Modern warfare has become increasingly advanced, with cyberattacks providing a powerful and complex way to attack both offensively and defensively. While cyber operations have traditionally been thought of as an indirect means of warfare, cyberattacks have been used to physically maim and kill targets, and are expected to continue to do so. [1] As the threat of cyber use to cause physical damage increases, an interesting question arises regarding the principle of distinction in the law of armed conflict. The principle of distinction, calls for the differentiation between combatants and military objectives, and civilians and civilian objects, and is thought of as one of the most important, if not the most important principle in international humanitarian law. [2] The principle of distinction is now codified in Articles 48, 51(2) and 52(2) of Additional Protocol I, to which no reservations have been made. [3]
It is of utmost importance to abide by the principle of distinction, even in the realm of cyberspace. The law of targeting has not only safeguarded armed conflict formally and informally for centuries, but in the context of cyberspace, critically narrows the scope of attack, and limits unlawful harm and casualties. [4] Upholding the distinction requirement in cyberspace, however, poses some difficulties. Under the law of war, only combatants, civilians directly participating in hostilities, and civilians acting in a continuous combat function may be lawfully targeted. A straightforward example of a cyberattack that would comply with the principle of distinction would be a cyberattack that targets a military industrial control system, and is limited to combatants. In 2010, for example, the famous Stuxnet virus targeted Iranian uranium enrichment facilities, and infected but caused no damage to any other system than its intended military target. [5] This is an example of a real attack that presumably complied with the principle of distinction. However, the more obvious use of cyber attacks would not be so narrow, and would have a much broader impact. In 2007, in the first known cyberattack against a state actor, Estonia fell victim to a cyber attack that lasted nearly 22 days, believed by most to have been sanctioned by Russia. [6] The attacks were primarily in the form of distributed denial of service attacks, and resulted in temporary degradation or loss of service on many commercial and government servers. [7] While most of the attacks targeted non-critical services like public websites and e-mail, others concentrated on more critical targets, such as online banking and DNS. [8] The extent of damage caused by this attack was broad, impacting civilians as well as government and military actors, and was contrary to the principle of distinction.
Distinction in the law of armed conflict not only excludes deliberate attacks against civilians, but also indiscriminate attacks without any target. [9] This is a vital requirement to maintain in the field of cyberspace, as cyberattacks conducted indiscriminately can cause widespread harm. Because the law of armed conflict was formulated at a time when cyberattacks did not pose any real threat, the laws as written do not encompass the complex variation of cyberattacks, of which many risk undermining and/or disregarding the principle of distinction. This should not excuse cyberattacks from governance by traditional laws of war, and especially the principle of distinction. Cyberattacks actually have the capability to be as precise as necessary, and perhaps more accurate than human actors. Therefore, cyberattacks should be held to the standard of distinction, but a more thorough analysis of the principle and its application is necessary to understand the scope of such a standard.
Further discussions regarding this should evaluate whether traditional rules of war should apply to or are equipped to apply to cyber attacks and war. Other issues that the application of distinction to cyberspace present are the ability to hide the actor conducting the attack, and the ability to disrupt and cause harm without causing perhaps physical harm. [10] Currently, the only detailed application of the law of armed conflict and the laws of war are in the Tallin Manuals, written by a group of experts, and not by States. [11] It is therefore critical that the traditional principles of the law of armed conflict be thoroughly applied to cyberspace, using a variety of case studies and hypotheticals. A general understanding of unique and dynamic nature of cyber-attacks underscores the need for more discussions on the rules governing such attacks, and potentially, for a new body of law.
Footnotes
[1] Andrea Peterson, “Yes, terrorists could have hacked Dick Cheney’s heart,” Wash. Post (Oct. 21, 2013) https://www.washingtonpost.com/news/the-switch/wp/2013/10/21/yes-terrorists-could-have-hacked-dick-cheneys-heart/; Ryan Singel, “Industrial Control Systems Killed Once and Will Again, Experts Warn,” Wired (April 9, 2000) https://www.wired.com/2008/04/industrial-cont/
[2] Nuclear Weapons Legality, 1996 I.C.J. 226, P 257
[3], [9] Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, arts. 48, 51, 52, June 8, 1977, 1125 U.N.T.S. 3
[4] Elizabeth Mavropoulou, Targeting in the Cyber Domain: Legal Challenges Arising from the Application of the Principle of Distinction to Cyber Attacks, 4 J.L. & Cyber Warfare 23 (2015)
[5] Elen Nakashima & Joby Warrick, “Stuxnet was work of U.S. and Israeli experts, officials say,” Wash. Post (June 2, 2012)
[6]-[8] Damien McGuinness, “How a cyber attack transformed Estonia,” BBC News (Apr. 27, 2017)
[10] Emily Tamkin, “10 Years After the Landmark Attack on Estonia, Is the World Better Prepared for Cyber Threats?”, Foreign Pol. (Apr. 27, 2017)
[11] James E. McGhee, Cyber Redux: The Schmitt Analysis, Tallinn Manual and US Cyber Policy, 2 J.L. & Cyber Warfare 64 (2016)