We all hear the word “cyberwar” every day, but few really understand its connotation. Are we really at war? If so, what rules govern our conduct and that of our adversary?
On my last day at FedScoop as an editorial intern, I decided to analyze cyberwarfare in the context of international law as well as share insight into the term garnered from leading scholars in the international law field.
By way of introduction, public international law can be separated into two distinct frameworks: lex generalis — peacetime law — and lex specialis — the law of war or armed conflict. During lex generalis, human rights law and domestic law govern. Hague law and Geneva law apply during wartime.
To say we are at war, and therefore argue we are operating under the body of law governing lex specialis, requires a determination that, in fact, there is an armed conflict — international or not. Armed conflict denotes a specific scope, intensity and organization of hostilities. This means acts of aggression must occur and occur with a relative frequency among groups with a certain degree of organization or command structure.
Terming cyberwar an armed conflict is difficult because the U.S. has not openly declared itself at war, which would render the law of armed combat applicable. With cyber war, determining the beginning of hostilities — the time at which the first civilian or protected person or location is affected by hostilities — is hard. Aggression occurring in cyberspace that causes injury, death or destruction is more easily termed hostile, but in the absence of such clear infringements on state sovereignty, it is difficult to amount these acts to armed conflict. Though cyberwar and the onslaught of cyberattacks on our infrastructure are economically deleterious, they may not meet the threshold required for a determination of hostilities.
If, however, it is determined cyberhostilities can be construed armed conflict, it is next necessary to establish whether the conflict is of an international or non-international character. International armed conflicts occur only between states, and the body of law governing such conflicts is robust. Non-international armed conflicts, conflicts not between states but between other armed groups not representing a state per se, have less codified law governing their conduct. Under this framework, one could argue we are in an international armed conflict with China. Thus, Geneva and Hague law are applicable.
As the war on terror established, it is possible to enter into an armed conflict with a transnational criminal organization that spans across many noncontiguous states. Without going into the political determinations affecting the decision to term such a conflict international or non-international, organized groups possessing command and control over cybercombatants could, theoretically, be engaging in armed conflict with the U.S. as well.
Individual hackers and cybercriminals acting under their own direction would then fall under the body of domestic and human rights law governing lex generalis.
In 2009, the NATO Cooperative Cyber Defence Center of Excellence asked a panel of international law experts to apply international law to a cyberbattlefield. On March 28 this year, the panel released the Tallinn Manual on the International Law Applicable to Cyber Warfare.
Though by no means binding, the document provides important guidelines that could later become codified law. Some of the key determinations presented in the document, as released by the Atlantic Council, are:
States cannot knowingly allow their cyberinfrastructure to be used adversely against other states.
Even when cyberoperations are not conducted by the security agencies of the state, the state may still be liable for these actions. The state is liable under international law for measures committed by individuals or groups acting under its direction.
The prohibition on the use of force in international law applies in full to cyberoperations. Despite lacking a clear threshold for determining when a cyberoperation is a use of force, the group of experts agreed, at a minimum, any cyberoperation that caused harm to individuals or damage to objects qualified as a use of force — cyberoperations causing only inconvenience do not qualify as a use of force.
During armed conflict, superior officers can be held criminally responsible for cyberoperations that constitute war crimes or for failing to prohibit such operations. A cyber operation against a civilian becomes a war crime if it injures the civilian or was likely to do so.
It is illegal to launch a cyberattack, not directed at a lawful target, which would indiscriminately cause damage to civilians and civilian objects or to launch an attack against objects indispensable to the survival of the civilian populations such as medical supplies, food stores or water treatment plants.