Rules for cyber war
July 2, 2014After operating for years without a clear legal framework, NATO's 28 member states are moving closer to officially applying the law of armed conflict to cyber warfare, a move that would have far-reaching consequences on how military operations are conducted in the digital age.
"The allies will be in a position to express themselves in a sense that international law applies to cyberspace," Christian Lifländer, a policy officer with the Cyber Defense Section at NATO headquarters, told Deutsche Welle at the Global Media Forum in Bonn this Wednesday (02.07.2014). He was responding to a question about what the alliance will propose at its September summit in Wales.
"NATO cannot make laws - but the allies can express their support for international law," Lifländer said, specifically mentioning the law of armed conflict.
Applying the law of armed conflict to cyber warfare would provide greater clarity to the member states' militaries on how to conduct cyber operations, according to Michael Schmitt, director of the Stockton Center for the Study of International Law at the United States Naval War College.
"It's a very important move and one that's overdue," Schmitt told DW."The notion of going to war without understanding what law applies and how it applies to your cyber operations in an era when cyber operations are central to armed conflict is, to me, very troubling."
Real-world danger to civilians
Under the armed conflict law, states can conduct military operations only against combatants and military targets. They are prohibited from attacking civilians or civilian property and infrastructure, such as homes, hospitals and schools.
But as military operations have moved into cyberspace, many governments around the world have not yet adopted a clear policy on whether or not they should apply these same rules to cyber warfare. Although a cyber attack does not physically destroy a target like a bomb, it can still have catastrophic consequences for the life and property of civilians.
"Experts say it's possible to carry out cyber operations that lead to dams being opened and [cause] flooding, or damaging chemical or nuclear plants that would release material in the atmosphere, and that could have consequences for the life and health of thousands of people," Laurent Gisel, legal advisor with the International Committee of the Red Cross, told DW.
Even a more targeted cyber-attack intended to cripple an adversary's military capabilities could also cause collateral damage. If a belligerent party tries to shut down the enemy's radar system with a cyber-attack, for example, there's a risk that civilian air traffic control could also be impaired, leading to possible airplane accidents.
"Fortunately until now, there haven't been huge consequences in terms of destruction because of the use of cyberspace during armed conflict - but we are concerned by the risk that this kind of thing might occur," Gisel added.
Under Article 36 of the First Additional Protocol to the Geneva Conventions, states are required to apply the law of armed conflict to new military technologies or means of waging war. That means that the law of armed conflict applies to cyber warfare, according to Gisel.
Tallinn Manual as a guide
Last year, NATO supported research by a group of 20 experts on the question of whether or not the law of armed conflict applies to cyber warfare. The group produced a document called the Tallinn Manual, which was published in April 2013.
Not only did the experts unanimously agree that the law of armed conflict applies to cyber warfare, they also said that its application in cyberspace did not require a dramatic departure from the way the law is applied on a traditional battlefield with bullets and bombs. A cyber-attack that causes physical damage or injury to civilians, for example, would be prohibited just like an airstrike against a hospital or school.
The experts also examined the threshold for when a cyber-attack violates the United Nations prohibition on the use of force, and when a state is allowed to use force in response to a cyber-attack. These questions proved more complicated, according to Michael Schmitt, who directed the research group.
There was unanimous agreement that if a cyber-attack causes major physical damage or injury, the state that's been attacked can respond with the use of force pursuant to the right to self-defense under the UN Charter. The victim state can respond either with its own cyber-attack, or with traditional military operations such as airstrikes.
Some experts believe that a cyber-attack causing massive economic disruption - but no physical damage - could also warrant retaliation under the right to self-defense. Schmitt, who shares this position, says NATO is likely to adopt this view.
"We're going to be looking at the severity of the operations directed against you, not whether it cause physical harm or physical injury," he said.