Private Companies in Cyber Operations During Armed Conflict
This post argues that States must ensure that their national defense cyber measures can comply with the rules of international humanitarian law (IHL) when situations of armed conflict arise. States must reaffirm IHL’s cardinal principle of distinction as it applies to cyber operations. To meaningfully do so, they must clarify who may and may not be attacked, and when.
The Current Setting
A moment does not pass without news of a fresh cyber threat. In response, some governments have beefed up their national defense cyber capabilities, often relying on a host of different actors. For example, the 2022 National Defense Authorization Act and the U.S. Department of Homeland Security’s (DHS) Joint Cyber Defense Collaborative initiative aim to facilitate greater public-private cyber defense coordination. Other proposals abound, such as a bipartisan congressional bill to create a “Civilian Cyber Security Reserve” and another bill that would require DHS to study the potential benefits and risks of allowing private companies to “hack-back” in defense against unlawful network breaches.
The most discussed cyber threats involve groups or individuals conducting espionage and ransomware operations outside situations of armed conflict. When a State is involved, conversations often shift to discussions about a “grey zone” where malicious cyber activities are not part of an armed conflict but also are not perceived as ordinary peacetime behavior. Additionally, a few States—among them the United States—have disclosed that they engage in cyber operations in situations that clearly constitute armed conflict.
Who’s Who Under IHL
In situations of armed conflict there is growing agreement among States that IHL imposes limits on cyber operations, just as it does for “traditional” means and methods of warfare. The International Committee of the Red Cross (ICRC) has long held this view. However, how States apply each and every rule and principle is not yet settled. States acknowledge that further study is needed on how and when IHL applies in cyberspace.
One question that several States (e.g., Brazil and Russia) and others have posed is who is a combatant in cyberspace. The question of when and how civilians directly participate in cyber hostilities has arisen as well. The importance of these questions comes into sharp focus when we hear proposals—such as those mentioned above—that entrust various actors with a role in national defense cyber operations. During an international armed conflict (IAC), those who carry such responsibilities might include armed forces, private companies, government contractors, and intelligence personnel.
Members of the Armed Forces
IHL regulates the treatment and behavior of combatants extensively. Combatants include all members of the armed forces of a party to a conflict, provided they are not medical or religious personnel. As combatants, they may be the object of attack, may be interned as prisoners of war (POW) if captured, are immune from prosecution for conduct lawful under IHL (i.e., they have combatant immunity), and must comply with IHL in all their operations. These same rules apply to combatants who engage in cyber operations. While these are some of the more obvious ways that IHL applies to combatants operating in or through cyberspace in an IAC, other important implications arise that are worth considering.
No Difference between Offense and Defense
IHL treats combatants identically in terms of targetability regardless of whether they perform offensive or defensive operations, or no operations whatsoever. (API Art. 49(1); Tallinn 2.0, Rule 92; ICRC expert meeting report, pp. 16-17). Membership in the armed forces of a party to a conflict is what permits targetability, not the type of operations someone carries out. This means a combatant who conducts only national defense cyber tasks during an IAC can be the object of attack.
Attacks Need Not Be in Kind
A combatant who conducts non-lethal defensive cyber operations may be the object of a lethal attack (e.g., an airstrike), provided the strike complies with IHL principles and rules on the conduct of hostilities. IHL contains no requirement that a response must be in kind. Objects used by a combatant in a national cyber defense operation that constitute military objectives (such as military computers or networks) may also be the target of attack.
Distance from the “Battlefield” Does Not Matter
In cyberspace, networks span the globe with little concern for geography and borders. Like emerging practice in drone warfare, cyber combatants may conduct national defense cyber operations in their home country thousands of miles away from major hostilities abroad. This geographic distance might reduce the likelihood that these combatants are attacked, but under prevailing interpretations of IHL the distance does not alter their exposure to lawful targeting. (Tallinn Manual 2.0, Rule 81, and ICRC 2015 Challenges Report, pp. 14-15).
Combatants are legally required to distinguish themselves from the civilian population—commonly accomplished by wearing a uniform. The rule enhances the protection of civilians by maximizing their distinction from combatants. The ICRC’s customary IHL study found that this rule applies only to those “engaged in an attack or in a military operation preparatory to an attack,” raising interesting questions about when a defensive cyber operation crosses the line into being an “attack.” Whatever its scope, those who fail to comply with this rule forfeit the right to POW status and combatant immunity (ICRC Updated Commentary on GCIII, para. 983).
Some have questioned whether this requirement that combatants distinguish themselves applies when a failure to do so would not place civilians at risk of being mistakenly attacked, including in the context of cyber operations. (Tallinn 2.0, Rule 87, paras. k-m). In the author’s view it is ill-advised to link the rule of distinction to civilian risk in such a manner. Doing so could lead to an arbitrary application of the rule and create a damaging legal loophole in the principle of distinction. (For elaborations, see Mačák.) Wearing a uniform also avoids allegations that a cyber combatant was acting under the false pretense of being a civilian, which could lead to allegations of the war crime of perfidy. The safer bet therefore is to apply the rule without this exception.
Civilians were never meant to directly participate in hostilities on behalf of a party to an IAC (ICRC Interpretive Guidance on the Notion of Direct Participation in Hostilities, pp. 38–39). But cyberspace produces an environment that may draw them towards doing so. During armed conflicts, as in peacetime, critical infrastructure risks being attacked through cyberspace, whether these attacks are lawful or unlawful. Private companies often control such infrastructure, and may therefore find themselves wanting or being required to defend against deliberate cyberattacks (Brenner and Clarke, pp. 1029-1030).
Because private companies do not form part of a State’s “armed forces,” the company’s employees remain civilians as long as they are not incorporated into the armed forces (ICRC Interpretive Guidance on the Notion of Direct Participation in Hostilities, p. 39). This means IHL protects them from being the object of attack. If, however, an employee were to directly participate in hostilities, the rules of IHL would shift and that employee may be the object of attack until the employee ceased his or her direct participation.
With this shift, some of the same implications listed above need to be taken into account, namely that an attack on a civilian directly participating in hostilities by means of cyber operations need not be in kind. It would not matter that the direct participation was defensive in nature or that the participation took place from afar. Additionally, a civilian who directly participates in hostilities would be liable to capture without the benefit of POW status or combatant immunity.
To examine the contours of direct participation in hostilities, imagine an IAC between States X and Y. In this scenario, a cybersecurity employee of a private natural gas company in State Y investigates irregular gas readings and a gradual slowdown of gas distribution across the country. The employee’s analysis reveals malicious code that will eventually completely shut down and cause damage to the natural gas company’s distribution infrastructure. The employee also recognizes that the code contains hallmarks of military cyber operations previously carried out by State X. With a view to support State Y and thwart the operation, the employee provides State Y with the employee’s analysis. State Y uses that analysis to successfully remove the code, thereby neutralizing State X’s operation, and gas starts flowing again normally and without further incident.
Did the employee directly participate in hostilities?
According to the ICRC’s interpretive guidance on the notion of direct participation in hostilities (p. 46), and as echoed by certain States (e.g. especially with regard to cyber: Germany, p. 37, and France, p. 15, including note 77; see also Tallinn 2.0, Rule 97), answering this question requires applying a precise three-part cumulative test.
1. The act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack (known as the “threshold of harm” criterion);
2. There must be a direct causal link between the act and the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part (known as the “direct causation” criterion); and
3. The act must be specifically designed to directly cause the required threshold of harm in support of a party to the conflict and to the detriment of another (known as the “belligerent nexus” criterion).
When we apply these criteria to the employee’s actions we see that the employee was likely to adversely affect the military operations of State X, thereby meeting the “threshold of harm” criterion. There was also a direct causal link between the employee’s actions and the harm likely to result from State Y’s military operation, of which the employee’s actions constituted an integral part, thereby meeting the “direct causation” criterion. Finally, the employee undertook action specifically designed to support State Y and to be detrimental to State X, thereby meeting the “belligerent nexus” criterion. Having met the three cumulative criteria for direct participation in hostilities, the employee would have lost protection from being attacked for such time as the employee did so.
The Need for State Clarification
This conclusion might cause angst for private companies and for cyber security professionals who fear being attacked for simply doing their job. That is why—in the hazy cyber environment where a company may not even know who is intruding into its networks—States should firm up their views on how companies and their employees keep or lose their protection from attack. They should, for example, evaluate the potentially serious legal implications for private companies and their employees if domestic laws require them to inform their government of cyber security breaches associated with an IAC, or to play an active role in the defense of national infrastructure in times of armed conflict.
To avoid mistakes, it is also important that States take all feasible precautions to determine whether a civilian is directly participating in hostilities and follow the IHL rule that protects a civilian against direct attack if there is doubt whether they are directly participating in hostilities (ICRC Interpretive Guidance on the Notion of Direct Participation in Hostilities, pp. 74-75). For legal, operational, humanitarian, and policy considerations, States may want to prioritize directing their responses against objects such as networks or computers used in military operations, rather than persons, as the former may be easier to identify as military objectives.
Contractors who are not incorporated into the armed forces do not qualify as combatants. They are civilians and protected from direct attack.
But circumstances may arise when contractors lose their civilian protection or status. Consider the example of a contracted company that a party to an IAC hires to engage in a specific military cyber operation. If the contracted operators meet the test for direct participation in hostilities, the legal consequences would be the same as for the civilian employee discussed above.
The group of experts who wrote the Tallinn Manual 2.0 on the application of international law to cyber operations separately debated whether the contracted company might “belong to a party” to an armed conflict. The ICRC Commentary points out that the concept of “belonging to” would require the company to fight on behalf of a party and require the party to accept both the fighting role of the company and the fact that the fighting is done on its behalf (ICRC Updated Commentary on GCIII, para. 1005).
The majority of the Tallinn Manual 2.0 experts appeared to agree that a contractual agreement to perform specific military operations was enough to make a company an organized armed group that “belonged to a party” to the conflict (Tallinn Manual 2.0, Rule 96, para. g; see, also, ICRC Updated Commentary on GCIII, para. 1007). According to the ICRC and some Tallinn experts, IHL would then no longer consider those company contractors who are given a continuous combat function to be civilians, and the legal consequences would be the same as those of combatants as discussed above. Other experts appeared to hold the view that membership in the company, and nothing more, would be enough to justify an attack (Tallinn Manual 2.0, Rule 96, para. d).
A variation of this scenario that focuses on cyber defense—which the Tallinn Manual experts did not consider—is the example of government-contracted information technology (IT) and operational technology (OT) service providers that are contractually required to routinely collect and share data about specific cyberattacks with their governments.
Whatever legal interpretations are adopted, the use of these types of employees draws attention again to the need for States to carefully consider and express how they apply IHL, in particular the principle of distinction, to national defense cyber policy. The principle was of such importance that the U.S. DoD Office of General Counsel argued in favor of “retaining the requirement that [military cyber operations] during international armed conflicts be conducted only by members of the armed forces.” (emphasis added). (On the tension between the principle of distinction and the involvement of civilians in military cyber operations, see further Mačák.)
Governmental Intelligence Personnel
An additional category of persons to consider is governmental intelligence agency personnel who perform military cyber operations associated with armed conflicts (ICRC expert meeting report, pp. 15-16). The most important issue related to their participation is determining if the agency has been incorporated into the armed forces, de jure or de facto. If so, these personnel are members of the armed forces and must behave and be treated as such. If not, these personnel are civilians who lose protection from attack for such time as they directly participate in hostilities.
States have a legitimate interest in defending against hostile cyber operations—whether in times of peace or in times of armed conflict. How States will manage national cyber defense in tandem with the principle of distinction is, however, not entirely clear. It will often boil down to who defends what, and how they do it.
As a general rule, any national cyber defense plan that applies to IAC should find ways for the defending side to enhance the principle of distinction rather than erode a rule so fundamental to protecting civilians. Additionally, law and policy makers must ensure that their plan considers the rules of IHL and accounts for the consequences for those asked to take part in national cyber defense. To accomplish those steps, States should clarify further who qualifies as a combatant and how rules regulating the loss of civilian protection apply in cyberspace.
Jonathan Horowitz is a Legal Advisor at the ICRC’s Regional Delegation for the United States and Canada, based in Washington, D.C. This piece was written in the author’s personal capacity and does not necessarily reflect the views of the ICRC.