International Agreements Guard Against Illegal Cyber Weapons
International humanitarian law (IHL) aims to protect civilians, prisoners of war and others not actively participating in hostilities. Legal and moral ramifications exist for every act of war violating this set of rules, including cyber warfare.
According to most mainstream interpretations of international agreements, a cyber attack against adversarial infrastructure creating disproportionate collateral damage could lead to criminal liability, reputational damage, civil liability and reciprocal retaliation.
“[Cyber] operations are regulated by international humanitarian law, just like any other means or methods of warfare is regulated by international humanitarian law,” said Jonathan Horowitz, legal advisor at the International Committee of the Red Cross (ICRC).
The Tallinn Manual is a cyber-IHL-specific body of work in which experts discuss various technical aspects of how this growing body of regulations should be interpreted and applied (see sidebar). This manual is nonbinding, and its aim is to inform the ongoing discussions toward comprehensive international agreements.
For now, what stands is IHL, also known as the law of war. Its aim is to mitigate the suffering caused through armed conflicts by guaranteeing that fundamental human rights are respected.
The rules of IHL are set out in treaties, including the Fourth Geneva Convention of 1949 and the two Additional Protocols of 1977. In addition to these treaties, customary international law also plays a role. Customary international law refers to unwritten rules and practices recognized by states as binding legal norms.
The overall goal of IHL is to balance the military necessity of armed conflicts with the protection of people who are not participating in hostilities. For centuries, two concepts behind the just use of violence have been discrimination and proportionality. The former identifies what a valid target is and what it is not, and the latter how much force should be applied to that target to avoid collateral damage.
At the international level, the enforcement of IHL is overseen by several bodies, including:
- The International Criminal Court, which is a permanent international entity. It can prosecute individuals responsible for these crimes, regardless of their nationality or where the crimes were committed.
- Ad hoc International Criminal Tribunals, established by the United Nations Security Council for prosecution during specific conflicts.
- National Courts, in which states have the primary responsibility to ensure that IHL is enforced within their territories.
In addition to legal enforcement mechanisms, the ICRC and other organizations monitor parties’ conduct and report violations of IHL to relevant authorities.
“When you’re talking about war crimes, that’s going to attach criminal liability, and in a lot of situations, states must investigate war crimes allegedly committed by their nationals or armed forces, or on their territory, and, if appropriate, prosecute the suspects,” Horowitz said, referencing a multiyear study into the rules of IHL. Horowitz also clarified in an interview with SIGNAL Media that there were different levels of violations below the war criminal sanction.
Since 2012, the United States has outlined its view of how IHL applies to cyber actions in speeches and declarations.
“We support targeted cybersecurity capacity building to ensure that all responsible states can implement this framework and better protect their networks from significant disruptive, destructive, or otherwise destabilizing cyber activity,” read a 2019 joint statement that the United States signed along with 27 other nations.
This declaration stressed that cyber conflict was a sphere of action where IHL fully applied. “We reiterate that human rights apply and must be respected and protected by states online, as well as offline, including when addressing cybersecurity,” the same statement said.
In a 2020 speech, Paul Ney, former general counsel of the U.S. Department of Defense, said, “It continues to be the view of the United States that existing international law applies to state conduct in cyberspace.” Countries around the world follow similar criteria.
Interestingly, many other actors are also concerned about regulating conflict, Microsoft among them. One of its top executives, Brad Smith, addressed the need for an international convention binding all actors to ground rules.
“Just as the Fourth Geneva Convention has long protected civilians in times of war, we now need a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace,” said Smith at the RSA Conference in 2017.
Also, the European Union has started to enforce international criminal law against malign actors.
In July 2020, the supranational organization imposed sanctions for the first time against individuals and organizations for a variety of cyber offenses. Two Chinese and four Russian individuals, together with organizations from China, North Korea and Russia, were listed as actors, supporters or facilitators of disruptive actions that harmed the union and other countries.
At the time, Josep Borrell, the union’s diplomatic chief, was quoted by the media as saying that these individuals and organizations would suffer “a travel ban and asset freeze to natural persons and an asset freeze to entities or bodies. It is also prohibited to directly or indirectly make funds available to listed individuals and entities or bodies.”
The issue is riddled with different views from states, with some taking opposing sides despite participating in the same military coalition. Not all NATO members see all topics the same way.
The major legal questions in cyber warfare have lingered for decades with military thinkers: “How do you determine what constitutes a military objective in cyberspace? How do you determine the application of the principle of proportionality in cyberspace? I think those are the two big debates that the ICRC has been striving to message in our own work, with states, with the public, with academics, with journalists,” Horowitz said.
On these debates, China has chosen the sidelines, according to Chinese scholars. The country has argued that regulating conflict in cyberspace would create further conflict in that realm, which would leave developing countries at a disadvantage vis-à-vis the developed world.
Still, the authors, who are independent from the ICRC, take a more cynical stance. “The existing negative attitude of the Chinese government on this issue (IHL and cyber warfare) may also be a delaying tactic in the process when China has not come up with a self-explanatory plan,” argued Wuhan Law researchers Zhixiong Huang and Yaohui Ying in a paper published by Cambridge University Press on behalf of the ICRC.
One of Huang and Ying’s contentions is that Chinese academics tend to see intangible data as not protected by international conflict law, thus leaving it in a legal limbo that would allow direct attacks or harvesting.
Views from Beijing and Moscow have coincided in cyber warfare regulation in recent years, adhering to similar principles and arguing against widening IHL’s application in the cyber domain.
In legal terms, Russia has conducted its cyber operations against Ukraine in much the same manner as it has directed its kinetic attacks: with little discrimination as to what is and is not a legitimate target.
Moscow attacked or attempted to disrupt banks, power companies, civilian communications networks and other networks not participating in hostilities at the outset of the invasion, according to various media and government reports. Effects were limited, even from a psychological point of view, but many international laws could have been violated, experts say. It will be a matter for further discussion which actions would constitute criminal offenses and who, if anyone, will face prosecution for acting against noncombatants.
Still, as regulatory frameworks start to take shape, there’s a basic principle that helps all cyber warriors: retroactivity. This principle prohibits prosecution for actions that were not criminal at the time they were carried out.
This basic legal standard helps all involved, including those in the Western world, stay free from liability as long as regulations are not widely adopted.
Manual Offers Cyber Operations Principles for Times of Conflict
The most prominent source of cyber conflict regulation comes from the Tallinn Manual. It is a guide that outlines the principles and rules of international law that apply to cyberspace. Named after the Estonian capital where the initial discussions were held, the manual was published by an independent group of legal experts in 2013.
The manual is not legally binding, but it is widely seen as a useful resource for governments, policymakers, legal professionals and others involved in cybersecurity issues. It provides guidance on a wide range of topics related to cybersecurity, including the definition of cyber warfare, the application of international humanitarian law to cyber operations and the attribution of cyber attacks.
The second edition of the Tallinn Manual, published in 2017, builds on the first and includes updated guidance on topics such as the law of state responsibility, the law of naval warfare and the law of neutrality.
Some of the basic principles in these publications specify:
- “[A] state must not conduct cyber operations that violate the sovereignty of another state.” This principle includes the operations between states using the territory of a third country.
- “A state must: (a) respect the international human rights of individuals; and (b) protect the human rights of individuals from abuse by third parties,” according to the manual.
- “Cyber countermeasures need not target the specific organ of the state that is violating international law as the state itself is the target,” stated the manual. Put another way, “a state can respond to a noncyber violation with a cyber countermeasure, and to a cyber violation with a noncyber countermeasure,” according to Eric Talbot Jensen, professor of law at Brigham Young University Law School and an academic who participated in the drafting of this document. In this respect, international law establishes a principle of proportionality, as with every hostile act.
- In terms of intelligence gathering, the manual allows governments to pursue those activities, tracing a relative parallelism to the stance of international law governing similar offline activities. “Although peacetime cyber espionage by states does not per se violate international law, the method by which it is carried out might do so.”
- For cyber warfare activities in space, despite debate around where exactly space starts, the manual distinguishes two areas: “(a) Cyber operations on the moon and other celestial bodies may be conducted only for peaceful purposes. (b) Cyber operations in outer space are subject to international law limitations on the use of force.” This means that “the experts [working on this manual] concluded as a result of this rule that offensive cyber capabilities could not be placed on the moon, whereas no similar prohibition exists for outer space more generally,” Talbot Jensen said. Similarly, other nonstate organizations conducting activities in space are subject to the regulations of their state of origin and are also bound by the international rules that state observes.
These manuals also describe the aspects where different experts have opposing views, and this debate is ongoing. In 2021, work to draft the third version of the manual was launched, and an update is expected before 2027.