Israel’s Cautious Perspective on International Law in Cyberspace: Part II (jus ad bellum and jus in bello)

In Part I of this series, I assessed Israel’s approach to the identification and interpretation of international law in the cyber context, as set forth in an important virtual speech by Israel’s Deputy Attorney General for International Law, Dr. Roy Schöndorf, at the “Disruptive Technologies and International Law” conference hosted by the US Naval War College’s Stockton Center for International Law. I commended that nation for putting international law rules of interpretation front and center in its analysis. I also considered Israel’s understanding of key rules of general international law that lie at the heart of ongoing multilateral discussions in such fora as the UN GGE & OEWG, as well as the broader international law community. In my estimation, Israel has taken a generally cautious approach to these rules, even where one might have expected it to take a broader view.

I now turn to two areas of law that are of particular importance to Israel — the jus ad bellum, that body of law governing when states may resort to force as an instrument of their national policy, and the jus in bello (international humanitarian law), which includes the rules that govern how cyber operations may be conducted during armed conflicts.

Jus ad bellum

Israel’s approach to application of the jus ad bellum rules in cyberspace is quite cautious. It takes the position that the prohibition on the “use of force” found in Article 2(4) of the UN Charter and customary law applies in cyberspace, as does the right of self-defense in the face of an “armed attack” found in Article 51 and customary law. Moreover, Israel confirms that states may employ both cyber and kinetic force when defending themselves. With the exception of a minor bump in the road at the 2016-17 UN Group of Governmental Experts proceedings, these positions are widely accepted, and rightly so.

Dr. Schöndorf also confirmed that Israel interprets the right of self-defence as applying not only to state cyber operations at the armed attack level, but also to those of non-state actors that are not conducted on behalf, or with the substantial involvement, of a state (the ICJ’s Paramilitary Activities standard, para. 195). Although a contentious subject, Israel has long been of the view that the right of self-defence applies to armed attacks by non-state groups. Its extension of that interpretation to cyber operations is reasonable and mirrored by certain other states. (see, e.g., Netherlands, United Kingdom, United States, but see France).

However, Dr. Schöndorf’s presentation sidestepped the critical question of where the use of force and armed attack thresholds lie (Tallinn Manual 2.0, Rules 69 & 71). He did acknowledge that causation of physical damage, injury or death by cyber means would suffice with respect to both. But he offered no view on the so-called “gap” issue of whether the two thresholds are distinct, as suggested by the International Court of Justice in its Paramilitary Activities judgment (para. 191), or identical, a position championed by the United States. Although as a matter of legal interpretation the former is more defensible, in light of the difficulty in determining where the thresholds lie when applied to cyber operations, the dueling interpretations may represent a distinction without a practical difference.

But the real question is whether a cyber operation causing severe non-physical consequences, such as an attack on the nation’s economic system, can reach the thresholds. Other states that are setting forth their international law positions are increasingly indicating that may be the case by embracing the “scale and effects” approach (see, e.g., Australia, Finland, Netherlands, and New Zealand) suggested by the Tallinn Manual 2.0 experts (Rule 69) that was drawn from the International Court of Justice’s treatment of self-defence in the Paramilitary Activities judgment (para. 195).

Although adoption of that approach is analytically a major step forward, few states have offered examples of operations that might qualify, beyond suggesting the effects should be comparable to those that would qualify a non-cyber operation as a use of force or armed attack (see, e.g., France, Australia, Netherlands, New Zealand, United States). France has gone furthest in this regard. Referring the use of force threshold, it notes,

In the absence of physical damage, a cyberoperation may be deemed a use of force against the yardstick of several criteria, including the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target. This is of course not an exhaustive list.

And as to the threshold for armed attack, France asserts,

A cyberattack could be categorised as an armed attack if it caused substantial loss of life or considerable physical or economic damage. That would be the case of an operation in cyberspace that caused a failure of critical infrastructure with significant consequences or consequences liable to paralyse whole swathes of the country’s activity, trigger technological or ecological disasters and claim numerous victims. In such an event, the effects of the operation would be similar to those that would result from the use of conventional weapons.

Dr. Schöndorf only went so far as noting that “there may be room to further examine whether operations not causing physical damage could also amount to use of force.” This cautious approach is the norm among states so far. That said, given the severe non-physical consequences that could be caused by concerted hostile cyber operations, it is difficult to imagine that any State would rule out the possibility of a cyber operation qualifying as an unlawful use of force or, when “most grave” (Paramilitary Activities, para. 191), an armed attack against which it is entitled to defend itself. Such an interpretation would run counter to the object and purpose of the jus ad bellum, which is to prevent harm at a certain level of consequentiality rather than of a particular genre. Accordingly, the challenge for states lies not in deciding whether a non-destructive cyber operation may amount to a use of force or armed attack under the jus ad bellum, but instead in identifying the circumstances in which it would so qualify.

Jus in bello 

Although Israel is cautious in adopting positions with respect to the application of the jus ad bellum to cyber operations, it is less so vis-à-vis the jus in bello (international humanitarian law – IHL). In particular, it takes clear stances on two important unsettled issues, the definition of the term “attack” in IHL and whether data qualifies as an “object” in that body of law.

The meaning of “attack” lies at the heart of IHL’s application in the cyber context because many of the prohibitions, limitations, and obligations resident in its conduct of hostilities treaty and customary law rules are framed in terms of attacks. Key examples include the prohibition on directing attacks against civilian objects, the rule of proportionality in attacks, and the duty to take precautions in and against attack. Importantly, they apply only to cyber operations that qualify as an attack.

An attack is defined in Article 49 of Additional Protocol I as “an act of violence.” Drawing on that definition, and focusing on actions that have violent consequences, the Tallinn Manual 2.0 experts concluded that “a cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects” (Rule 92).

This raises the issue of whether a cyber operation that does not generate physical damage or injury may nevertheless qualify as an attack, such that directing it against civilian cyber infrastructure would be unlawful or, should it be directed at a military objective, be subject to the rule of proportionality and the requirement to take precautions in attack. Given that cyber operations during an armed conflict have the potential to dramatically disrupt civilian life, the Tallinn Manual 2.0 experts, interpreting the concept in light of its object and purpose, took the view that the concept of damage in the cyber context included a loss of functionality (Rule 92).

They could not agree, however, on the precise circumstances in which a loss of functionality would qualify a cyber operation as an attack. Surely it would when repair of the system, for instance by replacement of components, is necessary. Yet, whether other forms of functionality loss, such as the targeted system no longer operating in the intended manner, cross the attack threshold remains unsettled. Only France has addressed this issue with any granularity. Its Ministry of the Armies has opined that

France does not characterise a cyberattack solely on the basis of material criteria. It considers that a cyberoperation is an attack where the targeted equipment or systems no longer provide the service for which they were implemented, whether temporarily or permanently, reversibly or not. If the effects are temporary and/or reversible, the attack is characterised where action by the adversary is necessary to restore the infrastructure or system (repair of equipment, replacement of a part, reinstallation of a network, etc.).

Israel rejects the notion of loss of functionality altogether on the basis that “certain types of electronic warfare, psychological warfare, economic sanctions, seizure of property and detention have never been considered to be attacks as such.” For Israel, “only when a cyber operation is expected to cause physical damage” would it amount to an attack subject to the IHL rules on that category of military operations.

The restrictive Israeli interpretation is consequential, for by it civilian cyber infrastructure is left legally vulnerable to hostile non-destructive cyber operations that could prove highly disruptive for the civilian population, arguably even if the operations did not affect the military situation. That Israel is sensitive to this reality was clear from Dr. Schöndorf’s caveat that all military operations are subject to the “requirement to consider the dangers posed to the civilian population in the conduct of military operations.” This requirement to take “constant care” when conducting military operations is found, for States Parties, in Article 57(1) of Additional Protocol I.

Israel’s approach might be questioned on two grounds. First, it is questionable that the rules governing attacks were intended to preclude a certain type of harm, that which is physical in nature. Instead, the better characterization  of the rules, one consistent with their object and purpose, is that they were designed to preclude harm to civilians to the extent possible, while allowing the armed forces to retain the ability to conduct military operations effectively. In the era predating cyber operations, crafting rules by reference to damage (understood as physical) served as reliable textual shorthand for achieving that end. In fairness, the Israeli position on attack is one I advocated for a number of years until discussions with ICRC experts and fellow members of the Tallinn Manual (1.0) experts convinced me that it was legally supportable and sensible to include loss of functionality in the understanding of attacks, and that effort would be best spent in determining how that concept is to be interpreted.

Second, it is not altogether clear that IHL imposes a constant care requirement as a matter of customary international law in other than attacks (DoD Law of War Manual, para. 5.2.3.5). Although the better argument is that it does, this is not a universally accepted characterization, especially in light of the fact that the constant care provision is located in an Additional Protocol I rule entitled “Precautions in attack” (see discussion here, pp. 178-180). Even if the constant care provision does reflect customary law in an international armed conflict, it is not altogether clear that it would likewise do so in non-international armed conflict.

From a policy and operational perspective, it is a bit surprising that Israel has taken this position on the meaning of attack. The history of conflict in the region is one in which its civilian population has been a regular target of attacks by its adversaries. Into the future, this will likely also be the case with respect to hostile non-destructive cyber operations launched by other states or non-state actors. By rejecting characterization of such operations as attacks, and therefore legally prohibited, rather than working with other states to identify when they might violate IHL, Israel has relinquished the possibility of employing offensive lawfare in condemning them.

A second disputed topic on which Israel has taken a firm stance is that of whether data qualifies as an “object,” as that term is used in IHL. If so, a cyber operation designed to alter or destroy civilian data is unlawful as an attack on a civilian obect. Further, if the operation is directed at a military objective, the collateral effects on civilian data would have to be considered in the proportionality and precautions in attack analyses.

Experts and states are split on this issue (see, e.g., here, here and here). For instance, France has taken the position that content data is an object, citing “civil (governmental) data, banking data, and medical data,” although an operation against process data will be assessed by France based on the effect it has on associated systems. Denmark, by contrast, observed that “(digital) data do not in general constitute an object” in its 2020 Military Manual (para. 2.1.1).

Neither interpretation is wholly satisfactory. If data is considered to be an object, certain critical military cyber operations that might be directed against the civilian population, such as psychological operations during counterinsurgency or stability operations, would be prohibited. On the other hand, if data is not an object as a matter of IHL, some cyber operations that could dramatically disrupt civilian life would be permissible.

Although most countries that have issued statements on international law have avoided the topic, Israel engaged it head on by asserting that “only tangible things can constitute objects,” a view that most of the Tallinn Manual 2.0 experts supported (Rule 100). Importantly, in explaining this position Dr. Schöndorf cautioned that if an operation against data causes effects that qualify the operation as an attack (physical damage, injury), the IHL rules governing attacks would apply.

On the one hand, the fact that Israel took an unambiguous stand on the matter was surprising because by the interpretation its civilian population is left legally unprotected against significant disruption caused by the loss or alternation of data. For instance, imagine a cyber operation targeting banking or essential social services data. On the other hand, however, Israel’s stance makes sense considering the propensity of many of Israel’s adversaries to ignore IHL’s rules protecting the civilian population and because cyber influence operations involving data are particularly useful for a state like Israel that faces adversaries operating from within the civilian population. Given the respective costs and benefits of the two positions, this might have been one subject that would have been better left unaddressed, with Israel simply adopting operational policies such as those that have been suggested elsewhere that are designed to balance the military and humanitarian considerations raised by the dispute.

Conclusion

Israel’s approach to, and views on, the application of international law to cyber operations are sophisticated and surgical. Particularly commendatory is its expressed, and actual, commitment to the rules of international law governing the identification and interpretation of international law. They are rules to which other states sometimes accord insufficient attention as they craft their legal positions, particularly when the rules lead to suboptimal results.

In light of the Israel’s fidelity to application of these rules, it is unsurprising that it has taken a rather cautious approach to the how international law governs cyber operations. What is surprising is that Israel has moved cautiously with respect to several aspects of the law where reasonable states acting in good faith currently differ, and regarding which a less conservative, yet still defensible, position would seem better suited to Israel’s challenging circumstances. Nevertheless, caution is merited in questioning the positions, for Israel is best situated to assess its own cyber security interests and how they factor into the available interpretive margin of appreciation.