By Yohannes Eneyew Ayalew
Cyber warfare begun to draw the attention of the international legal community in the late 1990s. The United States Naval War College convened the first major legal conference on the subject in 1999. The world has witnessed how cyber operations by “hackers” were executed against Estonia in 2007— and—against Georgia during its war with the Russian Federation in 2008( See here ,and here). Cyber operations have targeted the Iranian nuclear facilities with the Stuxnet worm in 2010. The other notable cyber operation called “NotPetya” occurred in Ukraine in 2017.
In today’s armed conflicts, cyber operations are being used as a means or method of warfare. Some States have gone as far as publicly acknowledging their use (for example: France position in 2019), and an increasing number of States are developing military cyber capabilities for offensive or/and defensive purposes.
Despite these developments a comprehensive treaty governing cyber warfare is yet to be tabled. At this juncture it is relevant to recall that international humanitarian law (IHL) treaties have often been accused of being ‘one war behind reality’ potentially contributing to the suffering caused by warfare. The aim of this blog post is therefore to shed some light on how States respond to the threats of cyber operations under IHL and unpack stumbling blocks in striking a comprehensive cyber warfare treaty.
Defining Cyber Warfare
Defining cyber warfare is an elusive exercise since any definition has to take into consideration national contexts. For instance: the 2016 United States War Manual defines cyber warfare may be understood to be operations that involve “[t]he employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.” It includes those operations that use computers to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. For example, it may include reconnaissance (e.g., mapping a network), seizure of supporting positions (e.g., securing access to key network systems or nodes), and pre-emplacement of capabilities or weapons (e.g., implanting cyber access tools or malicious code) (See US War Manual p.986). But this definition doesn’t specify the modus operandi whether such operations could be launched during international armed conflicts (IAC) or non-international armed conflicts (NIAC).
For Richard Clarke, cyber warfare refers to “actions bya nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.” Yet, this definition only embraces cyber wars during IAC not NIACs. A more nuanced sort of definition was provided in the 2019 ICRC Position Paper which reads:
“Cyber operations during armed conflicts is used to describe operations against a computer, a computer system or network, or another connected device, through a data stream, when used as means and methods of warfare in the context of an armed conflict.”
Conundrums in Applying the Existing IHL norms to cyber-warfare
The analogous application of IHL rules applicable to conventional means and methods of warfare to cyber warfare is questioned by some observers. In this regard, Michael Schmitt argues that there is no legal doubt that cyber operations launched during an armed conflict having nexus to that conflict must comply with IHL rules.
The existing IHL norms offer some guidance concerning obligations of States concerning the use of new technologies for warfare. Accordingly, when States study, acquire or adopt new means and methods of war (e.g. cyber operations); they need to assess the legality of their employment under the existing norms of IHL (see Article 36 of Additional Protocol I (AP I) to the 1949 Geneva Conventions). In 1996, the International Court of Justice (ICJ) set a compelling precedent in its advisory opinion on the legality of the threat of use of nuclear weapons (para 86). The Court held:
“…the established principles and rules of IHL applicable in armed conflict apply to all forms of warfare and to all kinds of weapons, including ‘those of the future…”
Likewise, the ICRC’s position paper (2019) further asserted the applicability of the existing IHL norms to cyber warfare. In the ICRC’s view, “there is no question that cyber operations during armed conflicts are regulated by IHL – just like any other weapon or means or methods of warfare used by a belligerent in a conflict, whether new or old.”
Given the unprecedented proliferation of new means and methods of warfare including cyber operations, however, the existing body of IHL should be overhauled to respond to growing concerns seen in cyberspace. This is because the existing body of IHL is not sufficiently crafted to address cyber warfare. In other words, with the exception of handful norms such as Article 36 AP I, there is no comprehensive treaty governing cyber warfare. To fill this normative gap, the International Group of Experts (IGE) proposed a very detailed soft law regarding the application of IHL in cyberspace called the Tallinn Manual 2.0.
Attempts towards a comprehensive treaty governing cyber warfare face numerous challenges. Unilateral declaration of States and international organisations regarding the application of the existing bodies of international(humanitarian) law to cyber operations may be a stumbling block in striking a separate treaty governing cyber warfare. For instance, the United States made its position clear that when a cyber operation constitutes an attack, then the law of war rules on conducting attacks must be applied to those cyber operations, and it must comply with the requirements of IHL such as distinction and proportionality. Simply put, IHL applies to cyber operations in war time, including the principles of precaution, humanity, military necessity, proportionality and distinction. (US War Manual 2016 p.1020). Other countries such as—Australia, France and the United Kingdom have also taken a similar stance.
Another challenge is the inevitable attitudinal and policy differences between major superpowers to strike cyber operations treaty. For instance, the United States has, for many years, been an opponent of creating an international treaty for cyber warfare. It has listed enforceability and accountability as two of its primary concerns. Many observers argue that America’s enduring hostility towards binding treaty is driven largely by its technological superiority in the realm of tactical cyber warfare ( See here and here). Instead, the United Stateshas suggested increasing national cyber-defence technology and increasing the cooperation between national law enforcement agencies.On the other hand, Russia has been an ardent supporter of an international treaty for cyber warfare. Beginning in 1998, Russia has been submitting requests to members of the United Nations to back its plan for a global cyber warfare treaty.
The use of cyber operations in an armed conflict poses a real risk of harm to civilians. For the protection of the civilian population and civilian infrastructure, it is critical to recognise that such operations do not occur in a legal vacuum. As such, until the international community negotiates and strikes a deal governing cyber operations, States should adhere to the existing bodies of IHL rules. I wish the adage “IHL treaties seen as one war behind reality” would be debunked in cyber context by negotiating and striking a treaty in advance. Finally, instead of making unilateral declarations, States should show a global commitment towards cyber operations—including striking a comprehensive international treaty governing the regime.