Summary of the paper`s background
The Talinn
Papers is a peer reviewed publication of the NATO Cooperative Cyber Defense
Centre of Excellence, designed to inform strategic dialogue regarding cyber
security within the alliance and beyond.
The Law of Cyber Targeting
The war
between Russia and Georgia (2008) marked the birth of cyber war ( not
hacktivism). Today we see cyber operations (CO) in Syria and Ukraine. Attention
must be paid to the law that governs these activities. Given the novelty of CO
as a method of warfare during an armed conflict any alleged misuse has the
potential for strategic consequences. NATO CCDCE has taken a global lead in
addressing this issue. The following questions are asked:
What
applies to my operation ?
May I
engage the intended target ?
Is the
weapon that I use legal ?
What
precautions must I take to avoid collateral damage ?
Do the
scope and degree of likely collateral damage prohibit me from engaging the
target ?
This paper
will explain how each is resolved with respect to CO.
The Applicable Law (Part I)
International
Humanitarian Law ( IHL ) comes into play when there is an armed conflict in
legal parlance ( international and not international). To kill members of the
civilian population is a violation of IHL and a war crime. There is no
normative or practical logic for distinguishing between an CO and a kinetic
operation (e.g. Stuxnet 2010). The enemy must be an organized armed group which
is difficult to see in most cyber threats. The group must be armed and not only
long to “denial of service actions (Estonia) In simple terms: The cyber
conflict must start looking like war.
The Applicable Law (Part II)
Any
discussion of targeting begins within the principle of distinction which is
codified in Article 48 ( Geneva Conventions). Attacks against civilians and
civilian objects are prohibited, indiscriminate attacks are forbidden, parties
to a conflict must take precautions to minimize civilian harm when planning and
conducting attacks and so forth.
Controversy
surrounds the issue of whether the nation attacks should be interpreted more
broadly. A CO targeting civilian cyber infrastructure (CCI) without physical
effects could be far more detrimental than one causing limited damage. Consider
an attack during an armed conflict on the enemy`s CCI: It seems incongruent to
prohibit only the latter. If Data is treated as an object any manipulation of
civil data would be qualify as unlawful damage or destruction (mind the
deletion of a forum or blog post).Unless a CO has consequences that at least
affect the functionality of an object it does not qualify as attack and
therefore it is not prohibited. During an armed conflict it is generally legal
to conduct CO against civilians as long as they are not harmed or injured.
Denial of service is lawful until physical effects like starvation or illness.
The Target
CO must be
frequently implicate the prohibition on attacking civilian objects, which are
not military ones. Military objects are objects which by their nature,
location, purpose or use make an effective contribution to military action and
whose total or partial destruction, capture or neutralization in the
circumstances ruling the time, offers a definite military advantage. “ A
particular location might be to open dame gates to flood an area and deny its
use to the enemy. A civilian object can become a military object though
purpose: A civilian server farm that will store military data which may be
attacked even before data storage begins or air traffic control or airspace
management systems ( “war fighting or war supporting objects). Many war
sustaining targets cannot be struck kinetically in a fashion that would
generate the same effects as cyber attacks (bank systems for example). Persons
may qualify as targets like combatants. Civilians qualify as well for the time
they are members of an armed organized group with a continuous combat function.
All those who conduct CO against the enemy or who defend against hostile
operations have a continuous combat function and would be targetable. Analogue
to human shields would be the development of more specific to an attack of the
enemy system allowing CO to be launched from one`s home or business by others.
The Weapon
While
certain uses of cyber weapons (malware) violate OHL such as attacking
civilians, cyber weapons may also be unlawful per se. Weapons are prohibited
when they:
-Cannot be
directed at a specific military objective
-Generate
uncontrollable effects
Cyber
weapons may at times run afoul of these prohibitions – consider malware
intended for use against military cyber infrastructure linked to civilian networks.
If the malware is designed to spread randomly though the system into which it
is introduced it is indiscriminate by nature and prohibited per se. The most
well known indiscriminate cyber weapon
is the malicious but seemingly innocuous e-mail attachment sent to a
combatant`s private e-mail account. Since the attacker has no control to whom
it might be it would be indiscriminate ( mind of puppy or kitten videos).
Restrictions do not bear on malware that does not cause injury, damage or loss
of system functionality. Cyber weapons can be employed against closed military
systems in which the risk of bleed over into civilian networks is low.
Precautions to avoid Civilian Harm and
Collateral Damage
An attacker
must take constant care to spare the civilian population, civilians and
civilians objects. He must do everything feasible to verify that the target is
not protected by IHL select the weapon, tactic and target that will minimize
civilian harm without forfeiting military advantage or cancel an attack when reason
to believe that the attack may be unlawful comes to light and warn the civilian
population of any attack that may affect them.
An attack
which may expected to cause incidental loss of civilian life injury o
civilians, damage to civilian objects or a combination thereof which would be
excessive in relation to the concrete and direct military advantage anticipated
is prohibited.
Conlusion
On the one
hand options that are in fact lawful are sometimes needlessly taken off the
table out of misguided concern as to their legality. On the other hand unlawful
options are in times seriously considered thereby risking public and
intentional condemnations should they be selected. The normative fog of Cyber
war is beginning to clear.
Keine Kommentare:
Kommentar veröffentlichen