Part II, 15 Cyber Operations
Daragh Murray
Edited By: Elizabeth Wilmshurst, Françoise Hampson, Charles Garraway, Noam Lubell, Dapo Akande
- Human rights remedies — Armed conflict, international — Armed conflict, non-international — International crimes
15.01 This chapter deals with cyber operations undertaken by States during situations of armed conflict.1 The question whether cyber operations may constitute an ‘armed attack’ is a matter for the ius ad bellum and is not dealt with here.2 The question whether cyber operations, in and of themselves, can give rise to an armed conflict is outside the scope of this Guide. Dependent upon the situation, cyber operations will be regulated by either the ‘active hostilities’ or ‘security operations’ framework. The circumstances in which these frameworks are applied are discussed in Section 3, and further in Chapter 4.
15.02 For the purposes of this Guide cyber operations may be divided into two broad categories: cyber operations involving monitoring activities, and cyber operations involving effects-based activities.
15.03 Cyber operations involving monitoring activities collect or gather information but do not modify or interfere with that information in any way. They are passive operations. Examples include: the bulk collection of information, for instance through the tapping of Internet data cables; the targeted collection of information, for instance through the monitoring of identified individuals; or the copying of information, for instance through the copying of security-restricted data. Monitoring-based cyber operations may include the covert installation of software or hardware in order to gain access to the targeted information. However, in a monitoring-based operation this software or hardware does not interfere with the normal operation of the host system, and its activities are restricted to the collection and transmission of information.
15.04 Effects-based cyber operations are those operations that are not restricted to passive monitoring and which produce a tangible effect, either in cyber space or in the material world. These operations may damage, destroy, or modify data, or interfere with a system’s normal operation. Flooding operations are one example. These operations send a significant number of information requests to the target system, overwhelming (i.e. flooding) its computational resources, and resulting in temporary incapacitation. The most frequent flooding operations are distributed denial of service operations. Other effects-based operations may involve the infiltration of the target system in order to destroy or modify data, or to interfere with the system’s normal operation. A prominent example is the Stuxnet worm, which (a) affected the motor speed of the targeted centrifuges, resulting in physical damage and (b) interfered with the monitoring software, in order to incorrectly indicate normal operating activity.3
15.05 The cyber capability used for both monitoring-based and effects-based cyber operations may be similar. It is the payload that is the distinguishing factor. For instance, monitoring-based software may engage in effects-based activities, either consequent to reprogramming or the activation of dormant functionality. Both of these possibilities may be remotely activated.
2. Cyber Operations as an ‘Attack’ Within Armed Conflict
15.07 Cyber operations may constitute an ‘attack’ as defined under the law of armed conflict. Article 49(1) of Additional Protocol I defines attacks as ‘acts of violence against the adversary, whether in offence or in defence’.4 Under the law of armed conflict ‘the adversary’ is interpreted broadly and includes, for example, members of enemy armed forces, the civilian population, and civilian objects. Attacks include operations that comply with, and operations that violate, the applicable law of armed conflict. In determining whether an operation amounts to an attack, it is the destructive consequences of the operation that are decisive and not how it is conducted. This understanding of ‘attack’ applies equally in non-international armed conflict.
15.08 Two categories of effects-based cyber operations are relevant: cyber operations targeting physical infrastructure, and cyber operations targeting data. Both categories of cyber operations constitute a method or means of attack.
15.09 Cyber operations targeting physical infrastructure are those operations intended to damage, destroy, or temporarily incapacitate a physical target. Cyber operations intended to incapacitate a physical target include flooding operations designed to overwhelm a computer system, temporarily incapacitating, for example, an air defence system, or a communications network.5 Cyber operations intended to damage or destroy a physical target include operations in which the final target is the system itself, and operations in which a system is manipulated in order to damage or destroy an external physical target. Relevant examples include cyber operations that cause a system to malfunction resulting in physical damage to that system,6 cyber operations that seize control of an enemy missile system, causing it to fire on enemy targets, or cyber operations that seize control of a dam, releasing the reservoir to cause physical damage. These cyber operations are equivalent in their effects to traditional attacks. The sole distinguishing factor is the method or means employed.
15.10 Although data may exist primarily in the cyber sphere it has both a tangible existence (in the form of code) and a tangible value in the material world, and can be damaged or destroyed in a cyber operation. This data is accordingly classified as an ‘object’, and a cyber operation targeting that data as an ‘attack’ for the purposes of the law of armed conflict.7 For example, cyber operations may target digital currencies, resulting in the loss or appropriation of financial property, or may target digital property records affecting individuals’ ownership of, or access to, their property. Equally, a cyber operation may target a digital archive. This data may not have a value equivalent to digital currency, or property records, but it remains an object, similar, for example, to paper records stored in a warehouse, or family heirlooms stored in a home. Classification of data as an object is reflective of significant technological developments and advances towards an ‘information society’ and ‘information economy’. Activities once conducted in the material sphere are increasingly conducted in the virtual sphere. The effects of these cyber operations are equivalent to those associated with traditional attacks. The distinguishing factors are the methods and means employed and the fact that the direct physical consequences of the attack are achieved as a direct consequence of damage to data.
15.12 In international armed conflict effects-based cyber operations are regulated by the ‘active hostilities’ framework. In non-international armed conflict, effects-based cyber operations that produce effects in situations of high-intensity fighting involving sustained and concerted military operations, or in situations where a State does not exercise effective territorial control, are regulated by the ‘active hostilities’ framework. Other effects-based cyber operations are regulated by the ‘security operations’ framework.
15.13 In international armed conflict monitoring-based cyber operations targeting enemy forces and the enemy State are regulated by the ‘active hostilities’ framework. Monitoring-based cyber operations in non-international armed conflict, and monitoring operations targeting civilians in both international and non-international armed conflict, are regulated by the ‘security operations’ framework.
15.14 During international armed conflict, the ‘active hostilities’ framework regulates effects-based cyber operations that constitute attacks. Attacks are permissible against all combatants, military objectives, members of an armed group belonging to a party to the conflict, and civilians while they are directly participating in hostilities, irrespective of their location in relation to any active battlefield. The ‘active hostilities’ rules applicable to attacks are discussed further in Chapter 5.
15.15 During non-international armed conflict, the ‘active hostilities’ framework applies to effects-based cyber operations constituting attacks that produce effects in situations of high-intensity fighting involving sustained and concerted military operations, or in situations where a State does not exercise effective territorial control. These situations are discussed further in Chapter 4, Section 3.4. Outside these situations, effects-based cyber operations constituting attacks are regulated by the ‘security operations’ framework. The ‘active hostilities’ and ‘security operations’ rules applicable to cyber operations constituting attacks are discussed further in Chapter 5.
15.16 During international armed conflict the law of armed conflict permits the gathering of information on enemy forces and the enemy State.8 This rule is specifically designed to regulate monitoring activities. Monitoring-based cyber operations targeting enemy forces and the enemy State in international armed conflict are accordingly regulated by the ‘active hostilities’ framework.9
15.17 In non-international armed conflict the law of armed conflict does not explicitly address intelligence gathering or monitoring activities. However, international human rights law establishes detailed rules in this regard.10 These rules accordingly provide the primary framework, and monitoring-based cyber operations are regulated by the ‘security operations’ framework.
15.18 In both international armed conflict and non-international armed conflict, monitoring-based cyber operations targeting civilians are regulated by the ‘security operations’ framework. These activities are not explicitly regulated by the law of armed conflict, but are subject to detailed international human rights law rules. International human rights law accordingly provides the primary framework.11
15.20 Cyber operations involving monitoring activities directly bring into play the right to private life established under international human rights law. Effects-based cyber operations may bring into play a number of human rights. The relevant international human rights law requirement(s) is dependent upon the specific effects in question. International human rights law requires that all foreseeable consequences of a cyber operation be taken into consideration.
15.21 In international armed conflict monitoring-based cyber operations targeting enemy forces or the enemy State are regulated under the ‘active hostilities’ framework. This section is primarily concerned with monitoring-based cyber operations in non-international armed conflict, and cyber operations targeting civilians in either international or non-international armed conflict.
15.22 Cyber operations involving monitoring activities directly bring into play the right to private life established under international human rights law. Other rights may be indirectly affected. For instance, a ‘chilling effect’ caused by monitoring activities may bring into play the right to freedom of expression.12
15.23 The right to private life is particularly relevant to cyber operations with intelligence gathering components, including those involving the interception of communications. The right to private life is relevant to both territorially focused and extra-territorially focused intelligence activity. Article 17 of the International Covenant on Civil and Political Rights states:
1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
2. Everyone has the right to the protection of the law against such interference or attacks.
2. There shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.13
15.26 The European Court of Human Rights has held that private life is a broad term that cannot be exhaustively defined. It covers, for example, an individual’s physical and psychological integrity, physical and social identity, and means of personal identification.16 Private life incorporates an inner circle of private activity, as well as an external element including a zone of interaction with others, even if this interaction occurs in a public context.17
15.27 During international armed conflict the law of armed conflict permits the gathering of information on enemy forces and the enemy State.18 This rule is specifically designed to regulate monitoring activities. Monitoring-based cyber operations targeting enemy forces and the enemy State in international armed conflict are accordingly regulated by the ‘active hostilities’ framework.19 International human rights law is consistent with these requirements.
a. the existence of legislation allowing for the secret monitoring of communications constitutes an interference with the right to privacy of all affected persons;20
b. the storage of data relating to an individual’s private life constitutes an interference with the right to private life,21 even if that data is collected in a public place, relates to an individual’s public activities,22 or is conducted without resort to covert surveillance methods;23
c. if information is recorded legitimately, the subsequent processing of that information may constitute an interference with the right to private life.24
15.29 International human rights law requires that, to be lawful, any interference with the right to private life must satisfy the following criteria:25
a. The interference must be established by law.
b. The interference must occur on the basis of a legitimate interest, such as national security, or the prevention of crime.
c. The interference must be necessary in a democratic society. In this regard relevant and sufficient reasons for the interference must be specified and the interference must be proportionate to the legitimate aim pursued.26
15.30 The ‘established by law’ criterion requires that any interference with the right to private life must have a basis in national law, understood as including rules of public international law applicable in the State concerned. This criterion also relates to the quality of the law, and requires that the law be: compatible with the rule of law; accessible; and foreseeable, such that a concerned individual can foresee the law’s consequences for them.27 The requirement of foreseeability in the context of secret surveillance is distinguished from other fields:28 it does not ‘mean that an individual should be able to foresee when the authorities are likely to intercept his communications so that he can adapt his conduct accordingly’.29 Instead it is required that detailed rules on surveillance/interception be established, in order to provide an ‘adequate indication’ of the circumstances and conditions under which the State may engage in secret surveillance/interception of communications.30
15.31 To ensure compliance with the rule of law, the law regulating measures of secret surveillance or intelligence gathering must clearly indicate the scope of the competent authority’s power in relation to the authorization of such activity, and how this power is to be exercised. This must be indicated with sufficient clarity to ensure adequate protection against arbitrary interference with the right to private life.31 The European Court of Human Rights has developed a number of minimum safeguards applicable to secret measures of surveillance. The following criteria must be incorporated into the underlying law:
a. the nature of the offences which may give rise to an interception order;
b. a definition of the categories of people liable to have their communications intercepted;
c. a limit on the duration of the interception;
f. the circumstances in which recording may or must be erased or the data destroyed.32
15.32 The established by law criterion applies equally to individually targeted operations and to more general intelligence gathering operations.33 The law of armed conflict does not establish explicit rules relating to surveillance targeting enemy forces in non-international armed conflict, or surveillance targeting civilians in either international or non-international armed conflict. It is therefore likely that a legal basis for such surveillance measures must be established under national law, as required by international human rights law. The law of armed conflict provides the required legal basis for monitoring-based cyber operations targeting enemy forces or the enemy State in international armed conflict.34
15.33 Any interference must pursue a legitimate interest, such as the protection of national security or the prevention of disorder or crime. During armed conflict, intelligence gathering or other cyber operations may be justified on the basis of national security. States party to the European Convention on Human Rights are typically awarded a margin of appreciation in this regard.35
15.34 The necessity criterion requires that any interference be necessary in a democratic society. Evaluation of this criterion is dependent upon the circumstances at hand and involves establishing a proportionate balance between the legitimate interest on one hand, and the seriousness of the interference with the rights of affected individuals on the other.36 In balancing these interests, a margin of appreciation is extended to the State. The scope of this margin of appreciation is dependent on factors such as: the nature of the affected right(s); the importance of these rights to the individual; the nature, scope, and duration of possible measures; the grounds required for ordering the measures; the authority competent to authorize and supervise the measures; the remedy available under national law; and the goal underpinning the interference.37 Applied to the right to private life and cyber operations, the margin of interpretation has been interpreted narrowly in relation to: the automatic processing of personal data, particularly for policing purposes; and measures of secret surveillance.38 Any such measure will be evaluated against a test of ‘strict necessity’:
A measure of secret surveillance can be found as being in compliance with the Convention only if it is strictly necessary, as a general consideration, for the safeguarding the democratic institutions and, moreover, if it is strictly necessary, as a particular consideration, for the obtaining of vital intelligence in an individual operation.39
15.35 If surveillance measures target a specific individual, international human rights law requires that a ‘reasonable suspicion’ against the person concerned should exist.40
15.36 International human rights law requires that the authority competent to authorize surveillance must be sufficiently independent from the executive. In this regard a non-judicial authority may be compatible with international human rights law.41 A record of all interceptions must be kept in order to ensure that the relevant authority has effective access to information regarding any surveillance measures undertaken.42
15.37 Strategic monitoring or interception of communications (i.e. broad surveillance measures not directed at specific individuals) may only be permissible under certain restrictive conditions, and in respect of certain serious criminal acts.43 General mass surveillance may be regarded as interfering with the ‘essence’ of the right to private life, and as impermissible on this basis.44
15.38 The copying of certain data may bring into play the right to property established under international human rights law.45 However, a number of other elements of international law, such as the law relating to intellectual property, the principle of non-intervention, and international trade law, are also relevant. This discussion is beyond the scope of this Guide.
15.39 Effects-based cyber operations may bring into play a number of human rights. The relevant international human rights law requirement(s) is dependent upon the specific effects in question. For instance, a cyber operation intended to result in physical harm—by causing an explosion or causing a flight navigation system to malfunction—may bring into play the right to life. A cyber operation intended to modify or destroy individuals’ personal records may bring into play a diverse range of rights, dependent upon the content of the modified data. Potentially affected rights include the right to private life, the right to health,46 or the right to property. The ‘active hostilities’ framework incorporates relevant human rights considerations. This is discussed further in Chapter 5.
15.40 International human rights law requires that, when determining the effect of a cyber operation, it is the overall effect of a cyber operation that must be evaluated. For example, protections associated with the right to life apply ‘to any activity’ that endangers life, and any use of force may implicate right to life protections, irrespective of intent to kill.47 A calculation of effects cannot be restricted to the immediate intended purpose of the operation, but must also incorporate its ‘foreseeable consequences’.48 Of concern are those consequences that pose a ‘real risk’49 of a violation of international human rights law,50 and in particular of irreparable harm.51 For example, if a cyber operation is intended to bring down an air traffic control system as part of a military operation, the foreseeable harm to civilian aviation must be taken into consideration. Equally, if a cyber operation is intended to result in the destruction of infrastructure, the foreseeable harm to affected civilians must also be taken into consideration.
15.41 The evaluation of whether participation in a cyber operation constitutes direct participation in hostilities is determined in accordance with the law of armed conflict. The difficulty in accurately identifying the source of a cyber operation and the possibility that a computer may be manipulated to participate in hostilities without the owner’s knowledge mean that particular attention is necessary when determining if a civilian may be classified as directly participating in hostilities.
15.42 Whether participation in a cyber operation constitutes an act of direct participation in hostilities must be evaluated in accordance with the law of armed conflict.52 Both effects-based and monitoring-based cyber operations may qualify as acts of direct participation in hostilities, dependent upon the circumstances. To qualify as an act of direct participation in hostilities, participation in a cyber operation must satisfy three cumulative criteria:
c. there is a belligerent nexus between the act in question and the armed conflict.53
15.44 The nature of cyber operations may increase the possibility that civilians will be directly participating in hostilities. Participation in cyber operations can occur at a significant geographical remove from the site of an armed conflict, and participation in certain cyber operations requires minimal technical expertise. For instance, while advanced technical knowledge may be required to develop a cyber capability, once developed that cyber capability can be compiled into an executable file. To launch this cyber capability an individual need only obtain the executable file (for instance, by downloading it from the Internet) and run it. Dependent on the cyber capability in question, downloading and running the file may constitute an act of direct participation in hostilities.
15.45 However, two significant issues arise in relation to determining whether participation in a cyber operation constitutes an act of direct participation in hostilities. The first is the issue of identifying the source of a cyber operation. The second is the possibility that a computer system may be manipulated and used to participate in an attack, without the owner’s knowledge. These factors require that particular caution be exercised when determining whether a civilian engaged in cyber activity may be classified as directly participating in hostilities. The precautions required in attack are relevant in this regard. These are discussed further in Chapter 5, Section 3.
15.46 Accurately identifying the source of a cyber operation can be exceptionally difficult. This gives rise to concrete difficulties when determining an individual’s participation in a cyber operation. Anonymity is a key feature of technology and the Internet. As such it can be difficult to identify (a) the individual(s) responsible for the development of a cyber capability and (b) the source of a particular operation. For instance, examination of a cyber capability may reveal its operating code, providing clues as to the identity of the developer(s). However, effectively proving an individual’s responsibility for a particular piece of code may be difficult in the absence of physical evidence. Similarly, a cyber capability may deliberately infiltrate a series of computer systems in order to mask the origin of an attack.54
5.2. The Possibility That a Computer May Be Manipulated to Participate in a Cyber Operation Without the Owner’s Knowledge
15.47 A cyber capability may manipulate a computer system in order to cause that system to participate in a cyber operation, without the system owner’s knowledge. This possibility gives rise to concrete difficulties in determining whether a particular individual participated in a cyber operation. Two examples illustrate this issue. First, a cyber capability may deliberately infiltrate a series of computer systems in order to mask the origin of an attack. Second, a cyber capability may infect a series of computer systems in order to utilize the infected network to launch an attack, without the owner’s knowledge. This is one potential basis for a flooding attack: a large number of information requests are simultaneously transmitted from a large number of infected systems, overwhelming the computational capacity of the target system.
15.48 Non-State cyber operations may be conducted by armed groups, individuals, or groups of individuals, often referred to as ‘cyber collectives’. Individuals or groups of individuals may conduct cyber operations in support of an armed group while remaining independent of that group.
15.49 Armed groups may establish a cyber unit, or task members of the armed group with conducting cyber operations on the group’s behalf. The law of armed conflict applies to armed groups party to an armed conflict.55 The use of force against an armed group is regulated by the ‘active hostilities’ framework or the ‘security operations’ framework, dependent upon the situation. Application of these frameworks is discussed in Chapter 4. The rules regulating the conduct of hostilities are discussed in Chapter 5. Issues relating to the qualification of cyber conduct as direct participation in hostilities are discussed in Section 5. Armed groups not qualifying as parties to an armed conflict are addressed in para. 15.51.
15.50 An individual, acting independently of a State or an armed group, may take part in cyber operations. Whether the individual’s activity constitutes direct participation in hostilities is discussed in Section 5.
15.51 A group of individuals, acting as a cyber collective, but existing independently of States and armed groups party to an armed conflict, may take part in cyber operations. Two possibilities exist in this regard. First, if the cyber collective satisfies the organization and intensity criteria established under the law of armed conflict, it may qualify as a party to a non-international armed conflict. As such, the cyber collective will be regarded as an armed group. This is discussed in para. 15.49. Second, if the cyber collective does not qualify as a party to an armed conflict, it must be regarded as a collection of individuals. Members of the cyber collective, either individually or collectively, may be directly participating in hostilities. This is discussed in Section 5.
1 Cyber operations are discussed in detail in the Tallinn Manual on the International Law Applicable to Cyber Warfare. This Guide adopts a different approach to the Tallinn Manual in certain respects. Any differences are highlighted below.
3 See further Ibid., p. 262.
5 This understanding of attack is broader than that proposed in the Tallinn Manual. The majority of experts at Tallinn were of the opinion that interference qualifies as damage if restoration of functionality requires replacement of physical components. See Ibid., p. 108.
9 For further discussion relating to the choice of the appropriate framework see Chapter 4, Section 3.
11 For further discussion relating to the choice of the appropriate framework see Chapter 4, Section 3.
13 See also American Convention on Human Rights, Article 11; Arab Charter on Human Rights, Article 21. A right to private life/privacy is not explicitly established in the African Charter on Human and Peoples’ Rights.
19 For further discussion relating to the choice of the appropriate framework see Chapter 4, Section 3.
24 Ibid., para. 59.
25 The requirements established by the Human Rights Committee to evaluate the legitimacy of any restriction reflect those established by the European Court of Human Rights. See Albert Womah Mukong v. Cameroon, Views, Human Rights Committee, Communication no. 458/1991, U.N. Doc. CCPR/C/51/D/459/1991, 10 August 1994, para. 9.7.
27 Ibid., paras. 228–9; HRC General Comment no. 16, paras. 3–4.
31 Ibid., para. 230.
36 S. and Marper v. the United Kingdom, Judgment, App. nos. 30562/04, 30566/04 (ECtHR, 4 December 2008) para. 101; HRC General Comment no. 27, paras. 13–14; Compulsory Membership in an Association Prescribed by Law for the Practice of Journalism (Arts. 13 and 29 American Convention on Human Rights), Advisory Opinion, IACtHR, 13 November 1985, para. 67.
38 S. and Marper v. the United Kingdom, Judgment, App. nos. 30562/04, 30566/04 (ECtHR, 4 December 2008) para. 102; Weber and Saravia v. Germany, Judgment, App. no. 54934/00 (ECtHR, 29 June 2006) para. 106; Szabo and Vissy v. Hungary, Judgment, App. no. 37138/14 (ECtHR, 12 January 2016) para. 57.
45 Protocol I, European Convention on Human Rights, Article 1; American Convention on Human Rights, Article 21; Arab Charter of Human Rights, Article 31; African Charter on Human and Peoples’ Rights, Article 14.
46 Consequent to the destruction or manipulation of health records. This may also affect other rights. For example, if soldiers’ blood group records are modified, resulting in incorrect blood transfusions, this may bring into play the right to life.
53 Ibid., p. 119, para. 4.
54 For instance, Ibid., p. 110, para. 19; p. 115, para. 4.
55 Ibid., Rule 34, discusses attacks against certain categories of persons, including members of an armed group.