The Law of Attack in Cyberspace: Considering the Tallinn Manual's Definition of 'Attack' in the Digital Battlespace
'Attack' is a term of central importance in the Law of Armed Conflict, the body of international rules and standards that regulate conduct in armed conflict (jus in bello). A 1977 amendment to the Geneva Conventions of 1949, 'Protocol I,' defines an attack as an '[act] of violence against the adversary, whether in offence or defence.'1 The term's importance lies in its centrality to other prohibitions in the Law of Armed Conflict, for example the principle that individual civilians and civilian populations 'shall not be the object of attack.'2
A lawful attack in armed conflict is predicated on four cumulative conditions. First, the target must be a 'military objective.' Second, the 'means' and 'method' employed to attack the target must be lawful. Third, the attacker must take specified precautions. Finally, the attack must not cause damage to civilian objects or civilians excessive in relation to the concrete and direct military objective anticipated.3 Attacks which do not meet these four conditions are considered unlawful. However, operations that do not meet the threshold of attack are not subject to the aforementioned conditions. This brief analysis thus explores the 'threshold question:' what constitutes an 'attack' with specific reference to military operations conducted in the digital battlespace?
To address this question, the recently released Tallinn Manual – a non-binding document that explores the applicability of international humanitarian law and the doctrines of jus ad bellum to cyber conflicts – must be considered. As such, the Manual's definition of a 'cyber attack' is explored before applying the definition in two contexts: cyber operations conducted against cyber infrastructure and cyber activities conducted against physical objects which rely on computer systems and data. These examples illuminate potential deficiencies in the Tallinn Manual's definition and contextualization of cyber attacks.
The Tallinn Manual's Definition
The Tallinn Manual's Rule 30 offers the definition of 'cyber attack' as 'a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.'4 There are two notable features to be highlighted in the International Group of Experts' reasoning. First, the reference to 'acts of violence' in Article 49 of Additional Protocol I was construed as not limiting the scope of an 'attack' to activities which release kinetic force. Second, the focus for what constitutes a cyber attack is the cyber operations' consequences: it was agreed by the International Group of Experts that the existence of 'consequential harm' flowing from the cyber operation would qualify the cyber operation as an attack.5 The notion of consequential harm 'encompasses any reasonably foreseeable consequential damage, destruction, injury or death.'6 This was qualified by stating de minimis damage or destruction does not meet the threshold of consequential harm which constitutes an 'attack.'7
In previous applications of the Law of Armed Conflict, terms such as 'damage,' 'injury' and 'danger' have all been collocated with individuals and physical objects. However, computer systems and data are often a cyber operation's key targets. The question this section will consider is whether operations directed against computer systems and data in different contexts can cause 'consequential harm' sufficient to fall within the definition of a 'cyber attack.'
Cyber Operations Directed Against Cyber Infrastructure
Cyber operations directed at online infrastructure (i.e., websites) with little or minimal interference to physical infrastructure are unlikely to meet the requirements of a 'cyber attack' as defined by the Tallinn Manual. In the 2008 conflict between Russia and Georgia in South Ossetia, defacement and denial of service8 activities were used against Georgian governmental websites.9 These websites were rendered unusable for hours, and therefore could not disseminate information about the conflict. Similar activities were witnessed in 2007, where Estonian news outlets, banks and government ministries were denied service and spammed. Leaving aside the targeting issues presented by cyber operations against such websites, do cyber operations such as these lead to 'damage, destruction, injury or death'? While they created disruption, confusion and defacement, it is unlikely physical harm to persons or physical objects could be attributed to the operations. These activities, therefore, likely fall below the threshold of 'consequential harm' and are therefore unlikely to be 'cyber attacks.' As Schmitt states, '[s]tate practice provides no support for the notion that causation of inconvenience is intended to be prohibited in IHL.'10
Cyber Operations Directed Against Physical Objects Reliant on Computer Systems
The position becomes decidedly more complex when examining cyber operations directed against computer systems and data upon which the functionality of physical objects relies. Indeed, the International Group of Experts were split on this issue. It is worth replicating in detail the Tallinn Manual's comments on point:
Within the International Group of Experts, there was extensive discussion about whether interference by cyber means with the functionality of an object constitutes damage or destruction for the purposes of this Rule. Although some Experts were of the opinion that it does not, the majority of them were of the view that interference with functionality qualifies as damage if restoration of functionality requires replacement of physical components […] Those [E]xperts taking this position were split over the issue of whether the 'damage' requirement is met in situations where functionality can be restored by reinstalling the operating system.11
It would appear from the International Group of Experts' somewhat divided opinion that the 'live' issues are: (1) whether impaired functionality alone can constitute a cyber attack and (2) if impaired functionality alone cannot constitute an attack, what threshold 'damage' is sufficient to constitute an attack?
Impairments to Functionality without Damage
Cyber operations present an array of methods to interfere with physical objects.12 Interference can be total, partial, temporary or permanent. Consider, for instance, a cyber operation conducted by A to disrupt B's anti-stealth radar so a stealth fighter can complete a reconnaissance mission in B's territory.13,14 Suppose that the operation renders the anti-stealth radar inaccessible to B's military personnel for a period of less than 40 minutes, by locking B's military personnel out of their computers. On face value, it would appear the short-term interference described is little different from the effects of the denial of service attacks in Georgia and Estonia – disruption without damage.
Let us take the example one step further. Suppose that the cyber operation above rendered B's anti-stealth radar inaccessible for a period of 4 days, rather than 40 minutes. During that period of time, a number of reconnaissance missions were successfully conducted. According to the definition propounded by the Tallinn Manual, it is highly doubtful this would constitute a 'cyber attack,' so long as B's facilities did not require physical maintenance. This paper contends the majority of military commanders would find this result untenable: between forty minutes and four days, there should be a point at which the cyber operation's disruption becomes an attack.
This ability to interfere with physical objects reliant on data without damage perhaps exemplifies the dilemma the Law of Armed Conflict faces with the advent of cyber warfare. Indeed, means and methods of warfare that did not result in the release of violent kinetic forces were beyond contemplation when the Additional Protocols were drafted.15 In that light, the metric of 'consequential harm' based solely on 'damage, destruction, injury or death' may unfortunately be outmoded.
Beyond Consequential Harm
This paper proposes a recalibration of the Tallinn Manual's Rule 30, so as to afford the definition of 'cyber attack' the capacity to include substantial interference occurring permanently or temporarily with physical objects' functionality. In other words, it would expand the definition of 'cyber attack' to include neutralisation. Neutralisation is not a novel concept to the Law of Armed Conflict; it was contemplated when framing the law of attack in Additional Protocol I16 and was also included in Additional Protocol I's definition of 'military objectives.'17 We can infer that it has long been understood that if an object is disabled through destruction or other means it may confer a military advantage. The challenge for the International Group of Experts becomes formulating the content of the term 'neutralisation,' so as to avoid an over-inclusive definition of 'cyber attack' which may encompass mere inconvenience and interference.
A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to, or neutralisation of, objects.
This analysis considers the law of attack in the context of military operations in cyberspace, and is thus limited in scope to those attacks occurring in the context of armed conflict. The definition of 'consequential harm,' the central component of the recently published Tallinn Manual's definition of a 'cyber attack,' may be deficient when applied to operations which target physical objects reliant on computer systems and data. Principally, there potentially exists a contradiction in the law's application to a situation where a physical object's functionality is substantially impaired without resulting damage. One possible solution is to include the concept of 'neutralisation' within the definition of 'cyber attack' so as to account for such significant, but non-damage inducing, disruptions – a situation which is likely to arise in the current generation of information warfare, where data and computer systems are increasingly becoming targets of the highest value.
Both, M. and Partsch K.J. et al (eds.) New Rules for Victims of Armed Conflicts: Commentary on the Two 1977 Protocols Additional to the Geneva Conventions of 1949 (Martinus Nijhoff Publishers, 1982).
Graham, David. 'Cyber Threats and the Law of War' (2010) 4 Journal of National Security Law & Policy 87.
Kelsey, Jeffrey. 'Hacking into International Humanitarian Law: the Principles of Distinction and Neutrality in the Age of Cyber Warfare' (2008) 106(7) Michigan Law Review 1427.
Schmitt, M.N. Essays on Law and War at the Fault Lines (Asser Press, 2012).
Schmitt, Michael. 'Classification of Cyber Conflict' (2012) 17(2) Journal of Conflict & Security Law 245.
Schmitt, Michael N. '"Attack" as a Term of Art in International Law: The Cyber Operations Context' in C. Czosseck, K. Ziolkowski (eds.) 2012 4th International Conference on Cyber Conflict (COE Publications, 2012).
Schmitt, Michael N. 'Cyber Operations and the Jus in Bello: Key Issues' (2011) 41 Israel Yearbook on Human Rights 113.
Schmitt, Michael N. (ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press 2013), 106.
Shackelford, Scott. 'From Nuclear War to Net War: Analogizing Cyber Attacks in International Law' (2012) 27 Berkeley Journal of International Law 192.
1.) Additional Protocol I to the Geneva Convention of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, opened for signature 12 December 1977, 1125 UNTS 3, Art 49.
2.) Ibid, Art 51.2.
3.) M.N. Schmitt, Essays on Law and War at the Fault Lines (Asser Press, 2012) 176.
4.) Michael N. Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press 2013), 106.
5.) Ibid, 107.
8.) A denial of service, also known as a distributed denial of service, is an attempt to make an online service unavailable to real users by continuously flooding it with phony, computer-generated requests.
9.) Michael N. Schmitt, 'Cyber Operations and the Jus in Bello: Key Issues' (2011) 41 Israel Yearbook on Human Rights 113, 113.
10.) Ibid, 121.
11.) Michael N. Schmitt, above n 4, 108-109.
12.) Here, physical objects are taken to mean buildings, infrastructure, communications and weapons systems.
13.) Notably, this type of operation was not categorised as a ruse of war by the International Group of Experts.
14.) Also assume A and B are states, and signatories to Additional Protocol I of the Geneva Convention.
15.) Michael N. Schmitt, '"Attack" as a Term of Art in International Law: The Cyber Operations Context' in C. Czosseck, K. Ziolkowski (eds.) 2012 4th International Conference on Cyber Conflict (COE Publications, 2012) 283, 290.
16.) M. Both, K.J. Partsch et al (eds.) New Rules for Victims of Armed Conflicts: Commentary on the Two 1977 Protocols Additional to the Geneva Conventions of 1949 (Martinus Nijhoff Publishers, 1982) 325.
17.) Above n 1, Art 52(2).