Introduction

Warfare in the 21st century has changed tremendously, expanding in the tactical as well as technical dimensions. As military operations are increasingly becoming technologically driven it can be argued that future wars will be fought in a new battlefield, which is most likely to be cyber space. Cyber war is relatively a new concept. Not much has been discussed about laws and regulations for conducting it. Since it is a new form of warfare not much can be anticipated about its potential because of the continuous rapid change in computer technology. This concept may not be treated as a mainstream instrument of conducting war at the moment because of its newness but it may soon gain importance in future. In some parts of the world this form of warfare has already started (Stuxnet, Flame) and world forums are highly debating on the ways to govern cyberspace so as to limit cyber crime and cyber terrorism.

This article will focus on the applicability of international humanitarian law (IHL) on cyber network attacks (CNA). It will try to construct the parameters into which CNA can be confined and regulated by laws of armed conflict. In IHL, there is no specific mentioning of CNA per se, but it is increasingly becoming important to look at it from the IHL point of view because of its growing importance in military activities and its potential to gain military advantage in a more cost effective way.

In order to bring computer network attacks under the light of IHL, it must look at can as a means and methods of warfare and at its ability to create civilian damage because IHL primarily is constructed to focus on:

  1. Rules which limit the right of the parties to use means and methods of war.
  2. Rules which protect the civilian population and property in times of armed conflict.

It is also important to keep in mind that IHL is applicable only when there is an armed conflict. Therefore, one of the biggest hurdles is to determine whether CNA constitute an armed attack and whether it has enough potential to create a war under the condition of self-defense if a country is attacked through the cyber network.

Theme: CNA and Jus in Bello

The very first issue that arises is whether CNA can come under the subject of IHL. The popular arguments say that IHL that is based on the Geneva conventions (1949), Additional Protocols (1977) and the customary laws does not specifically mention CNA. Therefore these set of laws are not in a strong position to cover it. CNA is a concept that has come after the creation of the treaty laws hence it does not come under these set of legal instruments. Another argument is that IHL is applicable to armed conflict and CNA is not an armed conflict because it does not include the use of kinetic forces that has the ability to create physical damage. However if we look at computer network attacks as a means and method of warfare, it can surely be a subject of IHL. Even though IHL does not specifically mention CNA, the Martens clause, which is an accepted principle in IHL applies, says that whenever a situation is not covered by an international agreement, “civilians and combatants remain under the protection and authority of the principles of international law derived from established custom, from the principles of humanity, and from the dictates of public conscience”.[1] On the issue of CNA being a new concept that has come into existence since the treaty laws were formed, and therefore, the argument that it is outside the ambit of IHL can also be proved wrong,  by applying the same judgment that was given to the issue of nuclear weapons where the International Court of Justice (ICJ) overruled the assertion that because humanitarian “principles and rules had evolved prior to the invention of nuclear weapons”, humanitarian law was inapplicable to them.[2]The same applies to CNA. Also, the Additional Protocol 1 (AP1), Article 36, is a strong indicator that shows its applicability to new developments, means and methods of warfare. It says, “In the study, development, acquisition or adoption of a new weapon, means or method of warfare, a High Contracting Party is under an obligation to determine whether its employment would, in some or all circumstances, be prohibited by this Protocol or by any other rule of international law applicable to the High Contracting Party.”[3]This displays that CNA as a means and methods of warfare clearly comes under the subject of IHL. A military activity that constitutes a method that is being implemented to fight its adversary always comes within the parameters of certain restrictions under the laws of war.

If IHL is implemented in cyber war during an armed conflict the core issue is protection of people and property. IHL under its standard laws do have provisions for the same.

The relevant areas for the application of IHL are:

  1. Principle of distinction
  2. Ruse of war and perfidy
  3. Combatant status & Direct Participation of Hostilities (DPH)

Principle of distinction is defined as: “In order to ensure respect for and protection of the civilian population and civilian objects, the Parties to a conflict are required at all times to distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly must direct their operations only against military objectives”. (Art.48 AP1).

The rules that follow from this principle are:

Only military objectives can be attacked: a military objective is the one that makes an effective contribution to the military actions of the adversary and in the circumstances at the time when it is attacked must give a direct and concrete military advantage to the attacker. Therefore it is applicable to CNA. Military objectives such as communication lines and command and control systems can be directly targeted. As long as the two conditions are fulfilled that determine a military objective and as long as the attack does not spill over to civilian damage and suffering, the act is valid. However, it cannot target networks that may supplant humanitarian principles such as networks related to hospitals or construction that has special protections against attacks that are dependent on computer control such as drinking water installations and irrigation works, or dams, dykes, and nuclear electric stations that have the ability to release dangerous forces.[4]

The prohibition of indiscriminate attacks: IHL prohibits indiscriminate attack on the enemy, which is if an attack is not aimed at a specific military objective or if an attack on the military objective is uncontrollable and unpredictable according to Art.51 (4) of AP1.[5] The inter connectivity of military and civilian networks are so high that it is questionable whether a military objective can accurately be targeted without any damage to the civilian cyber infrastructure. If the specificity of military objective can be located and maintained, CNA would be absolutely legal as long as such designs do not penetrate civilian cyber space.

Collateral damage: it is the loss of civilian objects during military combat operations due to the violent character of war. Collateral damage in order to get the direct and concrete military advantage is legal as long as it does not violate the rules of proportionality. No collateral damage is acceptable if it is in excess of the concrete and direct military advantage anticipated. It is clear that these limitations are applicable to CNA as well, as it directly implies means and methods of war.

Precautions in attack: in order to implement the rules related to the principle of distinction the party must take the necessary precautions at all time to avoid or minimize civilian casualties of damage which is reflected on Art.57 AP1.[6] Therefore the attackers must keep in mind the possibilities of civilian damage that CNA activities can create and take the necessary precautions to minimize civilian casualties or damage. For example, commanders must decide whether launching a worm attack on the network of the adversary is feasible or not because the functioning of a worm is such that it has a very high capability of infecting large networks, and that shows its capability of damaging civilian cyber infrastructure, including that of hospitals and banks.

Ruses of war and perfidy are the ways of deceiving the enemy to get military advantage. Ruses of war which are legally accepted by international laws are common practices in military engagement; however, perfidy is absolutely illegal. With the advancement of technology, military organizations are deeply engaged with computer network exploitation (CNE) for intelligence work. Through CNE activities, sending misinformation to the enemy is a common and a legal practice. But this misinformation shall not cross the line into perfidy, like making the enemy believe that combat vehicles are medical vans or belong to organizations that are not involved in the war.

Combatant status & DPH: if CNA related activities are performed directly by armed forces personnel, it is considered to be performed by a combatant; therefore, he can directly be attacked and also have prisoners of war (POW) status. The problem is that since the expertise of computer technology mostly lies in the civilian domain, the use of civilians for military activities can be a common practice. This is where the issue of direct participation of hostilities (DPH) comes into the picture. Civilians involved with DPH can be targeted and have no POW status. But this field is still debatable as what constitutes DPH in CNA related activities is still not specified, for example, is support activities, maintenance of military computer programs constitute DPH, or CNA related activities by a civilian that does not result in death, injury or physical damage constitute DPH?[7]

Conclusion

Even though international law does not have anything specific mentioned about computer network attacks, it can be regulated under the existing treaty laws. IHL is applicable to CNA because it can be treated as a means and methods of warfare. The direct limitations to CNA come from the principle of distinction and hence it cannot be used limitlessly.

There are certain gray areas that require further study and analysis. Determining what constitutes an attack or armed conflict is still debatable as the existing legal literature involves terms like “act of violence” and involvement of “armed forces”. To include CNA as an act of violence, it must cross a certain threshold of death, injury, damage, and destruction, which is again not determined in absolute terms. The non-involvement of armed forces in CNA activities is another area that requires further understanding; the difficulty rises as states must be absolutely sure that an attack by an adversary is not done by non-state actors through network warfare activities so that the principle of self-defense can be applied. Therefore, international law must consider laying specific laws to regulate CNA in future that are absolute in nature.

Notes

[1] Michael N. Schmitt, Wired warfare: computer network attack and jus in bello, IRRC June 2002, vol.84

[2] Ibid.

[3] Knut Dormann, Applicability of the additional protocols to computer network attacks

[4] Knut Dormann, Computer network attack and international law, http://www.icrc.org/eng/resources/documents/misc/5p2alj.htm

[5] Knut Dormann, Applicability of the additional protocols to computer network attacks

[6] Knut Dormann, Computer network attack and international law, http://www.icrc.org/eng/resources/documents/misc/5p2alj.htm

[7] Knut Dormann, Applicability of the additional protocols to computer network attacks