How does cyber warfare fit in the framework of International Humanitarian Law?
Gone are the days when the worst thing on the Internet to be afraid of was a pesky virus. The current highly sophisticated malware looks for software vulnerabilities which can result in fatal damage to the opponent’s entire computer network.
There is no unanimously agreed definition of cyber warfare, however there are a few authoritative drafts. The Tallinn Manual 2.0 distinguishes between (a) the means, and (b) the methods of cyber warfare as being: a) cyber weapons and their associated cyber systems; b) cyber tactics, techniques, and procedures by which hostilities are conducted (Tallinn Manual, p. 452). This definition notes that the ‘means of cyber warfare’ include cyber weapons and cyber weapon systems. In this context, a weapon is the part of the system which causes damage or injury. This broad definition allows for cyber warfare to encompass cyber devices, equipment, or software used, designed, or intended to be used to conduct a cyber attack. Subsequently, it defines cyber weapons as “cyber means of warfare that are used, designed, or intended to be used to cause injury to, or death of, persons or damage to, or destruction of, objects, that is, that result in the consequences required for qualification of a cyber operation as an attack” (ibid). It states that this definition is applicable to International Armed Conflicts and Non-International Armed Conflicts.
Academics such as Rid and McBurney define cyber weapons as a “computer code that is used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, systems, or living things” (Ridd, Cyber Weapons p. 7). A third definition is provided by the US Air Force which interprets weapons as “devices designed to kill, injure, disable or temporarily incapacitate people, or destroy, damage or temporarily incapacitate property or material” (US Air Force Instructions, Legal Review of Weapons and Cyber Capabilities, p. 6). All three definitions have one primary aspect in common: they all agree that cyber weapons are the tools of harm. Consequently, there are a few things which can be deduced about cyber warfare from the above definitions. Firstly, a vast multitude of cyber weapons exists ranging from highly advanced to much more basic. Gone are the days when the worst thing on the Internet to be afraid of was a pesky virus. The current highly sophisticated malware looks for software vulnerabilities which can result in fatal damage to the opponent’s entire computer network. The most advanced cyber weapons are capable of entering networks which are off the grid, causing total damage. Such stateof- the-art weapons are expensive to make as there are not many individuals capable of writing them to such a high standard. On the other hand, a basic cyber weapon is easier to detect as it focuses on denying service to an opponent’s computer rather than targeting the computer directly. Such an attack was conducted by a pro-Kremlin youth group against Estonia in 2007. Secondly, cyber weapons result in different effects. The initial stage affects the targeted computer networks. This results in destruction of the system and impacts persons by for example cutting power to a power plant or locking exit doors. The main difference between cyber weapons and traditional weapons is the sequence of events: traditional weapons usually cause immediate damage to people, whereas cyber warfare affects people at a later stage.
Indiscriminate cyber weapons
Having provided an explanation of cyber weapons above, it is important to determine whether a weapon is inherently indiscriminate as per the review of a weapon under international humanitarian law (IHL). Indiscriminate cyber weapons are defined as being: a) directed at a specific military objective, or b) limited in the effects as required by law of armed conflict. Consequently, they strike military objectives and civilians or civilian objectives without distinction (Tallinn Manual, p. 455). Criterion (a) highlights the primary principle of IHL to respect the delicate balance between humanitarian considerations and military necessity. IHL focuses on protecting civilians from attacks. Therefore, the weapons need to be as accurate as possible to limit the risk of harm. From what can be gathered, powerful States are meeting or have met the requirement in (a) in terms of their cyber warfare. As technology advances, an increasing number of States will be able to fully fulfil this requirement. On the contrary, criterion (b) involves effects that are not limited. As per the Manual, here is a sequence of events which breach (b) as the effects cannot be limited: 1. A State uses malware against another State in an armed conflict; 2. The malware is targeting military computer networks; 3. Even though the intended target is military, the malware will unavoidably spread into the civilian networks (Cyber Weapons Reviews under International Humanitarian Law ‘Tallinn Paper no 11’, p. 19). The above scenario demonstrates the unintentional simplicity in breaching (b). Therefore, there are two subparts to (b) to make it fit in the IHL framework. Firstly, the effects need to be harmful and cause injury to persons or damage to property. Secondly, the indiscriminate effects must be foreseeable.
Cyber warfare and IHL
IHL will only be applicable to a cyber warfare occurrence if the attack occurs during or triggers an armed conflict. It is questionable whether a cyber attack can constitute the ‘use of force’ or an ‘armed attack’ in order for IHL to apply. Furthermore, attributing the attack to a State or an armed group poses questions which take time to be answered, whilst on the other hand IHL cannot wait until it is determined whether the cyber attack qualifies as such or not. There is a need for more adherent rules which encompass non-physical armed attacks to reflect the changing weaponry of the 21st century. The Tallinn Manual makes useful suggestions, but still has a long way to go to place cyber warfare in the IHL framework.