Cyber warfare figures prominently on the agenda of policymakers and military leaders around the world. New units to ensure cyber security are created at various levels of government, including in the armed forces. But cyber operations in armed conflict situations could have potentially very serious consequences, in particular when their effect is not limited to the data of the targeted computer system or computer. Indeed, cyber operations are usually intended to have an effect in the "real world". For instance, by tampering with the supporting computer systems, one can manipulate an enemy’s air traffic control systems, oil pipeline flow systems, or nuclear plants.
The potential humanitarian impact of some cyber operations on the civilian population is enormous. Experts have been debating the applicability of the traditional rules governing the conduct of hostilities to cyber operations. In particular, the questions of when cyber war really means war in the sense of “armed conflict”, or how the most important rules on conduct of hostilities, namely the principles of distinction, proportionality, and precaution, shall be applied and interpreted in the cyber realm, are crucial.
More specifically, the resort to cyber-attacks indeed leads to reflection on the meaning of the “use of armed force” as the threshold of application of IHL. The same applies to the concept of an “armed attack”, which triggers the right of self-defence under the United Nations Charter (jus ad bellum). The “cyber-attacks” that States have engaged in so far seem to be more closely related to sabotage or espionage than to armed conflict. Would the rules governing (albeit sparsely and poorly) espionage and other hostile acts below the threshold of application of IHL not be more appropriate to apply in such situations? Once it has been determined that a cyber-attack is occurring in the context of an armed conflict – to which IHL then will apply – the question becomes one of the adaptability of the rules. In particular, the interconnectedness of cyber space poses a challenge to the most fundamental premise of the rules on the conduct of hostilities, namely that civilian and military objects can and must be distinguished at all times. Thus, whether the traditional rules of IHL will provide sufficient protection to civilians from the effects of cyber warfare remains to be seen. Their interpretation will certainly need to take the specificities of cyber space into account. In the absence of better knowledge of the potential effects of cyber warfare, it cannot be excluded that more stringent rules might be necessary.
Moreover, the destruction of information is at the core of the objectives of most cyber-attacks. Should information now be regarded as a civilian object under humanitarian law and its destruction as damage to civilian object? Today, in fact, only physical harm is included in the definition of damage. In a world increasingly dependent on information, the destruction of the banking and medical data of a country’s citizens would have drastic repercussions; in the view of some, this calls for a redefinition of the concept of a protected civilian object. The ICRC’s position in this discussion aims to be clear and pragmatic: If the means and methods of cyber warfare produce the same effects in the real world as conventional weapons (such as destruction, disruption, harm, damage, injuries or death), they are governed by the same rules as conventional weapons. Others have nevertheless taken differing positions, such as advocating for the establishment of new “rules of the road” or confidence-building measures similar to those in place in the context of nuclear disarmament, or even the drafting of a new treaty to regulate cyber weapons. The various alternatives were highlighted during the debates that led to the drafting of the Tallinn Manual on the International Law Applicable to Cyber Warfare.