Cyber Operations and The Imperfect Art of “Translating” the Law of War to New Technologies
Since the inception of combat as an organized endeavor, humans have innovated new means and methods of warfare to gain advantage over their adversaries. Some of these innovations have been subtle. Others have been far more impactful and transformative, resulting in profound changes to the very character of warfare itself. History is replete with examples of science and technology changing the face of battle—inventions as simple as the bow and arrow and as complex as the weaponization of nuclear reactions. Although not always the case, these technological innovations often engender increased destruction and lethality and the attendant risk of collateral harm to civilians and non-combatants. And for as long as humans have sought to place boundaries around the conduct of hostilities to limit their harmful effects, at each turn these technological developments have raised difficult moral, ethical, and legal questions. This is especially true today with the unprecedented pace of scientific and technological change and the continuous advent of novel means and methods of warfare such as artificial intelligence, cyber capabilities, unmanned vehicles, directed energy weapons, and space capabilities. As evidenced by continued uncertainties regarding the law of war’s role in regulating cyber operations, the process of applying extant legal regimes to new technologies is often a stiff uphill climb.
Can the Law of War Keep Pace?
The accelerating rate of innovation and technological change has generated serious debates about the law of war’s ability to keep pace. Some advance the view that the law of war is antiquated and incapable of responding adequately to these new developments. With each new technology come overwrought calls for new regulation or outright bans. In the context of cyber, autonomous weapons, or drones, for example, there are numerous cries to adopt new regimes to specifically regulate or ban these emerging means and methods of warfare—what might be described as lex speciali within the lex specialis of the law of war.
Others take the opposite position. They argue that the law of war is not static and is perfectly capable of addressing the development and incorporation of novel means and methods of warfare. It is comprised of a carefully constructed—if imperfect—set of rules. These rules are derived from fundamental, interrelated, and mutually reinforcing principles flexible enough to respond to the vast majority of situations presented by new technologies.
In its Nuclear Weapons Advisory Opinion, the International Court of Justice suggested that the cardinal principles of distinction and the prohibition on causing unnecessary suffering, along with the “catch-all” policy reflected in the Martens clause of the Hague Convention II and Article 1 of Additional Protocol I, provide an effective means of addressing the rapid evolution of military technology. The DoD Law of War Manual adopts a similar approach. For example, on the question of weapons reviews, it clearly considers the novelty of a weapon or capability to be immaterial to its legality. States need not find authorization in the law of war to develop and incorporate new weapons technologies. The presumption is the exact opposite. In the absence of a specific prohibition, the question of legality at the procurement stage turns solely on whether the weapon or capability can be employed consistent with the law of war’s cardinal principles and any specifically applicable treaty or customary international law rules. Once a new capability is integrated into a State’s arsenal, the law of war presumptively governs its operational employment like any other means or method of warfare.
In his oft cited speech before the U.S. Cyber Command Legal Conference in 2012, then State Department Legal Adviser Harold Koh also advocated for this latter approach when discussing the applicability of the law of war in the context of cyber operations. Openly rejecting the notion that the law of war is inadequate to the task, he stated:
This is not the first time that technology has changed and that international law has been asked to deal with those changes. In particular, because the tools of conflict are constantly evolving, one relevant body of law—international humanitarian law, or the law of armed conflict—affirmatively anticipates technological innovation, and contemplates that its existing rules will apply to such innovation.
He went on to note that the law of war provides sufficient guidance to address new technologies at both the procurement stage and later during operational employment of capabilities—a position echoed in the DoD Law of War Manual’s approach generally, and with respect to its specific discussion of cyber operations.
So far so good. Elsewhere, Professor Koh correctly eschews treating novel means and methods of warfare as arising in a legal vacuum or “black hole.” But as he also recognizes, new technologies can “raise new issues and thus, new questions” that can turn on devilishly hard details. He advocates addressing these new questions through what he has described as a translation exercise, “where we must translate what Montesquieu called the ‘spirit of the laws’ to the present-day situation.” Overall, this is sound advice, and experience tells us that most practitioners generally fall in the Koh camp, and with good reason.
But as any polyglot can attest to, translation is as much—if not more—art than science. And, more importantly, it has its limits. Specific points can often get lost in translation, and literalism usually fails to convey accurate meaning and intent. So, although the law of war is neither static nor incapable of adapting to new technologies, caution is warranted in the translation process. Applying pre-existing legal rules developed in distinct contexts to new technologies can raise legitimate questions of whether the rules are sufficiently clear in scope or content to adequately address a technology’s specific characteristics and foreseeable humanitarian impact.
Specific Challenges in Translating the Law of War Concept of “Attack” to Cyber Operations
Consider, for example, the continued uncertainty surrounding the law of war concept of “attack” in the context of cyber operations. Translating the extant law of war rules governing attacks—the most fundamental aspect of means-and-methods regulation—to the cyber context has proved difficult for all but obvious cases. It exposes both the strength and some of the distinct weaknesses inherent in applying a rule set developed to address the sorts of harms attendant to the use of primarily kinetic, destructive capabilities.
The term “attack” is at the heart of many of the most important jus in bello rules regulating the conduct of hostilities such as the prohibitions on attacking civilians or civilian objects, the ban on indiscriminate attacks, and the rules of precaution and proportionality in the conduct of attacks. However, notwithstanding the ubiquitous and imprecise use of the term to refer to all manner of cyber operations, strictly and legally speaking not all harmful cyber effects qualify as “acts of violence against the adversary”—the generally accepted customary international law definition of attack reflected in Additional Protocol I.
Of course, substituting “violence” for “attack” itself adds little clarity. To understand the legal definition of attack, one must dive even deeper. It is generally accepted that to qualify as an act of violence, an action must cause some injury or death to persons, or some degree—greater than de minimis—of damage or destruction to objects. Where the employment of a means or method of warfare crosses this threshold of harm, the full panoply of targeting law kicks in. In contrast, while not unfettered, non-violent measures are not subject to anywhere near the degree of regulation and restriction as are acts of violence. As stated in the DoD Law of War Manual, “[t]he principle that military operations must not be directed against civilians does not prohibit military operations short of violence that are militarily necessary.”
This bright-line construct developed during an era when, based on the state of science and technology at the time, it was typically obvious at the procurement phase of a capability whether its purpose was to cause physical harm. And so, it was relatively easy to identity and segregate means and methods of warfare—whether at the procurement or employment phase—as weapons and attacks, respectively. Thus, traditional weaponry was typically designed to cause a type and level of harm that easily met the attack definition. However, the same cannot be said for the wide range of effects that cyber and other novel capabilities enable.
Where a cyber operation generates an effect amounting to physical damage to objects, or death or injury to individuals, it is easy to conclude that AP I’s definition of attack is triggered. In those cases, applying the law of war targeting rules is non-controversial. The rules are perfectly capable of doing their work.
However, the situation is different where the effects of an in bello cyber operation fall below this bright line. There, significant questions linger as to whether some lesser impact on the functionality of a targeted system is sufficient to satisfy the attack definition or whether cyber operations directed against data—no matter the impact on that data—can ever constitute an in bello attack. Where one lands on these questions has direct implications for the degree of discretion military commanders and operators have when conducting cyber operations. That’s not to say that operational flexibility is a bad thing. But from the perspective of hostilities regulation, overly literal “translations” of the extant rules can also lead to counterintuitive, if not outright absurd, results.
The Challenge of Digital Data
Let’s start with the open and difficult question of how to characterize digital data. In both iterations of the Tallinn Manual (Tallinn and Tallinn 2.0), the International Group of Experts struggled with this question. In both instances, however, a majority came down on the side of viewing data as intangible and therefore falling outside of the definition of “civilian object” for purposes of the attack rules. They reached this conclusion based on a review of the ICRC’s 1987 Commentary to AP I, which characterized an object as something “visible and tangible.” Given the undeniable importance to individuals and society writ large that digital data holds in the information age, this is a questionable and potentially problematic position.
Professor Michael Schmitt, the Tallinn project’s lead, has oft noted as much. If this narrow, formalistic interpretation is correct, a finding of baseline military necessity can justify the deletion, manipulation, or corruption of a wide swath of non-military data that can potentially have significant impacts—both direct and collateral—on a range of civilians and civilian entities that rely on that data for any number of essential needs. The point is not that all negative impacts should or could be proscribed. Some harm to civilians is an unfortunate, but tolerated, reality of war. The point is simply to highlight the potential discord between the existing rules and the unanticipated dynamics of human interactions that new technologies often enable.
Incidental Civilian Harm and Proportionality
Or consider another anomaly raised by the unique nature of cyber operations when assessed strictly against the law of war targeting paradigm: operations anticipated to cause incidental damage to civilian objects or death or injury to civilians may nevertheless not be subject to the rule of proportionality. How can that be?
Consider an operation using a fully reversible effect to temporarily take a key router off line as a means of disrupting enemy communications. Consider that the operation involves foreseeable risk of injury or death to civilians whose medical support devices or systems also depend on the free flow of traffic across the router. If a kinetic means were used to destroy the router, there is no doubt it would be considered an attack on the router and the civilians would be considered foreseeable collateral damage for purposes of the proportionality rule. Use of the cyber capability complicates this otherwise straight forward analysis.
As noted above, where a cyber operation is neither intended nor reasonably anticipated to cause physical damage to the device or network that is the object of the operation, it is unlikely to qualify as an attack. Setting aside debates about whether, and to what degree, causing some degradation to the functionality of a “cyber” object might constitute an act of violence, it is beyond dispute that not all cyber operations qualify as attacks. A reversible, temporary effect on a router would likely fall into this category of not being an attack. And as such, as a matter of law it would not trigger the proportionality obligation reflected in the prohibition on indiscriminate “attacks” in Article 51 of AP I, or the precautionary obligations that attach to “attacks” in Article 57 of the same—a clearly counterintuitive result.
Looking at the Tallinn Manual 2.0, one might conclude that this is a non-issue. Rule 92 of the Manual, which offers a definition of attack in the cyber context, states that any operation “reasonably expected to cause injury or death to persons or damage or destruction to objects” qualifies as an attack. And according to the rule’s discussion the word “cause” is not limited to the effects on the targeted cyber system but extends to “any reasonably foreseeable consequential damage, destruction, injury, or death.” To the extent that a cyber operation is conducted as an indirect means of causing specific harm to persons or objects, this certainly makes sense. The example offered in the Manual of manipulating a dam’s SCADA system with the intent of causing a flood is a case in point. A more pointed example would be targeting a life-support system with a reversible effect in order to kill the dependent patient. However, this is a question of how one defines the “object” of an attack—the dependent patient for example—but must be distinguished from the notion of causing incidental civilian damage, injury, or death encompassed in the proportionality rule.
Read too broadly, the definition of attack in the Tallinn Manual 2.0 would render the proportionality rule superfluous, as it would erase any distinction between the object of an attack and collateral or incidental harms. In so doing, it would upend the accepted formulation in the proportionality rule for balancing military necessity against expected incidental harms, which are unlawful only when expected to be “excessive in relation to the concrete and direct military advantage anticipated” by the predicate attack. The Manual’s sweeping definition is simply discordant with the established structure of the law of war targeting rules.
True as this may be, it is of little solace to the civilians who might nevertheless be placed at incidental risk from non-violent cyber operations. For the vast majority of these operations, the law of war is capable of addressing these risks through application of its general principles. More often than not, the risks do not involve the types of harms contemplated by the targeting rules, and the law of war does not prohibit all incidental impact on civilians regardless of the means employed. The DoD Law of War Manual is correct in noting that “remote harms and lesser forms of harm, such as mere inconveniences or temporary disruptions, need not be considered in assessing whether an attack is prohibited by the principle of proportionality.”
But the Manual is equally correct in stating that a “cyber operation that does not constitute an attack is not restricted by the rules that apply to attacks.” Where the incidental harm reasonably anticipated from such operations would involve the kinds of harm set out in the proportionality rule, the law of war is arguably deficient.
This is not to suggest that such operations should be conducted cavalierly. Some would argue that other provisions of law, such as the “constant care” requirement of Article 57.1 of AP I, should fill this gap, despite substantial uncertainty as to the normative status and contours of that principle. Certainly as a matter of prudence and sound advice, any operational legal advisor worth his or her salt will counsel against proceeding without a standard proportionality analysis under such circumstances and the hypothetical may be fairly criticized as so remote as to not warrant serious discussion about amending the existing targeting rules.
The point of raising these scenarios is simply to highlight the challenges, and limits, to applying legal frameworks developed in different eras and contexts to new technologies. History is replete with examples of poor translations affecting the course of history. Sometimes, new pegs are simply too square to force through a round hole.
Professor Gary Corn, Colonel (Ret), is the Director of the Technology, Law & Security Program and Adjunct Professor of Cyber and National Security Law at the American University Washington College of Law, a Senior Fellow in National Security and Cybersecurity at the R Street Institute, a member of the Editorial Board of the Georgetown Journal of National Security Law and Policy, the Principal and Founder of Jus Novus Consulting, and is an Advisory Board Director for the Cyber Security Forum Initiative.