The French Ministry of the Armies (formerly the Ministry of Defense) has recently released Droit International Appliqué aux Opérations dans le Cyberspace (International Law Applicable to Operations in Cyberspace), the most comprehensive statement on the applicability of international law (IHL) to cyber operations by any State to date. The position paper dealt definitively with many of the current unsettled issues at the forefront of governmental and scholarly discussions.
This two-part post builds on an earlier post at Just Security in which I examined the position paper’s treatment of the relationship between peacetime international law, including that set forth in the UN Charter regarding uses of force, and hostile cyber operations. The focus here, by contrast, is on France’s views as to how IHL applies in the cyber context. Key topics addressed in the paper include the applicability of IHL in cyberspace; classification and geography of cyber conflict; the meaning of the term “attack” in the cyber context; the legal nature of data during an armed conflict; and other significant IHL prohibitions, limitations, and requirements on cyber operations.
Applicability of IHL to Cyber Operations
The French position paper begins by affirming the applicability of IHL to cyber operations conducted during an armed conflict. In doing so, it joins a long lineage of comparable statements by international organizations such as NATO and the EU; the International Committee of the Red Cross (ICRC); and many States, including the United States, Netherlands, United Kingdom, and Australia. In its 2015 report, the fourth UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE), which included all members of the UN Security Council, clearly was of the same mind, for it “note[d] … where applicable, the principles of humanity, necessity, proportionality and distinction,” a reference to IHL’s core principles. The acceptability of the statement in the international community was confirmed when the UN General Assembly subsequently endorsed the GGE’s 2015 report.
Unfortunately, during the fifth GGE, a consensus report proved elusive. Among the issues that hobbled proceedings was a desire by some States to include the term “international humanitarian law” in the expected report. A number of other States, including Russia and China, objected, a legally curious stance since the two had agreed in the 2015 GGE report that the aforementioned IHL principles applied to cyber operations during an armed conflict. Moreover, both States have robust military cyber forces and are actively building their wartime cyber capabilities. There is no doubt that they are planning on conducting cyber operations during armed conflict, and, in the Russian case, have done so in the Ukraine. This begs the question of which body of law they believe will govern those operations if not IHL.
More to the point, there is not a scintilla of legal doubt that cyber operations mounted during an armed conflict that have a nexus to that conflict must comply with applicable IHL. IHL has long accommodated itself to new technologies on the battlefield and no objection to its embrace of new weapons or tactics (so-called “means or methods of warfare” respectively) has ever survived scrutiny by States. Indeed, Article 36 of Additional Protocol I (AP I) to the 1949 Geneva Conventions requires States to assess the legality of new means and methods of warfare against the obligations found in pre-existing IHL. Whether this treaty provision, at least with respect to methods of warfare, reflects customary law, and is accordingly binding on States that are not party to AP I, is an unsettled question. However, that controversy does not detract from broad acceptance of the premise that all weapons of war and the manner in which they are used are subject to the constraints of IHL. France is on impermeable ground in taking the position that its cyber operations are subject to IHL rules during an armed conflict, as are those of its adversaries.
Classification of Cyber Conflict
Armed conflicts may be either international in character or non-international. Clearly, as noted in the French position paper, if a kinetic conflict is already underway, cyber operations conducted during the conflict are reached by IHL. The more challenging question is whether cyber operations standing alone may initiate, and comprise, an armed conflict. France is of the view that “in principle” they can, a view that is in my opinion correct.
As reflected in Common Article 2 of the 1949 Geneva Conventions and Article 1(3) of AP I, international armed conflicts (IAC) occur when there are “hostilities” between States (or between a State and a non-State actor under the “overall control” of a State). There is some disagreement over the requisite intensity of hostilities that is required to initiate such a conflict, but whether the ICRC Commentary on Article 2 is correct in stating that “[it]t makes no difference how long the conflict lasts, or how much slaughter takes place,” as I believe it is, it is irrefutable that cyber operations, which can be destructive or lethal, are capable of causing the requisite consequences.
For the reasons explained below, it is less likely that cyber operations that are unaccompanied by kinetic attacks could initiate a non-international armed conflict (NIAC); hence, the French position paper’s appropriate inclusion of the “in principle” text. NIACs are armed conflicts between States and organized armed groups (OAG), or between such groups. Common Article 3 of the Geneva Conventions, which reflects customary law, and Article 1(3) of Additional Protocol II to the 1949 Geneva Conventions (AP II, for NIACs in which the OAG controls significant territory) set out the normative basis for classification of such conflicts.
As observed by the International Criminal Tribunal for the Former Yugoslavia in its Tadić Appeals Chamber decision, to constitute a NIAC the violence in question must reach a certain level of intensity and involve a group that is armed and sufficiently organized. Therein lies the classification challenge for cyber-only exchanges. First, the intensity of the exchange must be very high. For instance, it is well accepted that, as set forth in Article 1(2) of AP II, “internal disturbances and tensions, such as riots, [or] isolated and sporadic acts of violence” do not reach the NIAC threshold; this is so even though they may result in extensive destruction and multiple deaths. The requisite level of violence is often described as so serious that the government must turn to the military to deal with the situation. Military planners do not foresee cyber operations as likely to occur at the requisite level of intensity during future conflict, but the possibility cannot be ruled out.
Second, the group must be well-organized. While military-like hierarchy is not required, the group has to have some form of command structure and an ability to act collaboratively. This criterion would rule out groups that are unorganized, as in a collection of individuals who, out of shared motivation, conduct cyber operations against a State in parallel (as was the case in the 2007 Estonia cyber operations) but without coordinating their activities. A further obstacle is that organized armed groups must have a means of enforcing IHL among their members, a condition understood to derive from the requirement that OAGs be “under responsible command.” A group that is organized entirely online, perhaps without even knowing the actual identity of its members, would – at a minimum – have difficulty in doing so. France is thus right to emphasize that it is in principle possible that cyber-only exchanges would qualify as an armed conflict, and equally correct in noting that the conditions precedent to initiation and maintenance of a NIAC render cyber-only NIACs unlikely.
Geography of Cyber Conflicts
As to the geography of cyber conflicts, France adopts the traditional approach with respect to IACs. Cyber operations may be mounted from, through and into the territory of the belligerents, but operations affecting the territory of neutral states are subject to the law of neutrality. It is accordingly forbidden to mount cyber operations from cyber infrastructure on a neutral’s territory or under its exclusive control (as with military infrastructure based abroad), including when that infrastructure is used remotely by a belligerent. Neutral states have a corresponding duty to terminate such operations. These obligations are well-accepted by states and scholars.
An important operational point in the French position paper deals with cyber operations, including those qualifying as an attack, that merely pass through (as opposed to being mounted from) neutral cyber infrastructure. France takes the position that such operations are communications that may be transmitted across neutral territory in accordance with Article 8 of the 1907 Hague V Convention on neutrality in land warfare, rather than “munitions of war,” the transport of which across neutral territory is forbidden by Article 2 of that Convention. Both articles are generally deemed reflective of customary law applicable in IACs. This is, in my estimation, as well as that of the Tallinn Manual 2.0 International Group of Experts (IGE), the correct interpretation given the geographically ad hoc nature of many cyber transmissions. It also avoids the ongoing discussion as to whether cyber capabilities qualify as weapons at all, at least with respect to neutrality rules regarding operations that might pass through neutral cyber infrastructure.
The position paper does not deal with the question of whether an aggrieved belligerent may take action to put an end to its enemy’s unlawful use of neutral cyber infrastructure, whether in situ or remote, when the neutral State does not comply with its own duty to do so. The prevailing view, and that of the Tallinn Manual 2.0 experts, is that this measure of self-help is permissible. Given France’s rather traditional approach to neutrality law, it is likely to take the same position.
As to the geography of NIACs, the landscape is more contentious. Under the first view, which is advocated by the ICRC, IHL applies throughout the territory of the State that is party to the conflict and in neighboring areas into which hostilities have “spilled.” France appears to take this position because it states that IHL applies during NIACs to cyber operations in the territory of the State in which hostilities are taking place. This begs the question of whether France considers only operations initiated and ending within that territory to be governed by IHL, or whether it would include operations launched from that territory but terminating elsewhere, or vice versa. This is a critical question because of the transborder nature of cyber operations; indeed, it makes operational sense for OAGs to conduct cyber operations from territory far beyond the State so as to hinder the operational practicality of enemy responses, especially kinetic ones, without forfeiting any operational advantages.
The alternative view, and that to which I, the majority of the Tallinn Manual 2.0 IGE, and the United States adhere, is that the applicability of IHL in a NIAC is not limited geographically, but rather extends to all operations with a nexus to the conflict. The geographical limitations of the jus ad bellum continue to apply and would preclude conducting cyber operations that would breach the sovereignty of the States into which they are conducted, except when those States are unwilling or unable to put an end to the hostile operations from their territory. This approach in the cyber context is analogous to the controversial application of the standard with respect to extraterritorial lethal drone operations against terrorists in organized armed groups that are involved in a NIAC with the United States.
In the second part of this post I will examine the position paper’s views on the concept of “attack,” on the conduct of hostilities and on data as an object.