Crossing Digital Borders: Direct Participation in Cyber Hostilities

(1)

Crossing digital borders: direct participation in cyber hostilities

Student: Marijn Akveld Studentnumber: 11035609 Supervisor: Professor Dr. T.D. Gill

Master International and European law: Public International Law track

(2)

Cyber attacks in Georgia by civilians in 2008 marked the first time that an international armed conflict (IAC) partly-constituted of cyber attacks. It demonstrated that civilians are increasing their participation in armed conflicts through cyber attacks. In 2009 the International Committee of the Red Cross (ICRC) published a document the “Interpretive Guidance on the Notion of Direct Participation in Hostilities Under International

Humanitarian Law”, a document that addresses how to determine when a civilian’s

participation in armed conflict reaches the necessary level to render him or her targetable by one of the parties to the conflict. Three years later, the Tallinn Manual was published to provide legal guidance in cyber situations. The Tallinn Manual represents the first time that experts have compiled a manual of rules to indicate how international law applies to cyber situations by including a section on direct participation in hostilities through cyber means. This thesis explains the notion of direct participation in hostilities and especially in the context of cyber warfare. Both concepts are described and the question of if and how IHL can be applied to both is addressed. Attention in this thesis mostly focuses on what kind of

conduct constitutes direct participation in cyber hostilities and what kind does not. Extra observation has been made in relation to the Georgian-Russian cyber attacks.

Introduction:

Over the past decade the military means of war have changed not only on the battlefield on the ground but what can now be called the battlefield online. With the immense growth of technology and our lives being more and more influenced and directed through technical media it was bound to happen that those same instruments became useful in the military context as well. Not surprisingly after all since the Internet was first developed for the military.1_{Military analysts thus have spoken of a “revolution in military conflicts”.}2 The development of cyber warfare (CW) and the overall trends in technology effect

International Humanitarian Law (IHL) as well. It challenges key IHL principles; it blurs the distinction between combatants and other military objectives from civilians and civilian objects. As warfare becomes more and more complex it requires personnel to develop and maintain their proficiency in its operation. Such technological complexity suggests a bigger crowd of people on the battlefield and as such a closer nexus between civilians and the conduct of hostilities.3_{When the battlefield is moved from the ground to the world wide web,} soldiers are not recognizable by their uniforms. Unknown by others, civilians who DPH could be mixed in the online war as well, with all kinds of unwanted consequences.

The first known International Armed Conflict where elements of CW were actively applied was the war between Russia and Georgia in 2008. In August of that year coinciding with the launch of ground and air military operations between Russia and Georgia the websites of the Georgian president and the Ministry of Foreign Affairs of Georgia were not available. What were available were pictures of the Georgian president next to Adolf Hitler in strikingly similar postures, outfits, facial expressions and gestures. Attacks on these websites and of other strategic websites followed through the whole active phase of the war.4_{Georgia then} 1Woltag, J. C. "Cyber Warfare Military Cross-Border Computer Network Operations Under International Law (Cambridge, Intersentia)." (2014). P.18

2Schmitt, Michael N. "Humanitarian Law and Direct Participation in Hostilities by Private Contractors or Civilian Employees." Chicago Journal of International Law 5 (2005): 2004-2005.

3Schmitt, Michael N. War, technology, and international humanitarian law. Harvard University, 2005. 4Gamreklidze, Ellada. "Cyber security in developing countries, a digital divide issue: The case of Georgia." Journal of International Communication 20.2 (2014): 200-217.

(4)

found itself to be one of the first cases of “an international political and military conflict that

was accompanied – or even preceded – by a coordinated cyber offensive”.5_{The country} turned to the International Community asking for help since they themselves could not independently handle the security of their online systems.

The main focus of this thesis revolves around the notion of DPH and the use of CW. The ‘Interpretative Guidance on the notion of direct participation in hostilities under international humanitarian law’ of the ICRC and the Tallinn Manual will be the guidelines in discussing the topic of DPH. In the first chapter there will be further explanation of the above mentioned notions. In the second chapter the application of IHL during the conflict between Russia and Georgia will be discussed in relation to the use of CW. In the third chapter conduct amount to direct participation in cyber hostilities will be explained as well as conduct that cannot. In the fourth chapter some key principles of IHL will be explained in relation to the topic of CW and DPH. In the fifth and final paragraph a conclusion will be drawn from all the paragraphs described above.

This thesis thus addresses the use of CW during international armed conflict and is limited to consideration of jus in bello, that body of law concerned with what is permissible, or not, during hostilities. Discussion therefore centres on the use of CW in the context of “State-on-State” armed conflict, with a special focus on the conflict in Russia and Georgia in 2008. The main research question in this thesis is what kind of conduct amounts to direct participation in cyber hostilities. And what kind of conduct does not. The secondary research question in this thesis is whether the alleged participation of civilians in the Georgian-Russian war was an example of direct participation in cyber hostilities.

5Tikk, Eneken, et al. "Cyber attacks against Georgia: Legal lessons identified." Tallinn, Estonia: NATO Cooperative Cyber Defence Centre of Excellence, at http://www. carlisle. army. mil/DIME/documents/Georgia 201 (2008): 200.

(5)

Chapter 1. The notion of DPH and the notion of CW:

1.1 The Notion of Direct Participation in Hostilities by civilians:

Under treaty IHL there is no clear definition of DPH. Nor is there any clear State practice or international jurisprudence to deduce the definition from.6_{Hence the notion must be}

interpreted in good faith in accordance with the ordinary meaning to be given to its

constituent terms in their context and in light of the object and purpose of IHL. 7_Indirectly Art 51(3) API deals with DPH in IACs (international armed conflict) and art. 13(3) of APII deals with DPH in NIACs (non international armed conflict). They prescribe that civilians shall enjoy general protection against dangers arising from military operations “unless and for such time as they take a direct part in hostilities”.

These provisions in the two additional protocols of the Geneva conventions are, however, not universally ratified. For states who are party they are binding treaty law but not for others. However the provisions of article 51(3) API and article 13(3) of APII are considered to be part of Customary International Law (CIL). Even states that are not party to the AP’s have recognized their customary status. 8

The term “hostilities” refers to the resort to means and methods of warfare between parties to an armed conflict. This concept is, however, not clearly defined in treaty law. In treaty law it often refers to those types of situations linked to armed confrontations between parties of an international armed conflict or a non-international armed conflict.9_{It is logical that outside of} those situations such as mere riots or other acts of violence of a similar nature such a notion cannot exist. Civilian participation during these hostilities varies greatly in intensity and in form. In determining whether DPH has been taken place consideration must be given to the circumstances at the relevant time and place. 10_{Furthermore hostilities refer to the resort by} parties to the conflict to means and methods of injuring the enemy.11_{How they do that is not} further explained. “Participation” in hostilities refers to the (individual) involvement of a person in these hostilities. 12_{The notion of “direct” and “indirect” involvement is dependant} on the quality and the degree of the involvement of the civilian in question. 13_{. But it is not} only situations revolving around armed force and confrontation that are part of hostilities. There is a wide range of activities by individual participation that fall under hostilities besides direct application of force between parties to an armed conflict. Examples are intelligence gathering directly related to operations, manoeuvre and direct logistical support to units in a combat zone.

6 N. Melzer. “Interpretative guidance on the notion of direct participation in hostilities under international humanitarian law”. International Review of the Red Cross. Vol. 90, Issue 872, December 2008, P. 43

7 Article 31 (1) Vienna Convention on the Law of Treaties

8 ICTY, Trial Chamber II, Prosecutor v. Pavle Strugar (judgement), IT-01-42-T, 31 January 2005, 101, Paragraph 220.

9 Gill, T and Fleck, D. (2015), The Handbook of the International Law of Military Operations. Oxford: Oxford University Press.

11 Art 22, Regulations respecting the Laws and Customs of War on land, The Hague, 18 October 1907

12 Art 43(2) API

(6)

Civilians have become more and more present and active in the battlefield, especially over the past decade. Their actions vary from combat service support (such as supplying food for the troops) to maintaining more complex logistics or weaponed systems. They can also conduct intelligence collection and analysis. 14_{But they have also been known for taking up arms} against a perceived enemy. This behaviour by civilians actually led to the setup by the ICRC for the interpretative guidance on the notion of DPH. 15_{In treaty IHL individual conduct that} constitutes part of the hostilities is described as direct participation in hostilities. Combatant members of the armed forces are entitled to participate in hostilities, the so-called combatant privilege. They are targetable at all times, subject to the rules relating to persons hors de

combat and precautions and proportionality when civilians might be affected.16

The notion of DPH is furthermore focussed on their engagement in hostilities at the moment. When civilians participate they lose their protection for as long as the DPH occurs. It is deliberately chosen not to fulfil the DPH criteria over a long period of time; DPH should only be limited to those acts that constitute DPH and not if civilians still have continued intent to carry them out. The position of the ICRC IG guidance is that such extensions would blur the fine lines of distinction in IHL. However the ICRC acknowledges in a NIAC that when a civilian repeatedly and regularly DPH’s that he loses his protected status and is in so-called “continuous combat function”. However this position by the ICRC is not settled nor codified in law neither for an IAC nor for a NIAC.

According to the ICRC for DPH to be applicable a specific act must meet the following cumulative criteria:

“1. The act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack (threshold of harm), and

2. There must be a direct causal link between the act and the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part (direct causation), and

3. The act must be specifically designed to directly cause the required threshold of harm in support of a party to the conflict and to the detriment of another (belligerent nexus).” 17 1.2 The threshold of harm:

The first criterion, the threshold of harm can be reached by either causing harm of a

specifically military nature or by inflicting death, injury or destruction on persons or objects protected against direct attacks. This criterion requires not the materialization of harm reaching this threshold but the likelihood that the specific act will result in such harm. This criterion can be named the ‘likely harm criteria’ as well since it is about harm that may be reasonably expected to result from the specific act in the given circumstances. 18

14Schmitt, Michael N. "Humanitarian Law and Direct Participation in Hostilties by Private Contractors or Civilian Employees." Chicago Journal of International Law 5 (2005), P. 512

15Delerue, François. "Civilian Direct Participation in Cyber Hostilities." IDP: Revista de Internet, Derecho y Politica 19 (2014).

16 Dörmann, Knut. "The legal situation of “unlawful/unprivileged combatants”." Revue Internationale de la Croix-Rouge/International Review of the Red Cross 85.849 (2003): P.45-74.

(7)

When causing harm of a specifically military nature the threshold criteria will be satisfied. Military harm includes not only the infliction of death, injury or destruction on military personnel and objects but essentially any consequence affecting the military operations or military capacity of a party to the conflict. That consequence must, however, be of a certain threshold. In absence of military harm to fulfil the ‘likely harm criterion’ the specific act must be at least likely to cause death, injury or destruction. 19_{Even attacks directed specifically} against civilian or civilian objects may amount to DPH if they have belligerent nexus. 20 The Interpretative Guidance states that “the interruption of electricity, water, or food

supplies, […] the manipulation of computer networks, […] would not, in the absence of adverse military effects, cause the kind and degree of harm required to qualify as direct participation in hostilities.” This is particularly interesting and relevant in the context of cyber warfare. Here the interpretative guidance tries to make a difference between computer attacks which have an indirect consequence and those who have direct consequences. Anytime anyone hacks into a computer and plants a piece of malware which makes files unreadable doesn’t mean they are direct participating in hostilities. But when someone hacks into a computer system and attempts to interfere with the ability to control a weapon system or a communication system used by the military that would very likely be seen as constituting DPH. The ICRC IG states that on the civilian side of the threshold of harm, that is to say causing “death, injuries or destruction on persons or objects protected against direct attack”, seems to be difficult to fulfil by a cyber operation.21_{The interpretative guidance however} focuses on attacks in the real world and not in on those that occur in the cyber domain. 22 So in summary for a specific act to reach the threshold of harm required to qualify as

direct participation in hostilities, it must be likely to adversely affect the military operations or military capacity of a party to an armed conflict. In the absence of military harm, the

threshold can also be reached where an act is likely to inflict death, injury, or destruction on persons or objects protected against direct attack. In both cases, acts reaching the required threshold of harm can only amount to direct participation in hostilities if they additionally satisfy the requirements of direct causation and belligerent nexus.23

1.3 Direct participation:

The second criterion referred to as ‘direct causation’ requires that there must be ‘a direct causal link between a specific act and the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part.’24_{When DPH} occurs the term ‘directly’ refers to those kinds of activities that are part of the general war effort or may be categorized as war-sustaining activities. The general war effort term relates to those kinds of activities which contribute to the military defeat of the adversary. War sustaining activities are those who include additional political, economic or media activities 19 During the expert meetings, it was held that the required threshold of harm would clearly be met where an act can reasonably be expected to cause material damage to objects or persons, namely death, injury or destruction (Report DPH 2005, pp. 30 f.; Background Doc. DPH 2004, pp. 5 f., 9 f., 28). (p. 49 Melzer)

21Delerue, François. "Civilian Direct Participation in Cyber Hostilities." IDP: Revista de Internet, Derecho y Politica 19 (2014). P.8

22Prescott, Jody M. "Direct Participation in Cyber Hostilities: Terms of Reference for Like-Minded States?." Cyber Conflict (CYCON), 2012 4th International Conference on. IEEE, 2012.

(8)

who support the general war effort. Examples are political propaganda and financial

transactions. 25_{Both of these activities may ultimately result in harm according to the ICRC} IG when they reach the threshold required for a qualification as DPH. Some activities are indispensable such as producing weapons or providing food and shelter to the armed forces. But both activities also include acts that merely maintain the capacity to cause such harm, unlike the conduct of hostilities which is designed to cause the required harm.

For the specific act to be direct or indirect there must be a close causal relation. The

Interpretative Guidance states that ‘direct’ should be read as though the harm in question is brought upon in one causal step. Individual conduct that merely builds up is therefore excluded from the notion of DPH. Economical sanctions, depriving the adversary from services such as electricity or the transport of weapons all fall under indirect participation and would not reach the threshold needed for qualification for DPH according to the experts of the ICRC IG. 26

The ICRC IG has been especially criticised regarding their ‘direct causation’ criterion.27_Their requirement was that harm caused by an act should be ‘brought about in one causal step’.28 This criterion has not further been developed and as such remains unclear. The experts working on the ICRC were particularly divided over the situation of an IED. These are often assembled and stored close to the battlefield and they are usually assembled right before their ‘deployment’. The assembler of an IED works dually: he makes the bomb, but he also

functions as a ‘lookout’: he keeps a close eye on any movement of the adversary on the road. This information is likely to be used within a certain time frame and in a particular area. The general agreement was that serving as a ‘lookout’ represents DPH. However the ICRC IG went astray by equating assembly of an IED with the production of munitions in a factory far removed from the battlefield. This example shows how strict this causation criterion is as formulated by the ICRC IG.

When looking at complex military operations where a number of persons are involved one must look at these acts which could be said to directly cause the required threshold of harm. The criterion of direct causation must be interpreted to include conduct that casus harm only in conjunction with other acts. So even when a specific act does not directly cause the required threshold of harm the direct participation criterion could still be fulfilled of the specific act if it constitutes as an integral part of a concrete and coordinated tactical operation that directly causes harm. One example is the identifying and marking of targets. The criterion for direct causation is regardless of geographic proximity. 29

In short the direct participation criterion for DPH is satisfied when the specific act in question can be ‘taken’ in one causal step that reaches the required threshold of harm.

25 Ibid P.52

26 Ibid P.53

27 See for example: Schmitt, Michael N. "The interpretive guidance on the notion of direct participation in hostilities: a critical analysis." Essays on Law and War at the Fault Lines. TMC Asser Press, 2011. 513-546.

28 N. Melzer. “Interpretative guidance on the notion of direct participation in hostilities under international humanitarian law”. International Review of the Red Cross. Vol. 90, Issue 872, December 2008, P.55

(9)

1.4 The belligerent nexus:

The third and final criterion is the one of ‘belligerent nexus’. The ICRC IG position is that “an act must be specifically designed to directly cause the required threshold of harm in support of a party to the conflict and to the detriment of another”. 30_{Another view on this topic is that the} belligerent nexus should be set aside from armed violence and other criminal activities who take place at the same time but who are not designed to harm a party of the armed conflict or to support another party. These activities are of a non-belligerent nexus nature and should be addressed by the law enforcement paradigm.31

1.5 The notion of Cyber Warfare (CW):

The Internet plays a prominent role in everyday life and modern societies nowadays. It is not only used by governments but by private individuals as well. Access and dispersal of

information is mostly linked with the Internet and as such the dominant medium of telecommunication. It is also a medium that creates access and disposal for official

information and press. The high demand for Internet access has led to the flourishing of the information and communications technology sector. The result of that is that we now live in a ‘wired world’. Over the last ten years Internet access increased by over two billion people across the globe.32_{Now not only telephones and computers are wired through the Internet but} cars and even weapons as well. 33_{Besides the importance for the Internet for everyday society} this medium has become indispensable for the military as well. They have become

increasingly reliant on computerized and networked command-and-control systems. Intelligence, operations and weapons platforms are being increasingly linked together via computer networks in order to provide for efficient command and control systems. Decisions are based on data provided by such systems and as such the security of this domain is a highly crucial factor for militaries in their efforts to ensure high reliability of data. 34_{And it is not} only their command and control systems that rely on the internet but their logistical support, as well as a means for the provision of intelligence and support of operations which rely on these networked systems. The US Department of Defense ‘operates over 15,000 networks and seven million computer devices across hundreds of installations in dozens of countries around the globe’ and uses cyberspace for the ‘command and control of the full spectrum of military operations’. 35_{This has led to cyberspace now being characterised as a technological}

environment and as the fifth domain of warfare after land, sea, air and space. 36 The spectrum in which military operations are carried out is often referred to as the electromagnetic spectrum (EM). The need for military forces to use and access the electromagnetic environment (EME) create a ‘soft spot’ for electronic warfare (EW) in support of military operations. EW has three subdivisions: EA known as Electronic Attack, 30 Ibid P.58

31 Gill, T and Fleck, D. (2015), The Handbook of the International Law of Military Operations. Oxford: Oxford University Press. P.34

32 US Department of Defense “The Department of Defense Cyber Strategy” (April, 2015) at

http://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf (Last accessed 13 April 2016), P.1

33 Woltag, J. C. "Cyber Warfare Military Cross-Border Computer Network Operations Under International Law (Cambridge, Intersentia)." (2014). P.14

34 Ibid P.18

35 US Department of Defense “Department of Defense Strategy for Operations in Cyberspace” (July, 2011) at http://csrc.nist.gov/groups/SMA/ispab/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf (Last accessed 13 April 2016), p.1

36 Van Brunt, David C. Future Operating Concept for Employing Electronic Warfare in the Cyberspace Domain. AIR WAR COLL MAXWELL AFB AL, 2010.

(10)

EP for Electronic Protection and ES stands for Electronic warfare Support. 37

EW and CW are not the same but similarities exist. 38_{They also complement each other.}39 However as part of the Integrated Cyber and Electronic Warfare (ICE, program) the U.S. Army Research, Development and Engineering Command's Communications-Electronics Center (CERDEC) researches the technologies, standards and architectures to support the use of common mechanisms used for the rapid development and integration of third-party cyber and Electronic Warfare (EW) capabilities. "This blending of networks and systems, known as convergence, will continue and with it come significant implications as to how the Army must fight in the cyber environment of today and tomorrow” said Giorgio Bertoli, senior engineer of CERDEC I2WD's Cyber/Offensive Operations Division. "The ability to leverage both cyber and EW capabilities as an integrated system, acting as a force multiplier increasing the commander's situational awareness of the cyber electromagnetic environment, will improve the commander's ability to achieve desired operational effects," said Paul Robb Jr., chief of CERDEC Intelligence and Information Warfare Directorate's Cyber Technology Branch. 40 There has been recognition of the relationship between electronic warfare and cyberspace operations, which includes computer network operations.41

The Tallinn Manual on the International Law Applicable to Cyber Warfare42_(hereinafter referred to as the manual) was prepared at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). As declared by the Centre, this work is ‘intended to lead to a restatement and manual on the international law applicable to cyber warfare, similar to the manuals on the law applicable to armed conflicts at sea and air and missile warfare’.43

Cyber warfare refers to ‘warfare conducted in cyberspace through cyber means and methods’. Warfare relates to the conduct of military hostilities in situations of armed conflict. The term ‘cyber’ relates to ‘cyberspace’. There are a lot of definitions created for this term but it often is described as an electronic medium through which information is created, transmitted, 37 Warfare, Electronic. "Joint Publication 3–13.1." US Army 129 (2007).

38 Chabrow (2012), “Aligning Electronic and cyber warfare”, Govinfosecurity.com

http://www.govinfosecurity.com/aligning-electronic-cyber-warfare-a-4930 (Last accessed 13 April 2016).

39 Wilson, Clay. "Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues." LIBRARY OF CONGRESS WASHINGTON DC CONGRESSIONAL RESEARCH SERVICE, 2007. P.5

40 Kushiyama (2013), “Army looks to blend cyber, electronic warfare capabilities on battlefield”. http://www.army.mil/article/113678 (Last accessed 13 April 2016).

41 “Department Of Defense (DOD) of the U.S. defines cyberspace operations, which includes computer network operations, as the employment of cyberspace capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace. DOD documents that discuss the relationship between electronic warfare and cyberspace operations use several different cyber-related terms, including cyberspace, cyber operations, computer network operations, and computer network attack. In addition, according to DOD, the definition of information operations includes the term computer network operations because it is an

information operations-related capability. To provide clarity in this report, we generally use the term cyberspace operations in our discussion of the relationship between electronic warfare and cyberspace operations and computer network operations in our discussions concerning information operations-related capabilities. From

Lepore, Brian J., et al. Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight. No. GAO-12-479. GOVERNMENT ACCOUNTABILITY OFFICE WASHINGTON DC, 2012

42Schmitt, Michael N. Tallinn manual on the international law applicable to cyber warfare. Cambridge University Press, 2013.

(11)

received, stored, processed, and deleted’.44

The manual categorizes a cyber attack (for the purposes of applying IHL) as a ‘cyber

operation whether offensive or defensive that is reasonably expected to cause injury or death to persons or damage or destruction to objects’. The experts who participated and created the Manual agreed that de minimis damage or destruction does not meet the threshold of harm as required in this rule. 45

The reason why cyber warfare is such a ‘hot topic’ is the relationship it has with International Law, due to its unique characteristics. Cyber warfare is, unlike traditional warfare, not as such limited in a geographical sense. Whereas troops on the ground have to move from country A to B trying to go unnoticed and being aware of any adversary, cyber warfare can be conducted through networks via numerous countries in the speed of light; it is a interconnected –always pervasive- system.

Information can instantly be shared at any given point and time to anyone and anywhere in the world as long as it is connected through the electromagnetic spectrum. The information is then encrypted in tiny digitalised fragments travelling from point A to point B via

unpredictable routes before they finally arrive at their destination in a reconstituted form. 46 As earlier mentioned, the Internet access across the world is large and gets larger every year. This means that governments, non-state organizations, private enterprises but individuals as well can easily disguise the origin of a operation and as such render the reliable identification and attribution of cyber activities. That again triggers a reaction from International Law.

44Melzer, Nils. Cyberwarfare and international law. UNIDIR, 2011. P.4

45 Rule 30 of Schmitt, Michael N. Tallinn manual on the international law applicable to cyber warfare. Cambridge University Press, 2013.

(12)

Chapter 2. The applicability of IHL to cyber attacks: 2.1: IHL and cyber attacks:

During an armed conflict States do not have an unlimited choice in means of warfare and weapons. Article 22 of the Hague regulations of 1907 and API art. 35(1) both stipulate the principle that the choice of methods and means of warfare are not endless. 47_{There are in} addition treaties that prohibit the use of certain weapons. 48_{There is, however, not yet an} international binding instrument dealing specifically with cyber war and the means associated therewith. There is of course the manual and resources must thus be found in general

codifications of humanitarian law and the customary rules developed in that area. But the fact that CW is not specifically addressed does not mean that they are exempt from the coverage of the rules of IHL. The Martens Clause, a well-accepted principle of IHL, states that

whenever a situation is not covered by an international agreement, “civilians and combatants

remain under the protection and authority of the principles of international law derived from established custom, from the principles of humanity, and from the dictates of public

conscience.”49_{By this norm, all occurrences during armed conflict are subject to application}

of humanitarian law principles; there is no gap in the law. This was reaffirmed in the Nuclear

Weapons (Advisory Opinion) of the ICJ stating that “the entire law of armed conflict…applies to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future”.50_{This means that all military operations during armed conflict are and}

need to comply with IHL principles. 51

But in order for the rules of API and customary IHL relating to the conduct of hostilities to be applicable, cyber attacks must fall under the definition of ‘attack’ in the meaning of IHL. The definition of an ‘attack’ under IHL differs greatly from the definition of ‘armed attack’ under art. 51 UN Charter. Art. 49(1) API defines an attack as “acts of violence against the

adversary, whether in offence or in defence’. Also in API there is only reference to water, land and air. Art. 49(1) API defines an attack as “acts of violence against the adversary, whether in offence or in defence’. If cyberspace would be understood as a completely new domain it could also be seen as constituting a new ‘theatre’ of war for example in case of a cyberspace-to-cyberspace attack. But because the infrastructure where data is stored on is still made up of physically tangible objects and that data is thus stored on systems of a State’s territory it falls under its jurisdiction. That is why traditional concepts of jurisdiction and territoriality are also applicable to cyberspace. This means that the legal rules of land warfare are also applicable to cyber warfare. Computer systems based on a military basis can hence be 47 Convention concerning the Laws and Customs of War on Land and its annex; Regulations respecting the laws and customs of war on land

48 Examples are the 1995 Protocol on blinding laser weapons and the convention on prohibitions or restrictions on the use of certain conventional weapons.

49 Additional Protocol I to the Geneva Convention of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, Art. 1(2), 12 December 1977, 1125 U.N.T.S. 3 (hereinafter Additional Protocol I). The original formulation of the Martens Clause in the preamble of the Hague Convention IV respecting the Laws and Customs of War on Land, 18 October 1907, 36 Stat. 2295, I Bevans 634, states “the inhabitants and the belli- gerents remain under the protection and the rule of the principles of the law of nations as they result from the usages established among civilized peoples, from the laws of humanity, and the dictates of the public conscience”, reprinted in Adam Roberts and Richard Guelff, Documents on the Laws of War, 3rd ed., Oxford University Press, Oxford, 2000, p. 67.

50 Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion), Para. 86.

51Schmitt, Michael N. "Wired warfare: Computer network attack and jus in bello." International Review of the Red Cross 84.846 (2002): 365-399. p.369

(13)

qualified as valid military targets and can be attacked via Computer Networks Operations (CNOs). Acts of violence are often seen as physical force, which excludes psychological, political and economic warfare. Cyber attacks which thus amount to physical damage to objects (beyond the mere destruction of data on computer systems) or persons can therefore be seen as an attack under art. 49 API. That goes for air and missile warfare as well for cyber attacks that cover ‘non-kinetic’ attacks (attacks that do not involve the physical transfer of energy, such as certain Computer Network Attacks) that result in death, injury, damage or destruction of persons or objects. However the majority of CNOs are more likely to involve more ‘subtle’ attacks instead of those who include any physical destruction. If these solely can be qualified as an attack under IHL is more controversial. The majority opinion within the group of experts drafting the Manual was that once restoration of functionality requires replacement of physical components, such an action is to be considered as damage, thus as a cyber attack. 52_{A minority opinion thought that irrespective of how an object is disabled, its} loss of usability in all cases constitutes the damage hence the attack.53

IHL is thus activated through the commencement of an armed conflict. IHL principles apply whenever cyber attacks can be ascribed to a State when they are more than merely sporadic and isolated incidents and are either intended to cause injury, death, damage or destruction (and analogous effects), or such consequences are foreseeable. 54_{This can happen even when} the armed forces are not employed. By this standard, a computer network attack on a large airport’s air traffic control system by agents of another State would implicate humanitarian law. As such it can be stated that computer network attacks are subject to humanitarian law if they are part of either a classic conflict or a “cyber war” in which injury, death, damage or destruction are intended or foreseeable.55

2.2 The Russian-Georgian conflict:

The Russian-Georgian war started in 2008 and is to date the only publicly known international armed conflict in which CNOs took place alongside traditional kinetic

operations. Tensions had been building in the South Ossetia region for several years prior to the initiation of conflict in August 2008.56_{The war officially started on 7 August 2008 after several}

weeks of growing arguments over the future of the South Ossetian territory. Georgian troops initiated a military attack against South Ossetia and began a massive shelling of the town of Tskhinvali in response to alleged Russian provocation. Russia deployed additional combat troops to South Ossetia and retaliated with bombing raids into Georgian territory. Three weeks before the shooting war between Georgia and Russia began, online attackers started assaulting Georgia's websites. The alleged Russian attack upon the Georgia's military and government networks were highly successful. "It seems that 54 web sites in Georgia related to communications, finance, and the government were attacked by rogue elements within Russia ... So as tanks and troops were crossing the border and bombers were flying sorties, Georgian citizens could not access web sites for information and instructions.”57_{Georgian authorities discovered their Internet access and}

communications networks to be exceptionally vulnerable to (alleged) Russian interference.58 52 Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare, P.108

53 Ibid P.109

54 Schmitt, Michael N. "Wired warfare: Computer network attack and jus in bello." International Review of the Red Cross 84.846 (2002): 365-399. P.374

55 Ibid. P.375

56 Hollis, David M. "Cyberwar case study: Georgia 2008." Journal Article| January 6.11 (2011).

57 Jon Oltsik “Russian Cyber Attack on Georgia: Lessons Learned?” Network World, (17 August 2009), found at: http://www.networkworld.com/community/node/44448 (Last accessed 5 June 2016)

58 Ben Arnoldy “Cyberspace: new frontier in conflicts, Internet attacks on Georgia expose a key flaw for more than 100 nations” Christian Science Monitor (13 August 2008), found at:

(14)

The alleged Russian cyber attacks on Georgia were accompanied by physical combat between Russian and Georgian military forces. The alleged Russian network attack operations in cyberspace occurred prior to hostilities and later mirrored (apparently synchronized with) Russian combat operations in the on land war.59_{These attacks included various distributed} denial of service (DDOS) attacks to deny and disrupt communications and information exfiltration activities conducted to accumulate military and political intelligence from Georgian networks. These attacks also included website defacement for Russian propaganda purposes.

In the Georgian case there were several official government websites which were modified to show pictures of dictators of the 20th_{century lined next to then Georgian president}

Saakashvili’s picture with obvious implications. The indicators led to the assumption that the attacks had their origin in Russia. An example of this was the Russian-hosted website

www.stopgeorgia.ru, which was created explicitly to allow a large number of individuals to perform attacks on Georgian government websites. That website provided software,

instructions and target information so that every individual with a computer could undertake CNOs against Georgian targets. There were rumours that a Russian Business Network (a Russian internet service provider based in St Petersburg) was involved in the operations, but the level of involvement was never identified as such. It was also never established if the website containing the links to the malicious software was hosted by or under the direction of a Russian state organ. The damage that was inflicted is hard to assess. Direct physical damage did not occur, therefore it is more an attack of a psychological nature. Major website were no longer reachable and the Georgian government had difficulties in informing the national and international public about the ongoing conflict in the country, while at the same time the Georgian people’s access to information was obstructed. There were also banks in Georgia which were instructed to stop their electronic servers as they were earmarked for cyber attacks as well. This lasted for ten days. 60

The cyber attacks are the only publicly known CNOs taking place within the context of traditional military operations. The methods that were used in this case were DDoS attacks: those attacks allow the targeting of a particular computer system and are known as Distributed Denial of Service attacks. In such an attack many communication requests (as much as possible) are sent to the targeted source in order to make the source so slow that it will be unavailable to regular communication requests by other computer systems or ultimately causing it to automatically shut down.61_{The goal of such an attack is to deny the use of the} computer resource to legitimate users. Examples of DDoS attacks are disrupting the

information transmission capacity of systems linked to military sites of the headquarters. In such a way a default can occur of the command and control systems and is regarded as a

http://www.csmonitor.com/USA/Military/2008/0813/p01s05-usmi.html (Last accessed 5 June 2016)

“Georgia's Internet infrastructure has two big weaknesses. First, most of its external connections go through Russia. Second, there's a lack of internal connections called Internet exchange points. So when a Web surfer in Georgia calls up a Georgian Web page, that request routes through another country, which is similar to driving to Mexico to get across town in San Francisco, says Mr. Woodcock, whose organization helps countries build their own Internet exchange points.”

59 John Leyden, "Bear prints found on Georgian cyber-attacks: Shots by both sides," The Register, (14 August 2008), found at: http://www.theregister.co.uk/2008/08/14/russia georgia cyberwar latest/ (Last accessed 5 June 2016)

60 Woltag, J. C. "Cyber Warfare Military Cross-Border Computer Network Operations Under International Law (Cambridge, Intersentia)." (2014). P.46

(15)

preparatory or supportive measure to a conventional attack. 62

Chapter 3: Direct participation in cyber hostilities:

3.1 Determining DPH:

62Woltag, J. C. "Cyber Warfare Military Cross-Border Computer Network Operations Under International Law (Cambridge, Intersentia)." (2014). P.26

(16)

What kind of conduct can be described as DPH relating to cyber hostilities? And what kind of conduct cannot categorised as direct participation in cyber hostilities?

Determining direct participation in hostilities is complex; determining direct participation in cyber hostilities is especially so. As mentioned earlier the IG guidance of the ICRC has undertaken quite some work regarding DPH as well from domestic and international courts through case law. But what kind of acts by civilians would constitute DPH in cyber context? An example is for instance the computer worm Stuxnet that disrupted Iran’s nuclear program in 2010.63_{That incident targeted Iranian centrifuges used for the enrichment of uranium and if} it had occurred in a situation of an armed conflict ,which it did not, would have amounted to DPH because it resulted in physical damage to the centrifuges.64_{Though it was allegedly} conducted by US-Israeli joint operations it is not unthinkable that this kind of conduct can be done by civilians as well. Take for example the case of seven Iranians who allegedly hacked their way into at least 46 major financial institutions and financial sector companies and even a New York dam from 2011 to 2013. 65

So when and where is a civilian taking direct part in cyber hostilities? The IG interpretative guidance relating to DPH has met their fair share of criticism when it came to their writings on the subject.66_{In the scheme of cyber hostilities: is the person who gives the order to put the} malicious code taking direct part? Or is it the person who actually inputs the code? And what about the person who writes the code but doesn’t execute it?

In 2006 the case of “The public committee against Torture in Israel v. the Government of

Israel”67_{(also known as the Targeted Killings case) the Court examined the scope of art.} 51(3) API regarding DPH. The Court confirmed the customary status of the principle of DPH as codified in art. 51(3) API (which was an important step since Israel is not party to API) and analysed the concept. The Court considered civilians who DPH that:

“the direct character of the part taken should not be narrowed merely to the person

committing the physical act of attack, those who have sent him, as well, take ‘a direct part’. The same goes for the person who decided upon the act, and the person who planned it. It is not to be said about them that they are taking an indirect part in hostilities.” 68

Excluded from DPH were actions and persons who acted in a logistic capacity and monetary 63 Dan Turkel, “The US military has a new plan to fight ISIS – and it starts with making the group ‘extremely paranoid’” Business Insider UK, (April 26, 2016), found at: http://uk.businessinsider.com/new-us-cyber-war-against-isis-2016-4?r=US&IR=T (Last accessed 5 June 2016)

64 D Albright, P Brannan and C Walrond, ‘Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?’ (Institute for Science and International Security Report 22 December 2010) http://isis-online.org/isis-reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant/ (Last accessed 5 June 2016).

65 Dustin Volz, “Obama administration indicts 7 Iranians it says hacked dozens of US banks and a New York dam” Business Insider UK, (March 24, 2016), found at: http://uk.businessinsider.com/us-blames-iran-for-hacking-of-banks-2016-3?r=US&IR=T (Last accessed 5 June 2016)

66 W. Hays Parks, “Part IX of the ICRC ‘Direct Participation in Hostilities’ Study: No Mandate, No Expertise, and Legally Incorrect,” New York University Journal of International Law 42 (Spring 2010); Kenneth Watkin, “Opportunity Lost: Organized Armed Groups and the ICRC ‘Direct Participation in Hostilities Interpretive Guidance,” New York University Journal of International Law 42 (Spring 2010).

67 The Public Committee Against Torture in Israel v The Government of Israel (2006) HCJ 769/02; hereinafter the Targeted Killings case.

(17)

aid. 69_{The Court stated that whether a civilian could be targeted for taking direct participation} in hostilities needed to be undertaken on a case-by-case basis. The same methodology States use and of other judicial bodies use in their assessment of the scope op DPH. This

methodology is reflected in military manuals such as the American and the Australian who cite the need to analyse DPH “case-by-case”.

As stated in the “Targeted Killings” case it is “possible to take part in hostilities without using weapons at all”. 70_{So while the means of warfare can differ greatly it is the effect of such} means of warfare that are essentially similar. For example: a military communications system that is eliminated either by a CNA (Computer Network Attack) or a bomb is equally effective. In the ICRC IG this thinking was taken into account that:

“…electronic interference with military computer networks could . . . suffice (as DPH), whether through computer network attacks (CNA) or computer network exploitation (CNE), as well as wiretapping the adversary’s high command or transmitting tactical targeting information for attack.”71_{Computer network attacks and computer network exploitations}

could thus amount to DPH by civilians in cyber hostilities. DPH in the cyber domain will be assessed on the intended or actual effect. This “effects based” approach” is supported by State practice and case law. 72

3.2: Acts by civilians that don’t amount to DPH in cyber hostilities:

Before the explanation scenarios of cyber war are described later on there must be first of be described as what can amount to direct participation in cyber hostilities there are also those who don’t amount to it:

First of all there must be a cyber attack during an armed conflict; otherwise IHL and the notion of DPH would not apply. So not all cyber operations would constitute a resort to armed force, first hostilities have to take place. 73_{Then there is the issue whether actions result in} severe non-destructive and non-injurious consequences qualify.74_{It seems sufficient to treat a} cyber attack as one that amounts to an attack under IHL as crossing the hostilities threshold. The requested damage or injury necessary to initiate an international armed conflict still stirs 69 Crawford, Emily. "Virtual Backgrounds: Direct Participation in Cyber Warfare." ISJLP 9 (2013): 1.

70 Targeted Killings case, §35

71 N. Melzer. “Interpretative guidance on the notion of direct participation in hostilities under international humanitarian law”. International Review of the Red Cross. Vol. 90, Issue 872, December 2008, P.1017-18

72 See, the ICTY in Strugar, where the Chamber defined DPH as “acts of war which by their nature or purpose are intended to cause actual harm to the personnel or equipment of the enemy’s armed forces.” Prosecutor v. Strugar, Case No. IT-01-42-A, International Criminal Tribunal for the Former Yugoslavia, (2008), ¶¶ 176-79. The Chamber drew on numerous sources in support of its statement, including: military manuals from numerous countries, international tribunal judgments, U.S. Military Commission decisions, State practice and reports, and decisions of human rights bodies, such as the American Commission on Human Rights. See, Inter-American Commission on Human Rights, Third Report on the Human Rights Situation in Columbia, (1999), http://www.cidh.org/ countryrep/Colom99en/chapter.4a.htm (accessed October 15, 2012), ch. 4 B.2.d.¶ 53. (“It is generally understood in humanitarian law that the phrase ‘direct participation in hostilities’ means acts which, by their nature or purpose, are intended to cause actual harm to enemy personnel and material.”).

73 Tallinn Manual, supra note 2, at 74. And N. Melzer. “Interpretative guidance on the notion of direct

participation in hostilities under international humanitarian law”. International Review of the Red Cross. Vol. 90, Issue 872, December 2008, P.43

74 Not all governments have the same approach, the Dutch government has a more liberal one which is told at: CYBER WARFARE No 77, AIV/No 22, CAVV December 2011, supra note 40, at 24, endorsed by Government Response, supra note 7, at 4.

(18)

up debate. 75_{The experts in the Manual agreed that a cyber operation “that is reasonably} expected to cause injury or death to persons or damage or destruction to objects” qualifies as an attack.”76_{Everything that does not fall under this Rule is inter alia not a cyber attack and} when executed by a civilian would not amount to DPH in cyber hostilities.

A couple of examples of persons and/or actions who/which would not amount to DPH in cyber hostilities are:

- Computer technicians, technical maintenance personnel and others who perform similar task qualify under the inclusion of the category of “persons who accompany the armed forces without actually being a member thereof”.77_{They keep the machines in order and they} themselves don’t undertake the attack nor can they be held accountable for it because of the direct causation criterion. It would in itself cause no harm and routine maintenance does not in itself cause any direct harm nor would it have a nexus with the conflict: routine

maintenance is irrespective of its use in conflict. (See also cyber war scenario no.5). - Civilians who write codes and do research for the development of cyber war programs in general would also not fall under the notion of DPH. There would be no causal harm and there will be no point of reaching the threshold of harm. Simply researching would not be tied to any particular conflict; the research itself has been done in abstracto. (See also cyber war scenario no.4).

- The mere installation of a cyber war program on a computer system would also not amount to DPH. Here the direct causation criterion would also not be fulfilled, it would be too remote for the installation. Just the identification of a vulnerability in a targeted state’s system would in itself cause no harm and it still requires more action to exploit the vulnerability before real harm can be done. It however does have a nexus with the conflict so if imminent exploitation would be intended then this situation could amount to DPH. 78

Next to these situations international humanitarian law would also not apply to disrupting a university intranet, downloading financial records, shutting down Internet access temporarily or conducting cyber espionage, because, even if part of a regular campaign of similar acts, the foreseeable consequences would not include injury, death, damage or destruction.79

3.3 Cyber war scenarios:

International Humanitarian Law principles come into play whenever computer network attacks can be ascribed to a State and are more than merely sporadic and isolated incidents and are either intended to cause injury, death, damage or destruction (and analogous effects) or such consequences are foreseeable80_{. Even so when armed forces are not being employed!} A CNA on a large military airport controlling system of State A being attacked by civilians of State B would implicate IHL and relating principles. Another example of a CNA is a cyber 75 Schmitt, Michael N. "The Law of Cyber Warfare: Quo Vadis?." Stanford Law & Policy Review 25 (2014). P.291

76 Tallinn Manual supra note 2, at 92.

77 NRC Report (n 45) 266–67

78 Turns, David. "Cyber warfare and the notion of direct participation in hostilities." Journal of conflict and security law 17.2 (2012): P.295

79 Schmitt, Michael N. "Wired warfare: Computer network attack and jus in bello." Revue Internationale de la Croix-Rouge/International Review of the Red Cross 84.846 (2002): P.374.

(19)

attack on oil pipelines where surging oil is controlled after an attack regarding their governing flow81_{(which is done by computers), such an attack can cause the meltdown of a nuclear} reactor by manipulation of its computerized nerve centre. A CNA can also occur when computers are triggered to release toxic chemicals from production and storage facilities. These cyber situations can be categorised in the following cyber-war scenarios:

1) A civilian who is contracted by the armed forces of another party to the conflict to write malicious code or otherwise engage in a CNA/CNE:

This scenario strongly resemblances the case in where civilians are used to pilot drones in targeted killing strikes. 82_{The ICRC IG addresses this topic on civilians and DPH stating:} “ …as long as they are not incorporated into the armed forces, private contractors and civilian employees do not cease to be civilians simply because they accompany the armed forces and or assume functions other than the conduct of hostilities that would traditionally have been performed by military personnel . . . . A different conclusion must be reached for contractors and employees who, to all intent and purposes, have been incorporated into the armed forces of a party to the conflict, whether through a formal procedure under national law or de facto by being given a continuous combat function . . .Such personnel would be members of an organised armed force, group or unit under a command responsible to a party to the conflict and . . . would no longer qualify as civilians.”83

2) A civilian independently engaging in a CNA/CNE:

This scenario relates and is based on the earlier mentioned international armed conflict between Georgia and Russia in 2008. The cyber attacks that happened there were mostly for the purposes of disrupting networks and gathering information. 84_{There were Russian}

websites and blogs demonstrating on how to set up computers to automatically run distributed denial of service attacks (DDOS).85_{Some even offered already made ‘downloadable’ DDOS} programs.86_{Civilians who are engaging unilaterally in hostile cyber attacks without an} employment or instruction of the armed forces or another party to the conflict would also likely fill the criteria of DPH if the hostile acts would amount to an attack under IHL. Any acts undertaken by such persons with the “intent or effect of rendering the targeted networks vulnerable or inoperative”87_{have directly participated in the same way as if they were}

conducting a “traditional” attack for example damaging or destroying a military base, aircraft, navy vessel or any other military target. However regarding the CNAs in Georgia these would 81 President's Cmssn on Critical Infrastructure Protection. "Critical Foundations: Protecting America's

Infrastructures." (1997) at A-46

82 David S. Cloud, “Combat by Camera: Civilian Contractors Playing Key Roles in U.S. Drone Operations,” The Los Angeles Times, December 30, 2011.

84 Crawford, Emily. "Virtual Backgrounds: Direct Participation in Cyber Warfare." ISJLP 9 (2013): P.16

85 Evgeny Morozov, “An Army of Ones and Zeroes: How I Became a Soldier in the Georgia-Russia Cyber War,” Slate, August 14, 2008;

http://www.slate.com/articles/technology/technology/2008/08/an_army_of_ones_and_zeroes.html (Last accessed 3 June 2016)

86 Ibid and Asher Moses, “Georgian Websites Forced Offline in Cyber War,” The Sydney Morning Herald, August 12, 2008;

http://www.smh.com.au/news/technology/georgian-websites-forced-offline/2008/08/12/1218306848654.html (Last accessed 3 June 2016)

(20)

not amount to DPH as they were primarily aimed at disrupting networks and gathering information.

3) A civilian who writes malicious code or another malware program and gives (or sells) it to the armed forces or another party to the conflict. He or she does not personally execute the malware:

The ICRC IG also tackled this scenario – acts by someone who creates the mechanism through which a destructive act is executed but is not involved beyond the construction phase - but stated that this would not amount to direct participation in hostilities. They argued that the “causation test” would not be fulfilled. The IG stated that:

“…individual conduct that merely builds up or maintains the capacity of a party to harm its adversary . . . is excluded from the concept of direct participation in hostilities . . . . Examples of non-DPH include scientific research and design, as well as production and transport of weapons and equipment.”88

However the IG stated that there were many discussions on this topic and that opinions were divided89_{as to civilian scientists and weapons experts could always be considered to be taking} no direct part in (cyber) hostilities in such a way as described above. Some of the experts argued that constructing explosive devices could be considered to a measure that is

“preparatory to a concrete military operation”.90_{It wouldn’t just be pure capacity building, it} would’ve exceeded that and would go on to constitute as an integral part of a military operation. However, the other experts argue that such a strict criterion would prevent the criterion in becoming too broad. The approach of the IG was still to require direct causation of harm in the strict sense but to extend that perspective with regard to causing the harm. So instead of focussing solely on the specific act carried out by the civilian, it was pointed out that direct causation still existed when the required harm was directly caused by a concrete and coordinated military operation of which that act contributed in integral part. The act in question must thus be a part of the military operation and not merely a contribution to it. The threshold of harm can be reached if the program also really intents - and is designed - to cause harm but the harm that could bring it would be too remote unless if the person who writes the code also conducts the attack; then there would be no intermediary between the code and its activation.

The experts used the case of a civilian ammunition truck to illustrate their arguments. They stated that if a civilian truck driver were to supply a firing position with ammunition that that would be an integral part of the operation and that it therefore would constitute DPH. That would also be the case if the civilian truck driver would accompany the invading forces to supply them with ammunition. In my view replacing the word “civilian truck driver” to “civilian hacker” and swapping the terms “ammunition” to “malicious code that could hack into computerised weaponized systems” would constitute DPH as well, in cyber hostilities.

89 International Committee of the Red Cross, Summary Report, Fourth Expert Meeting on the Notion of Direct Participation in Hostilities, (Geneva, 2008) P.48.

(21)

4) A civilian who writes or deploys malware for criminal use but who has no nexus to the conflict:

As we know not all cyber attacks are targeted towards an armed conflict. Some hackers use their malware to hack banks and financial institutions for money. Hackers target sites and networks for the purpose of just because they can.91_{In such a case the proper way to approach} this is via domestic law and not IHL obviously. However this scenario would become quite complicated when a civilian engaged in a CNA and/or CNE during an armed conflict would put himself at risk of being targeted, as his attacks would be hard to distinguish from attacks being conducted by civilians who do have a nexus with the conflict.

5) A civilian who provides technical support for someone engaging in cyber hostilities:

Could technical and/or logistical support amount to direct participation in cyber hostilities? A civilian who is engaging in cyber hostilities and who is confronted with a technical problem that he or she could not solve might ask for help from someone else, for example an external contractor. Would such a contractor be participating in hostilities as well? Would that be automatically when the contractor’s hands touched the computer? Or after he or she has fixed the technical problem? Or only if the civilian who is engaged in the cyber hostilities

mentioned to the contractor what he or she was doing? Would only after that explanation mean that the contractor was directly participating in cyber hostilities?

When looking at the ICRC guidance and the ruling of the Israeli Supreme Court on the Targeted Killings case it would conclude that such a support, be it technical or logistics, would be too remote to amount to direct participation in (cyber) hostilities. Even if the contractor would know about the civilian’s cyber attack and was even on board about

engaging in a cyber war and even if he or she encouraged the civilian to destroy as much what was possible then still the contractor would be a mere enthusiastic supporter shouting from the (war infused) sidelines. He or she would not fulfil cumulative criteria required for the DPH-test as formulated by the ICRC.

This in turn was agreed by other scholars that conduct like this would be too remote for the purposes of the threshold of harm and the criterion of causation.92_{That is because computers} require technical support and for a long basis of time. Simply because of their technical nature, they need on-going maintenance. Even when there is no conflict going on. The contractor’s conduct could amount to:

“…individual conduct that merely builds up or maintains the capacity of a party to harm its adversary . . . [and thus] is excluded from the concept of direct participation in hostilities.”93

However not all scholars agree with the ICRC on this point. Some scholars have argued that direct participation includes not only activities involving the delivery of violence, but also acts such as described in this scenario; aimed at protecting personnel, infrastructure, or material.94

91 CNN.com, “Timeline: A Forty Year History of Hacking,” CNN Tech,

http://edition.cnn.com/2001/TECH/internet/11/19/hack.history.idg/index.html (Last accessed 4 June 2016)

92 See for example: Turns, David. "Cyber warfare and the notion of direct participation in hostilities." Journal of conflict and security law 17.2 (2012): P.295

93 N. Melzer. “Interpretative guidance on the notion of direct participation in hostilities under international humanitarian law”. International Review of the Red Cross. Vol. 90, Issue 872, December 2008, P.1021

(22)

Other activities that could amount to direct participation in cyber hostilities are the

exploitation of a vulnerable targeted State’s cyber system by introducing a hostile agent that damages it directly, a dictation of the precise set of commands needed to activate the hostile agent and personal entry by a civilian of the precise set of commands to activate the hostile agent. 95_{Some military thinkers have proposed that a cyber attack could constitute DPH in} cyber hostilities when a civilian used a cyber attack to shut down an air defence station. He or she could deliver the weapon via the host country’s internet or possible “beam” the weapon to the target directly from an aircraft. If such an attack would be properly executed the result of such a cyber strike would be the same as a bombing raid. 96

The situations sketched above are not at all exhaustive on cyber war activities that could amount to direct participation in cyber hostilities. They merely try to visualize the concept of DPH in the context of CW that can be undertaken by civilians. Malware that is often designed and used for cyber wars is by it definition designed to cause harm and damage to the target (computers). It would be strange to argue that any person who creates such a program and/or code is not aware of its intent that their program and/or code has or the consequences it has when it is released against their adversaries in the cyber domain. One exception could be that of a courier who transports the malware physically on foot or via air, land or sea from the programmers who have built it to the person or persons who are going to execute it. A CNA and/or CNE needs to be proportionate for the initial attack. A student who for example hacks his high school communicating and roster making system via a CNA and thereby crashing the system is giving all his peers and his teachers a day off. Such a situation would not justify an armed response. But a civilian who hacks into the air control system of the air force and as such deactivates its security system thereby allowing soldiers to invade it, occupy it and kill anyone who isn’t on their side does amount to direct participation in cyber hostilities and would justify an armed response.

As earlier mentioned direct participation in any kind of hostilities is complex. How and against whom can an appropriate response be directed? The uncertainties in both law and state practice in cyber hostilities makes participation maybe even more complex and problematic.

94 See for example, François Quéguiner, “Direct Participation in Hostilities under International Humanitarian Law,” International Humanitarian Law Research Initiative Briefing Paper, November 2003, n1. Available at:

http://reliefweb.int/sites/reliefweb.int/files/resources/DF086BE53215ACE04925762E0018E15B-Full_Report.pdf (last accessed on June 6 2016)

95 Turns, David. "Cyber warfare and the notion of direct participation in hostilities." Journal of conflict and security law 17.2 (2012): P.295

96 Kelsey, Jeffrey TG. "Hacking into international humanitarian law: The principles of distinction and neutrality in the age of cyber warfare." Michigan Law Review (2008): P. 1434

Crossing Digital Borders: Direct Participation in Cyber Hostilities

Table of contents