
Protection of civilians in the era of cyber warfare: a critical analysis of International Humanitarian Law  Towards a treaty restricting the use of cyber weapons 


Academic year: 2021


Clara Mathonet

Student number: 12588296

clara.mathonet@hotmail.com

Supervisor: Professor Liesbeth Zegveld

Master Track: Public International Law

Table of Contents

Abstract
Abbreviations
Introduction
1. Definitions of the necessary concepts related to cyber warfare
   A. What is a ‘cyber weapon’ under International Humanitarian Law?
   B. What is an ‘attack’ in cyberspace?
   C. What is an ‘armed conflict’ in cyberspace?
      a. Cyber armed conflicts as International armed conflicts
      b. Cyber armed conflicts as Non-international armed conflicts
2. Attribution of conduct in cyberspace
3. The legality of cyber operations with regard to International Humanitarian Law
   A. Principle of distinction
      a. The distinction between civilians and combatants in cyberspace: the issue of direct participation in the hostilities
      b. The distinction between civilian objects and military objectives in cyberspace: the issue of ‘dual use’ cyber infrastructures
   B. Principle of proportionality
      a. Threshold of ‘damage to civilian objects’
      b. Indirect effects
   C. Principle of precaution
      a. Precautions in attack
      b. Precautions against the effects of attacks
4. Cyber weapons review under Article 36 AP I – towards an absolute ban?
   A. General prohibitions under International Humanitarian law
      a. Prohibition of indiscriminate weapons
      b. Prohibition of perfidy
   B. Comparison with existing prohibited weapons – the ban on biological and chemical weapons
Conclusion

Abstract

The use of cyber operations is an increasing reality in contemporary armed conflicts. Conventional warfare, such as sending soldiers into trenches or dropping bombs, is no longer necessary since war can now be held online. Indeed, technology plays an important role in our daily life and, consequently, new means and methods of warfare have emerged. States and non-State actors have started to use cyber-attacks as a new way of conducting hostilities. It is therefore crucial to find an agreement on a legal framework which would regulate cyber operations. Without an adequate legal framework, there would be a legal vacuum in international law, leaving civilians and civilian infrastructures without sufficient protection. It is now generally accepted that international humanitarian law applies to cyber operations. However, the potential human costs of cyber operations and the way international law should evolve to deal with the challenges of cyber warfare and minimize the risks to civilians and civilian objects are currently at the centre of debate. Indeed, how the existing rules of IHL apply in cyberspace and whether these rules are adequate and sufficient remains uncertain and is currently under discussion.

This paper will critically analyse the weaknesses of existing international humanitarian law by highlighting the issues that may arise by applying by analogy the law as it exists today. Indeed, the dual-use nature of cyber infrastructures and the unpredictable nature of cyber operations make it difficult to assert how international law will work out in the cyber realm. Therefore, this paper argues that the principles of international humanitarian law need to be adapted in order to tackle the new challenges cyber operations pose to civilians and civilian infrastructures. Moreover, it will suggest some solutions to the issues underlined in the different chapters. Additionally, the paper emphasizes the obligation to reach an international binding agreement, namely a cyber treaty, which would restrict the use of cyber weapons.

Abbreviations

AP Additional Protocol

DPH Direct Participation in the Hostilities

IAC International Armed Conflict

ICJ International Court of Justice

ICRC International Committee of the Red Cross

ICTY International Criminal Tribunal for the former Yugoslavia

IHL International Humanitarian Law

IGE International Group of Experts

NIAC Non-International Armed Conflict

Introduction

The use of cyber operations is an increasing reality in contemporary armed conflicts. Conventional warfare, such as sending soldiers into trenches or dropping bombs, is no longer necessary since war can now be held online. Indeed, technology plays an important role in our daily life and, consequently new means and methods of warfare have emerged. States and non-State actors have started to use cyber-attacks as a new way of conducting hostilities. The most well-known and controversial cyber weapon is the so-called Stuxnet virus.1 This attack was launched in 2010 against the Iranian nuclear enrichment facility at Natanz, which destroyed nuclear centrifuges. Another reported cyber-attack in 2017 is the WannaCry attack: it affected thousands of civilian infrastructures in over a hundred nations.2 Thus, it is crucial to find an agreement on a legal framework, namely a cyber treaty, which would regulate cyber operations. Without an adequate legal framework, there would be a legal vacuum in international law, leaving civilians and civilian infrastructures without sufficient protection.

In recent years, the potential human costs of cyber operations and the way international law should evolve to deal with the challenges of cyber warfare and minimize the risks to civilians and civilian objects have been at the centre of discussion. According to the UN Secretary-General, cyber warfare presents ‘new and unique challenges’.3 Thus, this paper seeks to understand the interaction between IHL and cyber warfare. It will critically analyse the applicability of the existing law to cyber operations. Indeed, according to the ICJ, established principles and rules of IHL applicable in armed conflict apply ‘to all forms of warfare and to all kinds of weapons’, including ‘those of the future’.4 It is now generally accepted that IHL applies to cyber operations. However, how the existing rules of IHL apply in cyberspace and whether these rules are adequate and sufficient remains uncertain and is currently the subject of debate.5

The scope of this paper is limited to jus in bello and will not address questions relating to the legal framework applicable to cyber operations outside the context of armed conflicts.

1 David Wallace, ‘Cyber Weapon Review under International Humanitarian Law: a critical analysis’ (2018) Tallinn Paper No. 11, 5.

2 Zen Chang, 'Cyberwarfare and International Humanitarian Law' (2017) 9 Creighton Int'l & Comp LJ 29, 29.

3 Report of the Secretary-General, ‘Developments in the field of information and telecommunications in the Context of International Security’ (2011) UN Doc A/66/152, 19.

4 Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion), International Court of Justice (ICJ), 8 July 1996, para. 86.

5 ICRC, ‘Principles of IHL (distinction, proportionality) have direct bearing on cyber operations’ (2020) <https://www.icrc.org/en/document/principles-international-humanitarian-law-distinction-proportionality-have-direct-bearing> accessed 15 May 2020.

Therefore, the analysis will be restricted to the four Geneva Conventions and their first two Additional Protocols of 1977 and The Hague Conventions of 1899 and 1907. A majority of these provisions reflects customary international law.6 Moreover, the Tallinn Manual 2.07, written by a group of international experts under the auspices of the NATO Cooperative Cyber Defence of Excellence, albeit soft law, will also help throughout this paper.

The paper is divided into four chapters. The first chapter will clarify how we can define some essential concepts in cyberspace, namely cyber weapons, cyber-attacks and cyber armed conflicts, whether international or non-international armed conflicts. The next chapter will discuss the difficulties related to the attribution of conduct in the cyber realm. Chapter 3 will analyse how the core principles of IHL, namely the principles of distinction, proportionality and precaution, should be applied and will highlight the issues that arise when applying IHL as it exists today. Finally, Chapter 4 will examine the obligation under Article 36 of Additional Protocol I to hold a cyber weapon review, including the examination of the prohibition of indiscriminate weapons and the prohibition of perfidy. Additionally, a section will be devoted to the comparison with the ban on biological and chemical weapons, in order to analyse whether cyber weapons should be prohibited in a similar way. Thus, this paper will critically analyse the weaknesses of IHL and will suggest some solutions to the issues underlined in the different chapters.

6 Marco Roscini, Cyber Operations and the use of force in International Law (OUP 2014), 117.

7 Tallinn Manual 2.0 on the International Law applicable to Cyber Operations (Michael Schmitt ed., 2017) [from


1. Definitions of the necessary concepts related to cyber warfare

Before analysing how International Humanitarian Law responds to cyber operations occurring during armed conflicts, it is fundamental to clarify some concepts. Thus, defining cyber weapons, cyber-attacks and cyber armed conflicts, whether international or non-international armed conflicts, is the necessary first step before turning to the legality or illegality of the different aspects of cyber warfare.

Indeed, defining correctly these notions is particularly important because it triggers the application of IHL, and therefore provides protection to different actors, whether they are involved in the conflict or whether they cannot be attacked. Otherwise, it would result in a legal vacuum where the civilian population is left without adequate protection during the conflict. This would defeat the primary purpose of IHL, which is specifically the protection of civilians. However, the first complication of a treaty is precisely to find an agreement on the scope of the treaty, as well as on clear and precise definitions.

A. What is a ‘cyber weapon’ under International Humanitarian Law?

Currently, there is no international consensus on the definition of a cyber weapon. Indeed, there is only a definition of the generic concept of a weapon, without a clear and unanimous definition of cyber weapons.8

The starting point of any discussion about the conduct of hostilities in an armed conflict is the notion of ‘means and methods of warfare’. Means of warfare consist of all the weapons or weapons systems used during hostilities, while methods of warfare consist of the tactics, techniques and procedures that are used.9 The Manual on the Law of Air and Missile Warfare defines a ‘weapon’ as ‘a means of warfare used in combat operations, including a gun, missile, bomb or other munitions, that is capable of causing either (i) injury to, or death of, persons; or (ii) damage to, or destruction of, objects’.10 Conventionally understood, weapons are, for instance, bombs, rockets or bullets.11 However, a weapon does not need to be kinetic, it might take multiple forms, such as gases, chemical or biological agents.12 Thus, it can be equally applied to cyber warfare.

8 Stefano Mele, ‘Legal considerations on Cyber-Weapons and their definition’ (2014) 3 JLCW 1, 55.

9 William H. Boothby, ‘Methods and means of Cyber Warfare’ (2013) 89 Int’L L.Stud.387, 387

10 Ibid 388.

Scholars and experts attempted to provide definitions of cyber weapons. First, the commentary to rule 103 of the Tallinn Manual 2.0 defines cyber weapons as ‘cyber means of warfare that are used, designed, or intended to be used to cause injury to, or death of, persons or damage to, or destruction of, objects, that is, that result in the consequences required for qualification of a cyber operation as an attack.’13 However, this definition requires physical consequences, it does not include cyber tools only causing loss of functionality.14 William Boothby also describes it narrowly as ‘any computer equipment or computer device that is designed, intended or used, in order to have violent consequences, that is, to cause death or injury to persons or damage or destruction of objects’.15

A broader definition of a cyber weapon has been proposed by Thomas Rid and Peter Mc Burney who consider such weapon as a computer code that is ‘used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, systems, or living beings’.16 This is in line with the definition provided by the United States Air Force in its regulation on the Legal Reviews of Weapons and Cyber Capabilities which defines weapons as ‘devices designed to kill, injure, disable or temporarily incapacitate people, or destroy, damage or temporarily incapacitate property or material’.17 However, it is important to stress that cyber-crimes that do not reach the level of acts of warfare, as well as cyber-espionage activities are not cyber-weapons and must therefore be separated from this notion.18

Some observations can be made in light of the above definitions. First, cyber weapons can generate different effects. The primary effects consist of deletion, corruption, disruption or alteration of data of a computer network.19 The secondary impacts consist of the destruction or incapacitation of the cyber infrastructure.20 Lastly, the tertiary effects concern the persons affected by the secondary impacts.21 For instance, people affected by a cyber operation directed against a power plant.22 Unlike with physical weapons, physical damage to property, loss of life and injury to persons are never the primary effects of a cyber operation.23

12 Ibid 388.

13 Tallinn Manual 2.0, rule 103 para. 2.

14 Roscini (n6) 169.

15 William H. Boothby, ‘Methods and means of Cyber Warfare’ (n9), 389.

16 Thomas Rid, Peter Mc Burney, ‘Cyber weapons’ (2012) 157 RUSI Journal 1, 7.

17 Wallace (n1) 15.

18 Mele (n8) 56.

19 Ibid 17.

20 Ibid.

Thus, at the current state of law, experts and scholars still do not agree on the definition of cyber weapons, which is crucial for the application of IHL. Since loss of life or injury are less likely to happen, a broader definition, including not only physical damage, but also loss of functionality, is the most logical and appropriate way of defining cyber weapons. In this way, by including also weapons causing temporary loss of functionality without destruction, we ensure that IHL is applicable and can fulfil its protective function. However, it is better not to extend the definition too much, leaving aside cyber-crimes that do not reach the level of acts of warfare and cyber-espionage. Indeed, an overly broad scope would generate enforcement difficulties, leaving civilians and civilian infrastructures unprotected.

B. What is an ‘attack’ in cyberspace?

Defining the notion of attack is necessary because most of the rules dealing with the conduct of hostilities refer to this term.24 For example, Article 52 of the first Additional Protocol prohibits attacks on civilian objects.25 If the cyber operation is not qualified as an attack, many rules of IHL do not apply. However, it should not be confused with the notion of armed attack used in the jus ad bellum context, which is the condition for a State to act in self-defence.26

The term ‘attack’ is defined in Article 49 (1) of the first Additional Protocol as ‘acts of violence against the adversary, whether in offence or in defence’. The commentary to the HPCR Manual on Air and Missile Warfare considers that it also covers non-kinetic attacks (i.e. attacks that do not involve the physical transfer of energy) that result in death, injury, damage or destruction of persons or objects.27

21 Ibid.

22 Ibid.

23 Roscini (n6) 53.

24 Michael N. Schmitt, ‘Peacetime Cyber Responses and Wartime Cyber Operations under International Law: An analytical vade mecum’ (2017) 8 Harvard National Security Journal, 265.

25 See Rules 92, 94 and 99 of the Tallinn Manual 2.0.

26 Schmitt, ‘Peacetime Cyber Responses’ (n24) 266.

27 Roscini (n6) 170.

In the cyber domain, Rule 92 of the Tallinn Manual 2.0 defines a ‘cyber-attack’ as ‘a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects’. Therefore, there is a consensus among IHL experts and scholars that if a cyber operation causes or is likely to cause loss of life, injury to persons or more than minimal material damage to property, it is qualified as an ‘attack’. However, a number of scholars argued that it would be more accurate to include certain disruptive cyber operations in the definition of ‘cyber attacks’. They take a broader approach, including not only attacks that result in physical damage or injury, but also some non-destructive operations.28 The definition would thus also cover loss of functionality without causing permanent damage.29 A majority of the International Group of Experts also took this position: cyber operations that render cyber infrastructure inoperative or that require important repair fall within the definition.30 Nonetheless, there is still a debate about it.

Thus, as it has been argued for the definition of cyber weapons, the threshold required for a cyber operation to reach the level of a cyber ‘attack’ should not be too high and should include, not only attacks causing physical damage, but also the loss of functionality not causing permanent damage. In this way, most cyber operations will be considered as an attack and thus, it will trigger the application of IHL rules, providing a broad protection to civilians.

It is important to stress, however, that under certain circumstances, cyber operations that do not qualify as ‘attacks’ may still be unlawful or subject to limitations when there is a special protection under IHL.31 For example, medical, religious or humanitarian assistance can never be targeted.

C. What is an ‘armed conflict’ in cyberspace?

In order to apply IHL, the operation must be conducted in the context of an ‘armed conflict’. However, there is no precise definition of an armed conflict in the legal framework of IHL. Common Article 2 of the Geneva Conventions provides that the Conventions become applicable ‘to all cases of declared war or of any other armed conflict which may arise between two or more parties’. The ICTY highlighted, in the Tadic case, that there is an armed conflict “whenever there is a resort to armed force between States or protracted armed violence between governmental authorities and organized armed groups or between such groups within a State”32. Thus, there must be a recourse to armed force in order to trigger the application of IHL.

28 Dieter Fleck, ‘Searching for International Rules Applicable to Cyber Warfare—A Critical First Assessment of the New Tallinn Manual’, Journal of Conflict and Security Law 18 (2013), 341.

29 Paul A.L Ducheine, ‘Military Cyber Operations’ in Terry D Gill and Dieter Fleck (eds), The Handbook of the International Law of Military Operations (OUP 2017), 475.

30 Schmitt, ‘Peacetime Cyber Responses’ (n24) 266.

31 Ibid 267.

Nonetheless, not every use of force amounts to an armed conflict. Indeed, sporadic, isolated or short-term incidents are not considered to reach the threshold of an armed conflict.33 When it does not so qualify, other legal regimes, such as international human rights law or law enforcement mechanisms, govern cyber operations.34 It is important to stress that international human rights law does not cease to exist during armed conflicts; it applies both in peacetime and during an armed conflict. However, States may derogate from certain rights in time of public emergency which threatens the life of the nation, for example an armed conflict.35 Nevertheless, in situations regulated by the two bodies of law, priority is given to the more specific norm on the basis of the lex specialis derogat legi generali principle.36 Thus, IHL will often prevail over Human Rights during armed conflicts because it has been specifically developed to regulate the conduct of hostilities.37

It is generally accepted that IHL rules apply to cyber operations occurring during armed conflicts. Indeed, according to the ICJ in its Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons, the Court confirmed that the principles and rules of IHL applicable in armed conflicts apply ‘to all forms of warfare and to all kinds of weapons’, including ‘those of the future’.38 Thus, it certainly applies to cyber operations launched during the conduct of hostilities.

32 The Prosecutor v. Dusko Tadic (Decision on the Defence Motion on Jurisdiction), IT-94-1, International Criminal Tribunal for the former Yugoslavia (ICTY), 2 October 1995, para 70.

33 Mateusz Piatkowski, 'The Definition of the Armed Conflict in the Conditions of Cyber Warfare' (2017) 46 Polish Pol Sci YB 271, 276.

34 Schmitt, ‘Peacetime Cyber Responses’ (n24) 261.

35 Jann K. Kleffner, ‘Human Rights and International Humanitarian Law’ in Terry D Gill and Dieter Fleck (eds), The Handbook of the International Law of Military Operations (OUP 2017), 53.

36 D. Fleck (ed.), The Handbook of International Humanitarian Law, (3rd ed., OUP 2013), 72.

37 Ibid 74.

38 ICRC, ‘International Humanitarian Law and Cyber operations during armed conflicts’ (2019) <https://www.icrc.org/en/document/international-humanitarian-law-and-cyber-operations-during-armed-conflicts> accessed 10 January 2002, 4.

Furthermore, the International Group of Experts agreed that when cyber operations are conducted in the context of an ongoing armed conflict and with a nexus to it, they are governed by the same IHL rules as that conflict.39 However, cyber operations may also be carried out outside the context of an armed conflict and are therefore harder to qualify.

There are two types of armed conflicts, namely International armed conflicts (IAC) and non-international armed conflicts (NIAC). The correct qualification of the conflict is fundamental to determine the applicable rules of IHL. However, as we will demonstrate in the next section, difficulties arise by applying by analogy the criteria to qualify the conflict, which have been developed for conventional warfare, to cyber warfare.

a. Cyber armed conflicts as International armed conflicts

The generally accepted criteria to qualify a conflict as an IAC are derived from Common Article 2 (1) of the Geneva Conventions, which states that the Convention applies ‘to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties, even if the state of war is not recognized by one of them’. This provision reflects customary international law.40 Moreover, as defined in the Tadic case, there must be ‘a resort to armed forces between States’. Thus, from the first shot fired (as argued by Pictet in his ‘first shot theory’), IHL rules are applicable.41

According to Rule 82 of the Tallinn Manual 2.0, ‘an international armed conflict exists whenever there are hostilities which may include or be limited to cyber operations, between two or more States’. The decision taken by the IGE to refer to the term ‘hostilities’ rather than the expression ‘resort to armed forces’ used to qualify traditional IAC alleviates the difficulty of interpreting an international cyber armed conflict. Indeed, having to prove the ‘use of armed forces’ in cyberspace is completely inadequate and hardly conceivable.

A majority of scholars argue that if the cyber operation is attributable to a State, and if it has the same effects as a kinetic attack, it would reach the threshold of an armed conflict.42 However, it is problematic to compare cyber operations with kinetic attacks because, as explained above, the damage caused by cyber weapons is not necessarily similar to the damage caused by traditional weapons. Therefore, the qualification of the conflict as an IAC should be interpreted independently, without any comparison with kinetic weapons. Whether the resort to armed force needs to reach a minimum threshold of intensity is controversial and the Tadic case leaves the question open. Indeed, on the one hand, some scholars argue that the hostilities must reach a certain level of intensity, in order to qualify the conflict as an IAC. According to them, there must be more than a sporadic or isolated event.43 Below this threshold, the situation would be qualified as internal disturbances and tensions.44 On the other hand, in the Mucic case, the ICTY found that ‘the existence of armed force between States is sufficient of itself to trigger the application of international humanitarian law’.45 Thus, the tribunal considered that there is no required intensity level for an IAC. Moreover, according to the ICRC, there is no requirement of a minimum level of intensity for an IAC, as established in the Commentary to Common Article 2 and to Article 1 of AP I.

39 Tallinn Manual 2.0, Commentaries to Rule 80, 376.

40 Roscini (n6) 119.

41 Chang (n2) 31.

42 Ibid 31-32.

Accordingly, the purpose of Common Article 2 being to extend the protection of victims of war as widely as possible46, there should not be a minimum threshold of violence for the existence of an IAC because otherwise IHL rules would not apply, leaving a gap of protection in international law.

b. Cyber armed conflicts as Non-international armed conflicts

The first provision which recognizes the existence of a NIAC is Common Article 3 of the 1949 Geneva Conventions (‘in the case of armed conflict not of an international character occurring in the territory of one of the High Contracting Parties’). However, this article gives no indication of what is meant by ‘armed conflict not of an international character’. For the ICTY, in the Tadic case, a NIAC exists ‘whenever there is…protracted armed violence between governmental authorities and organised armed groups or between such groups within a State’.47 The expression ‘protracted’ means that the violence must reach a certain intensity. Therefore, contrary to IAC, there are two different requirements in order to qualify the conflict as a NIAC: a minimum level of intensity and the parties involved must show a minimum of organisation. Indeed, Rule 83 of the Tallinn Manual 2.0 reproduces the definition of the Tadic case and requires the same elements.

43 Roscini (n6) 133.

44 Ibid.

45 Prosecutor v Mucić (Judgment), IT–96–21–T, International Criminal Tribunal for the former Yugoslavia (ICTY), 16 November 1998, para 184.

46 Roscini (n6) 134.

Firstly, in order to reach the minimum level of intensity, the ICTY suggested indicative factors: ‘number, duration and intensity of individual confrontations; the type of weapons and other military equipment used; the number and calibre of munitions fired; the number of persons and type of forces partaking in the fighting; the number of casualties; the extent of material destruction; and the number of civilians fleeing combat zones. The involvement of the UN Security Council may also be a reflection of the intensity of a conflict.’48 Therefore, based on this intensity requirement, cyber operations conducted in the context of and in relation to an existing non-international armed conflict are without a doubt governed by IHL. However, it is only under exceptional circumstances that cyber operations alone will trigger a NIAC.49

Secondly, a minimum of organisation within the groups participating in the conflict is required. For state armed forces, this requirement is presumed to be fulfilled. Regarding the other armed groups, however, the ICTY relied on multiple indicative factors, which are neither exhaustive, nor cumulative: the existence of a command structure and disciplinary rules and mechanisms within the group; the existence of a headquarters; the fact that the group controls a certain territory; the ability of the group to gain access to weapons, other military equipment, recruits and military training; its ability to plan, coordinate and carry out military operations, including troop movements and logistics; its ability to define a unified military strategy and use military tactics; and its ability to speak with one voice and negotiate and conclude agreements such as cease-fire or peace accords.50

Common Article 3 is complemented by Article 1 of the Additional Protocol II. In order to apply this Additional Protocol, the armed conflict must meet several requirements: (1) it must not be covered by Article 1 of the first Additional Protocol; (2) it must take place in the territory of a High Contracting Party; (3) it must be between the government's armed forces and dissident armed forces or other organized armed groups; (4) the opposition group must be under responsible command; (5) ‘exercise such control over a part of its territory as to enable them to carry out sustained and concerted military operations and to implement this Protocol’; (6) it does not apply to ‘situations of internal disturbances and tensions, such as riots, isolated and sporadic acts of violence and other acts of a similar nature’.51 Thus, this scope is narrower than the one of Common Article 3 and would only apply to NIAC with a very high threshold. Common Article 3 therefore remains applicable to lower threshold conflicts, to NIAC not involving governmental forces and also as a minimum standard to conflicts falling under the scope of Additional Protocol II. However, it is doubtful whether an armed group that exists only online would ever be able to impose discipline and obtain territorial control with cyber operations alone.52

48 Prosecutor v. Haradinaj (Judgment), IT-04-84-T, International Criminal Tribunal for the former Yugoslavia (ICTY), 3 April 2008, para.49.

49 Tallinn Manual 2.0, Commentaries to Rule 83, 388.

50 Prosecutor v. Haradinaj (n48) para.60.

In conclusion, it is uncontroversial that IHL applies to cyber operations that are conducted in the context of an ongoing IAC or NIAC. Nonetheless, for standalone cyber operations, it is not excluded in theory, but some difficulties remain. Indeed, the requirements developed by the case law to qualify the conflict as an IAC or a NIAC are quite high and implemented in relation to kinetic operations, which are not suitable for cyber operations. Therefore, it is crucial to adapt those criteria to cyberspace.

In particular, the criteria to qualify the conflict as a NIAC must be completely revised. Indeed, the conditions developed by the ICTY, especially regarding the requirement of a minimum of organization within the groups participating in the hostilities, such as the existence of a command structure and disciplinary rules, as well as the conditions of Article 1 of AP II (e.g. exercising control over a territory) are completely inappropriate in cyberspace. Moreover, the threshold being too high, it leads to the conclusion that standalone cyber operations will never be able to qualify as a NIAC. Once again, it would result in a legal vacuum, leaving civilians without protection during conflicts. However, the lack of state practice regarding cyber operations generates the obligation to set fixed criteria specifically adapted to cyberspace in the cyber treaty.

51 Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of Non-International Armed Conflicts (Protocol II), 8 June 1977, Art 1.

2. Attribution of conduct in cyberspace

The attribution criterion is a central issue regarding the protection of civilians. Indeed, if we do not know the origin of the attack and therefore cannot attribute the attack to a State or a non-State actor, more and more cyber-attacks will be committed since nobody will be held responsible. Thus, it might potentially endanger the civilian population.

Two distinctions must be made: on the one hand, the identification of the source, which is a technical matter, and on the other hand, the legal exercise of attributing the conduct to a State or a non-State actor.53

The identification issue is not new, but it is even more problematic in cyberspace, where anonymity prevails, making it very difficult to assert who is behind the cyber-attack. Assuming that the author is identified, the actions must still be attributed with ‘reasonable certainty’ to a State, under the ILC Articles on the Responsibility of States.54 However, cyber operations that originate from systems located in a certain State, without proof of any State involvement, are not attributed to the State itself.55

To attribute the conduct of a cyber operation launched by private groups or hackers to the State, the legal rules are also set out in the ILC Articles on Responsibility of States, Chapter II. A particularly important provision is Article 8, which attributes the conduct of a person or group of persons to the State if ‘it is in fact acting under the instructions of, or under the direction or control of that State’. To clarify the meaning of ‘direction or control’, two different tests are used by international courts and tribunals. On the one hand, the ICJ requires the effective control of the State over the specific operation carried out by the private entity.56 On the other hand, the ICTY argued that ‘overall control’ over the organised group was sufficient.57 This latter control test is actually not a matter of attribution, but is helpful for the qualification of the conflict, whether the NIAC can actually be qualified as international in nature.58 In any case, mere support for a group of non-State actors does not suffice to ‘internationalise’ the conflict.59

53 Marco Roscini, ‘To what degree do the difficulties in tracing the author of the attack and assessing the extent of the effects remain a challenge for addressing the legal issues raised by cyber weapons?’ (2016) <http://iihl.org/wp-content/uploads/2019/03/Weapons-and-international-rule-of-law_Sanremo-Round-Table-2016-3.pdf> accessed 6 June 2020, 230.

54 ‘Draft articles on Responsibility of States for Internationally Wrongful Acts, with commentaries’ (2001) <https://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf> accessed 27 March 2020.

55 Roscini (n6) 40.

56 Case concerning Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America) (Merits), International Court of Justice (ICJ), 27 June 1986, General List No.70, para. 115.

57 The Prosecutor v. Dusko Tadic (Judgment), IT-94-1, International Criminal Tribunal for the former

Attribution of conduct is essential to guarantee that actors who violate international law, including IHL, are held accountable. Otherwise, it would encourage States or non-State actors to launch more cyber-attacks, since they will have little chance of being identified, leading to impunity. However, it is not prima facie a problem of applying the rules of attribution, but rather a problem of finding sufficient evidence to attribute the conduct in cyberspace, where anonymity prevails.60 Moreover, it will also depend on how the international courts and tribunals will interpret the Articles on State responsibility regarding cyber operations in the future.

Therefore, it is fundamental that the international binding agreement, namely the cyber treaty, defines the necessary evidence to prove that a specific attack can be attributed to a State or a non-State actor. Without sufficient clarity on these elements, the treaty would be ineffective since it would not be enforceable, generating once again a lack of protection, especially for civilians.

3. The legality of cyber operations with regard to International Humanitarian Law

After defining the necessary concepts in relation to cyber warfare, the next step is to turn to the legality of cyber operations with regard to the core principles of IHL. These are the principles of distinction, proportionality and precaution.

According to the ICRC, there is no doubt that IHL applies to cyber operations.61 However, the law of armed conflict raises many issues in the cyber realm, and therefore, scholars and experts are divided on how IHL should apply. Indeed, the ‘interconnectivity’ makes it difficult to assert how these principles will actually work out in cyberspace.

58 Tallinn Manual 2.0, Commentaries to rule 83, 381.

59 Ibid.

60 Roscini, ‘To what degree do the difficulties in tracing the author of the attack’ (n53) 231.

61 ICRC, ‘International Humanitarian Law and Cyber operations during armed conflicts’ (n38) 4.

Nonetheless, in order to avoid a legal vacuum in international law, as well as to ensure a broad protection to the civilian population, it is crucial to find an agreement on how to adapt IHL in order to tackle the various problematic aspects of cyber operations.

A. Principle of distinction

The principle of distinction finds its origin in the 1868 St-Petersburg Declaration, providing that ‘the only legitimate object is to weaken the military forces of the enemy’. Moreover, it has been characterized by the ICJ in the Advisory Opinion on the legality of the threat or use of nuclear weapons as one of the two cardinal principles of customary international humanitarian law (with the second being the prohibition of unnecessary suffering) and as one of the ‘intransgressible principles’.62 Consequently, there is no justification for the violation of this principle.

Article 48 of Additional Protocol I stipulates that the belligerents shall ‘at all times distinguish between the civilian population and combatants and between the civilian objects and military objectives and accordingly shall direct their operations only against military objectives’. It applies both in non-international and in international armed conflicts.63 In NIAC, this obligation entails distinguishing between civilians, on the one hand, and members of State armed forces and organised armed groups, including members of the regular or dissident armed forces, on the other.64 It applies to cyber-attacks, as reflected in Rules 93 to 104 of the Tallinn Manual 2.0. However, in order to be applicable, the cyber operation must rise to the level of an ‘attack’, as defined in Rule 92.

Thus, there are two requirements to this principle: distinguishing between civilians and combatants, and distinguishing between civilian objects and military objectives. Both requirements pose crucial challenges for the application of this principle in cyberspace.

62 Legality of the Threat or Use of Nuclear Weapons (n4) para.78-79.

63 Article 13 (2) Additional Protocol II.

The main difficulty, as we will see, is to distinguish between civilian and military objects. Indeed, although the so-called ‘dual-use’ problem is not new and had already posed difficulties in traditional warfare, it is much more challenging in the cyber realm, due to the fact that there is only one cyberspace, where civilian and military networks are inherently interconnected.

a. The distinction between civilians and combatants in cyberspace: the issue of direct participation in the hostilities

A general distinction exists between members of State armed forces/organized groups of a party to the conflict and civilians. In principle, civilians can never become the object of attacks during an armed conflict. However, Article 51(3) of Additional Protocol I provides an exception: ‘unless and for such time as they take a direct part in the hostilities’. Consequently, civilians are protected from being targeted, as long as they refrain from taking direct part in the conflict.65 If they do so, they lose their civilian protection and are considered legitimate military targets for as long as their direct participation lasts, and may be prosecuted for violations of domestic and international law.66

This issue of DPH is particularly important in the context of cyber warfare. Indeed, there is an important involvement of civilians due to the complexity of technology. Therefore, the majority of cyber operations are launched by civilian experts.67 Consequently, it creates problems for civilians working for armed forces, as they are potentially participating directly in the hostilities, making them legitimate targets of attacks.

Could a hacker or a computer scientist become the object of an attack? It depends on the meaning of ‘direct participation’ in the context of cyber operations.68 Neither the Geneva Conventions nor their Additional Protocols provide a definition of this concept. According to the ICRC’s interpretative guide, three cumulative conditions must be met in order to qualify acts as direct participation:

65 Shannon Bosch, ‘International humanitarian Law notion of participation in hostilities- A review of the interpretative guide and subsequent debate’ (2014) 17 Potchefstroom Elec LJ, 999.

66 Niels Melzer, Interpretative guidance on the notion of Direct participation in hostilities under International Humanitarian Law (ICRC 2009), 17.

67 Elizabeth Mavropoulou, 'Targeting in the Cyber Domain: Legal Challenges Arising from the Application of the Principle of Distinction to Cyber Attacks' (2015) 4 JL & Cyber Warfare 23, 78.

68 Nikolaos Tsagourias, Russel Buchan, Research Handbook on International Law and Cyberspace (Edward

1. “the act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack (threshold of harm); and

2. There must be a direct causal link between the act and the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part (direct causation); and

3. The act must be specifically designed to directly cause the required threshold of harm in support of a party to the conflict and to the detriment of another (belligerent nexus)”69.

The International Group of Experts generally agreed with these three conditions set forth by the ICRC.70 However, there is no consensus among scholars and experts on the definition of DPH and the legal parameters are still contentious.71 DPH has to be decided on a ‘case-by-case basis’. It is important to stress that civilians directly participating in the hostilities are excluded from the analysis of the principle of proportionality and precautions in attacks.72

First, regarding cyber warfare, the Interpretative Guidance affirms that ‘electronic interference with military computer networks could suffice’ to reach the threshold of harm, as long as it results in ‘adverse military effects’.73 Indeed, according to the IGE, this criterion is satisfied as long as the act negatively affects the enemy militarily.74 Thus, physical damage to objects or harm to individuals is not required.75

Moreover, the direct causation requirement is subject to debate. Indeed, most cyber-attacks will be indirect in effect, while the ICRC’s approach is to require ‘one causal step’, which would leave indirect effects outside the scope of the definition.76 Therefore, it is uncertain whether cyber warfare will meet this criterion for DPH to occur.77

69 Melzer (n66) 16.

70 Tallinn Manual 2.0, Commentaries to rule 97, 429.

71 Chang (n2) 46.

72 Michael N Schmitt, 'Cyber Operations and the Jus in Bello: Key Issues' (2011) 41 Isr YB Hum Rts 113, 123.

73 Melzer (n66) 48-50.

74 Tallinn Manual 2.0, Commentaries to rule 97, 429.

75 Ibid.

76 Melzer (n66) 53-58.

77 Chang (n2) 46.

Furthermore, the belligerent nexus restricts DPH to those acts directly related to the hostilities. Therefore, purely private or criminal acts that occur during an armed conflict are excluded.78

Finally, a major issue is the duration of DPH, namely the meaning of the phrase ‘for such time’.79 Indeed, in principle, the direct participation extends at least from the preparation of the act until the execution, and includes the movement to and from the location of the execution.80 Thus, civilians can be targeted from the beginning of their involvement until the termination of their active role in the operation.81 However, the delayed effects of cyber operations complicate the determination of the duration of the participation in the hostilities. Indeed, the end of the participation may not always correspond with the moment at which the damage occurs. For example, one individual may emplace a logic bomb which is supposed to be activated in the future by another individual: in that case, the first civilian is no longer participating in the hostilities when the damage occurs and is thus no longer a legitimate target of attacks.82

In the same way, the International Group of Experts is divided on the issue of repeated cyber operations. One view, in line with the ICRC, is to treat separately each cyber operation, and the other is to consider direct participation from the first cyber operation until the end of the last activity.83

To conclude, DPH is a serious concern in cyber warfare because it could potentially endanger a lot of civilians who are taking part in the hostilities. Indeed, the Tallinn Manual 2.0 fails to explain precisely when a civilian will actually lose his civilian status and be a legitimate target of attacks. This could potentially have a great impact on civilians, since many civilians are involved in cyber-attacks due to the complexity of technology. Thus, a clearer definition of the notion of DPH is essential.

78 Tallinn Manual 2.0, Commentaries to rule 97, 430.

79 Schmitt, 'Cyber Operations and the Jus in Bello’ (n72) 128.

80 James Emory Jr Tucker, 'The Targeting of Non-State-Affiliated Civilians in Cyberspace: Lagging LOAC Principles Cause Uncertainty on Both Sides' (2017) 42 NC J Int'l L 1013, 1032.

81 Ibid 1036.

82 Ibid.

On the one hand, it could be dangerous to take a broad approach of DPH leading to the conclusion that it is possible to launch attacks against these civilians as long as the effects of their actions exist.84 On the other hand, a narrow approach would lead to the conclusion that civilians can engage in cyber operations with impunity.85

Therefore, the issue of DPH needs further clarification and consensus among experts and scholars in order to find a balance between the protection of civilians and the possibility of attacking civilians taking part in the hostilities. Consequently, it is important to set a clear threshold and defined criteria from which a civilian will be considered as directly participating in the hostilities. This requires a consensus among experts on what specific behaviours are likely to cause a loss of immunity.

b. The distinction between civilian objects and military objectives in cyberspace: the issue of ‘dual use’ cyber infrastructures

As it has already been said, under the principle of distinction, the only legitimate targets (besides combatants) are the military objectives.86 Thus, attacks through cyberspace may not be directed against computer systems used purely for civilian purposes.87

Civilian objects are all objects which are not qualified as military objectives.88 In Article 52 (2) of Additional Protocol I, military objectives are defined as ‘those objects which by their nature, location, purpose and use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.’89 This definition entails two elements: the object shall make an effective contribution to the military action and the attack on it shall offer a definitive military advantage. However, their interpretation is highly subjective, due to the ambiguity of the terms ‘effective’ and ‘definitive’.90

84 Tsagourias, Buchan (n68) 364.

85 Ibid 365.

86 Mavropoulou (n67) 18.

87 Cordula Droege, 'Get off my cloud: cyber warfare, international humanitarian law, and the protection of civilians' (2012) 94 Int'l Rev Red Cross 533, 543.

88 Article 52 (1) Additional Protocol I; Rule 100 Tallinn Manual 2.0.

89 Rule 100 Tallinn Manual 2.0.

In case of doubt, as stated in Article 52 (3) of Additional Protocol I, objects that are normally dedicated to civilian purposes shall be presumed not to be used to make an effective contribution to military action. The determination of whether an object has to be qualified as a military objective or a civilian object has to be made on a case-by-case basis, pursuant to the International Group of Experts.91

The difficulty of distinguishing between civilian objects and military objectives could potentially endanger the civilian population. Indeed, cyber operations might be dangerous, because they make it possible to reach targets that were previously less reachable.92 Examples include financial networks or social security data.93

The principal issue is that most cyber installations have a so-called ‘dual use’. Indeed, most of them are used for both civilian and military purposes. Examples include power plants that supply electricity to civilian and military users, telecommunications or air traffic control systems.94 According to Article 52 (2) of Additional Protocol I, once they are used for military purposes, i.e. they make an effective contribution to military action and their destruction or neutralisation would offer a definite military advantage, they become military objectives. This will basically render every cyber infrastructure a legitimate target and thus, it might have negative consequences on civilian networks.95

Rule 101 of the Tallinn Manual 2.0 has been introduced in order to clarify the issue of dual use objects: the cyber infrastructures used for both civilian and military purposes are considered as a military objective. However, this leads to the conclusion that the entire internet can become a military objective. Consequently, many cyberspace infrastructures are no longer protected during armed conflicts. This expansion of the definition of military objectives is therefore a matter of serious concern. However, it is important to stress that the rules of proportionality and precautions in attack, as well as the prohibition of indiscriminate attacks, remain applicable and must be taken into account before launching a cyber operation.96

91 Tallinn Manual 2.0, Commentaries to Rule 99, 435.

92 Droege (n87) 561.

93 ICRC, ‘International Humanitarian Law and Cyber operations during armed conflicts’ (n38) 7.

94 Eric Boylan, 'Applying the Law of Proportionality to Cyber Conflict: Suggestions for Practitioners' (2017) 50 Vand J Transnat'l L 217, 231.

95 Robin Geib and Henning Lahmann, 'Cyber Warfare: Applying the Principle of Distinction in an Interconnected Space' (2012) Isr L Rev 381, 383.

Thus, the biggest issue in relation to cyber warfare is the application of the principle of distinction due to the ‘dual-use’ nature of cyber infrastructures. However, this is not insurmountable and solutions must be established in the cyber treaty.

A possibility to alleviate the problem of dual-use infrastructures is that not all of them should be considered as legitimate targets. Accordingly, a clearer definition of military objectives is needed. In particular, notions such as ‘effective contribution’ and ‘military advantage’ should be interpreted more precisely. These vague notions lead to an expansion of what is considered as military objectives, leading to the inclusion of civilian objects in the definition. A narrower definition of military objectives should therefore be adopted.97

Moreover, there should be a limitation of cyber-attacks against dual-use infrastructures. One could consider attacking them only when absolutely necessary. In addition, a special protection could be accorded to some of these dual-use infrastructures on which civilians heavily rely.98 An option would be to replicate in cyberspace the protective signs and emblems already existing in kinetic warfare, such as the Red Cross used to indicate medical support.99 Alternatively, only non-lethal attacks, likely to have reversible effects, should be allowed against dual-use systems.100

To conclude, although the principle of distinction poses difficulties if applied by analogy to cyber warfare, as we argued, solutions are possible and must be integrated in the cyber treaty.

B. Principle of proportionality

Given the dual-use nature of most cyber infrastructures, the principle of proportionality is a core principle to protect civilians and civilian objects in cyberspace. This principle can be found in Article 51 (5) (b) of Additional Protocol I, which is generally accepted as reflecting customary international law in both IACs and NIACs.101

97 Chang (n2) 38.

98 Ibid 39.

99 Sutherland I, Xynos K, Jones A, Blyth A, ‘The Geneva Conventions and Cyber Warfare: A technical approach’ (2015) 160 The RUSI Journal 30, 30-31.

100 Geib, Lahmann (n95) 390.

According to this principle, an attack is prohibited if it ‘may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.’102 Therefore, the fact that harm is caused incidentally to civilians or civilian objects does not make the attack unlawful per se.103 Thus, for an attack to be lawful, the commander must assert that the death, injury and damages are not excessive in relation to the concrete and direct military advantage anticipated. The principle entails balancing two parameters: incidental damage and military advantage.

It is universally accepted that the principle of proportionality applies to cyber conflicts that constitute attacks under the law of armed conflict.104 However, it is still debated how it will exactly work out in cyberspace. Indeed, the nature of dual-use systems and the difficulty of distinguishing between the civilian and the military part of the networks generate an increased impact on civilian infrastructures.105 Consequently, the proportionality test might be more difficult to pass, since the potential impact on civilians is higher.106 Moreover, another obstacle to assessing whether the principle of proportionality has been respected is that cyber-attacks are less likely to cause deaths: their effects are often indirect or temporary.

Two specific aspects need further attention: the threshold of damage and the problem of indirect effects.

a. Threshold of ‘damage to civilian objects’

The damage that has to be taken into account in the proportionality assessment comprises physical damage, i.e. ‘incidental loss of civilian life, injury to civilians, damage to civilian objects’.107 It is important to interpret the required ‘damage’ element because most reported cyber-attacks only result in damage to civilian objects.108

102 Article 51 (5) (b) Additional Protocol I.

103 Tallinn Manual 2.0, Commentaries to Rule 113, 471.

104 Chang (n2) 41.

105 Boylan (n94) 232.

106 Ibid.

107 Article 51 (5) (b) AP I.

108 Chang (n2) 42.

One approach would be to compare the cyber operation with a kinetic attack and argue that if the cyber operation results in the same effect as would a kinetic attack, then the attack amounts to damage.109 Nonetheless, many cyber-attacks would not have the same results as a kinetic attack. Indeed, most reported cyber-attacks only result in mere modifications of cyber codes into civilian infrastructures.110 For instance, simply closing a computer’s specific communication port normally used to correspond with another computer, while leaving the rest of the computer function untouched, is not likely to cause an effect comparable to a kinetic attack.111

A number of scholars argue for a broad interpretation of the word ‘damage’ that also includes the loss of functionality of civilian infrastructures as a relevant factor.112 Likewise, the International Group of Experts also agreed to include the deprivation of functionality under certain circumstances, but without mentioning any example of loss of functionality that would amount to ‘damage’.113

Accordingly, loss of functionality should be considered in the definition of ‘damage’ in order to maximize the protection of civilian infrastructures. Nonetheless, only serious interruptions in functionality should be examined. Indeed, including any authorized intrusion into computer systems or mere change or modification in digital codes in the definition of damage would be excessive and not practical for commanders.114

b. Indirect effects

The issue of whether indirect effects of an attack should be included in the proportionality assessment has been the subject of much debate. Direct effects are ‘the immediate, first order consequences, unaltered by intervening events or mechanisms’, while indirect effects comprise ‘the delayed and/or displaced second-, third-, and higher-order consequences of action, created through intermediate events or mechanisms’.115 Second- and third- order consequences, also called ‘knock-on effects’, are difficult to discern in the cyber realm.116 Indeed, it is particularly complex to predict the cascading effects of a cyber operation.117

109 Eric Talbot Jensen, 'Cyber Attacks: Proportionality and Precautions in Attack' (2013) 89 Int'l L Stud Ser US Naval War Col 198, 205-206.

110 Chang (n2) 42.

111 Jensen (n109) 206.

112 Geib, Lahmann (n95) 397.

113 Tallinn Manual 2.0, Commentaries to Rule 113, 471.

114 Chang (n2) 43.

It is now generally accepted among scholars that indirect effects should be taken into account while assessing the proportionality test, but it is still disputed as to how far this obligation goes.118

Roscini argues that indirect effects which are reasonably foreseeable on the basis of the information available at the time must be evaluated in the proportionality calculus.119 In the same way, the Commentary to Rule 113 includes both direct and indirect effects. Thus, according to the International Group of Experts, collateral damage comprises any indirect effects that should be expected by those planning, approving or executing the cyber operation.120 It is not disputed that indirect effects cannot be taken into account if they are too remote or cannot be reasonably foreseen.121 Likewise, indirect effects that are not expected to be excessive are precluded. The use of the word ‘expected’ requires an assessment of the reasonableness of the determination at the time the attack in question was planned, approved and executed.122

Thus, it is true that cyber-attacks are less likely to cause deaths and are, consequentially, seen as less dangerous than kinetic attacks. However, due to the unpredictable nature of cyber operations, in particular the uncertain knock-on effects resulting from the attacks, and the dual-use nature of cyber infrastructures, the proportionality review is a difficult task for military commanders, since they are not trained to deal with the specificities of cyber operations.

Nonetheless, in order to reduce these various difficulties, it is necessary to implement an analysis of the proportionality principle before engaging in any cyber strike.123 Furthermore, this proportionality review supervised by military commanders should be conducted with the consultation of a cyber specialist. Indeed, military commanders are not qualified to forecast the unexpected effects of cyber operations. However, this generates additional expenses which could be costly.

115 Tallinn Manual 2.0, Commentaries to Rule 113, 472.

116 Boylan (n94) 235.

117 Hensey A III Fenton, 'Proportionality and Its Applicability in the Realm of Cyber-Attacks' (2019) 29 Duke J Comp & Int'l L 335, 352.

118 Droege (n87) 561.

119 Roscini (n6) 221.

120 Tallinn Manual 2.0, 472.

121 Roscini (n6) 221.

122 Tallinn Manual 2.0, Commentaries to Rule 113, 475.

123 Fenton (n117) 353.

A proportionality review prior to all attacks might therefore be complicated to organize but it must be undertaken in order to minimize the risks that can arise from cyber-attacks and protect civilians and civilian objects as much as possible.

C. Principle of precaution

The principle of precaution is based on Articles 57 and 58 of Additional Protocol I. It seems to be generally accepted as customary international law and therefore binds all States, irrespective of whether they are parties to Additional Protocol I or not.124 The International Group of Experts agreed that this principle applies to cyber-attacks. Its applicability in the cyber realm can be found in Rules 114 to 121 of the Tallinn Manual 2.0. It comprises two aspects: precautions in attack and precautions against the effects of attacks.

a. Precautions in attack

The principle of precaution in attack, based on Article 57 of Additional Protocol I, is applicable in both IACs and NIACs.125 It entails the obligation to take all steps to spare civilians and civilian objects. This includes doing everything feasible to verify that the targets are military objectives, taking all the feasible precautions in the choice of means and methods of warfare in order to minimize civilian casualties and damage to civilian objects, and suspending or cancelling the attack if it will cause excessive collateral damage.126

Another precautionary rule must be added: when a choice can be made between different military objectives for obtaining a similar military advantage, the objective to be chosen must be the one which is the least harmful at the time of the attack to civilians and to civilian objects.127 The inclusion of the term ‘feasible’ entails difficulty of interpretation. ‘Feasible’ has been broadly interpreted as that which is ‘practicable or practically possible, taking into account all circumstances ruling at the time, including humanitarian and military considerations’.128 In cyberspace, it might include mapping the network of the adversary in order to reasonably determine the attack’s likely effects, particularly on the civilian population or civilian objects.129

124 William H. Boothby, ‘Where do Cyber Hostilities fit in the International Law Maze?’ in H. Nasu and R. McLaughlin (eds), New Technologies and the Law of Armed Conflict (Asser Press 2014), 63.

125 Tallinn Manual 2.0, Commentaries to Rule 114, 476.

126 Article 57 Additional Protocol I.

Given the complexity of cyber operations, it would be reasonable to request technical expertise or the assistance of a cyber expert, in order to make sure to take all the necessary precautions required by this principle and to minimize the risks for civilians and civilian infrastructures.

b. Precautions against the effects of attacks

The principle of precautions against the effects of attacks requires that the parties to conflicts, ‘shall to the maximum extent feasible, endeavour to remove civilian population, individual civilians and civilian objects under their control from the vicinity of military objectives, avoid locating military objectives within or near densely populated areas and take the other necessary precautions to protect the civilian population, individual civilians and civilian objects under their control against the dangers resulting from military operations’.130 Once again, the inclusion of the expression ‘to the maximum extent feasible’ entails difficulties of interpretation.

Unlike the precautions in attack, this standard is not only a ‘wartime standard’, but it is also applicable during peacetime, in anticipation of a future armed conflict which could potentially affect civilians and civilian objects.131 According to the International Group of Experts, this rule is only applicable in IACs.132

127 William H. Boothby, ‘Where do Cyber Hostilities fit in the International Law Maze?’ (n124) 64.

128 Tallinn Manual 2.0, Commentaries to Rule 115, 479.

129 Ibid.

130 Article 58 Additional Protocol I.

131 Jensen (n109) 211.


Two different obligations arise from the precautions against the effects of attacks: the obligation to segregate military objectives from civilians and civilian objects and, for those military objectives that cannot be separated, the duty of the State to protect civilians and civilian objects from the anticipated effects of attacks.133

On this basis, several scholars argue for a complete segregation between military and civilian networks.134 Consequently, the distinction between civilians and combatants, as well as between civilian objects and military objectives, would become much clearer and would generate less collateral damage. Moreover, the dual-use problem would be significantly alleviated. This would be an idealistic option, although very difficult to achieve, since the majority of cyber infrastructures, due to their dual use, are virtually impossible to segregate. Furthermore, it would be too impractical and costly.135

We could therefore also consider a partial segregation, dissociating only the crucial cyber infrastructures, which are essential for the civilian population. This would be less costly and would require less work, since only a very small part of the cyber infrastructures would require segregation. However, it necessitates a consensus among scholars and experts on which specific cyber infrastructures are essential for civilians.

Alternatively, Rowe suggests that the segregation need not be physical (with separate hardware) but rather ‘logical’, meaning that civilian and military networks are carried through different software mechanisms.136

Solutions that partially or logically segregate civilian and military networks can therefore be considered and are moreover recommended. This would ensure a better application of the principle of distinction and, consequently, less risk of collateral damage. Nevertheless, the feasibility of these recommendations, as well as their implementation, requires the assistance of a cyber specialist.

133 Jensen (n109) 212.

134 See Geib, Lahmann (n95) 392.

135 Droege (n87) 575.

136 Neil C Rowe, ‘Challenges of Civilian Distinction in Cyberwarfare’ in M.Taddeo and L. Glorioso (eds.),
