SOMEONE ELSE’S WINDOWS: IHL and cyber warfare (Second of two parts)

MALAYBALAY CITY (MindaNews/21 August) – Yesterday, this column shared the transcript of an interview with Cordula Droege, a legal expert at the International Committee of the Red Cross. The interview tackles the applicability of the principles of International Humanitarian Law to situations of armed conflict where one or more parties may employ information technology as a method of warfare.

Below is the second and concluding part of the interview:

What is it about cyber space that makes it difficult to apply the rules of IHL?

The means and methods of cyber warfare are still incompletely understood, except presumably by the technical experts who develop and apply them. The development of new technologies is frequently classified. That being said, to determine whether and to what extent the means and methods of cyber warfare are qualitatively different from those of conventional warfare, the most important thing is to understand how the technology could be used and what effects it could have in armed conflict.

But one aspect of cyber space that would seem to pose difficulties is the anonymity of communications. In the cyber operations that occur on an everyday basis, anonymity is the rule rather than the exception. It appears to be impossible in some instances to trace their originator. Since all law is based on the allocation of responsibility (in IHL to a party to a conflict or to an individual), major difficulties arise. In particular, if the perpetrator of a given operation and thus the link of the operation to an armed conflict cannot be identified, it is extremely difficult to determine whether IHL is even applicable to the operation.

Another feature of cyber space is, of course, interconnectivity. The interconnections between computer systems – civilian and military – could make it difficult to apply even the most fundamental rules of IHL.

What rules of IHL are applicable to cyber operations? How can they be applied in the world of interconnectivity?

All IHL rules governing the conduct of hostilities are potentially applicable during armed conflict, but whether they are relevant in such a context, and how they could be applied, are real questions. Before giving some examples, it is important to recall that one of the main purposes of IHL is to protect the civilian population and civilian infrastructure from the effects of hostilities.

Let us consider some fundamental rules of IHL to illustrate not only their importance for cyber operations but also the difficult questions that their application to cyber space raises. These rules are related to the principles of distinction, proportionality and precaution.

The principle of distinction and the prohibition of indiscriminate and disproportionate attacks:

The principle of distinction requires that parties to a conflict distinguish at all times between civilians and combatants and between civilian objects and military objectives. Attacks may only be directed against combatants or military objectives. Indiscriminate attacks, that is, attacks which are not or cannot be directed at a specific military objective or whose effects cannot be limited as required by IHL, are prohibited. Similarly, attacks against military objectives or combatants are prohibited if they may be expected to cause incidental civilian casualties or damage which would be excessive in relation to the concrete and direct military advantage anticipated (so-called disproportionate attacks).

This means that, in planning and carrying out cyber operations, the only targets permissible under IHL are military objectives, such as computers or computer systems used in support of military infrastructure or of infrastructure used specifically for military purposes. It follows that attacks via cyber space may not be directed against, for example, computer systems used in medical facilities, schools, and other purely civilian installations. The issue of humanitarian concern in this respect is that cyber space is characterized by interconnectivity. It consists of innumerable interconnected computer systems across the world. Military computer systems appear to be often interconnected with commercial, civilian systems and to rely on them in whole or in part. Thus, it might well be impossible to launch a cyber attack on military infrastructure and limit the effects to just that military objective. For instance, the use of a worm that replicates itself and cannot be controlled, and might therefore cause considerable damage to civilian infrastructure, would be a violation of IHL.

Obligation to take precautions:

The party responsible for an attack must take measures, to the maximum extent feasible, to avoid or minimize incidental damage to civilian infrastructure or harm to civilians. This will require verifying the nature of the systems that are being attacked and the possible damage that might ensue from an attack. It also means that when it becomes apparent that an attack will cause excessive incidental civilian damage or casualties, it must be cancelled.

Also, parties to conflicts have an obligation to take necessary precautions against the effects of attacks. It would therefore be advisable for them, in order to protect the civilian population against incidental effects of attacks, to assess whether military computer systems are sufficiently separate from civilian ones. The reliance of military computer systems and connections on systems run by civilian contractors which are also used for civilian purposes could be a cause for concern.

On the other hand, information technology might also serve to limit incidental damage to civilians or civilian infrastructure. For instance, it might be less damaging to disrupt certain services used for military and civilian purposes than to destroy infrastructure completely. In such cases, the principle of precaution arguably imposes an obligation on States to choose the less harmful means to achieve their military aim.

What is the ICRC doing in relation to cyber warfare?

We need to bear in mind that the military potential and the humanitarian impact of cyber warfare – despite all the things we read about them in the media – are far from fully understood.

However, it is certainly possible that cyber operations could have disastrous consequences for civilians. That is why the ICRC monitors their development and reminds parties to conflicts of their obligations to comply with IHL. We are also paying close attention to a number of initiatives that aim to clarify the law applicable to cyber operations in armed conflict. Our aim is to reaffirm the applicability of IHL, to prevent any weakening of IHL caused by the development of new standards, and to remind those involved that in the world of interconnectivity the need to spare the civilian population is probably greater than ever.

(MindaViews is the opinion section of MindaNews. H. Marcos C. Mordeno can be reached at