CYBER OPERATIONS AND THE IMPERFECT ART OF

“TRANSLATING” THE LAW OF WAR TO NEW TECHNOLOGIES

Since the inception of combat as an organized endeavor, humans have

innovated new means and methods of warfare to gain advantage over their
adversaries. Some of these innovations have been subtle. Others have been far
more impactful and transformative, resulting in profound changes to the very
character of warfare itself. History is replete with examples of science and
technology changing the face of battle—inventions as simple as the bow and
arrow and as complex as the weaponization of nuclear reactions. Although not
always the case, these technological innovations often engender increased
destruction and lethality and the attendant risk of collateral harm to civilians
and non-combatants. And for as long as humans have sought to place
boundaries around the conduct of hostilities to limit their harmful effects, at
each turn these technological developments have raised difficult moral,
ethical, and legal questions. This is especially true today with the
unprecedented pace of scientific and technological change and the continuous
advent of novel means and methods of warfare such as artificial intelligence,
cyber capabilities, unmanned vehicles, directed energy weapons, and space
capabilities. As evidenced by continued uncertainties regarding the law of
war’s role in regulating cyber operations, the process of applying extant legal
regimes to new technologies is often a stiff uphill climb.
Can the Law of War Keep Pace? 
The accelerating rate of innovation and technological change has generated
serious debates about the law of war’s ability to keep pace. Some advance the
view that the law of war is antiquated and incapable of responding adequately
to these new developments. With each new technology come overwrought
calls for new regulation or outright bans. In the context of cyber, autonomous
weapons, or drones, for example, there are numerous cries to adopt new
regimes to specifically regulate or ban these emerging means and methods of
warfare—what might be described as lex speciali within the lex specialis of the
law of war.
Others take the opposite position. They argue that the law of war is not static
and is perfectly capable of addressing the development and incorporation of
novel means and methods of warfare. It is comprised of a carefully
constructed—if imperfect—set of rules. These rules are derived from
fundamental, interrelated, and mutually reinforcing principles flexible enough
to respond to the vast majority of situations presented by new technologies.
In its Nuclear Weapons Advisory Opinion, the International Court of Justice
suggested that the cardinal principles of distinction and the prohibition on
causing unnecessary suffering, along with the “catch-all” policy reflected in
the Martens clause of the Hague Convention II and Article 1 of Additional
Protocol I, provide an effective means of addressing the rapid evolution of
military technology. The DoD Law of War Manual adopts a similar approach.
For example, on the question of weapons reviews, it clearly considers the
novelty of a weapon or capability to be immaterial to its legality. States need
not find authorization in the law of war to develop and incorporate new
weapons technologies. The presumption is the exact opposite. In the absence
of a specific prohibition, the question of legality at the procurement stage
turns solely on whether the weapon or capability can be employed consistent
with the law of war’s cardinal principles and any specifically applicable treaty
or customary international law rules. Once a new capability is integrated into
a State’s arsenal, the law of war presumptively governs its operational
employment like any other means or method of warfare.
In his oft cited speech before the U.S. Cyber Command Legal Conference in
2012, then State Department Legal Adviser Harold Koh also advocated for this
latter approach when discussing the applicability of the law of war in the
context of cyber operations. Openly rejecting the notion that the law of war is
inadequate to the task, he stated:
This is not the first time that technology has changed and that international
law has been asked to deal with those changes. In particular, because the tools
of conflict are constantly evolving, one relevant body of law—international
humanitarian law, or the law of armed conflict—affirmatively anticipates
technological innovation, and contemplates that its existing rules will apply to
such innovation.
He went on to note that the law of war provides sufficient guidance to address
new technologies at both the procurement stage and later during operational
employment of capabilities—a position echoed in the DoD Law of War
Manual’s approach generally, and with respect to its specific discussion of
cyber operations.
So far so good. Elsewhere, Professor Koh correctly eschews treating novel
means and methods of warfare as arising in a legal vacuum or “black hole.”
But as he also recognizes, new technologies can “raise new issues and thus,
new questions” that can turn on devilishly hard details. He advocates
addressing these new questions through what he has described as a
translation exercise, “where we must translate what Montesquieu called the
‘spirit of the laws’ to the present-day situation.” Overall, this is sound advice,
and experience tells us that most practitioners generally fall in the Koh camp,
and with good reason.
But as any polyglot can attest to, translation is as much—if not more—art than
science. And, more importantly, it has its limits. Specific points can often get
lost in translation, and literalism usually fails to convey accurate meaning and
intent. So, although the law of war is neither static nor incapable of adapting
to new technologies, caution is warranted in the translation process. Applying
pre-existing legal rules developed in distinct contexts to new technologies can
raise legitimate questions of whether the rules are sufficiently clear in scope or
content to adequately address a technology’s specific characteristics and
foreseeable humanitarian impact.
Specific Challenges in Translating the Law of War Concept of
“Attack” to Cyber Operations
Consider, for example, the continued uncertainty surrounding the law of war
concept of “attack” in the context of cyber operations. Translating the extant
law of war rules governing attacks—the most fundamental aspect of means-
and-methods regulation—to the cyber context has proved difficult for all but
obvious cases. It exposes both the strength and some of the distinct
weaknesses inherent in applying a rule set developed to address the sorts of
harms attendant to the use of primarily kinetic, destructive capabilities.
The term “attack” is at the heart of many of the most important jus in
bello rules regulating the conduct of hostilities such as the prohibitions on
attacking civilians or civilian objects, the ban on indiscriminate attacks, and
the rules of precaution and proportionality in the conduct of attacks. However,
notwithstanding the ubiquitous and imprecise use of the term to refer to all
manner of cyber operations, strictly and legally speaking not all harmful cyber
effects qualify as “acts of violence against the adversary”—the generally
accepted customary international law definition of attack reflected in
Additional Protocol I.
Of course, substituting “violence” for “attack” itself adds little clarity. To
understand the legal  definition of attack, one must dive even deeper. It is
generally accepted that to qualify as an act of violence, an action must cause
some injury or death to persons, or some degree—greater than de minimis—of
damage or destruction to objects. Where the employment of a means or
method of warfare crosses this threshold of harm, the full panoply of targeting
law kicks in. In contrast, while not unfettered, non-violent measures are not
subject to anywhere near the degree of regulation and restriction as are acts of
violence. As stated in the DoD Law of War Manual, “[t]he principle that
military operations must not be directed against civilians does not prohibit
military operations short of violence that are militarily necessary.”
This bright-line construct developed during an era when, based on the state of
science and technology at the time, it was typically obvious at the procurement
phase of a capability whether its purpose was to cause physical harm. And so,
it was relatively easy to identity and segregate means and methods of warfare
—whether at the procurement or employment phase—as weapons and attacks,
respectively. Thus, traditional weaponry was typically designed to cause a type
and level of harm that easily met the attack definition. However, the same
cannot be said for the wide range of effects that cyber and other novel
capabilities enable.
Where a cyber operation generates an effect amounting to physical damage to
objects, or death or injury to individuals, it is easy to conclude that AP I’s
definition of attack is triggered. In those cases, applying the law of war
targeting rules is non-controversial. The rules are perfectly capable of doing
their work.
However, the situation is different where the effects of an in bello cyber
operation fall below this bright line. There, significant questions linger as to
whether some lesser impact on the functionality of a targeted system is
sufficient to satisfy the attack definition or whether cyber operations directed
against data—no matter the impact on that data—can ever constitute an in
bello attack. Where one lands on these questions has direct implications for
the degree of discretion military commanders and operators have when
conducting cyber operations. That’s not to say that operational flexibility is a
bad thing. But from the perspective of hostilities regulation, overly literal
“translations” of the extant rules can also lead to counterintuitive, if not
outright absurd, results.
The Challenge of Digital Data
Let’s start with the open and difficult question of how to characterize digital
data. In both iterations of the Tallinn Manual (Tallinn and Tallinn 2.0), the
International Group of Experts struggled with this question. In both instances,
however, a majority came down on the side of viewing data as intangible and
therefore falling outside of the definition of “civilian object” for purposes of
the attack rules. They reached this conclusion based on a review of the ICRC’s
1987 Commentary to AP I, which characterized an object as something “visible
and tangible.” Given the undeniable importance to individuals and society
writ large that digital data holds in the information age, this is a questionable
and potentially problematic position.
Professor Michael Schmitt, the Tallinn project’s lead, has oft noted as much. If
this narrow, formalistic interpretation is correct, a finding of baseline military
necessity can justify the deletion, manipulation, or corruption of a wide swath
of non-military data that can potentially have significant impacts—both direct
and collateral—on a range of civilians and civilian entities that rely on that
data for any number of essential needs. The point is not that all negative
impacts should or could be proscribed. Some harm to civilians is an
unfortunate, but tolerated, reality of war. The point is simply to highlight the
potential discord between the existing rules and the unanticipated dynamics
of human interactions that new technologies often enable.
Incidental Civilian Harm and Proportionality
Or consider another anomaly raised by the unique nature of cyber operations
when assessed strictly against the law of war targeting paradigm: operations
anticipated to cause incidental damage to civilian objects or death or injury to
civilians may nevertheless not be subject to the rule of proportionality. How
can that be?
Consider an operation using a fully reversible effect to temporarily take a key
router off line as a means of disrupting enemy communications. Consider that
the operation involves foreseeable risk of injury or death to civilians whose
medical support devices or systems also depend on the free flow of traffic
across the router. If a kinetic means were used to destroy the router, there is
no doubt it would be considered an attack on the router and the civilians
would be considered foreseeable collateral damage for purposes of the
proportionality rule. Use of the cyber capability complicates this otherwise
straight forward analysis.
As noted above, where a cyber operation is neither intended nor reasonably
anticipated to cause physical damage to the device or network that is the
object of the operation, it is unlikely to qualify as an attack. Setting aside
debates about whether, and to what degree, causing some degradation to the
functionality of a “cyber” object might constitute an act of violence, it is
beyond dispute that not all cyber operations qualify as attacks. A reversible,
temporary effect on a router would likely fall into this category of not being an
attack. And as such, as a matter of law it would not trigger the proportionality
obligation reflected in the prohibition on indiscriminate “attacks” in Article
51 of AP I, or the precautionary obligations that attach to “attacks” in Article
57 of the same—a clearly counterintuitive result.
Looking at the Tallinn Manual 2.0, one might conclude that this is a non-
issue. Rule 92 of the Manual, which offers a definition of attack in the cyber
context, states that any operation “reasonably expected to cause injury or
death to persons or damage or destruction to objects” qualifies as an attack.
And according to the rule’s discussion the word “cause” is not limited to the
effects on the targeted cyber system but extends to “any reasonably
foreseeable consequential damage, destruction, injury, or death.” To the
extent that a cyber operation is conducted as an indirect means of causing
specific harm to persons or objects, this certainly makes sense. The example
offered in the Manual of manipulating a dam’s SCADA system with the intent
of causing a flood is a case in point. A more pointed example would be
targeting a life-support system with a reversible effect in order to kill the
dependent patient. However, this is a question of how one defines the “object”
of an attack—the dependent patient for example—but must be distinguished
from the notion of causing incidental civilian damage, injury, or death
encompassed in the proportionality rule.
Read too broadly, the definition of attack in the Tallinn Manual 2.0 would
render the proportionality rule superfluous, as it would erase any distinction
between the object of an attack and collateral or incidental harms. In so doing,
it would upend the accepted formulation in the proportionality rule for
balancing military necessity against expected incidental harms, which are
unlawful only when expected to be “excessive in relation to the concrete and
direct military advantage anticipated” by the predicate attack. The Manual’s
sweeping definition is simply discordant with the established structure of the
law of war targeting rules.
True as this may be, it is of little solace to the civilians who might nevertheless
be placed at incidental risk from non-violent cyber operations. For the vast
majority of these operations, the law of war is capable of addressing these
risks through application of its general principles. More often than not, the
risks do not involve the types of harms contemplated by the targeting rules,
and the law of war does not prohibit all incidental impact on civilians
regardless of the means employed. The DoD Law of War Manual is correct in
noting that “remote harms and lesser forms of harm, such as mere
inconveniences or temporary disruptions, need not be considered in assessing
whether an attack is prohibited by the principle of proportionality.”
But the Manual is equally correct in stating that a “cyber operation that does
not constitute an attack is not restricted by the rules that apply to attacks.”
Where the incidental harm reasonably anticipated from such operations
would involve the kinds of harm set out in the proportionality rule, the law of
war is arguably deficient.
This is not to suggest that such operations should be conducted
cavalierly. Some would argue that other provisions of law, such as the
“constant care” requirement of Article 57.1 of AP I, should fill this gap, despite
substantial uncertainty as to the normative status and contours of that
principle. Certainly as a matter of prudence and sound advice, any operational
legal advisor worth his or her salt will counsel against proceeding without a
standard proportionality analysis under such circumstances and the
hypothetical may be fairly criticized as so remote as to not warrant serious
discussion about amending the existing targeting rules.
***
The point of raising these scenarios is simply to highlight the challenges, and
limits, to applying legal frameworks developed in different eras and contexts
to new technologies. History is replete with examples of poor translations
affecting the course of history. Sometimes, new pegs are simply too square to
force through a round hole.
***
Professor Gary Corn, Colonel (Ret), is the Director of the Technology, Law &
Security Program and Adjunct Professor of Cyber and National Security Law
at the American University Washington College of Law, a Senior Fellow in
National Security and Cybersecurity at the R Street Institute, a member of the
Editorial Board of the Georgetown Journal of National Security Law and
Policy, the Principal and Founder of Jus Novus Consulting, and is an Advisory
Board Director for the Cyber Security Forum Initiative.