Laws and customary practices have long governed the conduct of armed conflict. Over the last 150 years, the Geneva and the Hague Conventions have been the cornerstone of international treaties to address humanitarian concerns related to warfare. According to the International Committee of the Red Cross (ICRC), the laws of war, or international humanitarian law (IHL), “aims to protect persons who are not or are no longer taking part in hostilities, the sick and wounded, prisoners and civilians, and to define the rights and obligations of the parties to a conflict in the conduct of hostilities.”
IHL prescribes a set of obligations on those participating in warfare, and its scope has been limited to armed attacks and war crimes. With the development of technology, acts of hostility and conflict can take place in cyberspace with minimal damage or destruction in the physical world. Cyber-attacks typically do not have kinetic effects, although there is the possibility of some physical side effects from the attacks itself. There is now the complicated challenge of defining whether the laws of war apply to cyber conflicts since it can certainly affect civilian populations, yet not in the traditional context of warfare.
The Humanitarian Angle of Cyber-Warfare
There is a concern in knowing that these systems are vulnerable to external interferences since there is a substantial link between the digital and physical world.
Many military and civilian populations operate similar computer infrastructures that are interconnected. As such, cyber attacks run the risk of affecting unintended civilian targets. This would violate the first of six basic rules of warfare outlined in the Geneva and the Hague Conventions, which is to make the distinction between military and civilian objects. Some of the major humanitarian concerns of cyber-warfare would surround critical infrastructures such as energy supply systems, hospital systems, air traffic control, and water treatment and distribution systems. As stated by Dr. Cordula Droege– legal advisor at the ICRC, “IHL is based on the assumption that the means and methods of warfare will have violent effects in the physical world.” Under this existing definition, cyber operations alone would not likely reach the magnitude to cause significant destructive effects on a large civilian population.
There have been no documented cases of civilian networks being affected by cyber operations targeted towards military infrastructures. The likelihood of such events occurring is not very likely, because cyber operations are more frequently used to manipulate civilian infrastructures, resulting in disruption or malfunction, without causing physical harm. Nevertheless, it is still a possibility that should not be dismissed, and it should reinforce the necessity to clarify the rules of IHL.
The Grey Areas
The applicability of IHL to cyber-warfare can pose some challenges since its provisions do not acknowledge the exploitation of cyber technology, nor is it mentioned in the Geneva Convention and its Additional Protocols.
IHL makes the assumption that all parties engaged in warfare are identifiable, and that the parties will respect the principles of distinction, and proportionality. This is not always possible, as evidenced by traditional armed conflict. In the case of cyber operations, it is difficult to identify the source responsible for an attack. If the party is unidentifiable, it becomes increasingly difficult to determine if the attack was even a form of armed conflict. In an ICRC interview with legal advisor Laurent Gisel, he describes most cyber operations not being linked to armed conflict- in which case IHL would not apply. In most cases, hackers are civilians protected under IHL, unless they “take a direct part in hostilities, carrying out a cyber-attack in support of one side in an armed conflict”.
Looking at Article 2(4) of the UN Charter, all member states will refrain from using force against another state. ‘Force’ in its traditional sense is as a physical act, meaning that a cyber-attack does not fall under those limitations. Furthermore, Article 51 of the UN Charter allows for self-defence in an armed attack, which would allows for cyber-attacks to take place at any given time since there are no physical arms used in cyber operations.
Sorting out the Kinks
The NATO-developed Tallinn Manual is so far the closest thing to an international consensus on dealing with cyber-conflicts. It is a non-binding study examining how existing international laws and customary practices can be applied to these new types of conflict. This is not an official manual; rather it is a declaration of individual experts and academics that are trying to bring clarity to the issue and limit the exploitation of cyber-attacks in warfare.
There is still a lot to learn about managing cyber operations and its potential applications in warfare, and its effects on civilians. Cyber-attacks are not nearly as lethal as traditional armed conflicts, but their effects can spill into the physical world. Though cyber-conflicts do not pose an imminent or lethal threat, the rules of IHL nevertheless apply. IHL may not explain or limit all of the potential possibilities of cyber-warfare, but it is a starting point for policymakers to discuss future action plans to prevent future cyber-attacks from occurring.