In the midst of recent notable incidents, including the cyberattack on the Canadian Forces’ website and the ransomware assault targeting the multinational conglomerate Johnson Controls, our world stands at the precipice of an ever-encroaching spectre of cyberattacks. The accessibility and cost-effectiveness with which malicious actors exploit digital vulnerabilities have escalated cyberattacks to extend far beyond virtual realms, targeting critical infrastructure like power grids, hospitals, and even nuclear facilities.
Amid this digital vulnerability, fundamental questions challenge established international law and humanitarian norms, with a central query: Does International Humanitarian Law (IHL), governing armed conflicts, extend its reach to cyberwarfare? As we delve into this multifaceted issue, it becomes apparent that the existing body of international humanitarian law offers only partial guidance, with a conspicuous silence surrounding the application of these principles in the context of cyber warfare. This article aims to examine whether cyber warfare can be categorized as an armed conflict falling under the purview of International Humanitarian Law (IHL), highlighting the challenges of incorporating it into International Armed Conflicts and Non-International Armed Conflict. While doing so, the article also delves into the critical need for state attribution and provides recommendations for effectively managing and resolving these challenges.
Defining Cyber Warfare
Cyber warfare remains a complex and globally impactful issue, yet no international accord exists to comprehensively define and regulate it. Various individuals and groups have made efforts to elucidate this concept. A widely referenced definition proposed by Richard Clark and Robert Knake characterizes cyber warfare as “actions taken by nation-states to infiltrate another nation’s computer systems or networks with the intent to cause damage or disruption.” The International Committee of the Red Cross (ICRC) offers an alternative definition, defining cyber warfare as “methods of warfare encompassing cyber operations that occur within the context of, or during armed conflicts, as defined by International Humanitarian Law (IHL).” However, to truly grasp the essence of cyber warfare, it is essential to establish the threshold at which such cyber operations transition from a mere attack to an act of cyber warfare. Not all cyber-attacks qualify as cyber warfare; it is only when these attacks produce effects akin to those seen in conventional armed conflicts or take place within the context of such conflicts that they rise to the level of cyber warfare. This question poses a significant challenge and calls for global deliberation: does International Humanitarian Law (IHL) apply in the realm of cyber warfare? The answer hinges on whether a cyber-attack constitutes an armed conflict as IHL is exclusively applicable to International Armed Conflicts and to Non-International or Internal Armed Conflicts, in specific situations.
Categorizing Cyber Warfare as an Armed Conflict
The conventional notion of an armed conflict traditionally involves the use of physical force (Prosecutor v. Kupreskic). This encompasses hostilities employing tangible and destructive means, such as bullets, bombs, or other physical elements causing immediate and observable destruction during warfare. In fact, computer network attacks that result in physical destruction comparable to that caused by kinetic force attacks would indeed qualify as an armed attack. However, the classification of cyber warfare as an armed conflict becomes less certain when considering indirect effects that do not entail direct physical destruction. In a significant parallel, in its advisory opinion on Nuclear Weapons, the International Court of Justice, observed that the evaluation regarding the presence of an armed attack should centre on the consequences of the action rather than the specific weapons used. This widely accepted principle implies that acts of violence extend beyond the nature of the means employed to the consequences they produce. For instance, it is well-established that the employment of radiological, chemical or biological agents constitutes an attack, in violation of the Geneva Protocol of 1925, despite the absence of physical force (Prosecutor v. Dusko Tadic).
Consistent with this line of reasoning, cyber warfare can be deemed to amount to an armed conflict because their real-world consequences can be substantial, often equivalent to those resulting from traditional kinetic attacks. Hence, assessment of such cyber warfare operations should primarily consider their effects, rather than the means employed. Indeed, while cyber warfare utilize modern technology not envisioned during the drafting of the Geneva Conventions, Additional Protocol I (AP I), also indicate that the framers of these agreements anticipated the adaptation of rules to new developments in warfare. Article 36 of AP I stipulates that a High Contracting Party, when considering the introduction of new means, methods of warfare or weapons, are obligated to evaluate the utilization of such innovations, and whether the same contravenes the provisions of AP I or other established international legal norms. Hence, the evolution of armed conflict addresses emerging humanitarian issues that may arise due to changes in the methods of warfare, including cyber warfare.
Challenges in aligning cyber warfare operations within International Armed Conflict (IAC) and Non- International Armed Conflict (NIAC)
Meeting the criteria for IAC in cyber warfare poses challenges. IAC arises when states resort to armed force, making cyber warfare an IAC when (a) such warfare are attributable to a state and (b) when they constitute a resort to armed force against another state. However, attributing cyber warfare operations to a state becomes complex when actions are carried out by private individuals or groups on behalf of a state, considering the notion of “control” in cyberspace. Addressing the second IAC criterion, traditional armed force involves physical harm that have a kinetic or tangible impact. When we apply this to activities such as creating and utilizing computer code, the scenario becomes complex since cyber warfare can cause harm in non-physical ways, such as disrupting critical services or resource supplies. These indirect effects can be severe, such as interrupting the delivery of essential resources like electricity or water etc., even if the initial cyber-attack goes unnoticed. If we are to interpret IHL in alignment with its core humanitarian principles, cyber warfare causing such significant humanitarian consequences should arguably be regarded as a form of armed force, thereby falling under IHL’s protective provisions.
Defining a NIAC necessitates the presence of armed violence which involves one non-state actor, with both a minimum level of organization and intensity (Prosecutor v Germain Katanga). However, applying these criteria to cyber warfare presents challenges. Virtual groups, like hacker collectives operating in cyberspace, seldom meet the traditional requirement for minimum organization. They lack the typical command structures and hierarchies found in conventional armed groups, primarily communicating virtually without physical meetings or personal identity disclosures. While such groups may engage in criminal activities, characterizing them as participants in armed conflict appears to be an unsuitable characterization. Nonetheless, this conclusion raises concerns when considering the potential harm and destruction cyber operations by these groups can inflict, comparable to kinetic operations. When cyber operations result in substantial physical damage, they might meet the intensity threshold for a NIAC. However, determining when cyber operations with non-physical destruction reach this threshold remains unclear. State practices and opinio juris offer no guidance, and humanitarian considerations do not definitively support any particular interpretation.
The need for State Attribution
The concept of attribution under the international law of state responsibility involves assigning a specific act or omission to a particular state. Hence, in cases where states intend to respond to international crimes committed in cyberspace, such as by employing force or implementing countermeasures, they must establish attribution. In this regard, the use of force in response to cyber warfare is lawful only when it constitutes a response to armed attacks. Hence, attribution of a cyberattack is a crucial prerequisite before a state can legitimately take countermeasures, even if done implicitly.
In light of the absence of clear humanitarian regime and considerations regarding cyber warfare, the creation of International Cybersecurity Task Force is essential to strengthen the global cybersecurity regime. The same could comprise of legal experts, cybersecurity professionals, and policymakers to study the application of International Humanitarian Law (IHL) to cybercrime during conflicts. Additionally, fostering cross-sector collaboration, developing comprehensive Cybercrime Guidelines based on IHL principles, investing in cybersecurity capacity building for law enforcement and legal professionals including judges, and promoting international agreements on IHL in cyberspace can collectively enhance our defences against cyber threats, ensuring responsible behaviour and upholding the principles of distinction, proportionality, and precaution in the digital realm.
In conclusion, the evolving landscape of cyber warfare challenges established international laws. However, it’s evident that IHL is adaptable and capable of accommodating technological advancements, including cyber warfare. For instance, the “Martens Clause” in the preamble to the Hague Convention IV of 1907 asserts that even when specific agreements do not explicitly cover certain situations, civilians and combatants are still protected by principles of international law rooted in established customs, principles of humanity, and the moral conscience of the global community. Nevertheless, addressing ambiguities in IHL application is crucial, and international efforts must continue to refine and clarify rules and responsibilities in the face of cyber threats.