Scenario 22: Cyber methods of warfare

From International cyber law: interactive toolkit

Two States are involved in an international armed conflict. One State uses its cyber capabilities against the other in two distinct operations. This scenario explores the concept of methods of warfare in international humanitarian law (IHL). In doing so, it distinguishes methods of warfare from means of warfare and weapons generally and in the context of cyber operations specifically. The analysis in this scenario also briefly addresses whether cyber capabilities can ever be considered means of warfare or weapons under IHL or must always be regarded as methods of warfare.

1 Scenario

1.1 Keywords

Article 36, cyber weapons, distributed denial of service, indiscriminate attack, international humanitarian law, malware, means and methods of warfare, weapons review

1.2 Facts

[F1] State A launched a Distributed Denial of Service (DDoS) operation against the computer infrastructure of the Emergency Services Sector (ESS) in State B (incident 1). The ESS, an essential element of civilian critical infrastructure, provides a wide range of prevention, preparedness, response, and recovery services. The ESS includes geographically distributed facilities, equipment, and organizations that rely heavily upon its networks, servers, and other cyber infrastructure. To facilitate the DDoS operation, the cyber team from State A remotely controlled thousands of compromised computers inside and outside State B to conduct the coordinated DDoS attack. In doing so, they flooded the ESS networks and servers with repeated waves of significant internet traffic. The targeted cyber infrastructure became overwhelmed, shutting down or slowing the networks and servers to the point that their use was significantly impeded or degraded. The DDoS attack caused delay and inconvenience and permanently damaged approximately one-third of the targeted computer systems of the ESS, thereby causing degraded emergency responses throughout State B. Moreover, this incident resulted in significant loss of life and property damage across State B.

[F2] State A then launched another cyber operation against its adversary’s integrated air defense system, including some surface-to-air missiles (incident 2). This cyber operation involved two aspects. First, the attackers hacked into computer networks supporting State B’s air-defense system and fed State B with a false sky picture that then enabled State A’s air force to bomb various sites without risk to its forces because State B’s air-defense system did not report State A’s infiltration. In the second phase of the cyber operation, the attacking cyber team inserted malware directly into the air defense missiles. This malware interfered with the ignition and control systems of the surface-to-air missiles, causing some to explode on the launchpads immediately after ignition and others, when launched, to go wildly off target. Some of the errant missiles hit civilian population centers in State B, causing death and destruction.

[F3] State A is not a Party to Additional Protocol I.[1]

1.3 Examples

2 Legal analysis

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The legal analysis first distinguishes the concepts of means and methods under IHL in the context of cyber warfare and then applies the concepts to the facts of the scenario focusing on methods of warfare.

2.1 Means and methods of cyber warfare

International humanitarian law (IHL) regulates the conduct of hostilities through principles and rules concerning weapons, means, and methods of warfare.[2] A bedrock principle of modern IHL is that the right of the parties to the conflict to choose methods and means of warfare is not unlimited.[3] This principle reflects customary international law and is one of the most widely recognized and accepted principles in IHL.[4] It binds all States and other parties in both international and non-international armed conflicts.[5] Central to understanding and applying this principle and the rules that operationalize it are the terms weapons, means, and methods of warfare. As a threshold matter, it is crucial to recognize that, despite these terms’ foundational nature in IHL, divergent views and approaches exist concerning their definitions in treaties, State regulations, and unofficial publications.[6]

Methods of warfare are tactics or strategies to weaken the enemy or gain an advantage during military operations, while means of warfare refer to the weapons or devices used in combat.[7] For instance, the use of ruses in armed conflicts is a lawful and commonly accepted method of warfare. Ruses include using decoys or dummy materials, feigning activity or inactivity, and using camouflage, among many other tactics and techniques.[8] Human shields, misuse of protected emblems, or perfidy are examples of methods of warfare that are prohibited.

By contrast, means of warfare include weapons or devices such as machine guns, tanks, airplanes, submarines, missiles, drones, rifles, and many others.[9] A weapon is “generally understood as that aspect of the system used to cause damage or destruction to objects or injury or death to persons,” and characterizes both weapons and weapon systems as means of warfare.[10] Various rules of IHL operationalize the terms weapons, methods, and means. These include, but are not limited to, the weapons review requirement and process,[11] the prohibition on unnecessary suffering,[12] precautions in the attack,[13] and the law of neutrality.[14]

Tallinn Manual 2.0 outlines a definitional framework for the terms means and methods of warfare in the cyber context. According to the Manual, “[c]yber means of warfare” includes both cyber weapons and related systems and includes cyber devices, material, instrument, mechanisms, equipment, or software used, designed, or intended to be used to conduct a cyber-attack.[15] Cyber weapons are means of warfare used, designed, or intended to cause injury to, or death of, persons or damage to, or destruction of, objects.[16] Finally, Tallinn Manual 2.0 states that “methods of cyber warfare are the cyber tactics, techniques, and procedures by which hostilities are conducted”.[17] Hacking, phishing, distributed denial of service, and the use of so-called honeypots and watering holes are typical examples of methods of cyber warfare.[18]

Publicly available national positions that address this issue include: National position of France (2019), National position of Germany (2021), National position of Switzerland (2021).

[L2] Regarding the DDoS operation against the ESS cyber infrastructure in State B (incident 1), the cyber means of warfare is the large botnet of computers. This botnet is the device or instrumentality used to conduct the attack. It is an Internet-connected system of computers being commanded by one party to an armed conflict to cause damage or destruction to objects or injury or death to another party. That is the very essence of a means or weapon under IHL. By contrast, the distributed denial of service attack against State B is the method of cyber warfare. That is how the operation is being carried out. A distributed denial of service is a well-known method of cyber warfare.[19] In this instance, it is devastatingly effective against the cyber infrastructure of the ESS, causing delay in the provision of emergency services and permanently damaging a significant number of computers in the ESS system.

[L3] Concerning the cyber operation against the integrated air defense system and missiles in State B (incident 2), the means of warfare is the malware implanted in the system and missiles and designed to damage or disrupt the function of the air defense system and missiles. State A also used three distinct methods of warfare in the operation. The first involves the ruse that misleads the air defenders with a false sky picture.[20] Under IHL, a ruse is a lawful method of warfare involving deceit employed in a military operation for the purpose of misleading the enemy. Ruses are intended to confuse an adversary, induce them to act recklessly, or make a mistake.[21] In this incident, creating a false sky picture is a method of warfare intended to confuse and mislead State B’s air defenders to facilitate a successful attack. The second method of warfare in the operation involved targeting the ignition systems of some missiles causing them to explode on the pads when their engines were ignited for launch. The third method involved the use of malware on the control system of other missiles resulting in those missiles firing off target.

[L4] For practitioners, an important consideration under IHL is the legal review of the cyber weapons, means and methods of warfare used for an operation.[22] For States that are a Party to Additional Protocol I, the mechanism for such a review can be found in Article 36 of Additional Protocol I. That provision provides: “In the study, development, acquisition or adoption of a new weapon, means or method of warfare, a High Contracting Party is under an obligation to determine whether its employment would, in some or all circumstances, be prohibited by this Protocol or by any other rule of international law applicable to the High Contracting Party.”[23] Article 36 does not specify how the legality of weapons, means and methods of warfare is to be reviewed. Accordingly, States have discretion in terms of how and when they conduct legal reviews.[24] For example, legal reviews may occur at multiple points during the acquisition or development process.[25] The reviews should consider, among other things, whether the weapon, means or method of warfare is by nature indiscriminate or causes superfluous injury or unnecessary suffering as well as violates any provision of a treaty or customary international law.[26] In terms of methods specifically, the legal review would consider how operations are conducted, i.e., the various tactics, techniques, and procedures for employing categories of cyber capabilities. Of note, IHL does not mandate a specific taxonomy or format for reviews of methods of warfare.[27] Importantly, even if a method of warfare passed the legal review, it could still be used in a manner that violates IHL. In other words, the normal or expected use of the method may be assessed as consistent with IHL, but in a specific operation, it could be misused in a way that would be prohibited under IHL.[28]

[L5] It is a matter of dispute whether the Article 36 obligation reflects customary international law.[29] The International Group of Experts responsible for drafting the Tallinn Manual 2.0 were divided on this issue. As specified in Rule 110 of the Tallinn Manual 2.0, the Experts did agree that “[a]ll States are required to ensure that the cyber means of warfare that they acquire or use comply with the rules of the law of armed conflict that binds them.”[30] In terms of methods of warfare specifically, the Experts disagreed as to the extent of the obligation. As noted in the commentary to Rule 110, “[t]he International Group of Experts was split over whether the obligation extends to methods of warfare. Some argued that it does, whereas others suggested that, although methods of warfare must comply with the law of armed conflict generally, there is no affirmative duty to take the specific steps of conduct a formal legal review to ensure such compliance.”[31] Under the facts in the above scenario, State A is not bound by Article 36. Given the ambiguity regarding the existence of the Article 36 obligation as a matter of customary international law, it is not necessary for State A to perform one.

[L6] Notwithstanding the above regarding the requirement for a legal review under Article 36, the facts in this scenario show that some of State A’s methods of cyber warfare complied with IHL, while others did not. More specifically, using cyber methods to create a false sky picture and trick the air defenders is permissible as a ruse under IHL.[32] Likewise, using the malware to destroy the surface-to-air missile on the launch pads is a lawful method of attack against a military objective.[33] What is prohibited under IHL is targeting the civilian population with the DDoS attack.[34] By disrupting, delaying, and damaging the ESS, the civilian population is being attacked. Similarly, the use of malware against the control systems creates an indiscriminate attack in violation of IHL.[35] That is, the use of this malware would be of a nature to cause strikes against military objectives and civilians or civilian objects without distinction in that the control system no longer functioned properly. It is reasonable to conclude that was a foreseeable consequence of employing the malware against the surface-to-air missiles’ control systems. And, that is precisely what happened as some missiles went wildly off-target, hitting civilian population centers, causing death and destruction. Additionally, it is important to consider the principle of proportionality, which includes the reasonably foreseeable reverberating effects of such actions.[36]

[L7] Some scholars have posited that cyber capabilities should not be categorized as weapons or means of warfare at all. Rather, advocates of this position argue that cyber capabilities may only qualify as a method of warfare. Those who advocate this novel approach contend that means of warfare have common characteristics, including a direct causal connection between a given means of warfare and physical damage to objects, the permanent loss of functionality of an object, or injury to persons. Computer code and its related cyber infrastructure only indirectly cause physical damage to objects, the permanent loss of functionality of an object, or injury to persons by instructing the targeted system to act. The computer code is but communication to that system instructing it to undertake a harmful action, function in an unintended manner, or cease to function. As such, on this view, it cannot logically be considered a means of warfare.[37]

[L8] Considering incident 1 through the lens of the novel approach, the botnet of computers and the related software controlling it would not be considered a weapon or means of warfare. The reason is that there is not a direct causal connection between the botnet and the damage and delay to the ESS computers and networks. Instead, it is just communicating with the ESS causing the harmful effects. Under this position, the botnet and the distributed denial of service operation could be thought of as being part of the same method of warfare as both are part of the cyber tactics, techniques, and procedures by which the devastating operation was carried out against the ESS. An Article 36 legal review of a method of warfare is required only if the State is either a party to Additional Protocol I or the requirement is customary.[38] Since State A is not a Party to Additional Protocol I and it is debatable whether the requirement is customary, State A may arguably conduct the operation without a formal legal review. It is important to reiterate, however, that even though State A may not be required to do a formal legal review, it does not relieve them of their general duty of compliance with IHL. A similar analysis can be drawn from incident 2. That is, the malware implanted in the system and missiles would not be characterized as a weapon or means of warfare, but rather as part of the methods of warfare used in the operation. Again, even if a formal legal review is not required, State A is still obligated to comply with IHL principles and rules.

[L9] For States that are not a party to Additional Protocol I, like State A, the novel approach advocated by some scholars may have some appeal because it may seem to be a way to account for and adjust to the speed of cyber and other vagaries of such operations unencumbered by formal legal reviews. Practically speaking, whether a State is a Party to Additional Protocol I or not, reviewing cyber means or methods may necessitate adjusting the review process to account not only for the speed of the operation and the need to adjust in “real time”, but also for difficulties in obtaining sufficient and reliable information on which to base the legal review. Additionally, many cyber capabilities are developed to achieve a specialized objective and consist of features intended to take advantage of unique vulnerabilities in the targeted cyber infrastructure. Accordingly, they are tailored for each mission and are either non-reusable or require significant alteration with each use. One common-sense adjustment to the review process may involve having a legal advisor at an appropriate operational level to conduct the review to be able to provide timely advice to commanders and operators on the methods they are employing.

3 Checklist

  • Is there an ongoing international armed conflict?
  • Is the State in question a party to Additional Protocol I?
  • Are the cyber capabilities being used as weapons or means of warfare under IHL?
  • If so, are there any limitations or restrictions on the cyber weapons or means?
  • Are the cyber capabilities being used as methods of warfare under IHL?
  • If so, are there any limitations or restrictions on the cyber method?
  • Is a review under Article 36 of Additional Protocol I required?

4 Appendixes

4.1 See also

4.2 Notes and references

  1. Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts [AP I] (adopted 8 June 1977, entered into force 7 December 1978) 1125 UNTS 3.
  2. See ICRC CIHL Study, vol I, parts III–IV; see also United States, FM 6-27, MCTP 11-10C, The Commander’s Handbook on the Law of Land Warfare (August 2019) 2-1.
  3. See Article 22 Hague Regulations; Article 35 AP I.
  4. See UN GA, Resolution 2444 (1968), UN Doc A/7218 (adopted unanimously), para. 1(a); ICTY, Prosecutor v Tadić, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, Appeals Chamber, Case No. IT-94-1, 2 October 1995, paras. 110 and 112 (holding that principles enshrined in Resolution 2444 reflected customary international law at the time); Nuclear Weapons Advisory Opinion, paras. 78–79 (affirming that the principle that ‘States do not have unlimited freedom of choice of means in the weapons they use’ is one of ‘intransgressible principles of international customary law’); San Remo Manual, Rule 38 (‘In any armed conflict the right of the parties to the conflict to choose methods or means of warfare is not unlimited.’); AMW Manual, Rule 4 (‘The fundamental principle is that, in any armed conflict, the right of the Belligerent Parties to choose methods or means of warfare is not unlimited.’).
  5. See William H Boothby, The Law of Targeting (OUP 2012) 58.
  6. See Jeffrey T Biller and Michael N Schmitt, ‘Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare’ (2019) 95 Int’l L Stud 179, 202.
  7. See Geoffrey S Corn and others, The Law of Armed Conflict: An Operational Approach (2nd ed., Wolters Kluwer 2019) 288. See also United States, FM 6-27, MCTP 11-10C, The Commander’s Handbook on the Law of Land Warfare (August 2019) 2-1.
  8. See Gary D Solis, The Law of Armed Conflict: International Humanitarian Law in War (2nd ed., CUP 2016) 464-467.
  9. Dave Wallace and Shane R Reeves, ‘Modern Weapons and the Law of Armed Conflict’ in Geoffrey S Corn, Rachel E VanLandingham, and Shane R. Reeves (eds), U.S. Military Operations: Law, Policy, and Practice (OUP 2016) 41.
  10. See Tallinn Manual 2.0, commentary to rule 103.
  11. Article 36 AP I.
  12. Article 23 (e) Hague Regulations; Art. 35(2) AP I.
  13. Article 57 AP I.
  14. See Hague Conventions V and XIII.
  15. Tallinn Manual 2.0, commentary to rule 103.
  16. Tallinn Manual 2.0, commentary to rule 103.
  17. Tallinn Manual 2.0, rule 103.
  18. See Jeffrey T Biller and Michael N Schmitt, ‘Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare’ (2019) 95 Int’l L Stud 179, 219.
  19. See Jeffrey T Biller and Michael N Schmitt, ‘Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare’ (2019) 95 Int’l L Stud 179, 219.
  20. Article 37(2), AP I.
  21. See Gary D Solis, The Law of Armed Conflict: International Humanitarian Law in War (2nd ed., CUP 2016) 464.
  22. See generally, ICRC, A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977 (Kathleen Lawand ed.) (ICRC 2006).
  23. Article 36 AP I.
  24. It is important to note that States are only required to review the legality of weapons in light of the broad and general circumstances in which the weapon is intended for use, as opposed to a particular use of a weapon – the latter is governed by targeting law.
  25. Dave Wallace and Shane R Reeves, ‘Modern Weapons and the Law of Armed Conflict’ in Geoffrey S Corn, Rachel E. VanLandingham, and Shane R Reeves (eds), U.S. Military Operations: Law, Policy, and Practice (OUP 2016) 62.
  26. See Tallinn Manual 2.0, commentary to rule 110.
  27. See Jeffrey T Biller and Michael N Schmitt, ‘Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare’ (2019) 95 Int’l L Stud 179, 221.
  28. Cf. ICRC, A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977 (Kathleen Lawand ed.) (ICRC 2006) 10; Yves Sandoz, Christophe Swinarski, and Bruno Zimmermann (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (ICRC 1987) para 1469.
  29. See Tallinn Manual 2.0, commentary to rule 110. On the general international law requirement to systematically assess the legality of new cyber weapons, means, and methods of warfare, see Legal review of cyber weapons (footnotes omitted): ‘The requirement that the legality of all new weapons, means and methods of warfare be systematically assessed is arguably one that applies to all States. It flows logically from the truism that States are prohibited from using illegal weapons, means and methods of warfare or from using weapons, means and methods of warfare in an illegal manner. It is also widely considered, including by the ICRC, that a requirement to carry out legal reviews of new weapons, means and methods of warfare also flows from the obligation to ensure respect for IHL.’
  30. See Tallinn Manual 2.0, rule 110. This rule is based upon a general duty of IHL as reflected in Article 1 of the 1907 Hague Convention IV and Common Article 1 of the 1949 Geneva Conventions.
  31. See Tallinn Manual 2.0, commentary to rule 110.
  32. Article 37(2), AP I.
  33. Article 52(2), AP I.
  34. Article 51, AP I.
  35. Article 51(4)(b), AP I.
  36. See Article 51 AP I. See also Article 57 AP I.
  37. See Jeffrey T Biller and Michael N Schmitt, ‘Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare’ (2019) 95 Int’l L Stud 179, 219.
  38. See Jeffrey T Biller and Michael N Schmitt, ‘Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare’ (2019) 95 Int’l L Stud 179, 221.

4.3 Bibliography and further reading

4.4 Contributions
