Rule #1: The Law of Armed Conflict Applies to Cyber Warfare

          It is not unforeseen that the United States could suffer a major cyber attack against its military or civilian computer networks in the near future.  In fact, attacks against US companies and government facilities occur with regularity, jeopardizing confidential information, military assets and data systems previously considered secure from infiltration.  Cyber attacks can take many forms, from the transmission of viruses, to the placement of “back-door” bugs into software, to overloading network servers with massive streams of email.

          To prevent and counter attacks to military networks, the government created United States Cyber Command (USCYBERCOM), a division of United States Strategic Command (USSTRATCOM).[1]  Notably, the defense of civilian networks is the responsibility of the Department of Homeland Security.  Earlier this year, the US received a lot of attention after it was revealed that the Obama administration had authorized the use of Stuxnet, a sophisticated computer worm, against an Iranian nuclear facility, neutralizing portions of the facility’s centrifuge system.[2]

          It is no secret that the United States and many other nations are pursuing advanced cyber warfare capabilities to respond to threats in the emerging theater of warfare, cyberspace. The Chinese military has been particularly vocal in their expressions of the significance of cyberspace for military operations.  Last year two officers, writing for the China Youth Daily, stated; “[j]ust as nuclear warfare was the strategic war of the industrial era, cyber-warfare has become the strategic war of the information era, and this has become a form of battle that is massively destructive and concerns the life and death of nations.”[3]  Moreover, the Chinese military has extensively touted the creation of its own elite cyber warfare units which are said to be able to conduct sophisticated cyber operations.[4]

          The International Committee of the Red Cross (ICRC) has steadfastly argued that many of the same principles that regulate battlefield combat also apply in cyberspace.[5]  Despite the ICRC’s insistence that international humanitarian law applies by analogy to cyber warfare, the question of whether laws regulating conduct in cyberspace even existed remains unsettled among nations and legal practitioners, including many in the US government.  It was therefore a pleasant surprise when Harold Koh, Legal Advisor of the Department of State, affirmed that “[c]yberspace is not a ‘law-free’ zone where anyone can conduct hostile activities without rules or restraint” but which, in some circumstances, may be regulated by the law of armed conflict.[6]

          Last month, Koh, speaking at the Cyber Command Inter-Agency Legal Conference, laid out a series of 10 principles that would guide US government policy on cyber activities.  These principles offered insights into how the legal community has sought to address the legality of cyber activities and the many difficult challenges associated with new technologies.  Koh’s acknowledgement represents an important development in American policy, providing some clarification into the legal ramifications of this method of combat.

          But what exactly is cyber warfare?  It should not be shocking to hear that there is no internationally agreed upon definition of cyber warfare.  In the past, the ICRC has utilized the following (simplified) definition: “any hostile measures against an enemy designed ‘to discover, alter, destroy, disrupt or transfer data stored in a computer, manipulated by a computer or transmitted through a computer.'”[7]  Certainly the Geneva Conventions, even in their modern form, do not specifically address the question of cyber warfare.  Despite this omission, the framers of the Geneva Conventions, understanding the evolution of war fighting tactics, weaponry, and technology, had the wisdom to craft a set of documents which would account for the development of new means and methods of warfare and regulate them under the same basic principles recognized as customary practice during times of armed conflict.  Although cyber warfare raises many new legal complexities which will require further consideration, a few issues are settled.

          As is the case with any other application of international humanitarian law, in order for cyber activates to be subject to IHL rules, they must occur during an armed conflict.  For instance, common identity theft or the vigilante hacking of a company’s records would not be regulated by IHL, but would remain criminal acts punishable under a nation’s domestic laws.  Those cyber activities falling under the purview of IHL would need to comply with the four main jus in bello (conduct in war) principles: military necessity, distinction, proportionality, and humanity.  Accordingly, any cyber strike must be done for a militarily necessary reason (i.e. weakening opposing forces), distinguish between civilian and military targets, have a military advantage which outweighs the collateral harm caused to civilian technology or lives, and ensure that the results of the strike do not cause any unnecessary or superfluous suffering to the target.

          To see what the application of IHL might look like in practice, consider these very simple examples.  Cyber attacks targeting exclusively military targets, such as battlefield radar stations or communication facilities would likely be acceptable under IHL.  The neutralization of such facilities would weaken an opponent’s armed forces and would be unlikely to cause civilian harm.  On the other hand, attacks against civilian infrastructure, particularly medical facilities or structures that house “dangerous forces”, such as nuclear power plants or dams, would be illegal.  A cyber strike against an opposing nation’s financial institutions with the intent to spread terror amongst a civilian population would similarly be an impermissible use of force.

          But can cyber attacks themselves be considered a use of force which would trigger the application of IHL and a nation’s right to self-defense?  Yes, according to Koh, who expressed the United States’ view that a cyber attack “may in certain circumstances constitute a use of force within the meaning of Article 2(4) of the UN Charter.”[8]  While each situation is fact dependent, “cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force”[9], noted Koh.  Should the United States be the victim of such an attack, it would be justified under international law to respond in self-defense.[10] Critically, this response need not be a reciprocal cyber attack, but may instead be a kinetic attack.[11]

          As Koh eloquently expressed in his address, this seems like “common sense”[12].  A cyber attack which may have the same devastating effects as a kinetic weapon need not be held to a different legal standard.  Some, like USCYBERCOM chief of staff Rear Adm. Margaret Klein, have already shot back, expressing her view that there is “a lack of clear legal guidance” about what laws apply electronic warfare.[13]  While many difficult legal questions remain to be answered[14], it would be not only counterproductive, but destructive to discard this universal body of law designed to protect humanity from the devastations of war.  The regulation of cyber activities is simply the next evolution in this essential body of law.

          In the end, the application of international humanitarian law to cyber activates will reduce harm to innocent civilians, as well as damage to civilian infrastructure and the environment.  Moving forward, more work needs to be done to create consensus on the challenging legal issues presented by cyber security and offensive cyber operations.  This will take time, but Koh’s principles do put the United States in a position to lead this conversation internationally and to shape IHL norms in the future.

 A full reproduction of Koh’s statement can be found at Opinio Juris.

[1] United States Strategic Command, US Cyber Command, Dec. 2011, available at

[2] David E. Sanger, Obama Order Sped Up Wave of Cyber Attacks Against Iran, New York Times, June 1, 2012 available at

[3] Chris Buckley, Update-1 – China PLA Officers Call Internet Key Battleground, Reuters, June 3, 2011 available at

[4] Id.

[5] See International Committee of the Red Cross, Cyber Warfare, Oct. 10, 2010 available at; See also International Committee of the Red Cross, No Legal Vacuum in Cyber Space, Aug. 16, 2011 available at

[6] Chris Borgen, Harold Koh on International Law in Cyberspace, Opinio Juris, September 19, 2012 available at (reproducing speech delivered by Koh to U.S. Cyber Command Inter-Agency Legal Conference, September 18, 2012).

[7] Cyber Warfare, supra note 5.

[8] Opinio Juris, supra note 6.





[13] Aram Rouston, US: Laws of War Apply to Cyber Attacks, Army Times, September 18, 2012 available at

[14] Challenges, among others, include proper attribution of attacks, determinations of when cyber activities qualify as a use of force, and the interconnectivity of civilian and military systems.

5 responses to “Rule #1: The Law of Armed Conflict Applies to Cyber Warfare

  1. A timely article.

    The article mentions the Stuxnet, which has been identified as a virus that was transmitted via thumb drives, and employed rootkit technology for system control and used the LNK system to propagate within the system. What does all that gobbledigook mean? There are multiple ways of getting onto a system, or “gaining entry”. Cracking passwords, or exploiting loopholes in the system are famous from Hollywood movies but these are not the only ones.

    Oftentimes, it is done with a user’s permission by posing as software that needs access — an upgrade, for instance. Once there, to gain control, a malicious piece of software needs control. A rootkit is a collection of routines that operate at the highest level of control, or gain access to that level of control — the name comes from the name of a superuser on Unix or Linux systems, “root”, and the name of a collection of routines for software developers, a software developers “kit”.

    Unfortunately, the collection of routines used to build a piece of software like Stuxnet may be “highly sophisticated”, but the same “highly sophisticated” software is used by companies to further marketing interests, protect their intellectual property, or provide features for social networks that require tracking user behavior. The only thing missing, really, is the intent to commit an act which causes “death, injury, or significant destruction.” It is not an idle worry that one of the most difficult problems in cyber war is “attribution”.

    With the state of cyberspace that much in the balance, the question of who needs to know the fundamentals of international humanitarian law becomes very critical: Everyone does, especially those who write software, apparently.

    • Thank you for reading my post and taking time to write this very insightful comment. I appreciate your description of the more technical features of viruses like Stuxnet and how seemingly benign they can be at first glance. I agree entirely that the evolution of cyber capabilities is just another reason why the public generally, and individuals like those who write software, need to be aware of international humanitarian law’s purpose, scope and implications.

  2. Pingback: Crossroads » Rule #1: The Law of Armed Conflict Applies to Cyber Warfare « Humanity in the Midst of War·

  3. Eric, dear, wish you could make a presentation on the topic during our Conference in Yerevan, dedicated to Cyberwarfare, mostly. Hope everything is fine with you and your family.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s