International humanitarian law and cyber warfare: Old laws vs. new phenomena

By Jordan Hawthorne

War. A term which traditionally conjures images of uniformed armies, guns, bombs, and other forms of conventional military warfare. Yet the 21st century has seen the rise of a new form of war, one divorced from these traditional methods and means: ‘cyber warfare’.

‘Cyber warfare’ refers to war that is waged not through military hostilities on the ground, but through virtual means and methods, within the domain of ‘cyberspace’. Despite its unconventional nature, the international legal community agrees that international humanitarian law (‘IHL’) can apply to cyber warfare, provided that attacks are committed within the context of an armed conflict (see the Tallinn Manual). However, the question of how to transpose and apply IHL rules to this modern phenomenon remains problematic.

One of the greatest challenges arising in the context of a cyber attack is the application of the principle of distinction. The principle of distinction is a cornerstone of IHL, one which requires that parties to a conflict differentiate between civilians/civilian objects, and combatants/military objectives at all times (the latter being legitimate targets in an armed attack, while the former cannot be attacked under any circumstances). Making such a distinction in cyberspace is, however, fraught with difficulty, due to characteristics of the forum, such as its interconnectivity. Cyberspace is a complex network of countless interconnected computer systems spanning the globe. Civilian and military computer systems therefore may be, and often are, intertwined (with the latter sometimes even relying on the former). As a result, it is incredibly difficult to identify ‘legitimate’ targets, and to limit the effects of an attack to a pure military objective.

Another issue is the fundamental assumption in IHL that parties to an armed conflict are known and identifiable. In cyberspace, this is rarely the case; attackers are frequently anonymous. As such, in a web of hundreds of thousands of communications systems, trying to identify parties behind an attack is like looking for the proverbial needle in a haystack. This raises a whole range of issues for IHL, which relies on attributing an attack to either a party to the conflict or an individual. For example, if the perpetrator(s) of a cyber attack cannot be identified, then the link between that cyber attack and a situation of armed conflict is extremely difficult to establish, raising the question of whether IHL even applies to the cyber attack to begin with (Droege, 2012). Further, the inability to identify perpetrators inevitably renders prosecution and punishment virtually impossible, fostering an expectation of impunity.

But why does it matter? Surely the damage caused by a cyber attack cannot be as devastating as that arising from physical armed attacks?

In fact, it can. The real and potential humanitarian effects of cyber warfare are extremely damaging. Cyber attacks can cause mass confusion, chaos and disruption, bringing daily life to a halt. For example, in Estonia in 2007, cyber attacks shut down ATMs, online banking services and news broadcasters, and prevented government employees from communicating with one another. More recently in Ukraine, a cyber attack disrupted the country’s national bank, state power company, largest airport, postal service and more. The International Committee of the Red Cross anticipates even more serious effects; for example, where State networks are blocked or tampered with, civilians may be deprived of water, medical care and electricity. Such effects have already been seen, as a result of the 'Ransomware' cyber attack on 12 May this year. This attack caused major disruption to the UK’s National Healthcare System, resulting in massive delays, the turning away of patients, the diversion of ambulances and more.

So what can we do?

IHL is old. It stems from the horrors of the battle that Henry Dunant witnessed at Solferino in 1859. The reality we now face is different: war is not always waged on the ground; it can be waged from behind a keyboard, and launched at the touch of a button.

The use of cyber warfare is likely to continue, and to become increasingly sophisticated. We must therefore ask ourselves whether IHL, in its current form, is robust and flexible enough to protect civilians from its effects. Can the hurdles outlined above (and many other issues not discussed here) be overcome? If not, steps must be taken to develop new rules to ensure that this form of warfare is regulated, and that civilians are protected.