Protecting Societies – Anchoring a new protection dimension in international law during armed conflict: An agenda for discussion

Adversarial military cyber operations carried out during armed conflict can affect the functioning of civilian societies in unprecedented ways, challenging the protective reach of international humanitarian law (IHL). In light of this, we argue for a recognition of new protection needs to shield critical societal processes from military cyber threats in situations of armed conflict.

A few examples of recent cyberoperations, all of which occurred in times of peace, leaving us concerned what militarily capable actors might be able to do in situations of armed conflict, will help to set the scene: a DDoS attack against a civilian society (Estonia 2007); operations disrupting the physical operational technology of power grids (Ukraine 2016); crippling ransomware attacks against the IT systems of local administrations, bringing public services in entire cities to a standstill (Baltimore, U.S. 2019); destructive wiper malware that exploits vulnerabilities in ubiquitous operation systems and erases data in essential systems all across the globe, leading to widespread disruptions and massive economic damage (NotPetya 2017); and sustained, concerted digital disinformation campaigns that interfere with democratic decision-making processes and lead to a lasting erosion of trust in the media and democratic institutions (since at least 2014).

As these incidents show, the digital transformation has left civilian infrastructures and societal processes with entirely novel vulnerabilities and attack surfaces. Today’s military cyber capabilities have the potential to severely impact essential societal processes across economic, financial, scientific, cultural, and healthcare domains as well as public information spaces. While such consequences may be diffuse, intangible, and difficult to measure, in an interconnected world they can affect entire societies and cause systemic disruption to societal processes and public life on a major scale.

The problem is that such effects do not easily map onto IHL’s traditional rationale of providing essential protection against the ramifications of kinetic warfare and physical violence. What seems increasingly crucial is not only the protection of the civilian population in and of itself, i.e. the natural persons and their physical assets directly at risk from harm, but systemic societal processes writ large whose disruption will entail serious repercussions for the civilian population in its entirety. The challenge ahead, then, is to anchor this additional protection dimension in IHL without overstretching this legal regime’s protective reach that by its very nature must consider the military necessities and realities of war.

To be sure, in principle at least, existing rules of IHL – on the basis of a progressive and dynamic interpretation – are not necessarily failing in their effect. They undoubtedly yield protection in cases where military cyber operations cause effects akin to those of traditional kinetic warfare. And existing rules can be applied also to certain losses of functionality where no physical destruction occurs. What is more, on the basis of special protection regimes and specific provisions, IHL provides some additional protection for the healthcare and cultural sectors and with regard to essential civilian logistical supply chains and drinking water installations.

Regarding the latter, the prohibition to target objects indispensable to the survival of the civilian population is particularly relevant and potentially pathbreaking in the cyber context in that it is not limited to “attacks” within the meaning of IHL or a particular type of operation. But the protection of all other essential societal functions, services, or processes – i.e. those that cannot be subsumed under one of the above categories – depends, first and foremost, on the legal qualification of the cyber operation that targets or otherwise affects them. Generally, only operations that can be considered attacks trigger a number of legal restraints based on fundamental rules of IHL, namely the principles of distinction, of proportionality, and of precautions in attack. The problem is that views on the scope and interpretation of IHL’s attack notion vary considerably among states and other stakeholders. Just contrast France’s expansive understanding, which considers it sufficient when a targeted system can no longer provide the service for which it was installed, with Israel’s recently published cautious reading of “attack”, which limits the notion to (expected) physical damage. The law as it currently stands renders a broad spectrum of views at least legally defensible. But for states and societies that are increasingly reliant on a functioning cyber ecosystem, the stakes might simply be too high to tolerate such interpretive grey zones.

After all, operations that would seem to fall into such grey zones could include the paralysation of a country’s administration nation-wide, the encryption of tax records of thousands or millions of citizens, the breaking down of communal services like electricity or garbage disposal, or the disruption of financial markets or supply chains on a large scale. In view of their scale and gravity – and leaving aside the effects these operations would have on third (neutral) states in a globalized and economically interdependent world – such operations go beyond what in our view could or should be considered permissible psychological warfare, sanctions, or a seizure of property. It is furthermore not clear how operations, such as the encryption of tax records, would contribute to military objectives. Unless genuine blackmailing of the civilian population – beyond propaganda and traditional psychological operations – was to become part of future warfare, as some military thinkers predict, it would be hard to justify them from a military perspective as well. By leaving essential societal processes in a legal grey zone, the trend towards such blackmailing strategies is reinforced, with a real risk of a gradual undermining of the fundamental understanding that the civilian population must not be targeted in times of armed conflict.

While we are keenly aware of the inherent limits of IHL’s regulative reach – indeed this is a legal regime of last resort, “a handbrake on our worst impulses” aiming to provide baseline rather than perfect or fully comprehensive protection – it seems unthinkable to us that in twenty-first century warfare such practices should go entirely unrestrained by IHL especially when they have nation-wide effects. The primary question therefore is not so much whether such new forms of warfare and the damages they cause can in principle be subsumed under individual rules of IHL, as that is neither here nor there, but whether certain societal processes and functions must be considered assets so essential as to require legal protection under IHL in times of armed conflict. Debates about the notion of attack or whether data could be considered an object, sophisticated and fruitful as they are, are at risk of missing the bigger picture that what is at stake is a wholly new set of protection needs relating to the disruption of central societal processes and functions. Indeed, contemporary discussions too often remain in a twentieth-century mindset in that they are “object-focused”, i.e. they consider loss of functionality in relation to specific objects that therefore serve as “intermediaries” for the law to grasp the loss of their functionality as a relevant risk or damage. But for IHL to fully map onto the twenty-first century’s digital threat landscape, a more explicit and direct recognition of the protection needs of core societal processes and functions as such will be required. After all, in light of cyber operations that could combine technical intrusion and manipulation with disinformation campaigns to undermine a state’s financial or administrative systems, the crucial aspect will often not be the loss of functionality of a given object but the disruption of an important societal process or system as such. It is for all these reasons that we are putting the matter of society protection forward as a new protection dimension in IHL and international law more generally, with a view to initiating a broad-based discussion that is focused on contemporary and future protection needs in relation to military cyber threats. With this blog post, which summarizes the first findings of our background research undertaken as part of the digitalization and new technologies cluster at the Geneva Academy of International Humanitarian Law and Human Rights, we hope to provide a starting point for such deeper engagement with the societal implications of tomorrow’s armed conflicts.

Of course, IHL is not the only legal framework providing legal protection in times of armed conflict. Alongside the applicable IHL framework, international human rights law (IHRL), in principle, also provides protections for civilian society. Indeed, in many ways, human rights protections, given their societal anchoring, are better tailored to grasp and address the systemic ramifications of manipulative military cyber operations affecting societal processes. However, the application of IHRL to transnational military cyber operations during armed conflict meets a number of legal obstacles and points of contention that have not been resolved entirely to date, at least not on a universal level. For one, the relationship between IHL and IHRL in many ways remains unsettled. Thus far, the debate has mostly focused on the context of the right to life in armed conflict and the right to personal liberty in relation to detention. But as exposed by our examples of cyber operations above, it now becomes apparent that under the conditions of contemporary cyber warfare, the conflicting parties’ armed forces gain access to tools that allow for operations against the adversary that potentially implicate the scope of a wholly different array of human rights guarantees. What is more, if anything, the ECtHR’s recent judgment in Georgia v. Russia (II), with its reference to the “active phase of hostilities”, has added new conceptual ambiguities regarding the relationship between IHL and IHLR in times of armed conflict.

The second obstacle is the question of the extraterritorial or, for our purposes, ‘virtual scope’ of existing human rights guarantees. In order for those rights to be engaged by an adversarial military cyber operation in the course of an international armed conflict or other types of extra-state combat engagement, the acting state must be bound by IHRL. In this context, the majority of the group of experts that drafted the Tallinn Manual 2.0 concluded that under international law de lege lata, “physical control over territory or the individual is required before human rights law obligations are triggered” (Tallinn Manual 2.0, rule 34, para. 9). More recently, the UN Human Rights Committee adopted a more expansive approach regarding the right to life which, even though it was clearly geared towards lethal military operations outside traditional theatres of conflict, could be transposed to the cyber context. In legal scholarship, similarly expansive approaches have already been adopted with regard to the right to health and in relation to cyber operations with extraterritorial effects. But while we fail to see any doctrinal reasons as to why the same consideration could not be applied to other human rights guarantees, it is far more doubtful whether this development already finds the necessary support in state practice and opinio juris.

The upshot of all this is that even though human rights law could grasp many of the societal repercussions under discussion in principle, what protection it can actually yield in times of armed conflict in many instances currently remains unclear.

The detrimental effects and consequences at issue traditionally would have been considered lawful in times of armed conflict and beyond the protective reach even of IHL. Therefore, relying (exclusively) on human rights law to overcome longstanding certainties and conceptions and to introduce a new protection dimension in times of armed conflict, is likely to remain an eternal interpretative uphill battle. After all, IHL’s traditional silence regarding the disruption of societal processes could easily be invoked to support lex specialis-type arguments, with a view to preventing human rights law from filling the gaps. Against this backdrop, we feel that if such a novel protection dimension was to be recognized and included in the legal framework applicable to armed conflicts, as a first step it needs to be recognized within IHL.

Interestingly, in the realm of the jus ad bellum, states currently appear to be more readily prepared to include new dimensions of protection that accept non-physical effects on a wide range of societal processes (economic, financial, cultural) as falling within the scope of concepts such as sovereignty, non-intervention, or the use of force. For instance, in its recent official statement, Israel concedes that “there may be room to further examine whether operations not causing physical damage could also amount to a use of force” while taking an explicitly more restrictive stance in the realm of the jus in bello. Considering how traditional distinctions between peace and war continue to erode in cyberspace, similar protection needs would seem to attach in both of these dimensions. It is telling that contemporary discussions about sovereignty or the non-intervention principle in the cyber context appear to be increasingly protection-oriented, i.e. they focus on the protection of specific assets (e.g. critical infrastructure, healthcare facilities) – rather than the more traditional delimitation of the domaine réservé and sovereign prerogatives – a discursive shift that is reminiscent of IHL protection debates. Thus, in recent debates regarding Covid-19-related cyber interferences with the health sector, it was interesting to see how IHL’s traditional protection focus on hospital protection informed contemporary norm-clarification attempts on the level of the jus ad bellum.

From here, there are several possible ways forward; they are not mutually exclusive. One is to follow the ICRC’s approach and to engage in a broad and dynamic interpretation of notions such as “attack” or “proportionality” that guide the existing body of law. This important process is currently ongoing. The forthcoming Tallinn Manual 3.0 is likely to give these discussions and iterative norm-clarification efforts an additional boost. Still, we remain concerned that in spite of all these welcome endeavours, ultimately too much interpretive ambiguity might remain, not least in view of how much states’ and experts’ positions on the matter currently diverge. A second possibility is the development and promotion of para- or proto-legal principles for state behaviour in cyberspace during armed conflict in regard to the protection of society that states can voluntary agree on and abide by. Such non-binding norms could conceivably be made part of existing norm-finding and norm-developing processes for responsible state behaviour in the use of information and communication technologies, such as the UN GGE and UN OEWG frameworks, similar to the recommendations laid down in paragraph 13 of the 2015 GGE Report. A third, but at least for the time being unrealistically ambitious approach, would be to suggest the formulation of a new rule. Broadly following the example of Article 54 AP I, such a rule could aim to protect core societal processes and functions that are indispensable for a society to function. Apart from all the difficult line-drawing and threshold discussions that such an approach would inevitably entail, it would arguably also involve a reconceptualization of the protective reach of IHL that includes the protection of society (and its processes) as such. We say “arguably” because a broad interpretation of the existing concept of the “civilian population” potentially already comprises the societal processes and functions laid out here, i.e. there is a “backdoor” to accommodate these novel protection needs within the existing legal framework. We feel, however, that to meaningfully expand IHL’s traditionally narrow focus on objects, kinetic warfare, and physical destruction, a more explicit recognition of the protection needs of increasingly digitalized societies is called for.