Applicability of International Humanitarian Law (IHL) on cyber warfare

Apoorva Sharma, Institute Of Law, Nirma University, Ahmadabad

The end of law is not to abolish or restrain, but to preserve and enlarge freedom. For in all the states of created beings capable of law, where there is no law, there is no freedom
-John Locke

Jus in bello, conjointly called the International Humanitarian Law [IHL] ((See generally, The Law of Armed Conflict: Constraints on the Contemporary Use of Military Force By Howard M. Hensel; The Law of Armed Conflict: International Humanitarian Law in War By Gary D. Solis; International law and armed conflict: exploring the faultlines: By Michael N. Schmitt, Jelena Pejic, Yoram Dinstein.; The conduct of hostilities under the law of international armed conflict By Yoram Dinstein; The contemporary law of armed conflict By Leslie Green; The law of war By Ingrid Detter Delupis, 2nd edn CUP 2000))is the section of law of nations, handling the protection of persons who are no longer collaborating within the hostilities which restricts the means and strategies of warfare. It includes written and customary law, because the latter has been crystallized throughout history ((ICRC has contributed with a recent customary IHL database published with the results of research on customary humanitarian law conducted in 2005, available at

International law is a body of rules and regulations governing the relation between states and International Humanitarian law is just a part of it, which applies only to armed conflict. During warfare and armed conflicts, the law that binds the countries is International Humanitarian law, which objectifies the existence of Humanity before brutal destructions.
It has its operation within these two ambits:

  • The protection of those who are not a part of the war; Civilians.
  • Restrictions on the means of warfare; in particular the weapons and the methods to be adopted during the warfare, that involves the military tactics.

International humanitarian law prohibits all means of warfare which

  • Causes injury, the consequences of which is unnecessary sufferings;
  • Causes severe and permanent damage to the environment.

This paper gives out the attainable application of the law of war in international cyber conflict, with the application of the final principles of Jus in bello in cyber-attacks. Since the law of war is applicable on all or any military operations then why should cyber warfare operation be an exception?

Can IHL be applied on cyber warfare?

International Humanitarian Law has banned the use of many weapons that includes exploding bullets, chemical and biological weapons, blinding laser weapons and anti-personnel mines. An International Criminal Court (ICC), was created by the 1998 Rome Statute to try cases relating to IHL. 21st century encountered the emergence of new military warfare concepts, and Cyber warfare is one of them. Where under, Computer networks are used for cyber-attacks instead of conventional weapons; and satellites are used for providing images far more detailed than human spies and reconnaissance units have ever offered. Cyber warfare has been explained as any hostile measure taken against an enemy designed “to discover, destroy, disrupt, alter, or transfer data kept in a computer that is manipulated and transmitted through a computer network ((Legal Vacuum in Cyber Space, International Committee of the Red Cross, available at, visited on 26 December 2012)).” Examples of hostile use includes computer attacks on air traffic control systems, on oil pipeline flow systems, controlling the activities of a particular network, edit or alter the crucial information in a network and nuclear plants. It is an attack based on networks which is adopted by many countries to reduce their frustration and also to avoid the real war situation.

Examples of Cyber attacks

Chinese attack on US and Google through Ghost net spyware network upon confidential information of more than 100 countries are few examples which acquaint us with the concepts of cyber warfare. The main issue is whether the basic principles of IHL that is military necessity, distinction and proportionality are flexible enough to accommodate 21st-century-evolvedmodern method of cyber warfare?

Contemporary armed conflicts is to be controlled through a body of law which have not yet become adaptable to contemporary legal and practical challenges, introduced by robots and robotic devices, which replaced foot soldiers, the deployment of drone instead of manned aircrafts, and by using computer networks for cyber-attacks rather than use of conventional weapons. Though one may argue that cyber warfare is not specifically a warfare technique, any illegal act done by anyone can be culminated using networks, which need not be delved into the warfare arena. Cyber operations are in fact used in crimes committed in everyday situations that have nothing to do with warfare. A large proportion of operations popularly termed as “cyber-attacks” are in fact network disruptive attacks carried out for gathering illicit information and it usually occurs outside the arena of armed conflicts. But in the situation of armed conflict, IHL is applicable when the parties resort to techniques of warfare based upon cyber operations.

Cordula Droege ((legal expert of International community for Red Cross(ICRC).)), explains that the existing legal framework is applicable and must be respected even in the cyber realm ((Coduladroega, ’’Elective affinities? Human rights and humanitarian law”, 30-09-2008 Article, International Review of the Red Cross, No. 871, published on 30-09-2008)). According to a study conducted by Mr. Anton Camen (Expert from International Committee of the Red Cross) surveyed the main areas in which new technologies challenges the existing principles of IHL: cyber-warfare, automated systems (robotics), and new kinetic weapon ((Anton canon, Anton’s weekly digest of International scholarship, Vol.3,Nos 21, published on 24 May 2012)). His conclusion was that the traditional principles of IHL are, as a rule is inductive. Thus, it is clear that the rules of IHL are flexible enough to make it applicable on cyber warfare . As it did not incorporate itself as pigeon hole ((Stasysjukna, The pigeonhole principles, Springer Berlin Heidelberg publication, ISBN; 978-3-642-17363-9))legislation but as an inductive piece which is flexible enough to accommodate changes as per changing circumstances. In fact it is the role of International committee for Red Cross (ICRC) to look upon the valid developments to be adopted into IHL. There are several examples where new developments were adopted. Few of them are:-

  • The Protocol about glary optical maser weapons, adopted at the capital of Austria Diplomatic Conference in Oct 1995, prohibits each the employment and transfer of optical maser weapons, one in every of whose specific combat functions is to cause permanent visual impairment.
  • Within the case of mines, the sphere of application of Protocol II to the 1980 Convention was extended by the adoption; in Geneva on three could 1996, of associate amended version of the Protocol on prohibitions on the employment of mines, booby traps and alternative devices. The Convention on the prohibition of the employment, reposition, production and transfer of anti-personnel mines and on their destruction, signed by 121 countries in Ottawa on 3-4 Gregorian calendar months 1997, entirely prohibits anti-personnel mines issues.

Even though IHL doesn’t specifically mention cyber warfare, the Martens clause ((Rupert Ticehurst, The martens clause and the armed conflict, International review of the red cross, published on 30-04-1997)), that is associated with accepted principle in IHL, says that, “whenever a state of affairs isn’t coated by a global agreement, “civilians and combatants stay below the protection and authority of the principles of jurisprudence derived from established custom, from the principles of humanity, and from the dictates of public conscience ((ibid)).” New technologies of all types area unit being developed all the time and IHL is sufficiently broad to accommodate these developments. IHL limits the employment of sure weapons specifically (for instance, chemical or biological weapons, or anti-personnel mines). However it additionally regulates, through its general rules, all means that and strategies of warfare, as well as the employment of all weapons. specifically, Article 36 of I protocol to the Geneva Conventions provides that, In the study, development, acquisition or adoption of a brand new weapon, means that or methodology of warfare, a High getting Party is below associate obligation to see whether or not its employment would, in some or all circumstances, be prohibited by this Protocol or by the other rule of jurisprudence applicable to the High Contracting Party ((Article 61, International Humanitarian Law – Treaties & Documents, Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), available at, visited on 28th December 2012)),” on the far side the precise obligation it imposes on States parties, this rule shows that general IHL rules apply to new technology.


Generalisation of the objective of the attack

The basic rule of the law of war (IHL) is enshrined in Additional Protocol I article 48, according which,

In order to ensure respect for and protection of the civilian population and civilian objects, the Parties to the conflict shall at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly shall direct their operations only against military objectives.

This is the area of concern when it comes about cyber warfare, as it generalises the target or target of attack. As per IHL rules some principles ought to be followed just in case of a warfare. It may be a general rule that attacks ought to be used just for weakening the enemy or military forces and not for inflicting hurt to any civilian. So it states that civilians ought to be protected and separated from military networks and warfare arena. This can be referred to as the principle of ‘Distinction ((Jean- marieHenkaerts& Louise doswald-beck, principle of distinction, principle difference between civilian object and military object, section A, practice relating to Rule 7, Customary International Humanitarian Law, volume 1)).’ The principle of distinction states that parties to a conflict distinguish the least bit times between civilians and combatants and between civilian objects and military objects. Attacks could solely be directed against combatants or military objectives. Indiscriminate attacks, that are attacks that cannot be directed at a selected military objective or whose effects cannot be restricted as needed by IHL, are prohibited ((Article 48, Additional protocol I)). Similarly, attacks against military objectives or combatants are prohibited if they will be expected to cause incidental civilian casualties or harm which might be excessive in regard to the concrete and direct military advantage anticipated (so-called disproportionate attacks). Cyber-attacks have eliminated the boundaries between civilians and military. Cyber operations will raise humanitarian issues, specifically once their result is not restricted to the information of the targeted system or PC. Indeed, they are typically supposed to own an impact within the “real world.”

For example, by change of state with the supporting PC systems, one will manipulate associate enemy’s traffic management systems, pipeline flow systems or nuclear plants. The potential humanitarian impact of some cyber operations is so monumental. Cyber operations that are distributed to date, as an example in Republic of Estonia, Georgia and Asian nation, cannot seem to own had serious consequences for the civilian population.

In 2007 the Government of Estonia, the ‘most wired country in Europe’ ((Also known as E-Stonia, as the Parliament has declared internet access to be a basic human right. 95% of daily transactions are conducted online, with state services being offered such as eBusiness, eState, ePolice, eBanking and even eVoting.))decides to relocate a disputable Soviet War memorial ((For more on the so-called Bronze Soldier, and the tempestuous events that came to be known as the Bronze Night, see further e.g. A Sinisalu, ‘Propaganda, Information War and the Estonian-Russian Treaty Relations: Some Aspects of International Law’, 2008 XV Juridica International, 154-162, available at from the Tall in centre. The very next day and over the course of the subsequent 3 weeks, devastating cyber attacks, hosted by Russian state laptop servers, target and cripple parliament and ministries’ websites, government communications, on-line banking systems and websites of leading news organizations. The events lead to talks concerning ‘Web War I’ (( in NATO establishing a Tallinn-based Cooperative Cyber Defence Centre of Excellence the following year.

However, it appears that it is technically possible to interfere with airfield management systems, alternative transportation systems, dams or atomic power plants via cyber area. Probably ruinous eventualities, like collisions between craft, the discharge of poisons from chemical plants, or the disruption of significant infrastructure and services like electricity or water networks, so cannot be pink-slipped. The most victims of such operations would possibly be civilians. It is actually attainable that cyber operations may have fatal consequences for civilians. This suggests that, in coming up with and winding up cyber operations, the sole targets permissible below IHL is military objectives, like PC or computer systems employed in support of military infrastructure or of infrastructure used specifically for military functions. It follows that attacks via cyber area might not be directed against, as an example, PC systems employed in medical facilities, schools, and alternative strictly civilian installations. The problem of humanitarian concern during this respect is that cyber area is characterised by interconnectivity. It consists of innumerable interconnected PC systems across the planet. Military PC systems seem to usually be interconnected with industrial, civilian systems and to accept them in whole or partially. Thus, it would preferably be not possible to launch a cyber-attack only on military infrastructure and limit the consequences to only on to that of military objective. For example, the employment of a worm that replicates itself and cannot be controlled, and may so cause goodly harm to civilian infrastructure, would be a violation of IHL. All IHL rules governing the conduct of hostilities area unit probably applicable throughout armed conflict; however whether or not they are relevant in such a context, and the way they might be applied in are real issues.

The principle of military necessity presents a less thorny issue. Simply stated, the intended target must have military value and receive only enough force to ensure its destruction. From a targeting standpoint, the information warrior like any other military commander can easily avoid war crimes charges if he or she refrains from choosing purely civilian objectives: Stock exchanges, banking systems, universities, and similar civilian infrastructures may not be attacked simply because a belligerent has the ability to do so ((SW Brenner, MD Goodman, ‘In Defense of Cyberterrorism: An Argument for Anticipating Cyber- Attacks, Journal of Law, Technology & Policy, Vol. 2002, Issue 1 (Spring 2002)’, pp. 1-58, at 14)).’

The Additional Protocol I of the 1949 Geneva Conventions ((Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977))provides in article 43 that the armed forces consists of all organised armed forces, which is under a control responsible to that party for the conduct of its subordinate. However, if one turns to states’ observe on a world level, it’ll be evident that cyber forces, commencing to represent a separate branch of each technologically advanced state’s army, has set the instance with the recent inauguration of people Cyber Command (USCYBERCOM) as Associate in Nursing militia sub-unified command, subordinate to the Department of Defence, followed by Great Britain, that launched a Cyber Security Operations Centre (( see also see also check of the cupboard workplace. Thus, if taken without any consideration that a cyber-force will represent a part of a state’s militia, it is terribly straightforward for cyber-attacks to fall among the legal scope. As for cyber-attacks area unit perpetrated by hackers, United Nations agency may be thought of as ‘mercenaries’, forward that a state hires them towage targeted cyber-attacks.

What ought to be done

The party answerable for associate attack should take measures, to the most extent possible, to avoid or minimize incidental harm to civilian infrastructure or hurt to civilians. It can be required to validate the character of the systems the area unit of which being attacked and also the attainable harm which may prove from associate attack. It additionally means once it becomes apparent that associate attack can cause excessive incidental civilian harm or casualties, it should be turned off.

Also, parties to conflicts have associate obligation to require necessary precautions against the consequences of attacks. It might so be wise for them, so as to guard the civilian population against incidental effects of attacks, to assess whether or not military PC systems area unit sufficiently break free civilian ones. The reliance of military PC systems and connections on civilian systems contractors that are used for civilian functions may well be a cause for concern.

On the opposite hand, analysis and development ought to be promoted for development of such technology that may facilitate in edging out violation of IHL by exempting civilians in an exceedingly cyber warfare. Hackers ought to be appointed to an excellent extent to avoid such things and to guard civilians. Information technology may additionally serve to limit incidental harm to civilians or civilian infrastructure. For example, it would be less damaging to disrupt the services used for military and civilian functions than to destroy infrastructure utterly. In such cases, the principle of precaution arguably imposes associate obligation on States to decide on the less harmful means that to attain their military aim.


Another issue that emerges is building upon the identity of a cyber-attack to a particular state. It’s extremely unlikely that inter state cyber-attacks will be perpetrated by the heads-of-state themselves, on condition that a high degree of experience in computer technology is required. So, since a bunch of hackers are going to be the one ‘hired’ by a government to wage the attack, however can the group’s actions be attributed to the particular state? ((International legal literature has not addressed yet effectively the subject. See Shackelford nuclear 233. Dinstein in MN Schmitt, Computer Network Attack and the Use of Force in International Law :Thoughts on Normative Framework – [s.l.] : US Air Force Academy, 1999, at 103; Barkhamsupra note 18, at 97; Graham 92 and 95. also Todd, but dealing mainly with cyber espionage))Allegedly, it’s notably tough not solely to prove that a cyber attack has taken place but conjointly to trace the culprit of associate degree attack, including seeking out the specified nexus between the hacker and therefore the accountable state so as to attribute the acts to the actual state.

In reality, however, if a black hat hacker with malicious intentions is knowledgeable in camouflaging, or maybe in fully concealing the traces that may result in him, there is another hacker, a white hat hacker, equally knowledgeable in tracing him. For the needs of this study, it will be taken with a pinch of salt that the hackers will so be geographically copied, in order to proceed to a legal analysis of however their actions will be attributed to the responsible state ((Eg, Adkins 16 describes a ‘law enforcement diagnostic tool’, the ‘Carnivore’, used by the FBI to locate and identify hackers who ‘weave and loop’ through various computers in order to hide their actual location)). Further to the present, notwithstanding the attack is geographically copied, the scope of state attribution of the acts of a bunch of hackers stumbles upon the contentious issue of behaviour in the Net ((For an analysis on territoriality and jurisdiction in cyberspace, see Van de Bogart)). Retired General Michael Hayden, former director of the U.S. National Security Agency recently declared in associate degree completely flamboyant manner that one answer being discussed in government is to easily ignore (trying associate degree attempting) to work out if the supply of an attack is state-sponsored and hold nations to blame for malicious activity coming back from their Net ((‘Former NSA Director: Countries Spewing Cyber attacks Should Be Held Responsible’, July 29, 2010, available at, an online periodical on technology issues,

In the heart of the jurisprudence of state responsibility lay the 2001 Draft Articles on Responsibility of States for Internationally Wrongful Acts, statute by the International Law Commission ((Responsibility of States for Internationally Wrongful Acts, Yearbook of the International Law Commission, 2001, vol. II (Part II), Reproduced in the annex to General Assembly Resolution 56/83 of 12December 2001, and corrected by document A/56/49 (Vol. I)/Corr.4)). Chapter II of the Draft Articles posits that attribution of a conduct to a state is effectuated during a embarrassment of ways: entomb alia, through the conduct of the De facto or De jure organs of a state ((Article 4))[even in instances wherever they exceed their authority or contravene their instructions ((Article 7)), through the conduct of persons or entities travail elements of governmental authority ((Article 5)), and through the conduct of someone or cluster of persons acting below the directions of or below the directions or management of that State ((Article 8)). The half of the latter type of ‘immutability’ is that the most arguable one. The degree of management that should be exercised by the state so as for the conduct to be attributable to it had been a key issue in different cases of the international jurisprudence ((Case Concerning Military and Paramilitary Activities in and against Nicaragua Case (Nicaragua v United States of America), 1984, ICJ Reports 392 June 27, 1986; Prosecutor v. DuškoTadić aka Dule, Sentencing Judgement, Case No. IT-94-1-T, ICTY, 14 July 2007; Case Concerning the Application of theConvention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v.Serbia and Montenegro), ICJ General List No. 91, Judgment of February 26, 2007)). If a future cyber-attack is so waged by a bunch of hackers acting below the instructions, directions or management of a state, a specific issue can arise if the mutually contradictory dicta by the 2 world organisation tribunals square measure taken into thought.

The International Court of Justice dominated within the landmark 2007 Nicaragua Case that associate degree “Effective control” check is required for the state attribution to be achieved, whereas the International Criminal assembly for the previous Yugoslavia ((International Tribunal for the Prosecution of Persons Responsible for Serious Violations of International Humanitarian Law Committed in the Territory of the Former Yugoslavia since 1991))set within the famed Tadić Case that a looser, “overall control” check is satisfactory enough. The latter was harshly criticised by the ICJ in its landmark 2007 putting to death the Case as being unconvincing and unsuitable, because it ‘has the most important downside of broadening the scope of State responsibility well on the far side the elemental principle governing the law of international responsibility’. Thus, within the case that a future controversial cyber-attack is submitted to the International Court of Justice, it remains to be seen whether or not the standards used are tight or not and whether or not international responsibility of the perpetrator state are effectively engaged. Praiseworthy is additionally the proposal by Shackelford, UN agency moves even any and suggests that ‘using the putting to death Convention is a vehicle to carry responsible culprit nations that have putting to death as results of an enormous and deadly state-sponsored information warfare campaign.’


Thus we are able to conclude that the absence in IHL of specific references to cyber operations doesn’t mean that such operations cannot be subject to the foundations of IHL. If it means that and strategies of cyber warfare manufacture identical effects within the world as standard weapons (such as destruction, disruption, damage, injury or death), they are ruled by identical rules as standard weapons. Since the foundations of IHL area unit versatile enough to adopt the new technologies so the problems connected in cyber warfare may be eliminated by countering the new technologies with another technology. The technological limitations may be crossed through another technologies just for that analysis and development ought to be promoted and additionally ability of rising space is that the would like of the hour. Cyber-warfare may be a real and gift threat to world security. If world leaders decide that a global written agreement on cyber-warfare may be a productive step for guaranteeing peace between nations, then they’ll have to be compelled to notice compromises on variety of key problems. The first problems are those of enforceability, responsibility, privacy, and skill to tell apart between nation-states and criminals.

This could be achieved by making a cyber “license”, Just like a license is required to drive; a cyber “license” can permit a personal access to the data. Those obeying web and Net laws are left alone, whereas people or organizations that interact in ill-gotten behaviours are corrected or punished more severely ((Sharp Sr., “The Past, Present, and Future of Cybersecurity.”)). This idea aligns with the principles of the National Strategy for Trusted Identity in Cyberspace (NS-TIC). TNS-TIC may be a government-sponsored, non-public sector initiative that may give incentives for web users to buy a cyber “license” so as to access sure components of the net, like on-line bank accounts, social networking sites, and government ((National Strategy for Trusted Identities in Cyberspace.”The White House. April 2011)). Whereas a global written agreement together with technical and regulative advances has the potential to limit cyber-warfare, this approach features a range of limitations that ought to be the topic of more analysis. The first concern is that the ability to force countries to stick to the written agreement. European enforcement officers requested that Russia permit them to look for the supply of the attacks, citing a global law that Russia had sanctioned requiring that action. Russia refused and neither the supply nor the extent of state involvement of the attacks may well be evidenced.