Possible Modernization of International Humanitarian Law Due to the Rise of Cyber-Attacks

(1)

Possible Modernization of International

Humanitarian Law Due to the Rise of

Cyber-Attacks

Master Thesis for Public International Law International Humanitarian Law

with the supervision of mw. dr. mr. P.A. Hildering

University of Amsterdam

20 July, 2017

(2)

2

Abstract

This thesis will specifically focus on the protection of civilians and civilian objects under article 48 of the Additional Protocol I. Due to the rise of cyber-attacks, it can be questioned if this protection by the principle of distinction can still be guaranteed. Through a legal analysis of the cyber-attack within the international armed conflict, it may become clear if the use of cyber-attacks is covered by international humanitarian law. To conclude an answer to the main question, three sub questions required to be answered first which are about the cyber-attack in an international armed conflict situation, the principle of distinction applied to the use of this mean and at last the proportionality of the use of cyber-attacks. Only by taking all aspects into consideration, this thesis can come to the conclusion if protection is still possible with the use of cyber-attacks.

(3)

3

1. Introduction

In August 2008, an armed conflict broke out between Russia and Georgia on Georgian’s territory. Before it turned into an inter-state conflict, it first began with a national conflict between Georgia and South Ossetia, since South Ossetia was still internationally recognized as a part of Georgia.1 The declaration of independency of Georgia earlier in 1991 – which was a result of the Soviet Union falling apart – created a certain separate group in the Georgian province of South Ossetia. This eventually led to a referendum in that province about

independency from Georgia in which 99 percent of the voters in South Ossetia supported this referendum for becoming independent from Georgia and for being re-unified with the Russian Federation.2 Russian authorities started from that moment on with providing Russian

citizenships to the inhabitants of South Ossetia which causes tension between the Russian and Georgian state. This had its outcome on the night of 7 to 8 August 2008, when the Georgian artillery attacked a town in South Ossetia. As a response, the Russian Federation considered this attack by the Georgian armed forces as an act of aggression and therefore Russian

involvement was allowed according to the Russian Federation, as an providence of assistance against the Georgian attacking groups.3 In a counter-movement, the Russian armed forces entered deep into the Georgian territory partly by airstrikes. Since the entering of the Russian state, the original conflict was no longer a national affair, but it became an international armed conflict.

It might nonetheless seem as an ‘ordinary’ armed conflict, yet there was one irregularity: the use of attacks. It was the first international armed conflict in which a state used cyber-attacks in support of its conventional cyber-attacks against another state. These cyber-cyber-attacks started on 8 August 2008 and ended when Russia announced its ceasefire on 11 August 2008.4 The cyber-attacks exercised by the Russian Federation aimed at disrupting the Georgian

government to govern its state, at paralyzing the army command and control system which includes air defense and among other things, also at disorder the military communication.5

1

Before 2008, UN Member States did not South Ossetia as an independent state. After the conflict in August 2008, the Russian Federation, Nicaragua, Venezuela, Nauru and Tuvalu recognized South Ossetia as an independent state and established diplomatic relations.

A. Nuβberger ‘South Ossetia’ Oxford Public International Law (Oxford University Press 2015), para. 31.

2_{A. Nuβberger ‘South Ossetia’ Oxford Public International Law (Oxford University Press 2015), para. 11.} 3

P. Roudik ‘Russia: Legal Aspects of War in Georgia’ The Law Library of Congress (September 2008), p. 8.

4_{A. Cohen & R. Hamilton ‘The Russian Military and the Georgia War: Lessons and Implications’ Strategic}

Studies Institute (U.S. Army War College 2011), p 45.

5

A.J.C. Selhorst ‘Russia’s Perception Warfare: The Development of Gerasimov’s Doctrine in Estonia and Georgia and its Application in Ukraine’ Militaire Spectator Jaargang 185 Nr. 4 (2016), p. 157.

(5)

5

The disordered communication lines had a military purpose, but were also used for civilian communication, that simultaneously went down as well by these cyber-attacks. The result was that the Georgian population was not able to communicate with each other and the outside world for a certain amount of time, which made it also impossible to make phone calls to emergency services, but the habitants were also not able to use bank accounts which stopped the financial transactions in that state for days.6 Luckily, the overall impact of the cyber-attacks was limited in Georgia. In 2008, the Information and Communication Technology (ICT) was still underdeveloped7 and the cyber-attacks against the Georgian stated caused disruption and chaotic situations, but only led to a temporary interruption and no physical damage occured. However, these days it is more likely that states will use cyber-attacks against other states during armed conflicts due to the development of technology and the fact that the consequences of such a cyber-attack can even be more disastrous than a kinetic attack for states that rely heavily on the internet nowadays.

The previous showed that cyber-attacks are no longer a mere hypothesis and organizations such as the North Atlantic Treaty Organization (hereinafter: NATO) discuss cyber-attacks and cyber-defence as one of their main topics during meetings.8 The combination with

international humanitarian law (hereinafter: IHL), on the contrary, is not as often discussed as the concept of cyber-attacks and defence and therefore this thesis will especially focus on cyber-attacks in combination with IHL. Before going more deeply into this topic, it is first important to know in which framework this thesis will operate.

As the example might show, or in fact, what the example is not showing, is the specific person or group who exercised the attacks. In practice, attribution of cyber-attacks to certain groups or states leads to a uncertainty due to the rise of technology. Cyber-attacks can be operated through many different internet servers and networks, which does not have to particularly be the network of the actual cyber-attacking state.9 It is a topic that will not be discussed and therefore the assumption will be in this thesis that in all examples mentioned , the cyber-attack can be attributed to the state.

6_{US Cyber Consequences Unit (US-CCU), Overview by the US-CCU of the Cyber Campaign against Georgia}

in August of 2008 (Washington, D.C., US-CCU, 2009), p. 6.

7_{CCD COE Legal Task Team ‘Georgian Cyber Attacks: Legal Lessons Identified’ Cooperative Cyber Defence}

Centre of Excellence (November 2008), p. 43.

8_{An example for this sort of NATO discussion is the Tallinn Manual 2.0, its authority and relevance will be}

discussed in the upcoming chapter.

9

CCD COE Legal Task Team ‘Georgian Cyber Attacks: Legal Lessons Identified’ Cooperative Cyber Defence Centre of Excellence (November 2008), p. 14.

(6)

6

While attribution will be left out of consideration, this thesis does focus on the conflicts under IHL. There are two forms of armed conflicts and this thesis concentrates on the international armed conflicts (hereinafter: IAC), which is the use of armed force between states.10 The difference between the IAC and the non-international-armed conflict

(hereinafter: NIAC) will be explained in a later stadium. Concerning the fact that this thesis will be mainly about cyber-attacks in an IAC context and specifically about the distinction of civilians and civilian objects and combatants and military objectives, the core will therefore be article 48, 51 and 52 of the Additional Protocol I (hereinafter: AP I). Article 48 AP I is relevant for this thesis, because it contains one of the basic rules under IHL that a distinction should always be made between civilians and civilian objects and combatants and military objectives. In article 52 AP I, it is contained that a civilian object can change into a military objective by its purpose in case of intertwinement. In this situation where civilian objects and military objectives are intertwined, the so called dual-use objects, the distinction cannot longer be made between military and civilian under article 48 AP I. The inability of making the distinction leads to another important principle of IHL, contained in article 51 AP I. This article provides the principle of proportionality, which allows to attack as long as the attack is proportionate. The mentioned articles can be applied in scenarios where ‘normal’ kinetic attacks are used between states. Yet, AP I does not mention the use of cyber-attacks.

The question therefore is whether these rule can also be applied in case of cyber-attacks between states. For this reason the research question is: During international armed

conflicts, can civilians and civilian objects still be protected under article 48 Additional Protocol I in case of the use of cyber-attacks?

The research question specifically focuses on the fact whether or not a cyber-attack violates IHL, by the methodology of evaluative research, especially if it could be used in combination with the basic rule of distinction between civilians and civilian objects and combatants and military objectives.11 This thesis focusses especially on the situation where an IAC already exists, in the manner of the Georgian example, but it still briefly touches upon the probability that a cyber-attack can also initiate such an inter-state armed conflict. To answer the main question it is of the utmost importance to assess in legal terms if it is possible, in case of an existing IAC, to qualify a cyber-attack as the notion of attack – mentioned in article 49 (1) AP

10_{Article 2 common to the Four Geneva Conventions.} 11

Protocol Additional to the Geneva Conventions of 12 August 1949 and relating to the Protection of Victims of International Armed Conflicts (8 June 1977) 1125 UNTS 609 (hereinafter: Additional Protocol I), article 36.

(7)

7

I – before the principle of distinction can be even applicable and consequently be breached . The first sub question will therefore be:

To what extent can a cyber-attack be considered as an attack under article 49 (1) AP I?

If this qualification is possible, then states have to comply to the basic rule of article 48 AP I when states start using cyber-attacks against another state. In light of the qualification, it is subsequently required to give an explanation of the basic rule of distinction and its

applicability to cyber-attacks. These clarifications and explanations will be given in the second chapter of this thesis whereas the criteria and application of the distinction rule play the most important role. This leads to the second sub question of this thesis:

What does the distinction rule mean in this context and how can this be applied to cyber-attacks?

The compliance of this rule cannot be assured when an object is considered as a dual-use object. If cyber-attacks are exercised against these dual-use objects another important principle of IHL becomes essential, namely the principle of proportionality. Hence, the third sub question will be:

When does proportionality come into play and can it be applied in the same way as in the situation of kinetic attacks?

If it is impossible to protect civilians and civilian objects under article 48 AP I in case of the use of cyber-attacks, it then has to be examined whether this rule should have an additional paragraph, especially focusing on the use of cyber-attacks during IACs or that a complete new rule should be created for this particular form of attacks. This could be an option if states wish to adopt cyber-attacks as a mean of warfare in order to use it in the future without violating IHL. In the fourth and last chapter it will mainly be demonstrated if and how the original rule could be changed in such a way that a violation of IHL will not occur in case of the use of cyber-attacks. It has to be questioned first if this change is desirable and if it is not primarily preferable that the interpretation of article 48 should be expanded in a way that it could also function for cyber-attacks.

Eventually, this will lead to the conclusion to what extent the use of cyber-attacks is in line with article 48 AP I concerning the rule of distinction or that it should be subjected to a change for the reason that it can be used without violating IHL.

(8)

8

2. Qualification of a Cyber-Attack as an Attack

IHL is solely applicable during armed conflicts and especially article 48 AP I can only be applied during an IAC and not in case of a NIAC, because Additional Protocol I is created for the international sort of armed conflict. As mentioned in the Tadić case, for an IAC, states must resort to armed forces or when a difference is leading to the intervention of members of the armed forces.12 As the notion IAC shows, there are two elements that need to be fulfilled before to the threshold of an IAC will be reached: international and armed. The elements will be covered by this chapter, but first, this chapter will focus on the absence of rules for cyber-attacks under IHL. It will lead shortly to the question if the use of cyber-cyber-attacks can initiate an IAC. Subsequently, it will specify cyber-attacks in the context of already existing IACs, which is the main sphere wherein this thesis takes place. Therefore, the qualification and the definition of the notion of attack under article 49 (I) AP is being explained: the act of

violence. The sub question will therefore be: To what extent can a cyber-attack be considered

as an attack under article 49 (1) AP I?

It specifically focusses on the IAC situations where the cyber-attack can be clearly considered as such an attack, whenever a cyber-attack cannot be seen as act of violence and which cyber situations fall within the doubtful grey area of IHL.

2.1 The Absence of Cyber-Attacks in the Geneva Conventions and Protocols

For the application of international humanitarian law, it is necessary that there is a situation of an armed conflict. Common article 2 and 3 of the Four Geneva Conventions require the situation of an armed conflict which can be divided in an international or non-international armed conflict.13 This is also named as jus in bello and does not concern the legitimacy of war or the rules of self-defense set by the United Nations Charter which carries the Latin name of

jus ad bellum. That distinction between the two types of armed conflict also indicates which

Geneva Convention or Additional Protocol is applicable. It will be all the Geneva Conventions and Additional Protocol I that are applicable to IACs. While the Geneva

12_{J Kleffner ‘Scope of Application of International Humanitarian Law’ in D Fleck (ed) The Handbook of}

International Humanitarian Law (3rd edn Oxford University Press 2013) p. 44.

13_{Article 2 & 3 common to the Four Geneva Conventions; Geneva Convention for the Amelioration of the}

Condition of the Wounded and Sick in armed forces in the field (12 August 1949) 75 UNTS 31; Geneva Convention for the amelioration of the condition of the wounded, sick and shipwrecked members of the armed forces at sea (12 August 1949) 75 UNTS 85; Geneva Convention relative to the treatment of prisoners of war (12 August 1949). 75 UNTS 135; Geneva Convention relative to the protection of civilian persons in time of war (12 August 1949) 75 UNTS 287 (GCs) (hereinafter: Geneva Convention).

(9)

9

Conventions and the AP do not mention the use of cyber-attacks, it is still sufficient and broad to subject cyber-attacks to IHL.14 In absence of certain specific rules, in this case rules

concerning cyber-attacks, IHL still goes back to its basis, which is called the Martens

Clause.15This Clause is considered as a reflection of customary international law and provides a legal safety net in case the use of cyber-attacks might slip through the cracks of the already existing rules of IHL. In the present situation of cyber-attacks, it means that situations which are not covered by, inter alia, the AP I, states still need to comply to the principles of

international law, derived from customary international law.16

2.2 The Presence of Rules for Cyber-Attacks by the Tallinn Manual 2.0

While the IHL treaties and protocols do not contain rules concerning the use of cyber-attacks, NATO and its Cooperative Cyber Defence Centre of Excellence took action and invited a group of experts to create a manual wherein international law is explained within the context of cyber-attacks, especially focused on jus ad bellum law and international humanitarian law. A new version, the Tallinn Manual 2.017, was published in February 2017, in which it became clear that the use of cyber-attacks in combination with international law did not lead to a legal vacuum, but to the affirmation that international law is applicable to cyber-attacks. It stated that the manual is non-binding on states, because it is up to states to create new formal and binding guidance. Still, the authors try to create a reflection of the law as it exists applied to cyber-attacks.18 By laying down these rules of the cyber game, the authors hope that states will cross a line in cyberspace, which is not defined yet. Eventually, this push beyond all limits can then lead to a global discourse in which states will come to the point to create binding law based on the resulting opinio juris and state practice.19 Heads of member states of NATO also made a statement during a NATO meeting in 2014 about the rise of

14_{C. Droege ‘Get off my cloud: cyber warfare, international humanitarian law, and the protection of civilians’,}

(2012) International Review of the Red Cross Vol. 94, No. 886, p. 540.

15_{D-I. Voitaşec ‘Cyber Hostilities: Civilian Direct Participation’ (2016) Vol. 6 Challenges of the Knowledge}

Society, p. 555.

16

Additional Protocol I, article 1 (2); Geneva Convention I, article 63; Geneva Convention II, article 62; Geneva Convention III, article 14; Geneva Convention IV, article 158.

17

A special manual created by experts for the use of cyber-attacks in combination with international humanitarian law.

18_{M. Schmitt ‘Tallinn Manual 2.0 on the International Law of Cyber Operations: What It Is and Isn’t’ (Just}

Security 2017) available at: https://www.justsecurity.org/37559/tallinn-manual-2-0-international-law-cyber-operations/ (accessed on 04/06/2017).

19

Asser Institute – Launch Report ‘The International Law of Peacetime Cyber operations – The Hague Launch of the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations and a Panel Discussion’ (Asser Institute – Centre for International & European Law 2017) available at:

http://www.asser.nl/media/3515/report-the-hague-launch-of-the-tallinn-manual-20-on-the-international-law-applicable-to-cyber-operations.pdf (accessed on 04/06/2017).

(10)

10

attacks. It was stated that the policy of NATO recognizes international law, under which international humanitarian law, as applicable in cyberspace. Additionally, these heads of member states determined that the impact of cyber-attacks could be just as harmful as a conventional attack.20

2.3 Cyber-Attack as the Initiator of an International Armed Conflict

Whether an armed conflict can be considered as an IAC or NIAC depends inter alia on the parties to the conflict and whether there is an existence of hostilities.21For an international armed conflict, it might be obvious that one of the requirements is that there must be an armed conflict in the first place, apart from characterizing it as international or non-international. The Geneva Conventions and the Additional Protocol do not contain a provision with an explanation of the requirements when the level of an armed conflict is reached. Common article 2 of the Four Geneva Conventions only specifies that there could be an armed conflict, even if one of the states has not recognized the conflict as a war.22 It can be inferred that the declaration of war is no longer necessary as it was during the World Wars to speak of an armed conflict and the applicability of IHL. The first time that a sort of definition of armed conflict was mentioned was in the Commentary on the Geneva Conventions in 1960.

However, this is description still leaves the notion of armed conflict as a broad concept. The Commentary on the Geneva Conventions illustrates the first shot theory.23 This theory means that IHL becomes applicable in case of a single shot fired by a state against another state.24 An explanation of armed conflicts was restated again in 1995 during the case of Tadić at the International Criminal Tribunal of Yugoslavia. The definition from this case is that there must be a resort to armed force between states to define it as an IAC and in case of a NIAC there must be protracted armed violence between organized armed groups and governmental

authorities of that state or between multiple organized armed groups within a state.25 A certain intensity to specify the conflict as an armed conflict is required. For NIACs, this leads to the

20_{Wales Summit Declaration issued by the Heads of State and Government participating in the meeting of the}

North Atlantic Council in Wales, 5 September 2014, para 72.

21_{M. Schmitt (Editor), ‘Tallinn Manual 2.0 on the International Law Applicable to Cyber Warfare’, (Cambridge}

University Press 2017) art. 82 (11) (hereinafter: Tallinn Manual 2.0)

22_{Article 2 Common to the Four Geneva Conventions.}

23_{J.S. Pictet (ed.) ‘The Geneva Conventions of 12 August 1949. Commentary: III Geneva Convention Relative}

to the Treatment of Prisoners of War’ Geneva, ICRC, 1960, p. 22.

24_{M. Pedrazzi ‘The beginning of IAC and NIAC for the purpose of the applicability of IHL’ in C. Marchand (ed)}

‘The Distinction between International and Non-international Armed Conflicts: Challenges for IHL?’ (International Institute of Humanitarian Law, 2016), p. 73.

(11)

11

fact that internal disturbances or tensions26 cannot be qualified as an armed conflict. For IACs on the other hand, the intensity of a certain conflict must go beyond border clashes or

abduction of a member of the armed forces of another state concerning situations where the IAC situations take place.27

The question remains if the first shot theory can cover the use of cyber-attacks in a way that it can trigger the application of the law of armed conflict. The first theory created by the scholar Pictet includes any kind of use of arms28 which also implicates the use of cyber-attacks. However, this interpretation of the theory does have some drawbacks.

If the use of a cyber-attack has the same effect as kinetic attacks which is the cause of death and injury of civilians or damage or destruction of civilian objects, the cyber-attack can then be considered as the trigger of an IAC, because the kinetic attack as well would be qualified as reaching the threshold of an IAC.29 Furthermore, during the Georgian-Russian war, the cyber-attacks were in support of the kinetic attacks exercised by the Russian

Federation. This combination of kinetic - and cyber-attacks can also lead to the beginning of an IAC.30 Yet, not all scenarios are as clear as the previous mentioned situations. If a cyber-attack is launched against one single computer of a state with non-essential functions for a short duration, it should not immediately give rise to the beginning of an IAC; it would be comparable to the throw of a stone across the border by a soldier, which would also not be qualified as an IAC.31Currently, there are no specific rules concerning the classification and interpretation of conflicts with the use of cyber-attacks. It will depend on future state practice and opinio juris to determine what the interpretation of an IAC will be in the context of cyber-attacks.32

26

Protocol Additional to the Geneva Conventions of 12 August 1949 and relating to the Protection of Victims of Non-International Armed Conflicts (8 June 1977) 1125 UNTS 609 (AP II) article 1 (2).

28

Dietrich Schindler, ‘The different Types of Armed Conflicts According to the Geneva Conventions and Protocols’ (1979) 163 Recueil des Cours de l’Académie de Droit International, p. 128 - 131.

29_{M. Schmitt ‘Classification of Cyber Conflict’ Journal of Conflict and Security Law Vol 17 No. 2 (2012) p.}

251.

30

Tallinn Manual 2.0 Commentary on Rule 82 para. 11.

31

M. Schmitt ‘Classification of Cyber Conflict’ Journal of Conflict and Security Law Vol 17 No. 2 (2012) p. 252.

32

C. Droege ‘Get off my cloud: cyber warfare, international humanitarian law, and the protection of civilians’, (2012) International Review of the Red Cross Vol. 94, No. 886, p. 549.

(12)

12

2.4 The Application of Article 49 (1) AP I on Cyber-Attacks

While new customary international law is necessary for the consideration of cyber-attacks as initiator of an IAC, this thesis concentrates on cyber-attacks exercised during an already existent IAC. Therefore, it first requires to set out the difference between the art of ‘armed attack’ in the sense of jus ad bellum, used in article 51 of the Charter of the United Nations (hereinafter: UN Charter) and the notion of ‘attack’ provided in IHL, more specific in article 49 (1) AP I. The armed attack that is used in a different system of law – the system of jus ad bellum – has a different definition: in the context of cyber-attacks, this means that this form of attack can be considered as an armed attack in the sense of article 51 UN Charter if this action causes death or injury to civilians or damage or destruction of civilian objects.33

For the application of IHL it is not necessary to take into account whether a violation of the prohibition on the use of force has occurred or an armed attack.34 The notion of attack that is used by IHL must therefore not be confused with the latter definition of armed attack. The definition comes from the principle of distinction of article 48 AP I.This article 48 AP I states that “in order to ensure respect for and protection of the civilian population and

civilian objects, the Parties to the conflict shall at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and

accordingly shall direct their operations only against military objectives”.35 The placement of article 49 AP I in the same chapter as article 48 AP I, which contains the definition of an attack, primarily means that such a military operation mentioned in article 48 AP I can be considered as an attack under article 49 (1) AP I.

2.4.1. Act of Violence

IHL focusses on the notion of attack in the sense of article 49 (1) AP I to be applicable in cases of the distinction rule of article 48 AP I. This means that if a cyber-attack can be legally classified as the definition of attack provided in article 49 (1) AP I, then the principle of distinction is applicable and should be complied with during the exercise of a cyber-attack.

Article 49 AP I gives the definition on whether an attack can be considered as an attack during IACs. It does not mention the condition of physical damage, which analogously might

33

M. Schmitt 'Attack' as a Term of Art in International Law: The Cyber Operations Context’ in C. Czosseck, R. Ottis & K. Ziolkowski (eds) Proceedings of the 4th International Conference on Cyber Conflict (2012) p. 288.

35

(13)

13

suggest that this definition also in case of a cyber-attack physical damage might seem

inessential. It only refers to an “act of violence against the adversary, whether in offence or in defence”.36 The definition used by the AP I is not as specified as it seems in the first place. The article does not give further information about the criteria being used of what can be interpreted as an act of violence. However, the commentary to the AP I by the International Committee of the Red Cross (hereinafter: ICRC) states that combat action can be considered as an attack which refers to physical damage.37

The Additional Protocol and its Commentary were primarily not designed for cyber-attacks, but only for the kinetic cyber-attacks, because it was created many years before the first cyber-attack took place. Based on the Tallinn Manual 2.0, the cyber-attack can nonetheless be qualified within the notion of act of violence mentioned in article 49 AP I.38 In this manual the cyber-attack is defined as “a cyber-operation, whether offensive of defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects”.39

It consequently mentions that the law of IACs is applicable to these situations where cyber-attacks are used as a mean of warfare. In a certain sense, the definition of cyber-cyber-attacks

requires a certain causation of injury, despite the fact that jus ad bellum does not influence the applicability of IHL. The condition of physical damage is not primarily required according to article 49 AP I, but in the case of cyber-attacks it is added by the Tallinn Manual. After the legal analysis of the concept of attack used in IHL, it might roughly be concluded that the similar criteria jus ad bellum – physical damage – is being used after all.40

2.4.2. Exclusions on the Act of Violence

Besides the explanation of the act of violence under the Tallinn Manual, other scholars

pointed out that the concept of an act of violence excludes certain scenarios, such as spreading propaganda, embargoes or other non-physical means of psychological, economic or political warfare.41 Applying this point of view to cyber-attacks, only planting malware in the

computer of the enemy or breaking through the firewall of the opposing state, does not in

36_{AP I (8 June 1977) 1125 UNTS 609 (AP I) article 48.}

37_{M. Schmitt 'Attack' as a Term of Art in International Law: The Cyber Operations Context’ in C. Czosseck, R.}

Ottis & K. Ziolkowski (eds) Proceedings of the 4th International Conference on Cyber Conflict (2012) p. 290.

38_{Tallinn Manual 2.0 Commentary on Rule 92 para. 2 & 3.} 39

40_{M. Schmitt 'Attack' as a Term of Art in International Law: The Cyber Operations Context’ in C. Czosseck, R.}

Ottis & K. Ziolkowski (eds) Proceedings of the 4th International Conference on Cyber Conflict (2012) p. 291.

41_{M. Bothe, K.J. Partsch & W.A. Solf ‘New Rules for Victims of Armed Conflicts: Commentary on the Two}

1977 Protocols Additional to the Geneva Conventions of 1949’ (2nd

edn Martinus Nijhoff Publishers 2013) p. 329.

(14)

14

itself reach the level of an act of violence.42 This implies that the effects of cyber-attacks which are non-violent, such as cyber espionage, cannot be qualified as an attack in the sense that is used by 49 (1) AP I.43 For this reason it can be stated that it is not the nature of the cyber-attack that has to be examined whether it causes injury, death, damage or destruction, but the consequences of the cyber-attack that might cause this. In principle, weapons used by states, such as biological weapons, are in their nature not causing these forms of damage to their designated target with a physical explosion, but there are certain effects caused by these weapons. This is also the case for cyber-attacks. In their nature it might occur that the act of a cyber-attack is non-violent, for example, malware does not have the violence as a nature, but when it eventually results in certain injury or damage it will be considered as an act of

violence.44 An example for the consequences of an cyber-attack that have been qualified as an act of violence can be found in the Stuxnet case whereby Iranian nuclear facilities were hacked by another state. The malware that infected the facilities caused physical damage, because the centrifuges had to be replaced after the attack.45 This cyber-attack could therefore be considered as an act of violence in the sense of article 49 (I) AP I because of the caused physical damage, but would not have become an act of violence when the malware was only planted with non-violent effects. It could be questioned if there is a point in using non-violent malware against another state. Nonetheless, it is a method to obtain sensitive governmental information which can lead to worldwide tensions. WikiLeaks can be considered as an example for providing this confidential information of state governments that lead to global commotion.46 It is unclear who or what is behind the providing of these documents to the WikiLeaks website. This could be states that planted malware and obtained the information and subsequently provided it to WikiLeaks, or private parties, such as an individual whistle-blower.

2.4.3. Attack in the Grey Area

For certain cyber-attacks it is not always on the surface if there is an act of violence, which places the cyber-attacks again in a grey area of international law. The cyber-attacks with

42_{Y. Dinstein ‘The Conduct of Hostilities in an International Armed Conflict (3}rd_{edn Cambridge University}

Press 2016) p. 3.

43_{Tallinn Manual 2.0 Commentary on Rule 92 para. 2.} 44_{Tallinn Manual 2.0 Commentary on Rule 92 para. 3.} 45

D. Albright, P. Brannan & C. Walrond ‘Did Stuxnet take out 1,000 centrifuges at the Natanz enrichment plant? Preliminary assessment’ ISIS Report (22 December 2010) available at: http://isis-online.org/uploads/isis-reports/documents/stuxnet_FEP_22Dec2010.pdf (accessed on 04/06/2017).

46

—— ‘Invloed WikiLeaks merkbaar in diplomatieke contacten’ (De Standaard 2010) available at: http://www.standaard.be/cnt/dmf20101212_025 (accessed 07/05/2017).

(15)

15

violent effects can become violent: it is not obliged that the cyber-attack actually results in the physical damage, which for instance did also not occur during the Russian-Georgian armed conflict.47 During this armed conflict, there was only a temporary interruption, which cannot be legally considered as an act of violence, unless it is resulting in physical damage or human suffering.48 If the eventual physical damage of a cyber-attack can be activated on a certain moment, it can still be considered as an attack, irrespective if the act finally becomes

successful. This is derivable from the statement made by the Commentaries on the Additional Protocols that ‘there is an attack whenever a person is directly endangered by a mine laid’.49 However, mines and cyber-attacks might have similarities concerning their effects,

determination and evidence of the cyber-attack and its possible physical damage is a

challenge. While a mine can be found in the ground and can explode sooner or later, a cyber-attack is intangible and malware can be planted and removed before noticing.50 This could lead to some practical complications and makes it unsure whether to speak of an attack.

Furthermore, there is another situation where the cyber-attack as an attack becomes vague and undeterminable. The Tallinn Manual 2.0 declares that there is a lot of ongoing discussion concerning several forms of cyber-attacks. Pursuant to article 92 (10) Tallinn Manual 2.0, some experts on the one hand have the opinion that the interference of the

functionality of an object can be considered as an act of violence if physical components need to be replaced for the restoration of this functionality of the object. On the other hand, other experts qualify the replacement of software or data as sufficient to reach the level of an attack.51

While there is a slight bifurcation concerning the replacement of physical components or software for restoring the functionality of an object, there is a legal gap that can be derived from these statements in the Tallinn Manual 2.0. The majority of the experts of the Tallinn Manual 2.0 stated that the disruption of email communication for example or the Internet in general does not contain an attack in the sense of article 49 (1) AP I. From the point of view of the experts, the applicability of IHL does have limits and cannot extend this far that these

47

48_{C. Droege ‘Get off my cloud: cyber warfare, international humanitarian law, and the protection of civilians’,}

(2012) International Review of the Red Cross Vol. 94, No. 886, p. 557.

49_{Y. Sandoz, C. Swinarski & B. Zimmermann (eds) ‘Commentary on the Protocol Additional to the Geneva}

Conventions of 12 August 1949 relating to the Protection of Victims of International Armed Conflicts (Protocol I)’ (International Committee of the Red Cross 1987) para 1881.

50_{J.R. Vacca ‘Network and System Security’ (2}nd_{edn Elsevier 2014) p. 64.}

51_{I. Kilovaty ‘Violence in Cyberspace: Are Disruptive Cyberspace Operations Legal under International}

Humanitarian Law?’ (Just Security 2017) available at: https://www.justsecurity.org/38291/violence-cyberspace-disruptive-cyberspace-operations-legal-international-humanitarian-law/ (accessed on 07/05/2017).

(16)

16

disruptive cyber-attacks can be considered as an act of violence.52 It creates a narrow reading of the concept of act of violence of article 49 (1) AP I, which might lead to an unwanted outcome. Article 49 (2) AP I precludes that the provisions of the AP I, including the principle of distinction and proportionality, apply to all attacks. In other words, in case of a lack of the act of violence and thereto an attack, these principles will not be applicable. When the

disruption of the Internet communication lines is not considered as an attack, the principles of distinction and proportionality do not come into force which actually leads to the result that civilians will not be protected against these cyber-attacks. Consequently, states can abuse this non-qualification by the of the experts of the Tallinn Manual 2.0 by legitimately attacking civilians of another state in an ongoing IAC. IHL is then unable to pursue its own intent for which it principally exists.53 This approach seems controversial in the light of the purpose of IHL. For instance, hacking an electrical grid without the result of physical components or software being replaced, it might be assumed in the first place that the requirement of physical damage to the electrical grid is not being fulfilled and that the cyber-attack – the hack in this case – cannot be qualified as an act of violence. However, these specific attacks can cause indirect physical damage to civilians that might not be immediately released after the

disruption of the electrical grid. To close this legal gap, even in cyber-attack context, a return to the interpretation of AP I is required. In the light of the object and purpose of AP I, it can be derived that the goal that IHL tries to achieve is to protect civilians to the effects of armed conflicts by inter alia following the distinction rule on the basis of this interpretation. Despite that IHL uses a legal instrument – the codification of the definition under article 49 (1) AP I – it eventually turns to a consequence-based approach when applying this rule of IHL in

practice.54

52_{Tallinn Manual 2.0 Commentary on Rule 92 para. 12.} 53

I. Kilovaty ‘Violence in Cyberspace: Are Disruptive Cyberspace Operations Legal under International Humanitarian Law?’ (Just Security 2017) available at: https://www.justsecurity.org/38291/violence-cyberspace-disruptive-cyberspace-operations-legal-international-humanitarian-law/ (accessed on 07/05/2017).

54

M. Schmitt 'Attack' as a Term of Art in International Law: The Cyber Operations Context’ in C. Czosseck, R. Ottis & K. Ziolkowski (eds) Proceedings of the 4th International Conference on Cyber Conflict (2012) p. 291.

(17)

17

3. Basic Rule on Distinction

The sub question that will be the theme in this chapter is: What does the distinction rule mean

in this context and how can this be applied to cyber-attacks?

A definition will be given of the rule of distinction and the elements that are included in the one of the most important principles of IHL. The distinction between civilians and civilian objects and combatants and military objectives will play the main role and will eventually lead to the principle applied by cyber-attacks.

3.1 Applicability of the Principle of Distinction

The principle of distinction is one of the main principles of IHL which always has to be taken into account as the boundaries of the law of armed conflicts. The distinction rule can only come into force whenever there is an attack under the definition of article 49 (1) AP I. As mentioned earlier, article 49 (2) AP I precludes that the provisions of AP I are applicable in case of an attack. This means in short that if a cyber-attack cannot be qualified as an attack, the principle of distinction is inapplicable. However, the consequence-based approach removes this legal vacuum.

3.2 Definition

In 1945 the Nuremberg International Military Tribunal already found that humanitarian rules were customs of war and recognized by all civilized nations.55 For the AP I, even though not all states have ratified the Protocols, the fundamental rules of IHL constitute intransgressible principles of international customary law which was stated in the Advisory Opinion of the International Court of Justice.56 This also includes the principle of distinction in which it is concluded that in case of an IAC, parties to the conflict always should distinguish civilians from combatants and civilian objects from military objectives. The Geneva Conventions do not contain a definition of these concepts of combatants and military objectives on the one hand and civilians and civilian objects on the other hand. However, in 1977 the AP I provided the definition of the two mentioned groups in the basic rule of distinction, otherwise the basic rule would be useless.

55_{Trial of the Major War Criminals, 14 November 1945-1 October 1946, Nuremberg, 1947, Vol. 1, p. 254.} 56

Advisory Opinion on Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep 226, para 79.

(18)

18

In the light of the objective of IHL, the protection of those who are not or no longer taking part in hostilities against the effects of armed conflicts, it would be logical that the AP I creates a definition for civilians and civilian objects. Nonetheless, the opposite is true:

preference is given to the definition of the military aspect. The rules of IHL are designed for states that are party to a conflict. These states need to comply with those rules of IHL and are responsible in case of violating this provisions57; it is not mentioned for civilians who became victims of war and therefore civilians are not able to directly invoke IHL at the International Criminal Court, which on the opposite can be done by states.58

3.2.1. The Direct Participation in Hostilities by Civilians with the Use of Cyber-Attacks The first aspect of the principle of distinction can be found in the differentiation of the status of civilian and combatant. A civilian is a person that does not belong in one of the categories mentioned in article 4 (A) (1), (2), (3) and (6) of the Third Geneva Convention and article 43 AP I. 59 These two articles contain a list of persons that are qualified as combatant, for instance, members of the armed forces, but also members of other militias and so on. During an IAC, a civilian is protected under IHL against the dangers of military operations. This protection ceases for such time as a civilian takes a direct part in hostilities.60 In the context of cyber-attacks, this cessation of protection can occur as well61 similar to the conventional situation without cyber-attacks, when civilians decide to launch cyber-attacks against the enemy of the state during an IAC.62 The direct participation in hostilities has some requirements before protection (temporarily) terminates. A threshold of harm needs to be reached before it is actual possible to speak of direct participation, which means that the harm demands sufficiently serious harm: person or objects that are protected against direct attacks are or might be affected by that person with death, injury or destruction or that person causes harm of a specifically military nature. This threshold will already be reached when such harm can be reasonably expected; the harm does not actually have to occur.63 Subsequently, there

57_{Additional Protocol I, article 91.}

58_{Rome Statute of the International Criminal Court article 12, 13 & 14.} 59_{Additional Protocol I, article 50 (1).}

Additional Protocol I, article 51 (3).

61_{Article 97 (5) Tallinn Manual 2.0.}

62_{P. Shakarian ‘The 2008 Russian Cyber Campaign Against Georgia’ Military Review (November-December}

2011) p. 64

63

N. Melzer ‘Interpretative Guidance on the Notion of Direct Participation in Hostilities under International Humanitarian Law’ (International Committee of the Red Cross 2009), p. 47.

(19)

19

must be direct causation: one causal step between act of the civilian and the caused harm and lastly, the act is designed in support of a party, which is called a belligerent nexus.64

The criteria applied to cyber-attacks are not different from the original armed conflict. Actual physical damage is not necessary for direct participation in hostilities, it only has to be reasonably expectable. This means that even if a cyber-attack does not result in the physical damage, it can still be a form of direct participation. An example which is also mentioned in the Tallinn Manual is the scenario of disrupting the command and control network of the enemy state by a civilian. The disruption negatively affects the military operations of the opponent in this example, the causal link is plausible and the civilian could act to support the state.65 When the level of direct participation is met, the civilian will lose its protection and can become object of attack based on article 51 (2) and (3) AP I.

While civilians are protected in general, unless there is direct participation in hostilities, combatants can be attack at all times, with a few exceptions.66 These exceptions can be found in article 41 (1) and (2) AP I: when a combatant is hors de combat it can no longer be object of attack. Hors de combat means that the combatant is no longer taking part in hostilities, which is possible if the combatant is wounded or sick, being captured by the belligerent party or if the combatant surrenders.

3.2.2. Transformation into a Military Objective: Dual-Use Objects

The second aspect of distinction has to be made between military objectives and civilian objects. The AP I comprised the definition of those two concepts as one under article 52 AP I. It states that all objects which cannot be defined as military objectives are civilian objects and should therefore not be attacked. Based on article 52 AP I, civilian objects may not become subjects of a military target. It will only be military objectives that can be under attack by the belligerent party. Objects can be considered as a military objective by their nature, location, purpose or use and these objects have to make an effective contribution to military action.67 Additionally, the total or partial destruction, the capture or neutralization of those objects

64_{N. Melzer ‘Interpretative Guidance on the Notion of Direct Participation in Hostilities under International}

Humanitarian Law’ (International Committee of the Red Cross 2009), p. 46.

65_{D-I. Voitaşec ‘Cyber Hostilities: Civilian Direct Participation’ (2016) Vol. 6 Challenges of the Knowledge}

Society, p. 552 – 553.

66_{Additional Protocol I, article 41 (1) & (2) & article 51 (1).} 67

(20)

20

leads to a military advantage.68 These two elements given by article 52 AP I are cumulative and must both be fulfilled to speak of a military objective. Obviously, it leads to a restrictive interpretation of these objectives and widens the protection of civilian objects which

demonstrates the underlying intent of IHL. This rule that qualifies an object as military or civilian does not differ from the cyber-attack situation.

As a result of this definition of distinction, some objects are instantly by nature a military objective, while other objects, such as computer systems designed for civilians, can become military objectives from the moment that the belligerent party starts using it against the other party, which transforms it in a military objective by purpose.69 The notion that is used for this transformed object is the dual-use object. With this possible transformation in mind, every object can become a military objective, unless it the object is benefitting from special protection under the Geneva Conventions or Additional Protocols.70 Becoming a military objective is possible if the criteria of effective contribution and a definite military advantage is fulfilled. To speak of the previous two basis for exception, the destruction needs to serve a military purpose, which can be direct or indirect, but it has to be based on more than a possibility.71 The interpretation of the used concept of effective and definite is quite narrow stated in the Commentary on the AP I. A contribution can be considered as effective if it is an attack on an object that is “directly used by the armed forces”, if the location as an object is of “special importance for military operations” or if these objects are “being used for military purposes”. For the meaning of definite, the Commentary on the AP I requires that the attacks offers more than just a “potential or indeterminate” advantage.72

3.3 Dual-Use Objects in the Context of Cyber-Attacks

Whereas a Radio and TV station can be found as a military target, if there is no definite military advantage obtained or effective contribution made by the destruction of this station,

68_{Additional Protocol I, article 52 (2).}

69_{Y. Dinstein ‘The Principle of Distinction and Cyber War in International Armed Conflicts’ (2012) 17 (2)}

Journal of Conflict & Security Law, p. 263.

70

M. Sassòli ‘Legitimate Targets of Attacks under International Humanitarian Law’ (2004) Harvard Program on Humanitarian Policy and Conflict Research, p. 2.

71_{S. Verhoeven ‘The Protection of Civilians and Civilian Objects against Hostilities’ in J Wouters, P De Man &}

N Verlinden (eds) Armed Conflicts and the Law (1st edn Intersentia Antwerpen 2015) p. 275.

72_{M. Schmitt ‘Wired Warfare: Computer Network Attack and Jus in Bello’ (2002) International Review of the}

(21)

21

then the destruction is prohibited based on article 52 (2) AP I.73 Instead of bombing this Radio and TV station in the manner of NATO during the armed conflict in Kosovo, it is also

possible nowadays to attack a station by cyber means, which will become a lawful military objective in case of the analogous application of the criteria of article 52 (2) AP I. However, this may become rather vague than clear concerning cyber-attacks due to the subjectivity of these criteria in cyberspace. For example, it can be questioned whether an online banking system can become a military objective by the reason that the disruption of the system can serve a military purpose, because it will be unable to continue to fund the armed forces of a state.74

Whenever it is not evident whether an object can be recognized as a military objective, it must be presumed that it is not to be so used, based on article 52 (3) AP I. This presumption also leads to the fact that it is not an option for belligerent parties to attack in an

indiscriminate manner. Primarily it is a war crime when there is an intentional direct attack on civilians or civilian objects.75 However, this does not mean that there are no rules for attacks on military objectives, because not all forms of attacks on military objectives are allowed, based on the principle of proportionality. Attacks must always be directed at a specific military objective and not at a general objective based on article 51 (4) AP I. This has

consequences as well for the means and methods of warfare: the use of a mean should always be employed in a certain way that it can be directed specifically at a military objective and the effects of this attack must be predictable and controllable.76 The rule for indiscriminate

attacks does refer to means of warfare, but does not specifically address cyber-attacks. However, the Tallinn Manual 2.0 states in the scenario of dual-use objects that military computers need to be attacked separately if this is possible because of distinctive IP address for instance. The attack will be unlawful according to the Manual if a state still attacks a dual-use object where the civil component will be damaged as well while the military component could have been attacked separately.77 An example of the appliance of this rule can be found in the United States where the military communication goes for 95 percent through civilian

73_{International Criminal Tribunal for the former Yugoslavia (ICTY) Final Report to the Prosecutor by the}

Committee Established to Review the NATO Bombing Campaign Against the Federal Republic of Yugslavia, The Hague 14 June 2000, para 76.

74_{M. Schmitt ‘Wired Warfare: Computer Network Attack and Jus in Bello’ (2002) International Review of the}

Red Cross Vol. 84, No. 846, p. 381.

75_{Rome Statute of the International Criminal Court article 8 (2) (b) (i) & (ii).} 76

Additional Protocol I, article 51 (4) (a) – (c).

77

(22)

22

communication lines78. This makes it extremely difficult to attack this military objective without causing damage or injury to civilian objects, unless technology allows to make the distinction on the basis of IP addresses. It makes the communication system a dual-use object, which means that five percent is used for military purposes, while the other 95 percent is used by civilians. Even though 95 percent is used for civilian matters, it still turns the object into a military objective and leads to the fact that it can be attacked by cyber means if the military component cannot be attacked separately. Furthermore, a cyber-attack at a military

communication system might be a direct intentional attack on a military objective, but despite that it could not always be predictable whether this virus or malware would affect the civil systems that might be intertwined with the military communication system. Thus, the computer controlling the sending malware or viruses might be considered as a direct

discriminate attack and is able to precisely attack the computer of the belligerent party, but it is the effects of this virus that cannot be limited and controlled and therefore a violation of article 48 and 51 (4) AP I might exist.79

The difficulty that rises, concerning the prohibition on non-distinctive indiscriminate attacks and cyber-attacks, comes down again on the principle of distinction that has to be made at all time. While the effects of a cyber-attack cannot always be predicted and controlled, it does not automatically mean that a cyber-attack should never be used by the armed forces against their belligerent party. In normal warfare where parties use the ordinary means, it often occurs that the distinction is not always been made by both sides and protected civilian objects become subject to an attack as well. This does not directly imply that the attack was prohibited, which will be explained in the following chapter.

It could be stated in the first place that in a situation where cyber-attacks are used, it is more likely that less civilians and civilian objects will be damaged or injured by a direct attack at military objectives if this military objective is not intertwined with civilian matters. However, in case of dual-use objects, this reaches a certain level of complexity as mentioned above and the rule of distinction will be put in danger. Nevertheless, whether it is a normal attack with ordinary means or a modern cyber-attack, in both cases it firstly has to be analyzed if the principle of proportionality has been taken into account before the attack is exercised.

78_{R. Aldrich ‘The International Legal Implications of Information Warfare’ (1996) Airpower Journal Vol. X,}

No. 3 p. 105.

79

M. Schmitt ‘Wired Warfare: Computer Network Attack and Jus in Bello’ (2002) International Review of the Red Cross Vol. 84, No. 846, p. 389.

(23)

23

4. The Proportionality of Cyber-Attacks

A cyber-attack launched against a dual-use object can be considered as lawful. However, it does not immediately imply that the cyber-attack was proportionate as well. It might become an attackable military objective, it still can cause disproportionate loss of civilian lives, injury to civilians, damage to civilian objects or a combination thereof and eventually be unlawful.80 This chapter will focus on the principle of proportionality and the sub question therefore is:

When does proportionality come into play and can it be applied in the same way as in the situation of kinetic attacks?

This rule will be explained with its complications concerning cyber-attacks. At last, the prerequisite of proportionality - the precautionary measures - which need to be taken previous to the launch of an attack will be shortly discussed in the light of the use of cyber-attacks.

4.1 The Empty Rule of Distinction for Dual-Use Objects

The broad concept of dual-use objects, which transforms a civilian object into a military objective, even if the military use is minimal, can endanger the principle of distinction with the use of cyber-attacks. At worst, all civilian objects might become military objectives in cyberspace. This will turn the rule laid down in article 48 AP I into an empty principle and cyber-attacks can only be subjected to the principle of proportionality. In case of a total coverage by proportionality, it will not cause trouble for the use of cyber-attacks. However, the principle of proportionality carries its complications as well concerning cyber-attacks.

4.2 Complications for the Appliance of Proportionality to Cyber-Attacks

Proportionality flows from the balance where IHL is based on: the balance between military necessity and humanity. This means that it constantly needs to be assessed if an attack is military necessary to accomplish a military purpose with as little as possible human suffering. The principle of proportionality is an element of that assessment and is codified in article 51 (5) (b) AP I. The law of armed conflict initially presumes that damage and injury will occur as well among civilians and civilian objects.81 Civilians and civilian objects will always be

80_{Additional Protocol I, article 51 (5) (b).} 81

Y. Dinstein ‘The Principle of Distinction and Cyber War in International Armed Conflicts’ (2012) 17 (2) Journal of Conflict & Security Law, p. 269.

(24)

24

involved in armed conflict. However, it should not be the basic assumption of parties that this chance on collateral damage functions as a license to kill. That is why AP I prohibits

excessive incidental loss of civilians and excessive damage to civilian objects. This AP I only refers to civilians and civilian objects concerning the principle and does not have to be taken into account with losses of combatants or military objectives. The aspect of excessiveness means in this context that the military advantage that is gained by the attack must outweigh the losses that has been made by the attack.82 In practice this means primarily that there should not be a hundred civilians injured or killed just to eliminate one combatant of the opponent who is not relevant for gained military advantage. It does not make the attack on the combatant unlawful, but the loss of this many civilians is excessive and with that

disproportionate. Article 51 (5) (b) AP I mentions the notion of damage which refers to harm in light of a textual interpretation. It can be derived that it is not specifically required that there will be physical damage, but the loss of functionality can already be qualified under the notion of damage of article 51 (5) (b) AP I.83 For cyber-attacks, this means that disrupting communication lines can already be seen as collateral damage. On the contrary, the causation of inconvenience or fear cannot be qualified as damage under this principle of

proportionality.84 However, the assessment of the proportionality of an attack may change due to these cyber-attacks. If the destruction of a civilian car may be considered as

disproportionate, as it is physical damage to a civilian object, then it will not directly mean that a temporary disconnection from the Internet will cause the same disproportionality, by reason of the difference of consequences.85 It has to be concluded from this change of assessment due to the use of cyber-attacks that the original principle of proportionality used for conventional kinetic attacks therefore will not be the right fit for cyber-attacks, because the use of cyber-attacks causes a double standard in the same principle for its assessment which will leave an ample margin of interpretation when an attack will be disproportionate.

For not violating the prohibition on excessive loss and damage, the proportionality test depends on what is reasonably foreseen in advance of an attack.86It is necessary to apply this

82

I. Robinson & E. Nohle ‘Proportionality and Precaution in Attack: The Reverberating Effects of Using Explosive Weapons in Populated Areas’ (2016) International Review of the Red Cross Vol. 98, No. 1, p. 110.

83

84_{Tallinn Manual 2.0 Commentary on Rule 113 para. 5.} 85

C. Droege ‘Get off my cloud: cyber warfare, international humanitarian law, and the protection of civilians’, (2012) International Review of the Red Cross Vol. 94, No. 886, p. 571 - 572.

86

Y. Dinstein ‘The Principle of Distinction and Cyber War in International Armed Conflicts’ (2012) 17 (2) Journal of Conflict & Security Law, p. 270.

(25)

25

principle with the rule on distinction to the use of cyber-attacks. Cyber-attacks against a military objective are lawful, unless it is an indiscriminate attack and/or it leads to excessive damage to civilian objectives. However, it can become more difficult in case of cyber-attacks than normal warfare scenarios, because on the one hand of the unpredictable effects that cyber-attacks can have at military objectives that are intertwined with civilian objects. On the other hand, in case of cyber-attacking dual-use objects it could not become more clear what the consequences will be. By attacking the communication lines of the United States for instance, it is reasonable foreseeable that by taking down the 5 percent military use of this line, will also damage the 95 percent of the civilian used side, if the military system cannot be separately attacked. Still, the question remains how far the aspect of being foreseeable has to go. Due to the connection between a huge amount of networks, it cannot always be clear how far the domino-effect will reach.87

4.3 Precautionary Measures for Cyber-Attacks

Article 57 AP I about precautionary measures is a principle that flows from the principle of proportionality and can be considered as a specification of this principle.88 These measures need to be taken before an attack can be exercised. For conventional attacks, these measures are, for example, the spread of leaflets to warn the civilian population against an airstrike that will take place at a later time, or, the measure of the knock on the roof, which means that first a harmless bomb will be dropped as a warning for the civilian population to look for shelter against the harmful attack that will be done after a reasonable time. The measures that are used for conventional attacks will not be efficient for the use of attacks. Yet, also cyber-attacks are subjected to these measures to minimize incidental loss and damage to civilians and civilian objects.89 Possible examples could therefore be that a warning should be send to the Internet providers about the upcoming cyber-attack in order to place its civilian networks temporarily on a server of another state.90

87

88_{J. M. Conde Jiminián ‘The Principle of Distinction in Virtual War: Restraints and Precautionary Measures}

under International Humanitarian Law’ (2010) Vol. 15 (1) Tilburg Law Review, p. 84.

89

90_{CCD COE Legal Task Team ‘Georgian Cyber Attacks: Legal Lessons Identified’ Cooperative Cyber Defence}

(26)

26

5. Conclusion

The instruments of IHL require the legal qualification of an cyber-attack as an act of violence and therefore the notion of attack mentioned under article 49 (1) AP I. Stated from the

previous, this qualification leads in some scenarios to a legal impossibility and creates some blanks. However, based on the approach that is focused on the consequences, the principle of distinction does not cease to exist in case of a situation in which a cyber-attack cannot be qualified as an act of violence. Furthermore, IHL also contains the Martens Clause which refers to customary IHL, if a cyber-attack is not covered at all by AP I. States should therefore continue to take the principle of distinction into consideration before operating a cyber-attack against another state.

Even though, the principle does not disappear with the use of cyber-attacks, it poses a

particular problem. The rules on the conduct of hostilities are based on the assumption that the attack can distinguish between civilian objects and military objectives. This indicates that if an object is used for both civilian and military purposes, a so-called dual-use object, it

changes the object into a military objective and as a result it can be attacked. This tightens the rule of proportionality and leaves a meaningless principle of distinction. In this case, the principle of proportionality must then ensure that the civilian part of the dual-use object is sufficiently protected.

The rule on dual-use objects might need a change with respect to cyber-attacks concerning the protection of civilians. It has to be taken into account that there is no separate civilian cyber space that can be distinguished from military cyber space in a precise matter. Instead, there is one space where military and civilian objects are intertwined. One approach might therefore require, in order for a dual-use object to be considered a military objective, that a certain percentage is used for military purposes, for example, more than 50% of the object is used as military objective. If the object is used for civilian purposes for the greater part than for military ones, it should according to an adjusted rule be considered a protected object and may not be attacked. Still, the creation of a higher percentage does not automatically mean that the attack is proportionate. There can still be excessive collateral damage if a dual-use object is attacked with a component of 49% use by civilians. Therefore, this solution cannot work as black and white as it is being presented.

(27)

27

Another approach might be that there should be a protected sphere of cyberspace exclusively for civilian use which enjoys special protection against cyber-attacks during an armed

conflict. The rising obstacle for this suggestion would be that it can lead to difficulties in how to define that specific sphere and how it can be ensured that it remains exclusively civilian.

These enumerated propositions are likely to be opposed by the argument that they would make it too difficult for the armed forces to actually legitimately attack military objectives, which triggers the balance that flows from proportionality between military necessity and humanity. This tension is always in the rules of IHL. Therefore, with the use of IHL, a balance always requires to be sought between ensuring full protection for civilians and civilian objects on the one hand and assure that the rules do not prevent armed forces from pursuing their military objectives. If this balance cannot be found and a legitimate pursuit of military objectives cannot be achieved, the rules of IHL would not be accepted and can never have the protective effect which IHL tries to obtain.

The Tallinn Manual 2.0 might set off a discourse which might eventually create a new treaty between states concerning the use of cyber-attacks. However, as cruel as it might seem, to realize this alliance between states, there must first be a state that crosses a line so badly that it will lead to a global protest of states.

Possible Modernization of International Humanitarian Law Due to the Rise of Cyber-Attacks