Abstract
Cyberspace is increasingly becoming part of the battlefield in situations of armed conflicts. While the rules of the ius in bello governing such situations were drafted when physical violence was the main harm from which civilians needed to be protected, many of the harms arising from military cyberoperations are non-physical, which leads to legal unclarity and potential protectionary gaps. In the absence of state action to clarify existing rules or establish new rules to protect civilians, this article turns to International Human Rights Law (IHRL) as an alternative protectionary mechanism. Focusing on the European Convention of Human Rights (ECHR), it is concluded that although the ECHR covers many of the relevant harms, questions of applicability will most likely limit its practical effect. Nevertheless, in non-international armed conflicts and when developing cyberweapons, human rights might help to address non-physical harms caused by cyberoperations.
1. Introduction
With tensions running high between Russia and the US, Ukrainians already have a lot to be worried about in the offline world.1 The online world, however, currently seems no less scary with the following message being displayed on Ukrainian government websites: ‘Ukrainians! … All information about you has become public. Be afraid and expect worse. It’s your past, present and future’.2 Assuming experts are correct in connecting this cyberoperation to the ongoing armed conflict, it would be only the latest of many incidents showing that cyberspace is not only essential for civilian life; it is also becoming increasingly relevant for military operations.3
In traditional conflicts, civilians are protected by international humanitarian law (IHL), which seeks to limit the effects of armed conflict on the civilian population.4 The pivotal question regarding cyberoperations is the following: Can the rules of the ius in bello also protect civilians in cyberspace? To answer this question in the affirmative, IHL would first and foremost have to apply to military cyberoperations. On this matter, a stable consensus has arisen: in principle, IHL does apply to cyberoperations.5 The second, and far more difficult question is: how does IHL apply to military cyberoperations? When answering this question, it is worth recalling the historic context of IHL. While the drafters of the key IHL treaties – the Geneva Conventions of 1949 (GC) and their Additional Protocols of 1977 (AP 1 and 2)6 – have always been very conscious of the constantly changing nature of warfare,7 for the longest time there has been a remarkable level of consistency with regards to one characteristic of armed conflict: its physicality.8 Since IHL balances military necessity with humanity, it accepts that civilians have to endure certain ‘inconveniences,9 but they must still be protected from the worst forms of disturbance. In traditional armed conflict, the most obvious (if not only) form of such a severe disturbance was physical harm. Yet, this does not square well with modern warfare: cyberoperations can cause great disruption without physical damage. As will be explained in more detail below, this entails considerable legal grey zones regarding the application of existing IHL rules to cyberoperations. The key question seems to be the following: is physical violence really the only nuisance from which civilians should be protected, or are there other, non-physical harms which should not be inflicted upon civilians, even in times of armed conflict? Due to an almost complete lack of state practice and opinio iuris on this question, civilians are left in limbo.10
This article explores whether this lack of effective protection could be mitigated by shifting the focus to a related, but separate body of law: International Human Rights Law (IHRL). Unlike IHL, IHRL has a long history of acknowledging non-physical goods, and consequently, non-physical harm. As states seem unwilling to update or at least clarify the rules of the ius in bello, one might ask whether IHRL could be used to ‘patch’ the protectionary gaps left by the unclarities surrounding the application of IHL to non-physical cyberoperations. This article seeks to address this question in three steps:11 Part I will outline why IHL might currently not be sufficient to protect civilians from significant disruption; Part II will then discuss how IHRL might complement IHL to overcome these protectionary gaps; this approach will be critically assessed in Part III. It is argued that while human rights will certainly not compensate for the uncertainty surrounding the legal limits of military cyberoperations, they might be useful as a minor, temporary correction mechanism.
2. A world of ‘violence’: the conduct of hostilities in cyberspace and IHL
Limiting the effects of something as unbridled as armed conflict is an ambitious endeavour. IHL relies on multiple instruments to achieve this goal. One of the most important instruments of IHL is the principle of distinction (PoD),12 which is best summarised by Art 48 AP1’s ‘basic rule’:
‘[T]he Parties to the conflict shall at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly shall direct their operations only against military objectives.’
This ‘cardinal principle’ is fundamental to the protectionary framework of IHL.13 By erecting the irrefutable assumption that attacking civilians or purely civilian objects is never militarily necessary and hence never lawful,14 it effectively removes a certain set of people and objects from the class of legitimate targets. However, although fundamental, the PoD is not necessarily all-encompassing. Particularly with respect to cyberspace, a considerable legal grey zone regarding the applicability and material scope of the PoD has emerged, blurring the lines between what is permissible and what is not.15
2.1. The attack threshold (Art 49(1) AP1)
Regarding the general applicability of the PoD, Art 48 AP1 seems to suggest that all military operations are covered.16 However, Art 48’s ‘basic rule’ is given a practical legal effect by the more concrete provisions succeeding it.17 Since most of these provisions speak of ‘attacks’,18 it is concluded that only when mounting an attack as defined in Art 49 AP1 do states have to distinguish between civilians and military objectives.19 For all other military operations, except those directed at special targets,20 there would be no obligation to discriminate between civilians and military objectives (Art 52(1) AP1), no obligation to avoid disproportionate ‘collateral damage’ (Art 51(5)b AP1), and no obligation to take all necessary precautions (Art 57(2) AP1). Consequently, the question of what qualifies as an attack becomes essential. Art 49 AP1 provides a seemingly simple answer, stating that ‘[attacks] means acts of violence against the adversary’. There seems to be a broad consensus on a reading of Art 49 AP1 that links ‘violence’ to the effects of an operation, not the means used to create these effects.21 Hence, the crucial question is not whether an operation is mounted through violent means, but whether its effects are violent.
Some argue that the ordinary meaning (Art 31(1) Vienna Convention on the Law of Treaties (VCLT) of Art 49 AP1 allows no other interpretation than requiring physical effects to qualify an operation as an ‘an act of violence’.22 It is argued that the drafters intentionally used the term ‘violence’ since it is not any kind of harm civilians were meant to be protected from, but only the worst type, i.e., physical harm.23
Proponents of the opposing view refer to Art 52(2) AP1: they argue that if an attack necessarily had to cause physical effects, the mention of ‘neutralization’ – understood as ‘rendering dysfunctional without physical damage’ – in the definition of a military objective would be nonsensical.24 They conclude that the mere disruptive effect of operations rather than their physicality should be considered. This contextual interpretation can further be supported by a reference to the general ‘object and purpose’ (Art 30(1) VCLT) of the PoD: IHL seeks to protect civilians from the effects of armed conflict.25 If these disruptive effects are no longer purely physical, the pertinent provisions need to be interpreted accordingly.26
Having considered these different views, what is the law? The answer to this question remains unclear. While the International Committee of the Red Cross (ICRC)27 as well as Germany,28 France, Chile, Guatemala, and Ecuador adopt the non-physical approach, Peru, Denmark, and the US Department of Defence (DoD) insist on physical effects.29 Most other states have not clearly stated their views on the question. Hence, it seems fair to conclude that the applicability of the PoD is not clear-cut, but stuck in a considerable grey zone which allows states to at least plausibly claim that targeting civilians is permissible if the effects are non-physical.
2.2. The notion of ‘objects’ (Art 52(2) AP1)
Closely related to the question of the attack threshold is the question of whether data qualifies as an object.30 This question is crucial since the principle of distinction prohibits attacks not only on civilians (Art 51 AP1), but also on civilian objects (Art 52 AP1). The 1987 Commentary to the Additional Protocols explicitly states that the ordinary meaning of ‘object’ is something visible and tangible, which is why the Tallinn Manual experts rejected the notion of data as an object.31 Others have criticised this view mainly on two grounds. Firstly, the question of whether something intangible can be considered an object was only discussed by the drafters of the Commentary, not the drafters of the Protocols. Hence, one might question the validity of the Commentary’s focus on tangibility.32 Secondly, given the centrality of data in contemporary society, allowing the destruction of essential civilian data seems irreconcilable with the object and purpose (Art 31(1) VCLT) of the PoD.33 It is concluded that since destroying essential civilian data can have far more devastating effects than physical violence, it would be absurd if such data was not protected as a civilian object under IHL.34
As with the attack threshold, the persistent lack of state practice and opinio iuris does not permit any final conclusion. While Norway and Peru seem to accept the notion of data as an object, Denmark does not. France and Chile presented middle-ground positions.35 With two plausible interpretations of the law and only a few states speaking out, it is difficult to tell where the law stands exactly. Again, it is the question of whether only physical destruction qualifies as an effect of armed conflict from which civilians need to be shielded. Since the internet allows us to move important assets and activities into a non-physical space, it challenges the traditional assumption that anything that is not physical cannot cause serious harm to civilians. Until states explicitly embrace the idea that the physicality-focused rules extend to the logical and content layer of cyberspace,36 this assumption might bring massively disruptive cyberoperations into the realm of what is lawful in armed conflict. This is a highly undesirable state of affairs, and hence, it might be reasonable to look for protectionary norms outside of IHL which are less premised on the idea of physical harm.
3. Can human rights law fill the gaps?
Such norms could potentially be found in IHRL. Since IHRL generally seeks to protect individuals from undue interference by states, its conception of harm is much less geared towards the exceptionally violent circumstances of armed conflict, which could help to circumvent many of the problems identified above. This idea will be explored with reference to three rights, which are likely to be affected by military cyber operations.37 To establish a clear frame of reference, the analysis will focus on the European Convention of Human Rights (ECHR). The ECHR was chosen for two reasons. Firstly, it has one of the richest and most up-to-date bodies of case-law. Secondly, the binding nature of the judgments of the European Court of Human Rights (ECtHR) allows for effective enforcement of its provisions and hence, practical protectionary value.
3.1. Right to respect for private and family life (Art 8 ECHR)
Art 8 ECHR stipulates ‘the right to respect [the] private and family life, … home and … correspondence’. The idea at the core of this provision is the protection of individuals against arbitrary interference by public authorities, i.e., the negative ‘right to be left alone’.38 However, the term ‘respect’ has been interpreted as entailing a positive duty on the State to protect its subjects from interference with their rights under Art 8 ECHR.39 For the purposes of this article, respect of private life is particularly relevant. It secures for ‘the individual a sphere within which he can freely pursue the development and fulfilment of his personality’ and establish relationships with other people.40 This sphere contains several aspects of a person’s life: their ‘physical and psychological integrity’, professional activities, autonomy and identity (including the right to control images of oneself), and personal data.41 All these concepts are increasingly connected to the internet: we communicate and interact with others on social networks, we work remotely using clouds and video-conferencing, and we upload images and other personal data. A military operation blocking access to social media or clouds, or leaking or deleting images or other personal data would hence probably be liable for infringing Art 8 ECHR,42 regardless of the physical or non-physical nature of the interference with these rights.
3.2. Freedom of expression/Access to information (Art 10 ECHR)
Art 10 ECHR protects both the dissemination of and access to information and ideas, regardless of a potential commercial purpose or the medium used.43 Hence, both traditional outlets like print media or television, and text messages or websites are within its scope. Generally, Art 10 ECHR is considered essential not only for the functioning of democratic societies, but also for ‘the individual’s self-fulfilment’.44 Since the internet has become ‘one of the principal means by which individuals exercise their right to freedom of expression and information’,45 military operations online could easily affect freedom of expression and access to information, either when parts of the population are cut off from the internet as a whole or when specific outlets are targeted.46 Overall, as a ‘political’ right, Art 10 ECHR might be less relevant for the humanitarian goal of protecting civilians.47 However, due to its connection to the individual’s self-fulfilment and its enormous importance for the more long-term goal of ensuring a healthy democracy, military cyberoperations affecting Art 10 rights might still be highly relevant in the future.48
3.3. Right to property (Art 1 Protocol 1 to the ECHR)
The right to property was added to the ECHR in 1953 when its First Protocol entered into force.49 It consists of three ‘rules’: the peaceful enjoyment of possessions, the prohibition of deprivation of property, and the right of the State to control the use of possessions.50 The ECtHR established in its case law that ‘possessions’ needs to be understood very broadly, including not only ownership, but also pecuniary rights (e.g., shares, patents, arbitration awards).51 Two broad categories of interference through military operations can be imagined. Operations targeted, e.g., at online banking or related services could interfere with the first rule as they could effectively prevent civilians from enjoying their possessions whenever and however they want. In addition, the second rule could be violated when intellectual property or purely digital assets are destroyed as data is being deleted or altered in the course of an operation.52 This could amount to a de facto expropriation violating Art 1 of the First Protocol.53
4. No easy patch
While the substance of the ECHR rights might cover civilian harm caused by military cyberoperations, this is only necessary but not sufficient for the Convention to have any protectionary effect. To do so, the respective norms would further have to be applicable. There are two main obstacles in this respect:54 the potential lex specialis nature of IHL and the extraterritorial applicability of the ECHR.
4.1. IHL and IHRL: A difficult relationship
IHRL and IHL have very different origins.55 While IHL is premised on the idea that even in armed conflict, honour – or humanity – imposes limits on the conduct of hostilities, IHRL is based on the notion of inherent rights.56 Hence, the former constitutes a balance between military necessity and humanity, while the latter balances different rights when they are in conflict with each other or with a ‘legitimate aim’. Some argue that this makes IHL the law to apply in wartime – it effectively supplants IHRL, the law of peacetime, during armed conflict.57 This approach was rejected by the International Court of Justice (ICJ) in its Nuclear Weapons Advisory Opinion. The Court stated that ‘the protection offered by human rights conventions does not cease in case of armed conflict’.58 However, the Court did accept that IHL might apply as lex specialis and hence effectively supersede certain human rights provisions. In its Wall Advisory Opinion,59 the Court clarified this idea. It argued that although human rights norms would not be displaced by IHL, they should be interpreted in the light of the laws of war, especially in relation to questions regarding the right to life.60 Yet, this approach is criticised for introducing an inadmissible acceptance of serious human rights violations into the body of human rights law. The UN Human Rights Committee, on the other hand, suggested another approach which focuses more on the complementarity of IHL and IHRL. According to this so-called ‘belt and suspender’ approach, the norm which would provide better protection to the individual is to be applied. In practice, however, determining which norms are more apt to provide protection is not always straightforward.61 Overall, the precise relationship between IHL and IHRL remains rather obscure.62
How does this impact the utility of IHRL to protect civilians from the negative impact of military cyberoperations? Regarding the complementary approach, it has been outlined above how IHL might not provide sufficient protection. Hence, it seems plausible to argue that IHRL provides better protection from non-physical harm and therefore, prevails. But even following the lex specialis approach, there is a case to be made for the application of IHLR: assuming that non-physical harm is not covered under the pertinent rules of IHL on the conduct of hostilities since these norms focus on violent events, one might argue that this leaves room for IHRL to cover non-violent harm. On the other hand, IHL could be seen as the more appropriate body of law since the heat of the moment governing armed conflict requires a body of law that commanders are familiar with and can apply without having to engage in lengthy legal assessments such as an IHRL proportionality assessment.63 However, cyberoperations often require a long time of planning. They are usually conducted remotely and hence, do not underlie the special pressures of an active combat situation. Therefore, it seems sensible to believe that IHRL could reasonably be applied to military cyberoperations in situations of armed conflict.64
4.2. Extraterritoriality in a borderless space
Traditionally, human rights law governs the relationship between the State and its subjects. This is reflected in Art 1 ECHR, which limits the applicability of the Convention to persons within a Member State’s jurisdiction. On several occasions, the ECtHR has confirmed that the Convention is based on an ‘essentially territorial notion of jurisdiction’ and hence, primarily applies on a Member State’s territory.65 However, the ECtHR defined two general exceptions to this rule in Al-Skeini. Firstly, the Convention might apply extraterritorially if a person is under the physical control of a Member State’s agent.66 The Court emphasised that only physical control, not general authority, is required to trigger the applicability of the Convention.67 While one might imagine exceptional circumstances in which a military cyberoperation could give rise to such a situation, the harm caused by such an operation will likely be physical and hence, governed by the PoD in the first place. Thus, this first exception is not as relevant in the context of non-physical cyberoperations.
The second exception concerns situations in which the Member State has effective control over an area. The judges considered two criteria in this respect: the extent of the State’s military presence, and its military, economic, and political support for the local administration.68 It is hard to see how cyberoperations alone would allow the establishment of such a level of control. Consequently, unless a Member State conducts military operations in an area that is under its effective physical control, the ECHR will most likely not be applicable. In fact, military cyberoperations against the population of a non-member state might more closely resemble the airstrikes that were not deemed sufficient to trigger the applicability of the ECHR in Banković.69 This leads to the conclusion that the effective protectionary effect of the ECHR in international armed conflicts might be strongly limited by its likely inapplicability.
4.3. Sneaking IHRL in through the backdoor?
Does this mean IHRL, and for the purposes of this note the ECHR, cannot close any of the gaps of IHL identified above? While the precise answer to this question will frequently depend on the facts of a specific case, three general points remain to be made in favour of the utility of IHRL. Firstly, the most pressing problem of extraterritorial applicability might be less pressing in situations of non-international armed conflict.70 In this case, extraterritoriality is not an issue since the Member State would act on its own territory. Secondly, some provisions of IHL might allow the integration of IHRL directly into the IHL framework. Most notably, Art 36 AP1 obliges states to review their weapons with the view of IHL and ‘any other rule of international law applicable to the High Contracting Party’. In principle, this obliges states to take IHRL into account when developing cyberweapons. It should be noted, however, that in practice this obligation is highly dependent on the goodwill of states.71 Another avenue might be found in Art 1(2) AP1, the infamously vague Martens Clause.72 One might argue that cyberoperations constitute precisely the kind of technological development Art 1(2) AP1 seeks to cover.73 Further, assuming that commonly accepted guarantees of IHRL can either be subsumed under ‘established custom’ or the ‘principles of humanity’, Art 1(2) AP1 could be at least an auxiliary tool to justify the application of IHRL in military cyberoperations in situations of armed conflicts.74 Lastly, when cyberoperations are launched against an ECHR signatory with effects materialising on its territory, the aforementioned positive obligations of Member States to safeguard the enjoyment of certain rights could be used to order Member States to take measures to limit the negative effects on civilians. Admittedly, these are only very small patches. Yet, when taken together they could at least mitigate some of the harm civilians might suffer from future military cyberoperations.
5. Conclusion
This article explored whether IHRL might help to close the protectionary gaps in IHL created by the uncertainty surrounding cyberoperations having non-physical yet highly disruptive effects. It was argued that these gaps are largely related to IHL’s focus on physical harm. Looking at the body of IHRL, which is more embracive of non-physical harms, it showed that in their substantive dimension the rules of IHRL would indeed be suitable to cover the most pertinent gaps in the protectionary net of IHL. However, questions of extraterritorial application will most likely limit the effective reach of IHRL. Yet, in non-international armed conflict as well as through Art 36 AP1, Art 1(2) AP1 and positive obligations of states in relation to certain rights, IHRL might still play a role in preventing harm arising from military cyberoperations. Thus, as long as states disagree on how IHL applies in cyberspace, IHRL might at least provide a very limited, temporary patch.
In the end, IHL’s focus on physicality can be seen as a balance between military necessity and humanity: when non-physical operations took the form of spreading propaganda or gathering information, the drafters decided to set the severity threshold of what civilians would need to be shielded from at physicality. Yet, in modern day conflict, physicality is no longer as strictly correlated with severity as it used to be.
Paradoxically, it might be precisely its ‘peacetime’ provenance that makes IHRL the more future-proof regime in this respect: it does not define a rigid parting line between acceptable and unacceptable harm but requires a proportionality assessment for each interference with human rights. As the line drawn by IHL treaties no longer adequately separates severe harm from minor inconveniences, turning to IHRL might seem reasonable. Although its direct protectionary effect might be limited by issues of applicability, it could generally be helpful in informing debates on how IHL’s balance could be reconfigured: namely, how to draw the line between which level and type of harm is generally justified by military necessity and which is not. The answer will, and probably should not, be the same as in IHRL. But since both are ultimately concerned with human dignity,75 it would nevertheless be odd if the gap between IHL and IHRL protections became overly wide. Right now, the gap is potentially very wide, and until IHL catches up with reality, this could mean that indiscriminate cyberoperations remain a dreadful (but lawful) reality for civilians in armed conflict. In other words, it could be their ‘past, present and future’.
I would like to thank Dr Devika Hovell for her valuable feedback on this article.
[1] ‘Ukraine tension: US and Russia hold ‘frank’ talks’ BBC (London, 21 January 2022) <https://www.bbc.com/news/world-us-canada-60077776> accessed 23 January 2022.
[2] Luke Harding, ‘Ukraine hit by ‘massive’ cyber-attack on government websites’ The Guardian (Kyiv, 14 January 2022) <https://www.theguardian.com/world/2022/jan/14/ukraine-massive-cyber-attack-government-websites-suspected-russian-hackers> accessed 23 January 2022.
[3] Earlier incidents include Georgia, where the Russian military invasion in 2008 was preceded by a number of Denial of Service (DoS) operations targeting, inter alia, ‘media, communications and transportation companies’. See John Markoff, ‘Before the Gunfire, Cyberattacks’ The New York Times (New York, 12 August 2008) <https://www.nytimes.com/2008/08/13/technology/13cyber.html> accessed 11 December 2021. Ukraine had been hit by cyberoperations before, cutting roughly 230,000 Ukrainians off from electricity. See Kim Zetter, ‘Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid’ (Wired, 3 March 2016) <https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/> accessed 11 December 2021. For a general overview, see Laurent Gisel, Tilman Rodenhäuser and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’ (2020) 102(913) International Review of the Red Cross 287, 289.
[4] Note that IHL only applies if there is a nexus to armed conflict. This article will not explore the question of when IHL applies to cyberoperations but will focus on situations with a clear connection to an armed conflict triggering the applicability of IHL.
[5] This does not mean that IHL applies to every cyberoperation: A nexus with an armed conflict (see n 4) is necessary. Michael N. Schmitt, ‘Wired warfare 3.0: Protecting the civilian population during cyber operations’ (2019) 101(1) International Review of the Red Cross 333, 334. Gisel and others (n 3) 292.
[6] Note that this essay will mostly refer to the existing treaty law. However, all norms of IHL mentioned in the piece also apply as customary international law, both in international and non-international armed conflict.
[7] Yves Sandoz and others (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (International Committee of the Red Cross and Martinus Nijhoff Publishers 1987) 45.
[8] Reading the ICRC’s founding father’s memoires, it seems fair to conclude that Henri Dunant was strongly motivated by the suffering he witnessed on the battlefield. In this sense, one might argue that the very reason why a whole body of law on limiting the effects of armed conflict emerged was the visible and palpable destructiveness of war. Henri Dunant, A Memory of Solferino (Ravenio Books 2013).
[9] Michael N. Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017) 418.
[10] Cordula Droege, ‘Get off my cloud: cyber warfare, international humanitarian law, and the protection of civilians’ (2012) 94(886) International Review of the Red Cross 533, 578. See also Gisel and others (n 3) 334. See also Schmitt ‘Wired warfare 3.0’ (n 5) 336-337.
[11] Note that the idea is not to present a comprehensive and complete answer to the question asked. Instead, this article seeks to float the idea of bringing IHRL into the debate around military cyberoperations and endeavours to sketch out in broad strokes if such an approach could be desirable and feasible.
[12] However, IHL’s protectionary toolkit also contains pre- and post-conflict safeguards. For instance, Art 83 AP1 obliges the parties to disseminate the Conventions and their protocols even in peacetime. After the termination of an armed conflict, certain provisions on prisoners of war still apply until their return home (Art 5 Geneva Convention III).
[13] Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] International Court of Justice Reports 226 (Nuclear Weapons Advisory Opinion) [78].
[14] This is not to say that the PoD outlaws any attack resulting in civilian casualties. However, civilians or civilian objects must never be the primary target of an attack and if civilians or civilian objects are harmed, the civilian harm must not be excessive in relation to the sought military advantage (Art 51(5)b AP1).
[15] See e.g., Michael N. Schmitt, ‘Grey Zones in the International Law of Cyberspace’ (2017) 42(2) Yale Journal of International Law Online 1, 20. Uncertainty about the law inherently favours considerations of military necessity over humanity because the lack of clear limits allows for a Lotus-inspired argumentation: what is not explicitly prohibited, is allowed.
[16] In fact, some argue that the drafters chose the term ‘military operations’ precisely because they meant to extend the reach of the PoD to all operations, not just attacks. Proponents of this view further point to the chapeau of Art 51 and the constant care standard set out in Art 57(1), both speaking of ‘military operations’ instead of attacks. See Heather Harrison Dinniss, Cyber Warfare and the Laws of War (Cambridge University Press 2012) 196-202.
[17] Droege, ‘Get off my cloud’ (n 10) 554.
[18] Note that certain protections do not depend on the occurrence of an ‘attack’ within the meaning of Art 49 AP1. For instance, Art 54(2) AP1 states that both attacking and rendering useless objects indispensable to the survival of the civilian population is prohibited. As already mentioned, the constant care standard of Art 57(1) AP1 also applies more broadly. Moreover, relief actions and the personnel undertaking them are protected in general terms, without any reference to an attack (see Art 70(4) and 71(2) AP1).
[19] This view is based on a contextual interpretation of the Protocol. See Vienna Convention on the Law of Treaties (VCLT) art 31(2).
[20] See (n 18).
[21] Michael N. Schmitt, ‘The Law of Cyber Targeting’ (2015) 68(2) Naval War College Review 11, 16.
[22] Yoram Dinstein, ‘The Principle of Distinction and Cyber War in International Armed Conflicts’ (2012) 17(2) Journal of Conflict and Security Law 261.
[23] Eric Talbot Jensen, ‘Cyber Attacks: Proportionality and Precautions in Attack’ (2012) 89 US Naval War College International Law Studies 198, 207. See also Michael N. Schmitt, ‘Rewired warfare: rethinking the law of cyber attack’ (2014) 96(893) International Review of the Red Cross 189, 202. This reading is criticised for its absurd under-inclusiveness: while (physically) destroying cables carrying civilian internet-borne communication would be impermissible, disabling the same communication by altering the (logical) code that makes them functional would be permissible.
[24] The reasoning behind this view is the following: ‘The fact that CNA [computer network attack] does not lead to the destruction of the object attacked is irrelevant. … By referring not only to destruction or capture of the object but also to its neutralization the definition implies that it is irrelevant whether an object is disabled through destruction or in any other way.’ Knut Dörmann, ‘Applicability of the Additional Protocols to Computer Network Attacks’ (International Expert Conference on Computer Network Attacks and the Applicability of International Humanitarian Law, Stockholm, November 2004) 6.
[25] This purpose is explicitly mentioned in Art 48 AP1: ‘In order to ensure respect for and protection of the civilian population and civilian objects …’. A similar sentiment can be derived from the title of the pertinent section (‘Part IV: Civilian population – Section 1 – General protection of the civilian population from the effects of hostilities’).
[26] Robin Geiß and Henning Lahmann, ‘Cyber Warfare: Applying the Principle of Distinction in an Interconnected Space’ (2012) 45(3) Israel Law Review 381, 383. However, this view is being criticised on two grounds. Firstly, it is submitted that Art 52(2) AP1 was still drafted with an attack in mind. Hence, neutralisation should not be read as a non-violent way of rendering a military objective dysfunctional, but as an attack that does not completely destroy, but still render an object dysfunctional. Secondly, some point out that in military parlance, neutralisation is not necessarily understood as a non-violent action. Michael N. Schmitt, ‘‘Attack’ as a Term of Art in International Law: The Cyber Operations Context’ (4th International Conference on Cyber Conflict, Tallinn, June 2012) 11. See also Schmitt, ‘Rewired warfare’ (n 23) 198.
[27] Note that the ICRC is not a full subject of public international law and, hence, does not directly influence the formation of customary international law. However, since it is arguably the most respected entity regarding the interpretation and development of IHL, its views still have some relevance.
[28] The Federal Government of Germany, ‘On the Application of International Law in Cyberspace’ (March 2021) <https://www.auswaertiges-amt.de/blob/2446304/32e7b2498e10b74fb17204c54665bdf0/on-the-application-of-international-law-in-cyberspace-data.pdf> accessed 7 January 2022.
[29] Note that the US DoD position not only considers the physicality of effects, but also their reversibility.
[30] If this was the case, the principle of distinction would apply to any operation deleting or damaging civilian data. See Gisel and others (n 3) 317.
[31] Schmitt, Talinn Manuel 3.0 (n 9) 437.
[32] Dinniss (n 16) 46.
[33] Gisel and others (n 3) 319. On the object and purpose of the PoD, see (n 25).
[34] Some authors have proposed a distinction between operational-level data, i.e., the code, and content-level data, i.e., the input that is processed according to the rules set out in the operational-level data. While tampering with content-level data will leave the system as such intact, interference with operational-level data will impact the functionality of the system. It is argued that at least operational-level data should be seen as an object. Dinniss (n 16).
[35] Gisel and others (n 3) 319-320.
[36] The logical and content layer comprise the code and content data, respectively, making up cyberspace. They are carried by the physical layer, i.e., the necessary hardware and infrastructure. Only the physical layer of cyberspace is currently clearly captured by IHL. For a more detailed description of the three layers model, see Yochai Benkler, ‘From Consumers to Users: Shifting the Deeper Structures of Regulation Toward Sustainable Commons and User Access’ (2000) 52(3) Federal Communications Law Journal 561.
[37] Note that this list is certainly not conclusive. Many other rights might be affected, e.g., the right to health, or the right to freedom and association. Moreover, note that this section does not seek to present a complete analysis of potential violations. It merely provides examples of how cyberoperations might affect the respective rights.
[38] William A. Schabas, The European Convention on Human Rights: A Commentary (Oxford University Press 2015) 366.
[39] ibid 368.
[40] Bruggeman and Scheuten v Federal Republic of Germany (1977) 3 EHRR 244, para 55.
[41] S. and Marper v the United Kingdom App nos 30562/04 and 30566/04 (ECtHR, 4 December 2008), para 41.
[42] However, not every infringement would be a violation: Art 8(2) ECHR establishes the possibility for states to limit the rights set out in Art 8 ECHR, if this is necessary, e.g., for the maintenance of national security. While states usually enjoy a wide margin of appreciation in assessing such a necessity, this margin narrows considerably if a particularly important aspect of an individual’s private life is affected.
[43] Schabas, The European Convention on Human Rights (n 38) 455.
[44] Palomo Sánchez and Others v Spain App nos 28955/06, 28957/06, 28959/06, and 28964/06 (ECtHR, 12 September 2011) [53]. See also Lingens v Austria App no 9815/82 (ECtHR, 8 July 1986), para 41.
[45] Ahmet Yıldırım v Turkey App no 3111/10 (ECtHR, 18 December 2012), para 54.
[46] For example, the cyberoperations against Estonia in 2007 affected several newspaper outlets; see Damien McGuinness, ‘How a cyber attack transformed Estonia’ BBC (Tallinn, 27 April 2017) <https://www.bbc.com/news/39655415> accessed 11 December 2021. Linking Art 10 back to the discussion of data as an object, note that the ECtHR considers internet archives critical for the dissemination of information. Hence, an operation destroying or tampering with such archives could very well fall within the ambit of Art 10; see Times Newspapers Ltd v the United Kingdom App nos 23676/03 and 3002/03 (ECtHR, 10 March 2009).
[47] Louise Doswald-Beck and Sylvain Vité, ‘International Humanitarian Law and Human Rights Law’ (1993) 33(293) International Review of the Red Cross 94, 101.
[48] As for Art 8 ECHR, the freedom of expression can be limited by law or derogated from in a state of emergency (Art 15 ECHR). Still, especially when it comes to political issues, the margin of appreciation granted to the government is narrow. See Axel Springer AG v. Germany App no 39954/08 (ECtHR, 7 February 2012) para 90.
[49] Schabas, The European Convention on Human Rights (n 38) 12.
[50] Sporrong and Lönnroth v Sweden App nos 7151/75 and 7152/75 (ECtHR, 23 September 1982) para 61.
[51] Interestingly, the French version of Art 1 First Protocol speaks of ‘biens’, just like Art 52(1) AP1. However, the ECtHR case law made clear that ‘possessions’ does not only cover physical property but is far broader than that. Furthermore, there have been proposals to treat data as such property. While this is certainly an approach de lege ferenda at best, such a development would certainly strengthen the case to consider data as something as worthy of protection as physical property. See Ivan Stepanov, ‘Introducing a property right over data in the EU: the data producer’s right – an evaluation’ (2020) 34(1) International Review of Law, Computers & Technology 65.
[52] See, e.g., Neij and Sunde Kolmisoppi v Sweden App no 40397/12 (ECtHR, 19 February 2013).
[53] The protection of property is not entirely unknown to IHL: apart from the general protections for civilian objects in AP1, Art 46 of the Hague regulations of 1907 stipulates the obligation to respect private property if a state has authority over the territory of a hostile state. Furthermore, the destruction or seizure of the enemy’s property is strictly limited by military necessity (Hague Regulations 1907 art 23(g)).
[54] Note that the possibility to derogate from certain rights set out in Art 14 ECHR is not considered a fundamental obstacle. While derogations could certainly limit the protectionary effect of the ECHR, states would still at least have to demonstrate how such derogations are ‘strictly required by the exigencies of the situation’. A derogation aimed at facilitating operations against civilians which do not bear any military necessity will be hard to justify under this standard.
[55] Doswald-Beck and Vité (n 47) 94.
[56] Cordula Droege, ‘The Interplay Between International Humanitarian Law and International Human Rights Law in Situations of Armed Conflict’ (2007) 40(2) Israel Law Review 310, 313.
[57] Presenting, but not adopting this view, see Noam Lubell, ‘Parallel Application of International Humanitarian Law and International Human Rights Law: An Examination of the Debate’ (2007) 40(2) Israel Law Review 648, 649.
[58] Nuclear Weapons Advisory Opinion (n 13) [25].
[59] Legal Consequences of the Construction of a wall in the Occupied Territory (Advisory Opinion) [2004] International Court of Justice Reports 136 (The Wall Advisory Opinion) [106].
[60] William A. Schabas, ‘Lex Specialis? Belt and Suspenders? The Parallel Operation of Human Rights Law and the Law of Armed Conflict, and the Conundrum of Jus Ad Bellum’ 2007) 40(2) Israel Law Review 592, 596.
[61] ibid 593.
[62] Lubell (n 57) 650.
[63] Remember that, as mentioned above, Art 8 and Art 10 ECHR can be restricted if this is ‘necessary … in the interests of national security, territorial integrity or public safety’. Hence, even if the ECHR applies, states might still conduct certain cyberoperations interfering with these rights if the interference is prescribed by law and passes the test of proportionality. Although the latter will be highly dependent on the specific facts of a case, it seems plausible that interfering with purely civilian data or internet uses will usually be insufficient to achieve one of the legitimate objectives set out in the Convention. In borderline cases, however, the question of what would constitute a legitimate interference will be highly relevant. A similar argument can be made for a derogation under Art 15 ECHR and the question of what is ‘strictly required by the exigencies of the situation’.
[64] This is not to say that the two should blend into each other. As eloquently put by one author: ‘Each of these bodies has unique advantages in particular circumstances and we must take care not to lose these advantages in the course of our search for smoother co-application.’ See Lubell (n 57) 655.
[65] Marek Szydlo, ‘Extra-Territorial Application of the European Convention on Human Rights after Al-Skeini and Al-Jedda’ (2012) 12(2) International Criminal Law Review 271, 282.
[66] Al-Skeini and Others v. The United Kingdom App no. 55721/07 (ECtHR, 7 July 2011), para 134.
[67] ibid, para 136.
[68] Al-Skeini (n 65) para 135; paras 38-140.
[69] In Banković, the ECtHR ruled that the NATO airstrikes against the Serbian radio and television headquarters in Belgrade were not governed by the ECHR. See Banković and Others v Belgium and Others App no 52207/99 (ECtHR, 12 December 2001) [74-75].
[70] The internet shutdown in Kazakhstan amid significant civil unrest hints at why such protection might be needed. See Carly Olson and agencies, ‘Kazakhstan internet shutdown deals blow to global bitcoin mining operation’ The Guardian (London, 6 January 2022) <https://www.theguardian.com/world/2022/jan/06/kazakhstan-bitcoin-internet-shutdown> accessed 8 January 2022. See also Lubell (n 57) 658.
[71] In fact, it is generally considered that the outcomes of the reviews are not legally binding. Only a limited number of states have adopted formal procedures in the first place. Isabelle Daoust, Robin Coupland and Rikke Ishoey, ‘New wars, new weapons? The obligation of States to assess the legality of means and methods of warfare’ (2002) 84(846) International Review of the Red Cross 345, 360 & 363-364.
[72] Antonio Cassese, ‘The Martens Clause: Half a Loaf or Simply Pie in the Sky?’ (2000) 11(1) European Journal of International Law 187, 189.
[73] International Committee of the Red Cross (n 7) 39. In fact, the Commentary explicitly states that Art 1(2) seeks to reverse the Lotus-assumption which was identified as one of the reasons why legal uncertainty might tip the balance between military necessity and humanity towards the former. See (n 15).
[74] Note that Marten’s clause should not be construed as being a new independent rule. Rather, it is a confirmation that existing rules apply even in situations that were not foreseen by the drafters of pertinent IHL treaties. See Cassese (n 71) 189. See also Yoram Dinstein, The Conduct of Hostilities under the Law of International Armed Conflict (Cambridge University Press 2016) 14.
[75] Droege ‘The Interplay Between International Humanitarian Law and International Human Rights Law in Situations of Armed Conflict’ (n 56) 312.
Tatjana Grote
BA International Relations (Technical University Dresden) ’20, LLM (LSE) ’22 and Public International Law Notes Editor of the LSE Law Review 2021-22