States of America (2020).

[L5] With regard to the first element of prohibited intervention, the ransomware incidents related to matters of public policy including the operation of public hospitals and the development of a strategy to contain an infectious disease. Although some aspects of these matters are now subject to international regulation – for example, the World Health Organization’s International Health Regulations codify certain international obligations in handling public health emergencies[49] – the overall management of a public health crisis at a national level is still widely considered to remain a sovereign prerogative falling within each State’s domaine réservé.[50] Accordingly, the incidents related to matters upon which State A had the right to decide freely.

[L6] With respect to the second element, the two approaches to the meaning of “coercion” defined above lead to different results in the present scenario. On the first approach, an intent to compel State A to change its behaviour cannot be discerned from the facts. The cyber operation interfered with the functioning of the hospitals and the implementation of State A’s strategy, but there is insufficient information to conclude that State B had the goal of effecting any particular change in the behaviour of State A.

[L7] By contrast, on the second approach, the interference with the hospitals would be considered coercive because it prevented State A from operating those hospitals according to its own will. As such, it effectively deprived that State of its ability to control or govern matters within its domaine réservé and, accordingly, it qualified as a violation of the prohibition of intervention.

2.1.3 Use of force

Use of force
Article 2(4) of the UN Charter requires States to “refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations”.[51] This prohibition is reflective of customary international law[52] and it is frequently described as a peremptory norm of international law.[53] However, the notion of “force” in this context is limited to armed force,[54] and to operations whose scale and effects are comparable to the use of armed force.[55]

At present, there is a debate as to whether cyber operations with no physical effects may amount to a prohibited use of force. It has been argued that disruptive cyber operations of this kind fall under the scope of Article 2(4) if the resulting disruption is “significant enough to affect state security”.[56] Undoubtedly, one of the purposes of the prohibition of force under international law is to safeguard the national security of the potentially affected States.[57] However, many forms of outside interference including various forms of political and economic coercion may affect the national security of the victim State. And yet, the drafters of the UN Charter had expressly rejected the proposal to extend the prohibition of force beyond the strict confines of military (or armed) force.[58] This is reflected also in the preamble, which explicitly stipulates that the drafters sought “to ensure, by the acceptance of principles and the institution of methods, that armed force shall not be used, save in the common interest”.[59]

In principle, it could be argued that the notion of “force”, like other generic terms in treaties of unlimited duration, should be presumed to have an evolving meaning.[60]

As of 2021, there is limited State practice supporting the claim that the meaning of “force” has evolved to include non-destructive cyber operations against critical national infrastructure[61] and no victim State of an operation of this kind has suggested that the operation would have amounted to a use of force.[62] However, States have begun addressing this question. In particular, France[63] and the Netherlands[64] allow for the possibility of cyber operations, which do not produce physical effects, to qualify as uses of force, if certain criteria are met. These criteria include the seriousness and reach of a given cyber operation’s consequences and its military nature,[65] as well as “the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target”.[66] Several of these criteria are also reflected in the Tallinn Manual 2.0.[67]

Even if an operation does not meet the threshold of the use of force, it may still be considered a violation of other rules of international law.[68] In this regard, the prohibition of intervention, the obligation to respect the sovereignty of other States, and the possible obligation to refrain from launching cyber operations against other States’ critical infrastructure are all of potential relevance.

Publicly available national positions that address this issue include: National position of Australia (2020), National position of Brazil (2021), National position of France (2019), National position of Germany (2021), National position of Japan (2021), National position of the Netherlands (2019), National position of Romania (2021), National position of the United Kingdom (2021), National position of the United States of America (2012), National position of the United States of America (2020).

[L8] It is unlikely that the ransomware operations amounted to a use of force. There is no evidence of direct physical damage and it is doubtful that the operations can be considered comparable to the use of kinetic force on the basis of the criteria mentioned above. The consequences of the operations – in particular, the disruption to the functioning of public hospitals – would arguably not be considered serious or severe enough to equate the operation with a physical use of force against those targets.[69] Even if a causal link between the cyber operations and the two patient deaths could be established, these effects might still fall below a de minimis threshold suggested in legal doctrine[70] as well as in international practice.[71] The indirect nature of any such effects would also militate against the qualification of the underlying operation as a use of force.[72] Finally, the target of the operations and the circumstances prevailing at the time when the operations were launched did not suggest that the operations had a military character.[73]

2.1.4 Applicability of international humanitarian law

[L9] Provided that the operation is attributed to State B, a separate legal question is whether the cyber operation conducted by State B would bring into existence an international armed conflict between State B and State A.[74]

International armed conflict
The law of international armed conflict (IAC) applies to any armed confrontation between two or more States,[75] even if one, several, or all of them deny the existence of an armed conflict.[76] Some scholars have suggested that the fighting must be of a certain intensity before international humanitarian law (IHL) comes into effect,[77] but the prevailing view is that any “resort to armed force between States”,[78] however brief or intense, triggers the application of IHL.[79] Furthermore, the law does not prescribe any specific form for the resort to force,[80] so hostilities between the belligerent States may involve any combination of kinetic and cyber operations, or cyber operations alone.[81]

It is unclear what effect cyber operations unaccompanied by any use of kinetic force would have to have in order for IHL to apply. Although it seems generally accepted that if cyber operations have similar effects to classic kinetic operations and two or more States are involved, the resulting situation would qualify as an IAC,[82] the law is unsettled on whether cyber operations that merely disrupt the operation of military or civilian infrastructure amount to a resort to armed force for the purposes of IHL.[83][84]

In the cyber context, States often act through non-State intermediaries and proxies. In such situations at the outset of an armed confrontation, the relevant State must exercise a sufficient degree of control over the non-State entity that commences hostilities against another State for the situation to qualify as an IAC. However, the correct legal test to use in this regard is the subject of an ongoing controversy.[85] The prevailing standard for the characterization of an international armed conflict is that of “overall control”, which requires that the State provides some support and that it participates in the organization, co-ordination, or planning of the relevant operations.[86] A separate standard, the “effective control” test, requires that the State must exercise control over the entire course of the operations in question.[87] While there is still disagreement as to whether the “effective control” test is the controlling test for the purposes of attribution under the law of State responsibility, there is consensus that the “overall control” test is the correct one for conflict qualification under IHL.[88] The latter is also confirmed by decades of consistent practice by international criminal tribunals including the ICTY, the ECCC, and the ICC.[89]

Publicly available national positions that address this issue include: National position of Finland (2020), National position of France (2019), National position of Germany (2021), National position of Japan (2021).

[L10] In the present scenario, the effect of the cyber operation is difficult to compare to a classic kinetic operation because there is no physical damage comparable to that resulting from armed hostilities between States. At the same time, if computer systems in a significant number of hospitals are targeted and disrupted, it is reasonably foreseeable that injury or death will result. In line with the prevailing view that there is no requirement of a specific level of intensity of violence to trigger an international armed conflict (see the box above), it could thus be argued that such operations would bring into existence an international armed conflict and have to comply with the limits imposed by IHL (on which see section 2.2.1 below). For the time being, however, it is unclear whether States would classify such cyber operations as bringing IHL into application.[90]

2.1.5 International human rights law

[L11] The scenario also raises the question of whether the cyber operation is in violation of State B’s obligations to respect (1) the right to life of those patients who died following the operation (article 6 ICCPR) and (2) the right to health of persons whose health is negatively affected by the operation (article 12 ICESCR).


International human rights law
International human rights law applies in cyberspace; individuals enjoy the same human rights online as they enjoy offline.[91] States are therefore bound by their human rights obligations to both respect and ensure human rights in cyberspace. States also bear international responsibility for the violation of human rights obligations that are attributable to them.[92]

The source of these obligations is primarily treaty law. The two key global treaties are the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR);[93] many of these treaties’ provisions, along with the provisions of the Universal Declaration of Human Rights, are regarded as reflective of customary international human rights law, even though there is no universally accepted codification. Apart from the ICCPR and ICESCR, there exist important regional human rights treaty systems, especially for Europe (European Convention on Human Rights – ECHR)[94], the European Union (Charter of Fundamental Rights of the European Union – EUCFR),[95] and America (American Convention on Human Rights – ACHR)[96], which provide for adjudicatory mechanisms by which individuals can assert their human rights against States and which have generated a considerable amount of case-law as a result.

In order to determine whether a State has breached its human rights obligations, the following steps of analysis should be conducted:

  1. Since cyber operations often take place in the cyber infrastructure of multiple States, the issue of jurisdiction must be addressed. Each human rights treaty has its own bespoke jurisdictional requirements and scope. In this regard, every State party to the ICCPR has undertaken “to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the [ICCPR]”.[97] The UN Human Rights Committee has understood this provision to mean that the human rights obligations recognized within the ICCPR apply not only to persons physically located within a State’s territory, but also to situations where the State exercises “power or effective control” either over the territory on which an individual is located (the spatial model of jurisdiction) or over the individual (the personal model of jurisdiction).[98] The International Court of Justice (ICJ) has gone even further by stating that the ICCPR “is applicable in respect of acts done by a State in the exercise of its jurisdiction outside its own territory”.[99] A few States (such as the US and Israel) have adopted the contrary view and maintain that human rights obligations do not apply extraterritorially. To date, however, these States remain in the minority.[100] As such, although the exact criteria for the applicability of human rights obligations to extraterritorial activities of States are not settled and are subject to ongoing academic and political debate,[101] the prevailing opinion at present is that human rights obligations do apply to some acts of a State outside its territory.
  2. If an international human rights regime is applicable, the second question is whether a cyber operation attributable to a State constitutes an interference with a particular human right. The human rights that are often implicated by cyber operations include the right to privacy[102] and the right to freedom of opinion and expression.[103]
  3. Not every State interference with a human right is also a violation of international human rights law. For an interference to be legal, it must be justified, namely:
    1. in accordance with an accessible and foreseeable domestic law (“legality”),
    2. pursuing a legitimate objective of public interest (such as national security, public order, public health, or morals) or for the protection of rights of others,
    3. necessary to achieve that objective, and
    4. proportionate in balancing the means and the end.[104]

Apart from the responsibility for human rights violations attributed to it, a State can also be held responsible for its failure to take all reasonable measures to protect the human rights of individuals in its territory and subject to its jurisdiction (for instance, if it unlawfully allows non-State actors to violate human rights).[105]

Publicly available national positions that address this issue include: National position of Australia (2020), National position of the Czech Republic (2020), National position of Estonia (2021), National position of Finland (2020), National position of Japan (2021), National position of Kazakhstan (2021), National position of Kenya (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of Romania (2021), National position of Switzerland (2021), National position of the United Kingdom (2021), National position of the United States of America (2012), National position of the United States of America (2016).

[L12] In the present scenario, it must first be determined whether the patients are within State B’s jurisdiction, meaning whether State B owes human rights obligations to them.

[L13] There are at least three possible approaches to determining whether a State owes human rights obligations to persons living abroad who are affected by its cyber activities.

[L14] First, a few States take the view that human rights treaties, such as the ICCPR, do not apply extraterritorially.[106] On this view, State B would not owe human rights obligations to anyone outside of its territory, including the affected patients in State A. However, it should be noted that this view has been contradicted by the International Court of Justice[107] and it has gained minimal traction outside of the limited number of its supporters.[108]

[L15] Second, in line with the well-established understanding of jurisdiction under human rights law, a State only owes obligations under the ICCPR or the ICESCR to persons abroad if it exercises effective control over the territory in which the effects of the operation manifest,[109] or if it has physical control over the victims;[110] referred to in the literature as, respectively, the spatial and personal models of jurisdiction.[111] However, neither of these conditions is met in the present scenario. As a result, a cyber operation by State B that affects victims in State A would not violate State B’s human rights obligations because the victims do not come within State B’s jurisdiction.

[L16] Third, and without specifically referring to cyber operations, human rights treaty bodies have presented more extensive views on the scope of States’ extraterritorial jurisdiction under the ICCPR and the ICESCR. With regard to the right to life under the ICCPR, the UN Human Rights Committee opined that a State’s obligations to respect and to ensure this right extend to “persons located outside any territory effectively controlled by the State, whose right to life is nonetheless impacted by its military or other activities in a direct and reasonably foreseeable manner”.[112] More broadly, the UN Committee on Economic, Social, and Cultural Rights has argued that under the ICESCR “States parties have to respect the enjoyment of the right to health in other countries”.[113] Under this approach, State B would owe human rights obligations to those affected by its cyber operations. It is unclear, however, whether such broad interpretations of the notion of jurisdiction reflect the current state of international law.[114]

[L17] If the view suggested by the UN treaty bodies were followed, it would still need to be analysed whether State B acted in violation of its obligation under the right to life by using ransomware against public hospitals. Following the UN Human Rights Committee’s interpretation of the right to life, this would be the case if an act of the State – in this case the cyber operation that resulted in the death of two patients – impacted the right to life “in a direct and reasonably foreseeable manner”.[115] In the present case, it could be argued that a cyber operation against a significant number of hospitals affects the right to life of patients in a direct and reasonably foreseeable manner, even if the cyber operation is not the immediate cause of death.[116]

[L18] Similarly, if the more extensive approach to jurisdiction was taken, it would follow that State B also violated its obligations under the right to health. This is because, as noted by the Committee on Economic, Social, and Cultural Rights, the obligation to respect that right requires States not to interfere “directly or indirectly with the enjoyment of the right to health”.[117] State B’s cyber operations which prevented patients from receiving treatment and which negatively affected State A’s ability to respond to a public health crisis would have violated that obligation.[118]

2.2 What if it was State C: Focus on the law applicable during armed conflict

2.2.1 International humanitarian law

[L19] If the operation is attributed to State C, it takes place in the context of an existing international armed conflict. As a consequence, all acts of the parties to the conflict with a sufficient nexus to that conflict are governed by IHL.[119] Based on the evidence available, it is unclear whether such nexus existed, which would be assessed by reference to whether State C “acted in furtherance of or under the guise of the armed conflict”.[120] The remainder of the analysis in this subsection proceeds on the assumption that this requirement was met.


Protection of medical units during armed conflict
Under treaty and customary IHL, “medical units” – a term that includes military and civilian hospitals (the latter if belonging to a party to the conflict and recognized and authorized by the competent authority of one of the Parties to the conflict) – must be “respected and protected” by the parties to the conflict at all times and “shall not be the object of attack”.[121] Intentionally directing attacks against medical units and facilities may constitute a war crime.[122]

The obligation to “respect” medical facilities is broader than just protecting them against operations that amount to attacks as defined in IHL, meaning it is also prohibited to interfere with the functioning of medical services in ways that do not necessarily result in death, injury, or damage.[123] As the ICRC Commentary explains, under the relevant IHL provisions it is prohibited to “harm [medical facilities] in any way. This also means that there should be no interference with their work (for example, by preventing supplies from getting through) or preventing the possibility of continuing to give treatment to the wounded and sick who are in their care”.[124]

In light of the comprehensive protection for medical facilities under IHL, the obligation to respect medical facilities encompasses a prohibition against deleting, altering or otherwise negatively affecting medical data.[125] Relevant data in the medical context include “data necessary for the proper use of medical equipment and for tracking the inventory of medical supplies” as well as “personal medical data required for the treatment of patients”.[126]

Publicly available national positions that address this issue include: National position of Switzerland (2021).

[L20] In the present scenario, the malware encrypted computers used in the hospital and made medical data of hospital patients temporarily unavailable. The operation thereby interfered with the hospital’s medical work and prevented medical staff from treating those in need of care. Therefore, the operation would have constituted a violation of State C’s obligations to respect and to protect medical units.


The notion of ‘attack’ under international humanitarian law
The question of whether an operation amounts to an ‘attack’ as defined in international humanitarian law (IHL) is essential for the application of many of the rules deriving from the principles of distinction, proportionality and precaution. While some IHL rules impose limits on any military (cyber) operation, the rules specifically applicable to ‘attacks’ afford significant protection to civilians and civilian objects in times of armed conflict.[127]

Article 49 of Additional Protocol I defines ‘attacks’ as ‘acts of violence against the adversary, whether in offence or in defence’. The notion of violence in this definition can refer to either the means of warfare or their effects, meaning that an operation causing violent effects can qualify as an attack even if the means used to bring about those effects are not violent as such.[128] Accordingly, it is widely accepted that cyber operations that can be reasonably expected to cause injury or death to persons or damage or destruction to objects constitute attacks under IHL.[129]

At present, different views exist on the interpretation of what constitutes ‘damage’ for assessing whether an operation amounts to an ‘attack’. One view, taken by some States including Denmark, Israel, and Peru, is that only physical damage is relevant in the assessment of what constitutes an attack under IHL.[130] Under this approach, ‘the mere loss or impairment of functionality to infrastructure would be insufficient’ to qualify a cyber operation as an ‘attack’.[131]

Other States have interpreted the notion of ‘attack’ more widely. States including Bolivia, Ecuador, France, Germany, Guatemala, Japan, and New Zealand consider that cyber operations may qualify as an ‘attack’ without causing physical damage if they disable the functionality of the target. While no uniform formulation of the requisite threshold of damage exists, it has been said that a cyber operation can be qualified as an attack if it ‘neutralizes’ an object,[132] if it causes a ‘loss of functionality, equivalent to that caused by a kinetic attack’,[133] or ‘only produce[s] a loss of functionality’,[134] if ‘the [affected] system is functionally disabled’,[135] ‘if harmful effects on communication, information or other electronic systems, on the information that is stored, processed or transmitted on these systems or on physical objects or persons’ are caused,[136] or if the operation ‘renders inoperable a state’s critical infrastructure’[137] or disables a ‘state’s basic services (water, electricity, telecommunications, or the financial system)’.[138]

For its part, the ICRC interprets the notion of ‘attack’ as including a loss of functionality. In its view, ‘an operation designed to disable a computer or a computer network constitutes an attack under IHL, whether the object is disabled through kinetic or cyber means’.[139] The ICRC bases this interpretation on a contextual and teleological interpretation of the notion of ‘attack’ in Additional Protocol I.[140]

In assessing which ‘reasonably expected’ effects of an operation have to be considered, some States, including Denmark, Finland, New Zealand, Norway, Switzerland, and the United States, have clarified that this includes harm due to the foreseeable direct and indirect (or reverberating) effects of an attack.[141] An indirect or reverberating effect would include, for example, the death of patients in intensive-care units caused by a cyber operation on an electricity network that results in cutting off a hospital’s electricity supply – a view shared by the ICRC.[142]

[L21] It must further be inquired whether the operation amounts to an attack against a medical unit, which could amount to a war crime.[143] This would be the case if the operation can reasonably be expected to cause injury or death to persons or damage or destruction to objects (see box above). If the view is taken that the notion of damage includes a loss of functionality, the present operation amounts to an attack because it effectively disabled the hospital computers. This conclusion will also be reached if the focus is not on the damage caused but on the reasonably foreseeable injury or death. This is because conducting a cyber operation that is expected to disrupt computers in 30% of a State’s hospitals can be “reasonably expected to cause injury or death to persons”.[144] On the basis of the foregoing, the operation would thus qualify as a prohibited attack against a medical unit.

2.2.2 International human rights law

[L22] Finally, it should be noted that it is generally – though not universally – accepted that international human rights law continues to apply during armed conflicts.[145] If the more extensive view on the notion of jurisdiction is taken, the conduct attributed to State C might also implicate its human rights obligations, in particular those under the rights to life and health (see paras L16–L18 above). In that case, the precise interplay between the relevant IHL and human rights obligations would require further analysis, which is beyond the scope of the present scenario.[146]

3 Checklist

  • Who is responsible for the operation and can the act be attributed to a State?
  • Does the operation take place in time of peace or in the context of an armed conflict?
  • If the operation takes place in time of peace, does it
    • Violate the principle of sovereignty, the principle of non-intervention, or the prohibition against the use of force?
    • Violate the acting State’s human rights obligations? Does the acting State owe human rights obligations to the victims?
    • Could it bring into existence an international armed conflict to which IHL applies?
  • If the operation takes place in times of armed conflict, does it violate relevant rules of IHL, notably the obligation to respect and protect medical facilities and the prohibition against attacks against medical units?

4 Appendixes

4.1 See also

4.2 Notes and references

  1. Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
  2. UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
  3. North Atlantic Treaty Organization, 'Wales Summit Declaration' (issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Wales) (5 September 2015) para 72.
  4. Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
  5. Council of the European Union, "Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017).
  6. Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30,40; Tallinn Manual 2.0, commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
  7. Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility’.
  8. Czech Republic, Statement by Mr. Richard Kadlčák, Special Envoy for Cyberspace, 2nd substantive session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (11 February 2020), stating that ‘[t]he Czech Republic concurs with those considering the principle of sovereignty as an independent right and the respect to sovereignty as an independent obligation.’
  9. Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3, stating that ‘Finland sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This rule is fully applicable in cyberspace.’
  10. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, stating that ‘Any unauthorised penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty’.
  11. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 3, noting that ‘Germany agrees with the view that cyber operations attributable to States which violate the sovereignty of another State are contrary to international law’.
  12. Iran, ‘Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace’ (July 2020), para 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state.’).
  13. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘countries may not conduct cyber operations that violate the sovereignty of another country’.
  14. Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208 (arguing that sovereignty is ‘a principle of international law that guides state interactions’).
  15. Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) (stating that he was ‘not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law’); see also Memorandum from JM O’Connor, General Counsel of the Department of Defense, ‘International Law Framework for Employing Cyber Capabilities in Military Operations’ (19 January 2017) (considering that sovereignty is not ‘a binding legal norm, proscribing cyber actions by one State that result in effects occurring on the infrastructure located in another State, or that are manifest in another State’), as cited by Sean Watts & Theodore Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771, 829.
  16. Paul C. Ney, DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March 2020, arguing that ‘the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory’.
  17. Cf. James Crawford, Brownlie's Principles of Public International Law (OUP 2012) 448.
  18. Tallinn Manual 2.0, rule 2.
  19. Sovereignty over cyber infrastructure derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules.')
  20. UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); Tallinn Manual 2.0, rule 4.
  21. Tallinn Manual 2.0, commentary to rule 4, para 5 and 12.
  22. See, eg, Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment) [2015] ICJ Rep 665, 704–05, paras 97–99 (holding that the presence of Nicaragua’s military personnel in the territory under Costa Rica’s sovereignty amounted to a violation of Costa Rica’s territorial sovereignty); see also Tallinn Manual 2.0, commentary to rule 4, para 6.
  23. Tallinn Manual 2.0, commentary to rule 4, para 7; commentary to rule 32, para 9.
  24. Tallinn Manual 2.0, commentary to rule 4, para 11.
  25. Tallinn Manual 2.0, commentary to rule 4, para 12.
  26. Tallinn Manual 2.0, commentary to rule 4, para 13.
  27. Tallinn Manual 2.0, commentary to rule 4, para 14.
  28. Tallinn Manual 2.0, commentary to rule 4, para 15.
  29. Tallinn Manual 2.0, commentary to rule 4, para 16.
  30. Tallinn Manual 2.0, commentary to rule 4, para 18.
  31. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 4.
  32. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), p. 3.
  33. French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p. 6.
  34. In favour: see, eg, Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73, 84; Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012) 145. Against: see, eg, Tallinn Manual 2.0, commentary to rule 4, para 3.
  35. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019), 6.
  36. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)information Operations During a Pandemic’ (2020) 11 Journal of National Security Law & Policy 247, 255 (‘[C]risis management during an epidemic or a pandemic is a governmental responsibility in every state and accordingly an inherently governmental function.’).
  37. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, para 205.
  38. Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3; Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3; Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 5.
  39. Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3.
  40. See, for example, Katja Ziegler, “Domaine Réservé”, in Rudiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008) (updated April 2013) (defining the domaine réservé as those “areas where States are free from international obligations and regulation”).
  41. See also Harriet Moynihan, ‘The Vital Role of International Law in the Framework for Responsible State Behaviour in Cyberspace’ (2020) 5 Journal of Cyber Policy __, ___ [10–12 in pre-print].
  42. See, eg, Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019) 3, defining coercion as ‘compelling a state to take a course of action (whether an act or an omission) that it would not otherwise voluntarily pursue’ and noting that ‘[t]he goal of the intervention must be to effect change in the behaviour of the target state’; Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 5, defining coercion as a situation in which a State’s ‘will is manifestly bent by the foreign State’s conduct’ and noting that ‘the acting State must intend to intervene in the internal affairs of the target State’; see also Tallinn Manual 2.0, commentary to rule 66, para 19 (‘The majority of Experts was of the view that the coercive effort must be designed to influence outcomes in, or conduct with respect to, a matter reserved to a target State.’).
  43. Tallinn Manual 2.0, commentary to rule 66, para 21. See also Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3.
  44. See, eg, Australia, ‘Supplement to Australia’s Position on the Application of International Law to State Conduct in Cyberspace’ (2019) 4 (‘A prohibited intervention is one that interferes by coercive means (in the sense that they effectively deprive another state of the ability to control, decide upon or govern matters of an inherently sovereign nature), either directly or indirectly, in matters that a state is permitted by the principle of state sovereignty to decide freely.’); New Zealand, ‘The Application of International Law to State Activity in Cyberspace’ (1 December 2020), para 9(b) (stating that a State cyber activity is coercive if ‘there is an intention to deprive the target state of control over matters falling within the scope of its inherently sovereign functions’); see also Tallinn Manual 2.0, commentary to rule 66, para 19 (‘A few Experts took the position that to be coercive it is enough that an act has the effect of depriving the State of control over the matter in question.’).
  45. Harriet Moynihan, ‘The Vital Role of International Law in the Framework for Responsible State Behaviour in Cyberspace’ (2020) 5 Journal of Cyber Policy __, ___ [11 in pre-print].
  46. Tallinn Manual 2.0, commentary to rule 66, para 21.
  47. Tallinn Manual 2.0, commentary to rule 66, paras 19 and 27.
  48. Tallinn Manual 2.0, commentary to rule 66, para 24 (the exact nature of the causal nexus was not agreed on).
  49. International Health Regulations (signed 23 May 2005, entered into force 15 June 2007) 2509 UNTS 79.
  50. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)information Operations During a Pandemic’ (2020) 11 Journal of National Security Law & Policy 247, 257 (‘It is unquestionably within the domaine réservé of a state to determine how it will handle a health crisis, as is the actual handling of that crisis.’); Gary P. Corn, ‘Covert Deception, Strategic Fraud, and the Rule of Prohibited Intervention’, Hoover Working Group on National Security, Technology, and Law, Aegis Series Paper No. 2005 (18 September 2020) 9 (‘the adoption and implementation of public-health policies and measures, especially in the face of a global pandemic, are widely recognized as legitimate matters of governance within a state’s internal sovereign jurisdiction’).
  51. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) art. 2(4).
  52. Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep 136, para 87; Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14, paras 187–190.
  53. See, for example, The International Law Commission, 'Document A/6309/ Rev.1: Reports of the International Law Commission on the second part of its seventeenth and on its eighteenth session' Yearbook of the International Law Commission Vol. II (1966) 247 (“The law of the Charter concerning the prohibition of the use of force in itself constitutes a conspicuous example of a rule in international law having the character of jus cogens”); Christine Gray, International Law and the use of force (OUP 2018) 32; Oliver Corten, The Law against War (Hart Pub. 2010) 44; Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012), 231, para 67 (“the prohibition of the use of force laid down in Art. 2 (4) is usually acknowledged in State practice and legal doctrine to have a peremptory character, and thus to be part of the international ius cogens”).
  54. Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012) 208 para 16 (“The term [‘force’] does not cover any possible kind of force, but is, according to the correct and prevailing view, limited to armed force.”).
  55. Cf. Ian Brownlie, International Law and the Use of Force by States (OUP 1963) 362 (“[Art 2(4)] applies to force other than armed force”); Tallinn Manual 2.0, rule 69 (“A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”).
  56. Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 55.
  57. Cf. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) art. 2(4) (expressly prohibiting the use of force against the “political independence” of any State).
  58. Documents of the United Nations Conference on International Organization (1945), vol VI, 334.
  59. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) preamble.
  60. Cf. Dispute regarding Navigational and Related Rights (Costa Rica v Nicaragua) Judgment [2009] ICJ Rep 213, para 66 (“[W]here the parties have used generic terms in a treaty, the parties necessarily having been aware that the meaning of the terms was likely to evolve over time, and where the treaty has been entered into for a very long period or is ‘of continuing duration’, the parties must be presumed, as a general rule, to have intended those terms to have an evolving meaning”).
  61. However, such claims are occasionally made in the scholarship: see, for example, Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 59; Nicholas Tsagourias 'Cyber Attacks, Self-Defence and the Problem of Attribution' (2012) 17 (2) Journal of Conflict and Security Law 23; Gary Brown and Keira Poellet, ‘The Customary International Law of Cyberspace’ (2012) Strategic Studies Quarterly 137.
  62. Dan Efrony and Yuval Shany, ‘A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice’ (2018) 112 AJIL 583, 638.
  63. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, at p. 7, stating that ‘France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force’.
  64. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) at p. 4, stating that ‘in the view of the government, at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force’.
  65. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) at p. 4.
  66. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, at p. 7.
  67. Tallinn Manual 2.0, commentary to rule 69, para 9.
  68. Cf. US, State Department Legal Advisor Brian Egan, International Law and Stability in Cyberspace, Speech at Berkeley Law School (10 November 2016), 13 (“In certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force.”) (emphasis original); UK, Attorney General Jeremy Wright QC MP, Cyber and International Law in the 21st Century, Speech (23 May 2018) (“In certain circumstances, cyber operations which do not meet the threshold of the use of force but are undertaken by one state against the territory of another state without that state’s consent will be considered a breach of international law.”).
  69. See also Tallinn Manual 2.0, commentary to rule 69, para 9(a) (‘Severity is the most significant factor in the analysis.’).
  70. See, eg, Robert Kolb, Ius contra bellum: Le droit international relatif au maintien de la paix (2nd edn, Bruylant 2009) 247; Olivier Corten, The Law Against War: The Prohibition on the Use of Force in Contemporary International Law (Bloomsbury 2010) 55; Mary Ellen O’Connell, ‘The Prohibition on the Use of Force’, in Nigel D. White & Christian Henderson (eds), Research Handbook on International Conflict and Security Law (OUP 2013) 102; see also Tallinn Manual 2.0, commentary to rule 69, para 9(a); but see, eg, Tom Ruys, ‘The Meaning of “Force” and the Boundaries of the Jus ad Bellum: Are “Minimal” Uses of Force Excluded from UN Charter Article 2(4)?’ (2014) 108 AJIL 159.
  71. IIFFMCG, Independent International Fact-Finding Mission on the Conflict in Georgia: Report (September 2009) vol 2, at 242 (‘The prohibition of the use of force covers all physical force which surpasses a minimum threshold of intensity. … Only very small incidents lie below this threshold, for instance the targeted killing of single individuals, forcible abductions of individual persons, or the interception of a single aircraft.’) (emphasis added).
  72. Tallinn Manual 2.0, commentary to rule 69, para 9(c) (‘Cyber operations in which cause and effect are clearly linked are more likely to be characterised as uses of force than those in which they are highly attenuated.’).
  73. See French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, 7 (‘In the absence of physical damage, a cyberoperation may be deemed a use of force against the yardstick of several criteria, including the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target’) (emphasis added).
  74. On the difference in the cyber context between the relevant thresholds under the law on the use of force and IHL, see Laurent Gisel, Tilman Rodenhäuser, and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’, (2020) 102(913) International Review of the Red Cross 287, 302–310.
  75. Common Article 2 GC I (stipulating that the Conventions “shall apply to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties”).
  76. ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 246 (‘Even if none of the Parties recognize the existence of a state of war or of an armed conflict, humanitarian law would still apply provided that an armed conflict is in fact in existence.’).
  77. See, eg, Jann K Kleffner, ‘Scope of Application of Humanitarian Law’ in D Fleck (ed), The Handbook of International Humanitarian Law (3rd edn, OUP 2013) 45; ILA Use of Force Committee, Final Report on the Meaning of Armed Conflict in International Law (2010) 32; Gary D. Solis, The Law of Armed Conflict: International Humanitarian Law in War (2nd edn, CUP 2016) 162.
  78. Prosecutor v Tadić (Decision on Jurisdiction) IT-94-1-AR72 (2 October 1995) para 70.
  79. See, eg, Jean S. Pictet (ed) Geneva Convention IV relative to the Protection of Civilian Persons in Time of War: Commentary (ICRC 1958) 20–21; Yves Sandoz, Christophe Swinarski, and Bruno Zimmermann (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (ICRC 1987) 40; René Provost, International Human Rights and Humanitarian Law (CUP 2002) 250; Jann K Kleffner, ‘Scope of Application of International Humanitarian Law’ in Dieter Fleck (ed), The Handbook of International Humanitarian Law (3rd edn, OUP 2013) 45; Andrew Clapham, ‘Concept of International Armed Conflict’ in Andrew Clapham, Paola Gaeta, and Marco Sassòli (eds), The 1949 Geneva Conventions: A Commentary (OUP 2015) 16 para 38; ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 251; Noam Zamir, Classification of Conflicts in International Humanitarian Law: The Legal Impact of Foreign Intervention in Civil Wars (Edward Elgar 2017) 53–55; Kubo Mačák, Internationalized Armed Conflicts in International Law (OUP 2018) 15–16.
  80. Cf. Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion) [1996] ICJ Rep 226, para 89 (holding that the relevant rules of IHL apply “to all international armed conflict, whatever type of weapons might be used”) (emphasis added).
  81. Tallinn Manual 2.0, commentary to rule 82, para 11.
  82. ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 288.
  83. ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 289.
  84. For State views on this matter, see, eg, Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 7 (‘International humanitarian law only applies to cyber operations when such operations are part of, or amount to, an armed conflict. Most so far known cyberattacks have not been launched in the context of an armed conflict or have met the threshold of armed conflict.’); French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, 12 (‘Cyberoperations that constitute hostilities between two or more States may characterise the existence of international armed conflict (IAC)’); Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 7 (‘An international armed conflict – a main prerequisite for the applicability of IHL in a concrete case – is characterized by armed hostilities between States. This may also encompass hostilities that are partially or totally conducted by using cyber means.’); Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (28 May 2021), 7 (‘If the effects of cyber operations are taken into consideration, the conduct of cyber operations alone may reach the threshold of an "armed conflict."’).
  85. See further Kubo Mačák, Internationalized Armed Conflicts in International Law (OUP 2018) 39–47.
  86. Prosecutor v Prlić et al (Trial Judgment) IT-04-74-T (29 May 2013), vol 1, para 86(a).
  87. See Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, paras 112–15; see further Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JCSL 405, 421.
  88. Case Concerning the Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43, para 405; but see ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 304 (arguing that overall control is the controlling test in both contexts).
  89. See Prosecutor v Tadić (Appeal Judgment) IT-94-1-A (15 July 1999) paras 120–121; Prosecutor v Lubanga (Pre-Trial Chamber 1) ICC-01/04-01/06 (29 January 2007) paras 209–211; Case No 001/18-07-2007/ECCC/TC (26 July 2010) para 540.
  90. For instance, Germany states broadly that ‘armed hostilities’ that are ‘totally conducted by using cyber means’ can amount to an international armed conflict. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 7. France considers that ‘while an armed conflict consisting exclusively of digital activities cannot be ruled out in principle, it is based on the capacity of autonomous cyberoperations to reach the threshold of violence required to be categorised as such’ (emphasis added). French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019), 12. While Japan considers that the effects of a cyber operation ‘alone may reach the threshold of an "armed conflict"’, it also argues that this ‘needs to be decided on a case-by-case basis, taking into account a number of elements, such as the manner of the actual attack and the intent of each party to the incident, in a comprehensive manner’. Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (28 May 2021), 7.
  91. See, for example, United Nations Human Rights Council, The promotion, protection and enjoyment of human rights on the Internet, Resolution A/HRC/RES/32/13 (1 July 2016), para 1; NATO, Warsaw Summit Communiqué (9 July 2016), para 70; G8 Summit of Deauville, Declaration: Renewed Commitment for Freedom and Democracy (27 May 2011), para II/11.
  92. See, Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43, para 170.
  93. International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 (ICCPR); International Covenant on Economic, Social and Cultural Rights (adopted 16 December 1966, entered into force 3 January 1976) 993 UNTS 3 (ICESCR).
  94. Formal title: Convention for the Protection of Human Rights and Fundamental Freedoms (opened to the signature in Rome on 4 November 1950, entered into force 3 September 1953), ETS 5 (ECHR); there are several protocols which significantly expand and amend the obligations of the original Convention.
  95. Charter of Fundamental Rights of the European Union, proclaimed on 7 December 2000 (EUCFR).
  96. American Convention on Human Rights (open for signature from 22 November 1969, entered into force 18 July 1978), 1144 UNTS 123 (ACHR).
  97. Article 2(1) ICCPR.
  98. UN HRC, ‘General Comment No. 31 (80): The Nature of the General Legal Obligation Imposed on States Parties to the Covenant’ (adopted on 29 March 2004, 2187th meeting), para 10.
  99. Cf, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories (Advisory Opinion) [2004] ICJ Rep 136, para 111.
  100. See, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories (Advisory Opinion) [2004] ICJ Rep 136, para 110; UN HRC, Summary Record of the 1405th Meeting, CCPR/C/SR.1405 (31 March 1995) 6 [20].
  101. See, for example, Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56 Harvard International Law Journal 81.
  102. Article 17 ICCPR; Article 8 ECHR; Article 7 EUCFR; Article 11 ACHR. The exact titles and scopes of the provisions vary.
  103. Article 19 ICCPR; Article 10 ECHR; Article 11 EUCFR; Article 13 ACHR. The exact titles and scopes of the provisions vary.
  104. UN Human Rights Committee, ICCPR General Comment No. 34 (12 September 2011), paras 21-36; See also ICCPR General Comment No. 27 (1 November 1999), paras 14-16.
  105. See, Velásquez Rodríguez v. Honduras, (Merits) IACrtHR (Ser. C) No. 4 (29 July 1988) [177].
  106. Human Rights Committee, Concluding observations of the Human Rights Committee, United States of America, 18 December 2006, CCPR/C/USA/CO/3/Rev.1, para 10; Committee on Economic, Social and Cultural Rights, Concluding observations of the Committee on Economic, Social and Cultural Rights, Israel, 26 June 2003, E/C.12/1/Add.90, para. 11.
  107. See International Court of Justice, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion, 9 July 2004, paras 111 and 112.
  108. See Nicola Wenzel, ‘Human Rights, Treaties, Extraterritorial Application and Effects’ in Rüdiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008) (updated May 2008) paras 4 and 21; see also Human Rights Committee, General Comment No. 31 on ‘The Nature of the General Legal Obligation Imposed on States Parties to the Covenant’, 26 May 2004, CCPR/C/21/Rev.1/Add.13, para. 10.
  109. See Human Rights Committee, Concluding Observations, Israel, UN Doc CCPR/C/79/Add.93 (18 August 1998), para 10 (‘the Covenant must be held applicable to the occupied territories and those areas…where Israel exercises effective control’); Committee on Economic, Social and Cultural Rights, Concluding observations, Israel, UN Doc E/C.12/1/Add.90 (26 June 2003), para 31 (‘the Committee reaffirms its view that the State party’s obligations under the Covenant apply to all territories and populations under its effective control’).
  110. See Human Rights Committee, General Comment No. 31 on ‘The Nature of the General Legal Obligation Imposed on States Parties to the Covenant’, 26 May 2004, CCPR/C/21/Rev.1/Add.13, para. 10 (‘a State Party must respect and ensure the rights laid down in the Covenant to anyone within the power or effective control of that State Party, even if not situated within the territory of the State Party’); Committee on Economic, Social and Cultural Rights, Concluding observations, Israel, UN Doc E/C.12/1/Add.90 (26 June 2003), para 31 (‘the Committee reaffirms its view that the State party’s obligations under the Covenant apply to all territories and populations under its effective control’).
  111. See generally Marko Milanovic, Extraterritorial Application of Human Rights Treaties: Law, Principles, and Policy (OUP 2011) 118–228.
  112. See Human Rights Committee, General comment No. 36 (2018) on article 6 of the International Covenant on Civil and Political Rights, on the right to life, 30 October 2018, CCPR/C/GC/36, para. 63. See also Marko Milanovic, Extraterritorial Application of Human Rights Treaties: Law, Principles, and Policy (OUP 2011) 209 ff.
  113. CESCR General Comment No. 14: The Right to the Highest Attainable Standard of Health (Art. 12), 11 August 2000, E/C.12/2000/4, para. 39; see also Committee on Economic, Social and Cultural Rights, General comment No. 24 (2017) on State obligations under the International Covenant on Economic, Social and Cultural Rights in the context of business activities, 10 August 2017, E/C.12/GC/24, para. 29, in which the Committee states: “The extraterritorial obligation to respect requires States parties to refrain from interfering directly or indirectly with the enjoyment of the Covenant rights by persons outside their territories.”
  114. Several States have rejected such interpretations in non-cyber contexts explicitly. See, for instance, the reactions of Austria, Canada, France, Germany, Norway, Netherlands, United States to draft General Comment No. 36 of the UN Human Rights Committee, available here: https://www.ohchr.org/en/hrbodies/ccpr/pages/gc36-article6righttolife.aspx
  115. See Human Rights Committee, General Comment No. 36 (2018) on article 6 of the International Covenant on Civil and Political Rights, on the right to life, 30 October 2018, CCPR/C/GC/36, para. 63. See also Marko Milanovic, Extraterritorial Application of Human Rights Treaties: Law, Principles, and Policy (OUP 2011) 209 ff. On another occasion, the Committee defines the relevant standard as an impact on the right to life in an “intentional or otherwise foreseeable and preventable” manner. Human Rights Committee, General Comment No. 36 (2018) on article 6 of the International Covenant on Civil and Political Rights, on the right to life, 30 October 2018, CCPR/C/GC/36, para. 6.
  116. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)information Operations During a Pandemic’ (2020) 11 Journal of National Security Law & Policy 247, 262 (arguing that a State would violate the right to life if it, ‘through a hostile cyber operation, knowingly and intentionally increased the risk that a population would be exposed to infection, or denied them effective treatment’) (emphasis added).
  117. CESCR General Comment No. 14: The Right to the Highest Attainable Standard of Health (Art. 12), para. 33.
  118. See Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)information Operations During a Pandemic’ (2020) 11 Journal of National Security Law & Policy 247, 262 (arguing that ‘[h]ostile cyber operations that disrupt individuals’ access to health care, or more generally a state’s ability to mitigate the effects of a pandemic, would easily run afoul of [the obligation to respect the right to health], which contains no threshold criterion’).
  119. See, eg, Marco Sassòli, International Humanitarian Law: Rules, Controversies, and Solutions to Problems Arising in Warfare (Edward Elgar 2019) 201 (“IHL only governs conduct that has a sufficient nexus to the armed conflict”); Gloria Gaggioli (ed), The Use of Force in Armed Conflicts (ICRC 2013) 4 (“In order to be covered by IHL, the use of force must take place in an armed conflict situation and must have a nexus with the armed conflict.”); Tallinn Manual 2.0, commentary to rule 80, para 5 (“there must be a nexus between the cyber activity in question and the conflict for the law of armed conflict [i.e., IHL] to apply to that activity”).
  120. Prosecutor v Kunarac et al (Appeal Judgement) IT-96-23 & IT-96-23/1-A (12 June 2002) [58]; see also Tallinn Manual 2.0, commentary to rule 80, para 6 (noting a difference of views among the experts: “According to one view, [IHL] governs any cyber activity conducted by a party to an armed conflict against its opponent … By a second view, the cyber activity must have been undertaken in furtherance of the hostilities, that is, in order to contribute to the originator’s military effort.”)
  121. See, in particular, Article 19 First Geneva Convention, Article 18 Fourth Geneva Convention, Article 12 Additional Protocol I, Article 11(1) Additional Protocol I. See also Rule 28 ICRC CIHL Study. On the requirement of recognition and authorization, see Article 12(2) Additional Protocol I. Unauthorized civilian medical units are protected according to the rules on the protection of civilian objects. See ICRC CIHL Study, commentary on rule 28, at 95.
  122. See Articles 8(2)(b)(xxiv) and 8(2)(e)(ii) Rome Statute of the International Criminal Court. See also Article 85(2) Additional Protocol I.
  123. See Article 49 AP I, which defines attacks as “acts of violence against the adversary, whether in offence or in defence”. The Tallinn Manual 2.0 defines a cyber attack for the purposes of IHL as a cyber operation, “that is reasonably expected to cause injury or death to persons or damage or destruction to objects”. (Rule 92)
  124. ICRC Commentary on the APs, para 517. See also ICRC Commentary on GC I, para 1799; Oxford Statement on the International Law Protections Against Cyber Operations Targeting the Health Care Sector (21 May 2020), point 5 (“During armed conflict, international humanitarian law requires that medical units, transport and personnel must be respected and protected at all times. Accordingly, parties to armed conflicts: must not disrupt the functioning of health-care facilities through cyber operations; must take all feasible precautions to avoid incidental harm caused by cyber operations, and; must take all feasible measures to facilitate the functioning of health-care facilities and to prevent their being harmed, including by cyber operations”); Tallinn Manual 2.0, para 5 of the commentary on Rule 131.
  125. See ICRC, “International humanitarian law and the challenges of contemporary armed conflicts” (2015) 43; Tallinn Manual 2.0, commentary to rule 132, para 3; French Ministry of the Armies, “International Law Applied to Operations in Cyberspace” (9 September 2019) 14–15.
  126. Tallinn Manual 2.0, commentary to rule 132, para 3.
  127. Concretely, rules such as the prohibition of attacks against civilians and civilian objects, the prohibition of indiscriminate and disproportionate attacks, and the obligation to take all feasible precautions to avoid or at least reduce incidental harm to civilians and damage to civilian objects when carrying out an attack apply to those operations that qualify as ‘attacks’ as defined in IHL. The notion of attack under IHL, defined in Article 49 of AP I, is different from and should not be confused with the notion of ‘armed attack’ under Article 51 of the UN Charter, which belongs to the realm of the law on the use of force (jus ad bellum). To determine that a specific cyber operation, or a type of cyber operations, amounts to an attack under IHL does not necessarily mean that it would qualify as an armed attack under the UN Charter.
  128. Cordula Droege, “Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians”, (2012) 94(886) International Review of the Red Cross 533, 557; William H. Boothby, The Law of Targeting (OUP 2012) 384; Laurent Gisel, Tilman Rodenhäuser, and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’, (2020) 102(913) International Review of the Red Cross 287, 312.
  129. ICRC, “International humanitarian law and the challenges of contemporary armed conflicts” (2015) 41–42; Tallinn Manual 2.0, rule 92. This view is also held by States including Australia, Australia’s submission on international law to be annexed to the report of the 2021 Group of Governmental Experts on Cyber, at 4; and Switzerland, Switzerland's position paper on the application of international law in cyberspace, Annex UN GGE 2019/2021, at 10.
  130. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 290–291; Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400; Peru, Response Submitted by Peru to the Questionnaire on the Application of International Law in OAS Member States in the Cyber Context (June 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 31.
  131. Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400.
  132. Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (28 May 2021) 7.
  133. New Zealand, The Application of International Law to State Activity in Cyberspace (1 December 2020), para 25.
  134. Guatemala as cited in OAS, ‘Improving Transparency: International Law and State Cyber Operations: Fifth Report’, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 32.
  135. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019), 13.
  136. Germany, On the Application of International Law in Cyberspace Position Paper (March 2021) 9.
  137. Ecuador, Verbal Note 4-2 186/2019 from the Permanent Mission of Ecuador to the OAS (28 June 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 32.
  138. Bolivia, Note from the Plurilateral State of Bolivia, Ministry of Foreign Affairs, OAS Permanent Mission to the OAS Inter-American Juridical Committee, MPB-OEA-NV104-19 (17 July 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 33.
  139. ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper (November 2019) 7–8.
  140. ICRC, International humanitarian law and the challenges of contemporary armed conflicts (2015) 41.
  141. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 677 (when discussing computer network attacks); Finland, International law and cyberspace: Finland’s national positions (2020) 7; New Zealand, Manual of Armed Forces Law (2nd edn, 2017) vol 4, para 8.10.22; Norway, Manual i krigens folkerett (2013) para 9.54; Switzerland, “Switzerland’s position paper on the application of international law in cyberspace: Annex UN GGE 2019/2021” (27 May 2021) 10; United States, “United States Submission to the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (2014–15)”, at 6, and from a practical perspective Joint Publication 3-12 (R) ‘Cyberspace operations’ (5 February 2013), at IV-4.
  142. ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper (November 2019) 7. Israel has further argued that an operation may amount to an attack if ‘a cyber operation is intended to shut down electricity in a military airfield, and as a result is expected to cause the crash of a military aircraft—that operation may constitute an attack’. Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400.
  143. Article 8(2)(b)(xxiv) Rome Statute of the International Criminal Court.
  144. Tallinn Manual 2.0, Rule 92.
  145. See Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion) (1996) ICJ Rep 226, para 25; Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories (Advisory Opinion) (2004) ICJ Rep 136, para 106; see also Human Rights Committee, General Comment No. 31: Nature of the General Legal Obligation on States Parties to the Covenant, UN Doc. CCPR/C/21/Rev.1/Add. 13, 26 May 2004, para. 11; General Comment No. 35 – Article 9: Liberty and Security of person, UN Doc. CCPR/C/GC/35, 16 December 2014, para. 64; General Comment No. 36 – Article 6: Right to life, UN Doc. CCPR/C/GC/36, 3 September 2019, para. 64; but see e.g. M. J. Dennis, ‘Application of Human Rights Treaties Extraterritorially in Times of Armed Conflict and Military Occupation’ (2005) 99 American Journal of International Law 119.
  146. See generally René Provost, International Human Rights and Humanitarian Law (CUP 2002); Cordula Droege, ‘Elective Affinities? Human Rights and Humanitarian Law’ (2008) 90 IRRC 501; Iain Scobbie, ‘Principle or Pragmatics? The Relationship between Human Rights Law and the Laws of Armed Conflict’ (2009) 14 JCSL 449; Orna Ben-Naftali (ed), International Humanitarian Law and International Human Rights Law (OUP 2011); Daniel Bethlehem, ‘The Relationship between International Humanitarian Law and International Human Rights Law in Situations of Armed Conflict’ (2013) 2 Cambridge J Int’l & Comp L 180; Andrew Clapham, ‘The Complex Relationship Between the Geneva Conventions and International Human Rights Law’ in Andrew Clapham, Paola Gaeta, and Marco Sassòli (eds), The 1949 Geneva Conventions: A Commentary (OUP 2015); Marco Sassòli, International Humanitarian Law: Rules, Controversies, and Solutions to Problems Arising in Warfare (Edward Elgar 2019) 423–443.

4.3 Bibliography and further reading

4.4 Contributions