International humanitarian law and cyber operations during armed conflicts

Abstract

Executive summary•Cyber operations have become a reality in contemporary armed conflict. The International Committee of the Red Cross (ICRC) is concerned by the potential human cost arising from the increasing use of cyber operations during armed conflicts.•In the ICRC's view, international humanitarian law (IHL) limits cyber operations during armed conflicts just as it limits the use of any other weapon, means or method of warfare in an armed conflict, whether new or old.•Affirming the applicability of IHL does not legitimize cyber warfare, just as it does not legitimize any other form of warfare. Any use of force by States – cyber or kinetic – remains governed by the Charter of the United Nations and the relevant rules of customary international law, in particular the prohibition against the use of force. International disputes must be settled by peaceful means, in cyberspace as in all other domains.•It is now critical for the international community to affirm the applicability of international humanitarian law to the use of cyber operations during armed conflicts. The ICRC also calls for discussions among governmental and other experts on how existing IHL rules apply and whether the existing law is adequate and sufficient. In this respect, the ICRC welcomes the intergovernmental discussions currently taking place in the framework of two United Nations General Assembly mandated processes.•Events of recent years have shown that cyber operations, whether during or outside armed conflict, can disrupt the operation of critical civilian infrastructure and hamper the delivery of essential services to the population. In the context of armed conflicts, civilian infrastructure is protected against cyber attacks by existing IHL principles and rules, in particular the principles of distinction, proportionality and precautions in attack. IHL also affords special protection to hospitals and objects indispensable to the survival of the civilian population, among others.•During armed conflicts, the employment of cyber tools that spread and cause damage indiscriminately is prohibited. From a technological perspective, some cyber tools can be designed and used to target and harm only specific objects and to not spread or cause harm indiscriminately. However, the interconnectivity that characterizes cyberspace means that whatever has an interface with the Internet can be targeted from anywhere in the world and that a cyber attack on a specific system may have repercussions on various other systems. As a result, there is a real risk that cyber tools are not designed or used – either deliberately or by mistake – in compliance with IHL.•States’ interpretation of existing IHL rules will determine the extent to which IHL protects against the effects of cyber operations. In particular, States should take clear positions about their commitment to interpret IHL so as to preserve civilian infrastructure from significant disruption and to protect civilian data. The availability of such positions will also influence the assessment of whether the existing rules are adequate or whether new rules may be needed. If States see a need to develop new rules, they should build on and strengthen the existing legal framework – including IHL.