Scenario 28: Extraterritorial incidental civilian cyber harm

From International cyber law: interactive toolkit

State A, involved in an international armed conflict against State B, designs a cyber operation aimed at damaging State B’s military command and control system. The operation might also incidentally impact one university in State B and many universities located in State C, not party to the armed conflict. This scenario analyses whether and how to apply the international humanitarian law principle of proportionality to this operation. In doing so, it also examines the application of the principle of proportionality and the law of neutrality to attacks expected to cause incidental civilian harm in a neutral non-belligerent State.

Scenario

Keywords

Attack (international humanitarian law), conduct of hostilities, international humanitarian law, military objectives, neutrality, proportionality.

Facts

[F1] State A and State B are in an international armed conflict against each other. State C is not party to that conflict. Using a zero-day software vulnerability, cyber operators who are members of State A’s armed forces plan to conduct a cyber operation that is expected to damage beyond repair computer consoles that are essential to the functioning of a command and control (C2) system critical to State B’s ability to synchronize combat operations.

[F2] The operators design bespoke malware with a self-spreading capability in order to reach the C2 system. They know the vulnerability is not unique to the military consoles and they therefore incorporate a restriction into the malware, which is designed to prevent it from activating in any non-target systems.

[F3] Nevertheless, they reasonably expect a moderate likelihood that the malware will spread outside the original target anyway and, if that does happen, that it will result in the same effects on a civilian computer console in State B and a large number of civilian consoles in State C, which all rely on the same software. State A assesses that the damage to civilian infrastructure would result in significant financial loss and other minor disruptions of civilian life due to loss of connectivity.

[F4] Taking all of these considerations into account, State A decides to launch the operation.

Examples

Legal analysis

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] This scenario analyses whether and how to apply the principle of proportionality under international humanitarian law to a cyber operation that is expected to cause incidental civilian harm in both a State that is a party to an international armed conflict and in a neutral non-belligerent State. In doing so, it assesses whether the principle of proportionality prohibits the operation. Separate from that assessment, this scenario also assesses whether the operation is prohibited under the law of neutrality.[1]

Applicability of international humanitarian law

[L2] In situations of armed conflicts, all acts of the parties with a sufficient nexus to the conflict are governed by IHL[2], including any cyber operations.[3] Views differ, however, on when this standard is met. For example, some Tallinn Manual experts considered it sufficient for an operation to originate from one party to an armed conflict and be directed against its opponent, whereas other experts took the position that the act must be conducted in furtherance of the hostilities.[4] State A’s planned cyber operation against State B’s C2 system meets both threshold tests and, therefore, the operation is subject to the principles and rules of IHL.

Attack

The notion of ‘attack’ under international humanitarian law
The question of whether an operation amounts to an ‘attack’ as defined in international humanitarian law (IHL) is essential for the application of many of the rules deriving from the principles of distinction, proportionality and precaution. While some IHL rules impose limits on any military (cyber) operation, the rules specifically applicable to ‘attacks’ afford significant protection to civilians and civilian objects in times of armed conflict.[5]

Article 49 of Additional Protocol I defines ‘attacks’ as ‘acts of violence against the adversary, whether in offence or in defence’. Viewed as ‘combat action’,[6] they are understood to denote violence directed against military forces of an opposing party.[7] Arguments that a subjective element of purpose or motive to cause harm is inherent in the notion of attack[8] have not found wide support.[9]

The notion of violence in this definition can refer to either the means of warfare or their effects, meaning that an operation causing violent effects can qualify as an attack even if the means used to bring about those effects are not violent as such.[10] Accordingly, it is widely accepted that cyber operations that can be reasonably expected to cause injury or death to persons or damage or destruction to objects constitute attacks under IHL.[11]

There has been limited discussion over the contours of the reasonable foreseeability of harm standard for the purposes of defining attacks.[12] In the assessment of what constitutes the ‘reasonably expected’ effects of an operation that have to be considered, some States, including Denmark, Finland, New Zealand, Norway, Switzerland, or the United States, have clarified that this includes harm due to the foreseeable direct and indirect (or reverberating) effects of an attack.[13] An indirect or reverberating effect would include, for example, the death of patients in intensive-care units caused by a cyber operation on an electricity network that results in cutting off a hospital’s electricity supply – a view shared by the ICRC.[14] Care must be exercised in considering the extent to which understandings of reasonable foreseeability for the purposes of other rules of IHL can be deemed relevant in the interpretation of ‘attack’.

At present, different views exist on the interpretation of what constitutes ‘damage’ for assessing whether an operation amounts to an ‘attack’. One view, taken by some States including Denmark, Israel, and Peru, is that only physical damage is relevant in the assessment of what constitutes an attack under IHL.[15] Other States have interpreted the notion of ‘attack’ more widely. States including Bolivia, Ecuador, France, Germany, Guatemala, Japan, and New Zealand consider that cyber operations may qualify as an ‘attack’ without causing physical damage if they disable the functionality of the target.[16] For its part, the ICRC interprets the notion of ‘attack’ as including a loss of functionality. In its view, ‘an operation designed to disable a computer or a computer network constitutes an attack under IHL, whether the object is disabled through kinetic or cyber means’.[17]

Publicly available national positions that address this issue include: National position of Australia (2020), National position of Brazil (2021), National position of Canada (2022), National position of Costa Rica (2023), National position of Denmark (2023), National position of France (2019), National position of Germany (2021), National position of Ireland (2023), National position of Israel (2020), National position of the Italian Republic (2021), National position of Japan (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of Pakistan (2023), National position of the Kingdom of Sweden (2022), National position of Switzerland (2021), National position of the United Kingdom (2021), National position of the United States of America (2016), National position of the United States of America (2021).

[L3] State A reasonably expects that its cyber operation will cause damage to computer consoles that are essential to the functioning of State B’s military command and control (C2) system and will have the same effects on civilian consoles. Whilst different views exist as to whether the ‘damage’ must result in physical damage as opposed to loss of functionality for the operation to qualify as an ‘attack’ under IHL, in this scenario the loss of functionality is expected to be irreparable, meaning that the affected computer consoles would need to be physically replaced. Following the approach of the majority of the Tallinn Manual experts, the planned cyber operation would constitute an ‘attack’ under IHL.[18] Under this conclusion, State A’s cyber operation is subject to the rules specifically applicable to ‘attacks’.

Military objective

Military objectives
The principle of distinction, one of the foundational precepts of IHL, requires that the parties to an armed conflict must at all times distinguish between civilian objects and military objectives and may, accordingly, only direct their operations against military objectives.[19] The customary definition of military objectives is found in Article 52(2) of Additional Protocol I:

In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.

Thus, to qualify as a military objective, an object must cumulatively meet the two criteria set forth in the abovementioned rule, which must be determined on a case-by-case basis.[20] In case of doubt as to whether an object that is normally dedicated to civilian purposes is being used to make an effective contribution to military action, it must be presumed to remain protected as a civilian object.[21]

The formal scope of application of the Protocol is limited to international armed conflicts (IACs).[22] However, an identical definition of military objectives is found in treaties applicable in non-international armed conflicts (NIACs).[23] Moreover, certain non-party States to the Protocol accept the customary nature of the definition.[24] Accordingly, the ICRC has characterized the definition of military objectives as a norm of customary international humanitarian law applicable in both IACs and NIACs.[25]

Relevant rules of IHL apply to kinetic operations as well as to cyber operations.[26] However, the application of those rules in specific circumstances may pose novel challenges. This is because the rules governing targeting developed with physical operations in mind, and it is not always clear what their application to cyber operations entails.[27] For example, there is some disagreement on what types of acts amount to “attacks”[28] in the context of cyber operations, in particular when the operation in question is limited to the manipulation of data.[29] Nevertheless, even those operations that might not qualify as “attacks” under IHL may still only be directed against military objectives, as required by the principle of distinction.[30] Further, due to the interconnectedness of civilian and military networks as well as in-built redundancies, it may be challenging to apply the definition of military objectives to those parts of cyber infrastructure that simultaneously serve civilian and military purposes (also referred to as “dual-use objects”).[31]

Publicly available national positions that address this issue include: National position of Costa Rica (2023), National position of France (2019), National position of Germany (2021), National position of the United States of America (2012).

[L4] Having assessed that the cyber operation qualifies as an ‘attack’ under IHL, it is necessary to assess if the targeted C2 system qualifies as a military objective. As the name indicates, a C2 system is used to direct and guide a party’s own military forces in the accomplishment of their mission. It follows that it is reasonable to conclude that the nature of the system provides an effective contribution to the military action of State B, thereby fulfilling the first part of the definition.[32] It is also reasonable to conclude that the C2 system’s total or partial destruction would, in the circumstances ruling at the time, offer a definite military advantage to the other party to the conflict, as it would hamper State B’s ability to carry out military operations against State A.[33] The C2 system thereby qualifies as a military objective.

Proportionality

The principle of proportionality prohibits attacks ‘which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated’.[34] The principle of proportionality is codified in Articles 51(5)(b) and 57(2)(a)(iii)(b) of the 1977 Additional Protocol I and reflects customary international law.[35] The nature of the principle makes it relevant only to attacks directed at military objectives or persons who are lawful targets, where incidental civilian loss of life, injury, damage to civilian objects, or a combination thereof, is expected. These three types of harms are commonly referred to as ‘incidental civilian harm’.[36]

The principle of proportionality is ex ante in nature, as it demands a balancing of the expected civilian harm and the anticipated military advantage. A proportionality assessment must therefore be made in advance of an attack and cannot be judged based on hindsight. The assessment must be made on the basis of a ‘reasonable military commander’s’ assessment of the information which is reasonably available from all sources at the relevant time.[37] The decision must be made in good faith.[38]

The ICRC has expressed the view that all direct and indirect incidental civilian harm that is foreseeably caused by the attack must be taken into consideration in the proportionality assessment.[39] Direct harm relates to consequences that are directly and immediately caused by a cyber attack. All other harms are considered indirect harms; sometimes referred to as the ‘reverberating’ effects of an attack.[40] For example, if it is reasonably expected that a cyber attack against a power grid will cause deaths in a hospital emergency ward due to a lack of power, those deaths must be part of the proportionality assessment. While one military manual claims the assessment of incidental civilian harm is generally understood to be limited to immediate or direct harm,[41] most of them do not limit the assessment in this way and a number of manuals and other relevant official State documents expressly require the consideration of indirect effects.[42]

When considering what constitutes ‘damage’ to civilian objects, some have argued that the damage does not have to be physical, but may include loss or deprivation of functionality.[43] However, Tallinn Manual experts agreed that damage must go beyond inconvenience, irritation, stress, or fear since these consequences do not amount to incidental loss of civilian life, injury to civilians, or damage to civilian objects.[44] Finally, when different types of incidental civilian harm are anticipated, the harms must be assessed in combination, and not in isolation of each other.[45]

The ‘concrete and direct’ military advantage that is assessed is that which is ‘substantial and relatively close’.[46] Conversely, ‘advantages which are hardly perceptible and those which would only appear in the long term should be disregarded’.[47] Among others, the expected military advantage to be assessed cannot be merely speculative.[48] Additionally, advantages that are solely political, psychological, economic, financial, social, or moral in nature do not constitute ‘military advantage’ under the principle of proportionality.[49] When ratifying Additional Protocol I, a number of States explained that they consider the military advantage from an attack to refer to the ‘advantage anticipated from the attack as a whole and not only from isolated or particular parts of an attack’.[50]

When assessing whether the incidental civilian harm will be excessive to the attack’s anticipated concrete and direct military advantage, determining ‘excessiveness’ entails a subjective assessment that allows for a ‘fairly broad margin of judgement’.[51] At the same time, the determination of excessiveness also has an objective element since it ‘must be based on that of the “reasonable commander”’.[52]

Publicly available national positions that address this issue include: Common position of the African Union (2024), National position of Costa Rica (2023).

[L5] State A’s planned cyber operation constitutes an attack under IHL (see para. L3) and the attack is directed at a military objective (see para. L4).[53] The question then turns to whether State A’s operation is expected to result in incidental civilian loss of life or injury, or damage to civilian objects. If so, the principle of proportionality applies and the total sum of that expected incidental civilian harm must be measured against the concrete and direct military advantage anticipated to be gained from the attack.

[L6] The expected irreparable harm to a civilian computer console in State B, meaning that the console would need to be physically replaced, qualifies as damage to a civilian object. This reflects the majority view of the Tallinn Manual experts.[54] The significant financial expenses and other disruptions of civilian life due to loss of connectivity negatively affect civilians. However, the facts do not indicate that any of them would directly or indirectly result in loss of civilian life, civilian injury, or damage (physical or otherwise) to civilian objects.[55] The sum of civilian harm in State B would therefore be limited to the damaged console. As discussed below (para. L10), the financial losses and other civilian disruptions may however be factors when weighing whether the damage to the console is expected to be excessive.

[L7] With regard to the anticipated effects that State A’s cyber attack will cause in State C, it is unclear how a State must consider the incidental civilian harm expected to occur beyond belligerent territories, in this case State C, when assessing the principle of proportionality. Two possible approaches to this issue may be identified.

[L8] Under the first approach, the only incidental civilian harm to be taken into account is that which is expected to occur in State B. This is because, notwithstanding views to the contrary provided below (see paras L9–L10), the geographical scope of most IHL rules is traditionally thought to be limited to the territory of the States parties to the armed conflict.[56] This approach serves several functions, including safeguarding against importing into neutral States principles and rules of IHL, in particular the principle of proportionality, that tolerate some degree of incidental civilian harm. (For other safeguards that mediate this concern, see the section on Neutrality below.)

[L9] The second approach is to place no geographic limitations when assessing the incidental civilian harm, thereby requiring all foreseeable incidental civilian harm in States B and C to be assessed under the principle of proportionality. Indeed, the geographical scope of IHL encompasses State A’s operation, to which the rule of proportionality therefore applies, and that rule does not spell out a geographic limit to the incidental civilian effects to be considered.[57] This approach appears to have stronger support than the first, with some States and academics arguing that the principle of proportionality can be violated when incidental civilian harm occurs in a neutral State.[58] Others have more specifically argued that the rules of IHL apply to attacks with effects in non-belligerent States as long as the attack has a nexus to an armed conflict.[59] This approach finds further support in commentaries that indicate that IHL’s prohibition against excessive incidental harm to the environment must take into account the harm expected to occur both inside and outside belligerent territory.[60]

[L10] In the present case, the harm expected to be caused in State C is directly associated with the international armed conflict between State A and State B. The expected effects therefore have a nexus to the conflict and, as such, the attack falls within the geographical scope of IHL. Damage to the computer consoles in States B and C would therefore constitute the total sum of expected harm. While the significant financial losses and other disruptions do not per se constitute damage to civilian objects, which might lead some to hold the view that they do not need to be considered, they have to be considered when determining the weight given to the objects expected to be damaged for the purpose of assessing excessiveness, a view shared by the ICRC.[61] This approach thereby results in an assessment that may be different than for operations damaging civilian consoles with less disruptive effects.

[L11] The total amount of harm expected by the damaging of one console in State B and a large number of consoles in State C then needs to be weighed against the direct and concrete military advantage anticipated to be gained from State A’s attack on State B’s C2 system.

[L12] Having assessed the expected incidental civilian harm and the concrete and direct military advantage anticipated, it is necessary to determine whether the harm would be excessive. In making this assessment it is reasonable to assume that State A would benefit significantly from the cyber attack given that the system is considered critical to State B’s ability to synchronize combat operations (para. F1). While a definite conclusion could only be drawn based on more detailed factual circumstances, on the basis of the limited guidance on the notion of excessiveness found in military manuals and case law[62] it may be argued that the expected irreparable damage to a large number of civilian consoles would not be excessive when compared to the concrete and direct military advantage anticipated, and that the attack is therefore not prohibited under the principle of proportionality. Ultimately, however, the answer will have to be measured against the standard of how a reasonable military commander would apply the principle of proportionality based on the circumstances ruling at the time of the attack.

[L13] While this scenario assumes that the cyber attack sufficiently complies with the obligation under IHL to take all feasible precautions in the choice of means or methods of attack with the view of avoiding or at least minimizing the incidental loss of civilian life, injury to civilians, and damage to civilian objects (para. L1, footnote [1]), it should be recalled that the obligation to take such precautions must be complied with even if an attack is not prohibited under proportionality.

Neutrality

The law of neutrality is a separate but complementary legal regime to international humanitarian law. It regulates relations between States which are parties to an international armed conflict (IAC) and States which are not parties to the conflict (neutral Powers). Several States have affirmed the application of the law of neutrality to cyber operations and shared their views on how it applies.[63] Transposing the rule of inviolability of the neutral Power’s territory to the cyber context, several States consider that parties to the conflict are prohibited from directing cyber operations against and from cyber infrastructure located in the territory, and under the exclusive control of, neutral Powers.[64] However, one State has expressed doubts over whether rules relating to territorial inviolability under the law of neutrality are applicable to cyber operations.[65]

With regard to harm that is not directed at a neutral State but which nonetheless may occur incidentally, France takes the view that ‘belligerents must refrain from causing harmful effects to digital infrastructure situated on the territory of a neutral State’.[66] Switzerland and Romania take similar positions.[67] The Tallinn Manual struggled with this issue, agreeing that foreseeable spill-over effects in neutral territory may breach the law of neutrality, but that ‘each case must be assessed on its own merits’ and that ‘States would be unlikely to regard de minimis effects as precluding the prosecution of an otherwise legitimate attack’.[68] The experts also noted that the law of neutrality allows for a balancing of competing rights between ‘belligerents to effectively conduct military operations’ and ‘neutral States to remain generally unaffected by the conflict’.[68]

While neutral State territory is inviolable[69] and therefore the exercise of belligerent rights by cyber means in neutral territory is prohibited, Article 8 of the Hague Convention (V) respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land, explains that a neutral State is not required to forbid or restrict a belligerent’s use of ‘telegraph or telephone cables or of wireless telegraphy apparatus belonging to it or to companies or private individuals.’[70] In light of Article 8, different views exist with respect to the use of neutral cyber infrastructure by belligerents for cyber operations carried out in connection with an armed conflict. This mainly concerns situations where the data packets are routed through neutral cyber infrastructure, intentionally or otherwise. France takes the position that it does not violate the law of neutrality if the transmission has no effects on the neutral State.[71] The United States generally considers the use of publicly available communications infrastructure by belligerents as lawful.[72] Denmark has taken the view that it is ‘assumed that infrastructure located in the territory of a neutral State may not be used by belligerent States to engage in acts of war’.[73]

A corollary to the protection granted to neutral Powers is their duty to prevent and terminate any violation of their neutrality, although its extent is unsettled in the cyber context.[74] Failure to do so, particularly in the face of offensive cyber operations, could entitle the aggrieved party to use forceful measures against the neutral cyber infrastructure to end the adverse effects the operation causes.[75] However, any such measures would need to conform to the overarching UN Charter regime and customary international law governing the use of force.

Any potential legal obligation to prevent and terminate a violation of neutrality presents unique challenges in the cyber context given that neutral States do not always have knowledge of the use of their servers to transmit malware, and are not always able to prevent or terminate a cyber attack.[76] Switzerland seems to share this concern, arguing that there should be limits to the rights and duties of a neutral Power in light of the nature of data traffic on the Internet.[77]

Publicly available national positions that address this issue include: National position of Costa Rica (2023), National position of France (2019), National position of the Italian Republic (2021), National position of the Netherlands (2019), National position of Romania (2021), National position of Switzerland (2021).

[L14] Whatever approach is adopted for assessing the principle of proportionality, it would be necessary to look separately at the law of neutrality, which is distinct from IHL and applies to non-belligerent States—in this case State C—in situations of international armed conflict.[78]

[L15] In spite of the divergent views and considerations around how the law of neutrality regulates cyber operations, it is reasonable to conclude that under the law of neutrality (and without prejudice to the legal analysis under IHL), State A’s cyber attack would likely be unlawful because the harm in State C was foreseeable, rose above a de minimis level, and was intrusive enough to tip the balance in favor of State C’s right to remain unaffected by the conflict.

Conclusion

[L16] In conclusion, State A’s planned cyber operation falls within the scope of IHL, has a nexus to the existing international armed conflict and meets the requirements for it to be subject to the principle of proportionality. Evaluated from a number of different perspectives, there is support for the position that, for the purposes of IHL, the incidental civilian harm expected to occur in State C must be part of the proportionality assessment together with that expected to occur in State B. State A would then need to include incidental civilian harm expected to occur in State C in its total sum of civilian harm when determining if the attack complies with the principle of proportionality. In any event, as the attack is not seemingly expected to incur incidental civilian harm excessive to the direct and concrete military advantage anticipated, the attack is not prohibited under the principle of proportionality. At the same time, it is reasonable to conclude that the cyber attack would be prohibited under the law of neutrality due to the harm it is expected to cause in State C.

Checklist

  • Does the operation qualify as an attack that is regulated by the principle of proportionality?
  • Which of the expected effects of the attack constitute incidental civilian harm under the principle of proportionality?
  • How does the principle of proportionality assess incidental civilian harm that is expected to occur in a non-belligerent neutral State?
  • Is the expected incidental civilian harm of the attack excessive to the anticipated concrete and direct military advantage?
  • What impact might the law of neutrality have on the lawfulness of an attack that is expected to cause harm in a non-belligerent neutral State?

Appendixes

See also

Notes and references

  1. Note: For the purposes of this scenario, it is assumed that the restrictions added to prevent the malware from activating in non-target systems (see para. F2) were sufficient to comply with the obligation to take all feasible precautions to avoid or at least minimize incidental harm to civilians and damage to civilian objects when carrying out an attack. Additional Protocol I, Article 57(1); Jean-Marie Henckaerts and Louise Doswald-Beck, Customary international humanitarian law, (Vol. I, Cambridge University Press 2005) (ICRC Customary IHL Study), Rule 15. While other areas of public international law may be relevant to this scenario, many of them are already analysed in a number of different scenarios in the Toolkit and thus generally excluded from the scope of this scenario. See, for example, the Toolkit’s treatment of self-defence, retorsion, and countermeasures in Scenario 14: Ransomware campaign.
  2. See, e.g. Marco Sassòli, International Humanitarian Law: Rules, Controversies, and Solutions to Problems Arising in Warfare (Edward Elgar 2019) 201 (‘IHL only governs conduct that has a sufficient nexus to the armed conflict’); Gloria Gaggioli (ed), Expert Meeting: The Use of Force in Armed Conflicts (ICRC 2013) 4 (‘In order to be covered by IHL, the use of force must take place in an armed conflict situation and must have a nexus with the armed conflict’.).
  3. Michael N. Schmitt et al (eds), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017) (Tallinn Manual 2.0), commentary to rule 80, para 5.
  4. Tallinn Manual 2.0, commentary to rule 80, para 6.
  5. Concretely, rules such as the prohibition of attacks against civilians and civilian objects, the prohibition of indiscriminate and disproportionate attacks, and the obligation to take all feasible precautions to avoid or at least reduce incidental harm to civilians and damage to civilian objects when carrying out an attack apply to those operations that qualify as ‘attacks’ as defined in IHL. The notion of attack under IHL, defined in Article 49 of AP I, is different from and should not be confused with the notion of ‘armed attack’ under Article 51 of the UN Charter, which belongs to the realm of the law on the use of force (jus ad bellum). To determine that a specific cyber operation, or a type of cyber operations, amounts to an attack under IHL does not necessarily mean that it would qualify as an armed attack under the UN Charter.
  6. Yves Sandoz, Christophe Swinarski and Bruno Zimmermann (eds), Commentary on the Additional Protocols, ICRC, Geneva, para. 1879 (‘Commentary of Additional Protocol I’).
  7. International Criminal Court (ICC), Situation in the Democratic Republic of the Congo in the case of the Prosecutor v Bosco Ntaganda, Roger O’Keefe, Observations by Professor Roger O’Keefe, pursuant to rule 103 of the Rules of Procedure and Evidence, No. ICC-01/04-02/06 A2, 17 September 2020, p. 3.
  8. ICC, Situation in the Democratic Republic of the Congo in the case of the Prosecutor v Bosco Ntaganda, Submission of Observations to the Appeals Chamber Pursuant to Rule 103 by Geoffrey Corn et al, No.: ICC-01/04-02/06 A2, 18 September 2020, paras. 14 – 15.
  9. ICC, Prosecutor v Bosco Ntaganda, ICC-01/04-02/06, Judgment (Appeals Chamber), 30 March 2021, Partly Concurring Opinion of Judge Eboe-Osuji, para. 110; Yoram Dinstein and Arne Willy Dahl, Oslo Manual on Select Topics of the Law of Armed Conflict (Springer 2020), rule 8 and the discussion of reasonable foreseeability of harm.
  10. Cordula Droege, “Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians”, (2012) 94(886) International Review of the Red Cross 533, 557; William H. Boothby, The Law of Targeting (OUP 2012) 384; Laurent Gisel, Tilman Rodenhäuser, and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’, (2020) 102(913) International Review of the Red Cross 287, 312.
  11. ICRC, “International humanitarian law and the challenges of contemporary armed conflicts” (2015) 41–42; Tallinn Manual 2.0, rule 92. This view is also held by States including Australia, Australia’s submission on international law to be annexed to the report of the 2021 Group of Governmental Experts on Cyber, at 4; and Switzerland, Switzerland's position paper on the application of international law in cyberspace, Annex UN GGE 2019/2021, at 10.
  12. See, for instance, the commentary to the relevant rules in the Tallinn and Oslo Manuals: Tallinn Manual 2.0, rule 92 and accompanying commentary; Yoram Dinstein and Arne Willy Dahl, Oslo Manual on Select Topics of the Law of Armed Conflict (Springer 2020), rule 8 and accompanying commentary.
  13. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 677 (when discussing computer network attacks); Finland, International law and cyberspace: Finland’s national positions (2020) 7; New Zealand, Manual of Armed Forces Law (2nd edn, 2017) vol 4, para 8.10.22; Norway, Manual i krigens folkerett (2013) para 9.54; Switzerland, “Switzerland’s position paper on the application of international law in cyberspace: Annex UN GGE 2019/2021” (27 May 2021) 10; United States, “United States Submission to the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (2014–15)”, at 6, and from a practical perspective Joint Publication 3-12 (R) ‘Cyberspace operations’ (5 February 2013), at IV-4.
  14. ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper (November 2019) 7. Israel has further argued that an operation may amount to an attack if ‘a cyber operation is intended to shut down electricity in a military airfield, and as a result is expected to cause the crash of a military aircraft—that operation may constitute an attack’. Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400.
  15. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 290–291; Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400; Peru, Response Submitted by Peru to the Questionnaire on the Application of International Law in OAS Member States in the Cyber Context (June 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 31.
  16. Bolivia, Note from the Plurilateral State of Bolivia, Ministry of Foreign Affairs, OAS Permanent Mission to the OAS Inter-American Juridical Committee, MPB-OEA-NV104-19 (17 July 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 33; Ecuador, Verbal Note 4-2 186/2019 from the Permanent Mission of Ecuador to the OAS (28 June 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para. 32; France, Ministry of the Armies, International Law Applied to Operations in Cyberspace, 2019, p. 13; Germany, On the Application of International Law in Cyberspace Position Paper, March 2021, p. 9; Guatemala, Note Of. 4VM.200-2019/GJL/lr/bm, from Mr. Gabriel Juárez Lucas, Fourth Vice Minister of the Interior Ministry of the Republic of Guatemala to Luis Toro Utillano, Technical Secretariat, Inter-American Juridical Committee (14 June 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para. 32; Italy, Italian Position Paper on ‘International Law and Cyberspace’, 2021, pp. 9–10; Japan, Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 2021, p. 7; New Zealand, The Application of International Law to State Activity in Cyberspace (1 December 2020), para. 25.
  17. ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper (November 2019) 7–8. The ICRC bases this interpretation on a contextual and teleological interpretation of the notion of ‘attack’ in Additional Protocol I. See ICRC, International humanitarian law and the challenges of contemporary armed conflicts (2015) 41.
  18. Tallinn Manual 2.0, commentary to rule 100, para 10 (‘…a majority of them was of the view that interference with functionality qualifies as damage if restoration of functionality requires replacement of physical components’.)
  19. Art 48 AP I; ICRC CIHL Study, rule 7.
  20. See Yves Sandoz, Christophe Swinarski and Bruno Zimmermann (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (ICRC 1987), 635 para 2018; International Law Association Study Group on the Conduct of Hostilities in the 21st Century, ‘The Conduct of Hostilities and International Humanitarian Law: Challenges of 21st Century Warfare’ (2017) 93 International Law Studies 322, 327–328.
  21. Art 52(3) AP I; on the customary nature of this rule, see ICRC CIHL Study, commentary to rule 10, 35–36. In the cyber context, see e.g., the national positions of France (Ministry of Defense of France, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 14); and Germany (Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 8).
  22. Art 1 AP I.
  23. See, e.g., Amended Protocol II to the CCW, Article 2(6); Second Protocol to the Hague Convention for the Protection of Cultural Property, Article 1(f).
  24. See, e.g., Brian Egan, Legal Adviser, Department of State, “Remarks to the American Society of International Law: International Law, Legal Diplomacy, and the Counter-ISIL Campaign” (1 April 2016), 242 (“In particular, I’d like to spend a few minutes walking through some of the targeting rules that the United States regards as customary international law applicable to all parties in a NIAC: … Insofar as objects are concerned, military objectives are those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.”).
  25. ICRC CIHL Study, rule 8. See also Tallinn Manual 2.0, commentary to rule 100, para 1.
  26. Tallinn Manual 2.0, rule 80 (“Cyber operations executed in the context of an armed conflict are subject to the law of armed conflict.”).
  27. See William H Boothby, The Law of Targeting (OUP 2012) 387–88.
  28. Cf Art 49(1) AP I (defining “attacks” as “acts of violence against the adversary, whether in offence or in defence”).
  29. See, e.g., William H Boothby, The Law of Targeting (OUP 2012) 384–87; Noam Lubell, ‘Lawful Targets in Cyber Operations: Does the Principle of Distinction Apply?’ (2013) 89 Int’l L Studies 252, 254–74; Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 180–81; Yoram Dinstein, The Conduct of Hostilities under the Law of International Armed Conflict (3rd edn, CUP 2016) 3.
  30. Art 48 AP I (“the Parties to the conflict ... shall direct their operations only against military objectives”). It should be noted that it is not universally accepted that the reference to “operations” in Article 48 reflects customary international law. See, e.g., Noam Neuman, ‘Challenges in the Interpretation and Application of the Principle of Distinction During Ground Operations in Urban Areas’ (2018) 51 VJTL 807, 821 fn 44.
  31. See Laurent Gisel, Tilman Rodenhäuser, and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’, (2020) 102(913) International Review of the Red Cross 287, 321–322.
  32. Tallinn Manual 2.0, commentary to rule 100, paras. 8 and 15. (‘“Nature” involves the inherent character of an object, and typically refers to those objects that are fundamentally military and designed to contribute to military action’.)
  33. Views differ however on whether an object that qualifies as a military objective due to its ‘nature’ needs to meet this second part of the definition. See, Tallinn Manual 2.0, commentary to rule 100, paras 16–17.
  34. Additional Protocol I, Article 51(5)(b). On the applicability of the proportionality principle in cyber space see: Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019); Federal Government of Germany, ‘On the Application of International Law in Cyberspace’ (March 2021) 9-10; Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 9-10; Tallinn Manual 2.0, rule 113.
  35. ICRC Customary IHL Study, Rule 14. Tallinn Manual 2.0, rule 113.
  36. See ICRC, International humanitarian law and the challenges of contemporary armed conflicts, (2019) 16.
  37. Laurent Gisel, The principle of proportionality in the rules governing the conduct of hostilities under international humanitarian law: international expert meeting, 22-23 June 2016 (ICRC 2018) (Expert Report on Proportionality) 9, 52-53.
  38. Yves Sandoz, Christophe Swinarski and Bruno Zimmermann (eds), Commentary on the Additional Protocols (ICRC 1987) (Commentary on Additional Protocol I), para 1978; Emanuela-Chiara Gillard, Proportionality in the Conduct of Hostilities: The Incidental Harm Side of the Assessment (Chatham House 2018) 28.
  39. ICRC, International humanitarian law and the challenges of contemporary armed conflicts, (2015) 41. See, also, Emanuela-Chiara Gillard, Proportionality in the Conduct of Hostilities: The Incidental Harm Side of the Assessment (Chatham House 2018) (Proportionality in the Conduct of Hostilities) 13-18; Tallinn Manual 2.0, commentary to rule 113, paras 6–7.
  40. Expert Report on Proportionality 43-45; Proportionality in the Conduct of Hostilities 18-20.
  41. U.S. Department of Defense, Law of War Manual, June 2016 (revised December 2016) (DoD Law of War Manual), para 5.12.1.3.
  42. See, the Cyber Law Toolkit entry for ‘Attack (international humanitarian law)’ (‘In the assessment of what constitutes the ‘reasonably expected’ effects of an operation that have to be considered, some States, including Denmark, Finland, New Zealand, Norway, Switzerland, or the United States, have clarified that this includes harm due to the foreseeable direct and indirect (or reverberating) effects of an attack’).
  43. Tallinn Manual 2.0, commentary to rule 92, paras 10–12; ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper (November 2019) 7-8.
  44. Tallinn Manual 2.0, commentary to rule 113, para 5.
  45. Additional Protocol I, Article 51(5)(b).
  46. Commentary on Additional Protocol I, para 2209.
  47. Commentary on Additional Protocol I, para 2209. For a discussion of different State interpretations of this requirement see ICRC Customary IHL Study, Rule 14.
  48. William H. Boothby, The law of targeting (Oxford University Press 2012) 94-95.
  49. International Law Association Study Group, Final Report: The Conduct of Hostilities and International Humanitarian Law Challenges of 21st Century Warfare, 25 June 2017, 31.
  50. Expert Report on Proportionality 13.
  51. Commentary on Additional Protocol I, para 2210.
  52. ‘Final Report to the Prosecutor by the Committee Established to Review the NATO Bombing Campaign Against the Federal Republic of Yugoslavia’ [50]. See also Expert Report on Proportionality 52.
  53. Considering that the attack is targeted at a military objective as well as the restrictions incorporated into the malware (see para. F2), it is presumed that the attack complies with the prohibition of indiscriminate attacks as codified in 1977 Additional Protocol I, Article 51(4). See also ICRC Customary IHL Study, Rule 11; William H. Boothby, The law of targeting (Oxford University Press 2012) 91.
  54. Tallinn Manual 2.0, commentary to rule 92, para 10 (‘a majority of them was of the view that interference with functionality qualifies as damage if restoration of functionality requires replacement of physical components. Consider a cyber operation that is directed against the computer-based control system of an electrical distribution grid. The operation causes the grid to cease operating. In order to restore distribution, either the control system or vital components thereof must be replaced. The cyber operation is an attack for the majority’.)
  55. Isabel Robinson and Ellen Nohle, ‘Proportionality and precautions in attack: The reverberating effects of using explosive weapons in populated areas’, International Review of the Red Cross (2016), 98 (1), 107–145, 130 (‘As such, even under a broad interpretation of “injury”, incidental harm does not include effects such as poverty, unemployment or economic capacity’.)
  56. Prosecutor v Tadic (Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction) ICTY-94-1 (2 Oct 1995) [68]; Dieter Fleck, ‘Scope of Application of International Humanitarian Law’, in Dieter Fleck (ed), Handbook of International Humanitarian Law (4th edn, OUP 2021) 65.
  57. The 1974-1977 Diplomatic Conference rejected several attempts aimed at excluding incidental harm that is not in the proximity of the target from the application of the proportionality principle. Michael Bothe, Karl Josef Partsch and Waldemar Solf, New Rules for Victims of Armed Conflicts, (2nd edition, Martinus Nijhoff Publishers, 2013), p. 406, para. 2.6.2 on Article 57. See also ICRC, Explosive weapons with wide area effects: A deadly choice in populated areas, (2022) 97.
  58. In support of this approach, see ‘Letter dated 19 June 1995 from the Permanent Representative of Solomon Islands to the United Nations, together with Written Statement of the Government of Solomon Islands’, in the case in ICJ, Legality of the Use by a State of Nuclear Weapons (Advisory Opinion), 20 June 1995, para 3.103, https://www.icj-cij.org/public/files/case-related/95/8714.pdf (‘…since these effect may affect people outside the scope of the conflict, both in time and geographically, the use of nuclear weapons violates the prohibition on the use of weapons which cause unnecessary suffering, cause harm to civilians, and have indiscriminate effects. The principles of proportionality and humanity are obviously violated’.) See also Tamsin Phillipa Paige, Douglas Guilfoyle, and Rob McLaughlin, ‘The Final Frontier of Cyberspace: Ensuring that Submarine Data Cables are Able to Live Long and Prosper (Part II)’ (Opinio Juris, 16 October 2020), available at: http://opiniojuris.org/2020/10/16/the-final-frontier-of-cyberspace-ensuring-that-submarine-data-cables-are-able-to-live-long-and-prosper-part-ii/ (‘We suggest that any application of [the proportionality test to attacks on submarine data cables] will always come back in the negative. This is because the combination of the scale of impact on civilian social and economic infrastructure, and the likelihood of this damage spreading beyond the targeted state to neutral third states, can only be excessive in relation to any military advantage’.)
  59. Michael N. Schmitt, ‘Russian cyber operations and Ukraine: The Legal Framework’ (Articles of War, 16 January 2022) (‘the fact that consequences were caused beyond belligerent territory has no bearing on whether the cyber operations causing them are subject to IHL rules. The question is whether the nexus condition is met. So long as that condition is satisfied, consequences manifesting outside belligerent territory still matter in the application of IHL to the cyber operation, as in the case of assessing incidental injury and collateral damage pursuant to the proportionality rule’.) See also Tallinn Manual 2.0, commentary to rule 80, para 5. Sassòli takes the view that ‘IHL of IACs applies in any location where opposing State forces exercise belligerent activity against each other irrespective of whether or not this activity occurs on their territory. In my view, even hostilities on the territory of a non-consenting neutral State are governed by IHL even though they are prohibited […] they are neither outside the geographical scope of application of IHL of IACs nor prohibited by IHL’. Marco Sassòli, International Humanitarian Law: Rules, Controversies, and Solutions to Problems Arising in Warfare (Edward Elgar 2019), para 6.46.
  60. See, ICRC, Guidelines on the Protection of the Natural Environment in Armed Conflict – Rules and Recommendations relating to the Protection of the Natural Environment under International Humanitarian Law, with Commentary, (ICRC December 2020) [ICRC Guidelines on the Protection of the Natural Environment in Armed Conflict] [122].
  61. Proportionality in the Conduct of Hostilities 35; Expert Report on Proportionality 42; ICRC, Explosive weapons with wide area effects: A deadly choice in populated areas, (2022) 98 and 100.
  62. See e.g. Expert Report on Proportionality, 53-55.
  63. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 60; Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019); Italian Position Paper on “International Law and Cyber Space”, Italian Ministry for Foreign Affairs and International Cooperation 10; Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 5; Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021 78 (Romania), 89 (Switzerland); DoD Law of War Manual, para 16.4.1.
  64. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021 89 (Switzerland); Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019); Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021 78 (Romania); Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 60; See also Italian Position Paper on “International Law and Cyber Space”, Italian Ministry for Foreign Affairs and International Cooperation 10.
  65. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 97 ILS 395, 397-98 (2021) (‘in relation to one of the basic overarching rules of neutrality—the inviolability of a neutral State’s territory—while in the land domain it is forbidden to transfer troops or convoys of munitions; at sea—the passage of warships in territorial waters is possible; and in the air such passage is subject to discretion or limitations of each neutral State. Given these differences, it remains unclear if and how this rule would be applicable in cyberspace.’)
  66. Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019).
  67. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021 79 (Switzerland), 89 (Romania). The ICJ has acknowledged that under the law of neutrality some States ‘rule out the use of a weapon the effects of which simply cannot be contained within the territories of the contending States’. ICJ, Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) 1996, para 93. For an alternative view, see verbal statement by the United States in ICJ, ‘Public sitting: Verbatim Record’, in the case in ICJ, Legality of the Use by a State of Nuclear Weapons (Advisory Opinion), Wednesday 15 November 1995, 41 (‘The argument that the use of a nuclear weapon is per se unlawful because it would inevitably violate the territory of neutral States is equally unsound, Mr. President. The principle that neutral territory is inviolable means that a belligerent may not, save in rare and clearly defined circumstances, actually conduct military operations on the territory of a neutral State. It has never meant that neutral States can expect to be subject to none of the effects of war’.) See also more generally, ‘Draft Convention on Rights and Duties of Neutral States in Naval and Aerial War’, American Journal of International Law Vol. 33 (1939) 386-391 (commentary to Article 22 ‘A belligerent has no duty to pay compensation for damage to a neutral vessel or other neutral property or persons, when such damage is incidental to a belligerent’s act of war against the armed forces of its enemy and not in violation of the provisions of this Convention or of the law of war’.)
  68. Tallinn Manual 2.0, commentary to rule 150, para 4.
  69. Hague Convention (V) respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land, Article 1.
  70. Hague Convention (V) respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land, Article 8.
  71. Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019).
  72. DoD Law of War Manual, para 16.4.1.
  73. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 60.
  74. See Tallinn Manual 2.0, commentary to rule 150, paras 5–7.
  75. Tallinn Manual 2.0, rule 153.
  76. Jeffrey T.G. Kelsey, ‘Hacking into International Humanitarian Law: The Principles of Distinction and Neutrality in the Age of Cyber Warfare’, Michigan Law Review, Vol. 106, May 2008, 1427-1452, 1444.
  77. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021 89.
  78. Additionally, State A would also need to consider whether the planned cyber attack would comply with its obligations under international human rights law, which continues to apply in parallel to IHL.

Bibliography and further reading

Contributions