I have been asked to write a chapter, tentatively entitled “Law and Warfare in the Cyber Domain,” for the next edition of Moore, Roberts & Turner, eds., National Security Law. As part of that effort, I have been thinking about where the gaps are in the domain of international humanitarian law as applied in cyberspace. What follows below is a portion of the chapter and it is my best effort to create a taxonomy of cyber war questions (I tend to like taxonomies).
I offer it for two reasons -- first, as we head into the 4th of July holiday, I imagine some of you are looking for something "fun" to read over the weekend (not!). Second, and more importantly for me, I do not pretend to comprehensive knowledge of IHL. If any reader has constructive ways of improving this analysis, I would welcome your feedback:
A Taxonomy of Cyber War IHL Questions --
Questions of jus ad bello and jus in bellum barely begin to delimit the scope of legal questions relating to the nature of cyber conflict in this new domain. Few, if any, of the conflicts we can imagine will involve actions that rise to the level of an armed attack sufficient to trigger the application of international humanitarian law. Even the pseudo-conflict in the cyber domain between Russian and Ukrainian actors seems not to have involved “armed attacks” as international humanitarian law would define them.
More to the point, even fewer of the conflicts will involve armed actions between the military of nation states. Even if the tools used rise to the level of sufficient significance to merit classification as an armed attack, the likely combatants may well be non-state actors. To be sure a true cyber war between nation states may occur – but it is most likely to occur in the context of a kinetic armed conflict. Put colloquially, our cyber war with China will be coincident with a military confrontation over Taiwan.
As a consequence, much of the discussion of the application of international humanitarian law to cyber seems rather mis-focused on events that are unlikely to occur. Instead, we can imagine any number of far more plausible conflicts that involve a nation state and a group of non-state actors (whether those actors are organized groups or ad hoc amalgams of individuals, and whether those groups are motivated by profit, pride, or politics) and we can equally imagine conflicts where the tools of choice involve activity that is below the level of an armed attack in international law – acts we might call “sub war” acts involving the degradation of information, the disruption of communications, or even the destruction of capabilities.
How should we characterize these types of activities as a legal matter and what, if any, international laws govern the conduct of these activities? The answer to these questions requires, in the first instance, that we develop a taxonomy of cyber conflict – in effect scoping the domain. An effective taxonomy allows for two useful and interrelated definitional questions to be identified: First, it permits us to understand the domain of certain applicable laws and identify those domains for which applicable laws have yet to be developed. Second, it allows us to specify the boundary questions between domains – boundaries that often require legal, as well as practical definition.
To see what this means in the context of the cyber domain consider that our first effort to map international humanitarian law onto the domain of cyber conflict (through the efforts of the Tallinn Manual experts) has been limited to categorizing how existing international humanitarian law will apply to nation-versus-nation cyber conflicts that rise to the level of an armed conflict. These same experts have also announced their next project (helpfully called Tallinn 2.0) that will, when completed, attempt to characterize how international law will apply to sub-war conflicts between nations.
But that, as the chart below makes clear, barely begins to scratch the surface of the potential modalities of cyber conflict. We have no real idea (much less international agreement) as to what law applies to cyber conflicts between say, a nation and a non-state actor when the level of the conflict is equivalent to an armed attack. Put prosaically, what international law applies to a US response to an attack by, say, a hacker group that destroys a nuclear power plant (say, for avowed ideological reasons)?
Nor do we know what law might apply when a nation acts preemptively against a non-state actor to forestall such an armed attack. And we also have no idea how the laws might change in either of these situations when the cyber operation involves the use of tools that have less than kinetic “armed attack” effects. And, finally, international law generally applies only to States, not to individuals or non-state actors, so the domain of conflict between non-state groups is utterly terra incognito for the law.
Conceptualizing the domain in this way gives us a useful theoretical framework for a broader consideration of international humanitarian law in the cyber domain. It helps us identify at least two important boundary questions that the law will need to address:
• What is the difference, in the cyber domain between acts of armed warfare and sub-war acts?
• How do we distinguish non-state actors from state actors, and what rules of command and control allow us to attribute the acts of non-state actors to a nation state?
It also allows us to identify two important questions of the appropriate scope and jurisdiction of law in the domain:
• What international law controls cyber conflicts between a state and a non-state group?
• What international law controls cyber conflicts between two non-state groups in the cyber domain?
To be sure, these questions may have tentative answers that are derived from existing international law. There is a relatively robust doctrine of attribution, for example that defines the degree of control necessary to impute the actions of a non-state actor to a state. Likewise, norms of international humanitarian law applicable in non-international armed conflict in the kinetic context are well-known (to include, e.g., the provisions of Article 3 common to the four Geneva Conventions (1949), the 1977 Second Additional Protocol to the Geneva Conventions (where the State has ratified), and norms of customary international law. But there is no international agreement that those laws are applicable in the cyber domain in the first instance. And there is even less agreement as to how they might be implemented if applicable.
Finally, little law exists regarding the reciprocal obligations of the non-state actors themselves. While, for the most part, international law does not regulate the conduct of individuals and non-State actors, perhaps in the cyber domain we will need to modify that background rule. For in cyber, more so that in the physical world, individuals and groups of individuals are uniquely empowered to contest cyber conflicts against a nation state and against each other. It would be odd, indeed, if there were no law to govern such conflicts