The challenge is not whether existing international law applies to cyberspace …. The challenge is providing decision makers with considerations that may be taken into account when determining how existing international law applies to cyber activities.Footnote 1
Introduction
In November 2017, a new US military lawyer was deployed to an exercise designed to simulate large-scale combat operations against a near-peer adversary. Her unit's senior military attorneys were committed to operations elsewhere. As a result, and within a year of law school graduation, she served as the sole attorney advising the exercise-based combat operations of a Corps-level Joint Operations Center (JOC).Footnote 2 For three weeks, she monitored and advised on all operational activity in the Corps JOC across multiple domains of warfare, including the cyber domain.
That a junior military legal adviser would be called upon to advise at that level of command is extraordinary in the context of modern, law-saturated US military operations. While the exercise context explains the situation in significant part, these circumstances may closely resemble a new normal in tomorrow's wars. Anticipated increases in military sensing and targeting capabilities will place traditionally centralized command and control facilities and their large staffs at enormous, even intolerable risk.Footnote 3 Survival and success will require smaller, highly dispersed command elements that exercise widely delegated authority across every domain of war.
Future large-scale combat operations will also afford reduced opportunities for the exhaustive coordination and staffing, including legal support, that have characterized twenty-first-century warfare. To survive and win, States’ armed forces are likely to wrest control of strategic assets and their considerable effects from high-level, specialized organizations and disseminate them to lower, tactical-level units, commanders, and their staffs.Footnote 4 The dispersal and delegations that these developments require will have profound operational and legal implications for all domains of war,Footnote 5 but none more so than the cyber domain. Traditional models of command and control and legal oversight by large consolidated staff organizations may no longer be feasible or fit for purpose on the modern battlefield.
Simultaneously with dispersed command and authority delegation, US plans for near-future war envision significant integration of cyber operations into nearly every battlefield activity. Some of that near future is already unfolding in the ongoing conflicts in Ukraine and Gaza.Footnote 6 If previous practice had seen cyber operations and operators cloistered into national-level, domain-specific campaigns, ongoing military art and emerging US doctrine envision highly integrated and increasingly delegated cyber capabilities and operations. The Pentagon's shorthand for this integration and synchronization of its warfighting capabilities is “multi-domain operations”, or in US military circles, MDO.Footnote 7 It envisions the complete and seamless fusion of warfighting capabilities and lines of effort, including cyber operations, into a unified and mutually supporting enterprise of targeting.
This turn from a centralized and specialized model of cyber planning and execution toward a generalist model with greater operational integration will see a parallel shift in supporting legal expertise. Legal support to wartime cyber operations will migrate in significant part from large staff sections of comparatively specialized military cyber lawyers to smaller cadres of generalist law of war practitioners. While diligent and trusted staff members, these generalist military lawyers bring comparatively lower degrees of familiarity, experience and facility with the policies and legal intricacies that have formed US military cyber law practice. More so than their specialist counterparts, they will require and benefit from clear legal policy guidance across the entire spectrum of wartime cyber operations that their units will carry out.
However, existing US military legal resources for wartime cyber operations are sparse. This is particularly true of law of war rules applicable to operations characterized as below the jus in bello threshold of attack. Personal and recent publicly available experience indicate that operations below the attack threshold account for a significant portion of cyber operations during armed conflict. While US legal doctrine in that realm is thin and ambiguous, academic and humanitarian communities offer refined and increasingly progressive legal schemes for law of war (and other) regulation of non-attack cyber operations. The task of applying these progressive, often avant-garde legal analyses to actual operations is difficult and highly fraught. The extent to which they reflect lex lata as understood by States, and particularly by the United States, is often unclear.
A survey of emerging US cyber warfighting concepts evaluated against rudimentary legal guidance developed nearly a decade ago makes clear the need for updated wartime cyber law doctrine. As cyber capabilities and operations proliferate and are further integrated into US military units’ operational authority and organic capabilities, the advantages to staking out clear opinio juris on these matters extend beyond providing responsible and consistent operational law advice. Updated and authoritative military cyber legal doctrine will ensure effective planning and execution of US wartime cyber operations. It will also serve many strategic and diplomatic legal interests of the international legal system as a whole.
The cyber domain in armed conflict
The threats posed to States by cyber operations have been widely recognized since the turn of the last century. Meanwhile, cyber operations’ simultaneous potential to be effective lines of effort in States’ own campaigns is equally appreciated. In 1999, as a herald of the wartime role of cyber operations, the US Department of Defense (DoD) issued new legal guidance on information operations, including their cyber aspects.Footnote 8 By 2005, the DoD had formally recognized cyberspace as its fifth operational domain alongside land, sea, air and space.Footnote 9 In 2009, the US secretary of defence merged two defence organizations to form the national-level US Cyber Command.Footnote 10 And in 2018, the US president elevated Cyber Command to a unified combatant command, completing in large part the evolution of cyber operations into a full-fledged US warfighting function.Footnote 11
The United States’ largest alliance structure has largely followed suit. While the North Atlantic Treaty Organization (NATO) did not formally designate cyberspace as an operational domain until 2016, it recognized the role that cyber operations play in its security far earlier.Footnote 12 At its Prague Summit in 2002, NATO first identified cyber operations as a threat to the alliance.Footnote 13 In 2008, it accredited the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia as a hub for cyber wargaming and research on the technical, policy and legal aspects of cyber operations.Footnote 14 And by 2014, NATO recognized cyber attacks as a basis for the invocation of its collective self-defence provision.Footnote 15
Recognition of the threat that cyber capabilities pose to States and the private sector alike has rapidly increased. A 2024 threat report by CrowdStrike reflects a 60% global increase in the number of interactive intrusion campaigns by adversaries, with North America leading the surge.Footnote 16 The National Security Agency's 2023 cyber security report reflects similar trends, emphasizing a global landscape that is becoming more complex as technology advances.Footnote 17 The threat posed by cyber capabilities is no doubt becoming more common, more complex and more pervasive. In a word, cyber operations are now or will soon become ubiquitous in both everyday life as well as war.
Ongoing conflicts reinforce the point. Throughout the Ukraine–Russia conflict, both belligerents have used cyber capabilities to support and achieve their operational goals.Footnote 18 The second invasion phase of that conflict began with a massive and successful cyber operation against Viasat, an American satellite company that provided internet connections to much of Ukraine, with Russia using destructive wiper malware to disable and destroy Viasat modems and routers.Footnote 19 The operation launched just hours before the 2022 physical invasion. Since then, Moscow has worked persistently to disrupt Elon Musk's Starlink transmissions in Ukraine through cyber and kinetic means.Footnote 20 Similarly, both Israel and Hamas appear to rely on the cyber domain for military advantage in their ongoing conflict. From cyber attacks on the Israeli government and security sectors to widespread Israeli communications blackouts in the Gaza Strip, it is clear that the use of the cyber domain to achieve military advantage is more or less guaranteed in the wars of today and those of the future.Footnote 21
Cyber integration
Just as important as the fact of their wartime use is how armed forces will use cyber operations during armed conflict. Recently updated military doctrine confirms the merger and integration of a wide range of cyber operations into conventional military planning and concepts. Cyber operations are increasingly considered part of, rather than distinct from, the conventional capabilities that armed forces employ in war. US military doctrinal sources routinely refer to both “kinetic and non-kinetic … fires”.Footnote 22 The former category includes conventional strikes relying on releases of stored energy for effects, while the latter describes “actions designed to produce effects without the direct use of the force or energy of moving objects and directed energy sources”.Footnote 23 In practical terms, non-kinetic fires typically employ assets other than traditional weapons, including electromagnetic or cyber tools.Footnote 24
New US military doctrine directs commanders to integrate both forms of fires, kinetic and non-kinetic, in all domains of war under the guise of multi-domain operations.Footnote 25 A senior US leader recently lamented past failure in that respect, observing that “for the longest time we kept different types of fires (example, strike, info ops, and cyber) separated and compartmented and did not fully realize their interdependencies”.Footnote 26 Emerging doctrine on multi-domain operations seeks to remedy this defect. It demands complete and seamless integration of cyber capabilities and units into all combat operations.Footnote 27
A 2023 US Army publication, vaguely titled Information, provides important details concerning the integration of cyber forces, tools and operations into warfighting.Footnote 28 It aligns the Army's approach to the larger information realm with the US vision for multi-domain operations. It also elevates information activities and considerations from their former status as supporting aspects of conflict to full warfighting functions in their own right.Footnote 29 The publication summarizes the approach and instructs Army commanders to more clearly account for information capabilities and effects as follows:
Army forces employ information in combination with physical action to influence threat decision making and behavior. They attack threat data, information, and networks to influence threat perceptions and behavior and to affect the threat's ability to exercise command and control of its own forces.Footnote 30
The directive to “attack” as an information activity is particularly eye-catching. It reflects an active, even aggressive mindset toward information activities. Among four principles to guide pursuit of information advantage, the publication directs that actions be “offensively oriented”.Footnote 31 Offensive orientation envisions seizing and maintaining the initiative over enemy information activity, acting quickly against adversary information platforms and adapting rapidly to deprive enemy forces of potential information advantages.Footnote 32 At every turn, this new doctrine conditions commanders to think of information as part of, rather than as supporting, combat power – an integral part of the “total means of destructive and disruptive force that a military unit/formation can apply against an enemy”.Footnote 33 It instructs Army forces to “employ all relevant capabilities to attack threat data, information, and networks”.Footnote 34
A DoD-level publication offers a similarly broad and vigorous attitude toward information power. It characterizes information power as “the ability to exert one's will through the projection, exploitation, denial, and preservation of information”.Footnote 35 In a surprisingly frank though no doubt accurate assessment, the aforementioned Information document identifies “smartphones, the internet, and social media” as information platforms relevant to warfighting.Footnote 36 Both sources anticipate the same approach to information by US adversaries;Footnote 37 commanders are advised to anticipate that enemy “information warfare” attacks will target “data and information, telecommunications systems and infrastructure, population groups, and relevant actors”.Footnote 38
Other elaborations on the Information attack directive are worth attention for later legal consideration. First, extensive US and adversary reliance on cyberspace and electromagnetic spectrum (EMS)-reliant technologies explain the publication's emphasis on developing information attack capabilities.Footnote 39 Few States seem capable of fighting to their full potential in a cyber-degraded battlespace. Denying, disrupting, destroying or manipulating a broad range of the enemy's cyber and EMS systems (including, as noted above, “smartphones, the internet, and social media”), as well as the data they store and transmit, are attack priorities. Anticipated military advantages of these attacks include degrading adversary command and control and reducing an enemy's own information warfare capabilities.Footnote 40
Second, like generally applicable US targeting doctrine, information attack doctrine emphasizes effects over destruction for its own sake. In conjunction with kinetic targeting means, combinations of “electromagnetic attack, cyberspace attack … [and] classified capabilities” are intended to achieve adverse effects on an enemy's ability and will to resist.Footnote 41 Destruction, degradation or denial of a target system or data are of far less significance than the impact these actions have on enemy operations and the tactical, operational or strategic advantage they create. Targets may be selected not according to their nature but rather according to how the enemy uses or may use them. Beyond obvious enemy military assets, information attack doctrine identifies “cyberspace reconnaissance, social media exploitation, and collection of publicly available information” as important sources of adversary military advantage, the deprival or disruption of which produces significant military effects.Footnote 42
Finally, and importantly for the purposes of later discussion of international legal considerations, information doctrine uses the term “attack” broadly. Beyond the effect of destruction, US military thinking understands less severe effects such as disruption, degradation and manipulation as important attack effects.Footnote 43 Operations that produce immediate effects short of physical destruction, including jamming, manipulating content, slowing function or blocking access to adversary information assets, against a broad array of targets, are widely included in the ambit of information attack in US operational doctrine.
Dispersion
The maturation of the cyber domain as a full-fledged and integrated warfighting realm coincides with a revolution in US concepts of wartime command and control. The scale, pace and lethality of future large-scale combat operations are thought to require significant adjustments to the facilities and procedures that direct and supervise fighting units. Survival in an environment of omnipresent sensors and accurate long-range fires will require wide geographic dispersal of forces and headquarters. Military theorists assert that this form of fighting will demand an operational area so large that States’ armed forces cannot form for linear, continuous attacks; instead, effective operations will require the physical separation of forces and their headquarters in order to operate independently in smaller, cellular elements.Footnote 44
This non-linear, dispersed character of future warfare will greatly complicate communications and coordination between units and their respective headquarters.Footnote 45 Long-standing US doctrine has expected command and control systems to function in the setting of integrated and consolidated command posts.Footnote 46 Successful and effective command posts have been physically configured into large, consolidated facilities to ensure the efficient passage of information from one staff element to another. Newly updated doctrine, however, emphasizes command post scattering and mobility to avoid attack. The massive, centralized command posts seen in recent counter-insurgency and counterterrorism campaigns will not be tenable or able to survive in large-scale combat operations, owing in large part to the large electronic signatures they emit.Footnote 47 New doctrine emphasizes that the size of a command post directly affects its electronic signature, and acknowledges that large command posts present great physical and electromagnetic risk.Footnote 48 Physical dispersion to minimize electronic and other communications emissions is therefore required. And like their colleagues in the intelligence, operations and logistics staff sections, military legal practitioners and their commanders must prepare to function in a fractured version of command and control, facing communication challenges at a scale not seen in recent armed conflict.
Delegation
Distinct from – though related to – command dispersal is the notion of delegation. It is not widely appreciated that US military lawyers spend enormous amounts of time and energy analyzing and advising on sources of domestic operational and legal authority to conduct operations. Every command function and activity must be clearly grounded in an express source of command authority.Footnote 49 As noted above with respect to dispersion, emerging US command doctrine envisions planning, decision-making and fighting in significantly dispersed and even degraded environments, particularly with respect to information systems.Footnote 50 To rely on unified or national-level organizations to command forces and direct warfighting in this environment courts delay and disaster. Disruptions of communications will likely require delegations of both operational and legal authority to act quickly and decisively, including in the cyber domain.
For now, it appears that most States restrict authority to approve many cyber operations, particularly offensive cyber operations, to their highest levels of government.Footnote 51 For example, publicly available sources identify US approval authority for offensive cyber operations at the presidential level, unless specific operations are delegated to the secretary of defence.Footnote 52 Even recently updated US information doctrine does not clearly or publicly anticipate independent cyber operations authority at the brigade (approximately 3,000–5,000 soldiers) or lower levels.Footnote 53 To that end, commanders and their staffs are cautioned that coordinating for space and cyberspace capabilities often requires coordination and approval through the headquarters of several Army echelons.
Though they represent an understandably cautious approach considering the sensitive, interconnected and overwhelmingly civilian nature of cyberspace, these processes are often cumbersome and inefficient. While policies requiring high-level approval for cyber activity may be appropriate outside the context of armed conflict, the intensity and pace of modern warfare, particularly large-scale combat operations, seems likely to demand delegation to lower levels of command. Current authority structures are particularly at odds with the integration and synchronizations of kinetic and non-kinetic fires envisioned in emerging US multi-domain warfighting doctrine.
There are, however, signs that such adjustments to wartime cyber authorities may already be under way.Footnote 54 US targeting doctrine already instructs commanders to “gain authorities and permissions for Information Related Capabilities to broaden options”, and to “[b]e prepared to spend time gaining authorities and permissions for info-related capabilities”.Footnote 55 And the procedural vehicles for requesting such authorities are in place and well practiced by military lawyers – for example, US standing rules of engagement provide familiar and ready-made procedures for such delegations.Footnote 56
While responsive to the emerging demands of large-scale combat and multi-domain operations, in a legal sense, delegations of authority require that lower levels of command understand the application of international law to a broader operational range and in greater depth than previously. Together, the growth of States’ military cyber forces, clear doctrinal signals that cyber operations will be integral to warfighting, and greater delegation of authority to conduct cyber activities make a compelling case for renewed attention to how the law of armed conflict regulates cyber means and methods of war as well as the extent to which supporting legal doctrine is fit for that purpose.
US wartime cyber law doctrine
Early legal assessments of cyber military operations devoted significant attention to determining whether the law of war applied at all to the cyber realm.Footnote 57 The novelty and idiosyncrasies of the cyber domain, the historical settings of law of war formation, and political considerations had led some to resist the application of the law of war to activities in cyberspace.Footnote 58 However, the prevailing view, including that of the United States, now clearly holds that cyber means are fully capable of activating the law of war's “armed conflict” threshold and that its rules and principles regulate wartime resorts to cyber capabilities.Footnote 59
Attention – military, humanitarian and academic – has shifted to questions relating to how the law of war applies to cyber operations. Views are available from a range of sources and can be distinguished in large part according to the degree of determinacy they provide. For US military lawyers, the DoD Law of War Manual (DoD Manual) is the most comprehensive and influential source of law of war doctrine.Footnote 60 Its stated purpose is “to provide information on the law of war to DoD personnel”Footnote 61 – yet few if any US military lawyers can claim comprehensive familiarity with the DoD Manual. Its size and density prevent most judge advocates from full, rote knowledge of its guidance; instead, it serves (and was likely intended) as a work of reference to be consulted rather than internalized.
Despite its size and purpose, the DoD Manual leaves much unexplained.Footnote 62 For instance, because the United States has signed but not ratified Additional Protocols I and II to the 1949 Geneva Conventions, the legal basis for many rules applicable to the conduct of hostilities is not always entirely clear. Moreover, although the DoD Manual often expresses rules in language identical or similar to Additional Protocols I and II, it does not always indicate whether many of their provisions reflect customary international law.Footnote 63 The Manual also confines itself almost exclusively to rules derived from the law of war, a position that is not surprising in light of long-standing restrictive US legal policies concerning the applicability of other legal regimes, such as international human rights law, to armed conflict.Footnote 64
Prominent among the DoD Manual's chapters addressing specialized realms of warfighting – including those on the sea, in space and in the air – is its cyber operations chapter.Footnote 65 This chapter materialized shortly after US recognition of cyberspace as an operational domain,Footnote 66 yet, even at the date of its publication, it was clear that the Manual had left pressing questions concerning international law and cyber operations unaddressed.Footnote 67 Likely owing to the still-nascent condition of State cyber practice, the DoD Manual declined to stake out meaningful positions on a number of cyber-related legal issues. And although DoD has updated and reissued the Manual three times since 2015, it has made no substantive changes to the cyber operations chapter.Footnote 68
The DoD Manual often declines to offer the doctrinal detail or precision found in other legal resources. Modern judicial decisions, humanitarian organizations’ publications and academic law of war scholarship often greatly exceed the Manual in terms of detail and interpretation.Footnote 69 By comparison with these sources, the Manual frequently preserves a high degree of legal indeterminacy. That observation is particularly true of the Manual's cyber chapter, which observes that
[p]recisely how the law of war applies to cyber operations is not well-settled, and aspects of the law in this area are likely to continue to develop, especially as new cyber capabilities are developed and States determine their views in response to such developments.Footnote 70
The law of war attack threshold
Prominent among these “how” questions is the translation of the important law of war notion of “attack” to the cyber context. The law of war now offers a highly refined regulatory regime for operations that amount to attack. While it is tempting to apply these rules outside the context of attack, doing so as a matter of law risks profound legal error. Indeed, no step toward identifying the correct legal framework for a wartime cyber operations may be more important than the attack/non-attack determination.
At its outset, the DoD Manual's cyber chapter helpfully reminds readers that operations colloquially termed “cyber attacks” are not necessarily attacks for law of war purposes. Casual resort to the term “cyber attack” as a generic reference to any manner of malicious activity or event in cyberspace abounds in news media and even in technical and doctrinal publications. Thus, the Manual offers several examples of malicious though sub-attack cyber operations, including “defacement of websites, network intrusions, the theft of private information, or the disruption of … internet services”.Footnote 71 Cataloguing other examples of military cyber operations that may not amount to attacks under the law of war, the Manual offers
reconnaissance (e.g., mapping a network), seizure of supporting positions (e.g., securing access to key network systems or nodes), and pre-emplacement of capabilities or weapons (e.g., implanting cyber access tools or malicious code). In addition, cyber operations may be a method of acquiring foreign intelligence unrelated to specific military objectives, such as understanding technological developments or gaining information about an adversary's military capabilities and intent.Footnote 72
These examples make the important operational point that non-attack cyber activities are essential and expected facets of modern warfighting. They also illustrate that a wide range of cyber activities during warfare may be conducted free from the legal restraints applicable to de jure attacks.
To that end, the DoD Manual's cyber chapter repeatedly emphasizes the attack threshold as a critical step in legal analysis of cyber operations. It first instructs that cyber operations amounting to attack must comply with law of war targeting rules, including those of distinction and proportionality.Footnote 73 The chapter indicates that a cyber attack which destroys enemy computer systems would be unlawful if directed against civilian objects, including cyber infrastructure.Footnote 74 In its simplest expression, the rule of distinction requires that belligerents only direct attacks at combatants and persons taking direct part in hostilities,Footnote 75 and that they not attack other persons. With respect to objects, the rule requires belligerents to limit attacks to military objectives, and to spare civilian objects. It is perhaps the most important rule of the law of war, an assessment reinforced by the Additional Protocol I (AP I) article that codifies the rule for that instrument's States Parties, entitled “Basic Rule”.Footnote 76
While indeed fundamental, the obligation to distinguish combatants from civilians and military objectives from civilian objects does not apply to all wartime conduct. Any number of presumably non-attack military activities may be lawfully directed at either civilians or civilian objects during war. These include, to name only a few, intelligence collection, internment, search, requisition, confiscation, psychological operations, and electronic and other communication jamming.
Yet curiously, the DoD Manual's cyber chapter offers no cyber-specific criteria for distinguishing attack from non-attack operations. It instead provides a cross-reference to the Manual's general discussion of the law of war attack threshold. And although that section addresses attack terminology, including phrases such as “object of attack”, “direct attack” and “intentional attack”, it offers no clarification on the term “attack” itself.Footnote 77
While the cyber chapter lacks cyber-specific, positive criteria for assessing whether cyber activity amounts to attack, to its credit, a negative definition of sorts can be discerned from the chapter. A section addressing non-attack cyber operations concludes that operations resulting only in reversible or temporary effects do not amount to attacks. It further identifies defacements, disruptions of service, interference with communication, and propaganda as non-attack cyber operations. Importantly, the section indicates that such operations, and presumably any other non-attack cyber activity, “need not be directed at military objects, and may be directed at civilians or civilian objects”.Footnote 78 It immediately adds, however, that such operations “must not be directed against enemy civilians or civilian objects unless the operations are militarily necessary”.Footnote 79
Recent academic literature on the attack threshold in cyber contexts reveals that the DoD Manual's cyber chapter has left much unaddressed. For instance, in its chapter on conduct of hostilities, the Tallinn Manual 2.0 on International Law Applicable to Cyber Operations (Tallinn Manual 2.0) offers extensive analysis of law of war attack rules.Footnote 80 Although not a NATO- or State-endorsed product, the Tallinn Manual 2.0 has been highly influential. Many views offered in it, including minority views of the group that drafted it, have found expression in subsequent State expression on international law and cyber operations.Footnote 81
The Tallinn Manual 2.0 addresses in detail cyber attacks against persons and against objects, and precautionary rules applicable to attack. Concerning the notion of “attack” itself, it recites Article 49(1) of AP I, emphasizing especially the element of violence. According to the Tallinn Manual, violence extends beyond the release of kinetic force to include means involving and effects resulting from cyber operations. The Manual maintains that violence resulting from a cyber operation in the form of death, injury, destruction or damage is sufficient to amount to an attack.Footnote 82
However, the Tallinn Manual 2.0's group of experts was split on important questions relating to the attack threshold. For instance, the group agreed that operations against data which in turn foreseeably produce physically destructive effects qualify as attacks.Footnote 83 Still, whether cyber operations that confine destruction or damage to data, as such, amount to attacks produced a range of opinions. A majority concluded that they do not because data are “intangible” and do not fall within the plain meaning of the term “object”.Footnote 84 The question of whether cyber operations that merely affect functionality of target systems amount to attacks also produced a variety of opinions, with a minority of the experts concluding that they do not.Footnote 85 And while the majority of experts concluded that effects on functionality may satisfy the violence element of the attack threshold, that majority was split on more specific questions relating to the nature and degree of function loss and the remedial measures required to restore functioning.Footnote 86 Meanwhile, a growing body of academic and humanitarian scholarship has similarly staked out a wide range of views, many quite expansive, on cyber operations and the law of war attack threshold.Footnote 87
Likely prompted by these private writings, as well as by mounting operational experience, many States, including US allies, have offered refined views on cyber operations and the attack threshold.Footnote 88 For example, Israel recently expressed the view that only cyber operations resulting in physical damage meet the violence element of the law of war attack threshold.Footnote 89 France, by contrast, offers a broad interpretation of cyber operations amounting to attack. Its Ministry of Armies’ recent statement on international law and cyberspace maintains that if targets “no longer provide the service for which they were implemented, whether temporarily or permanently, reversible or not”, the cyber operation that produced these effects amounts to an attack.Footnote 90 For its part, Australia has offered an ambiguous position, simply instructing its forces that cyber activity may amount to attack if “it rises to the same threshold as a kinetic ‘attack’”. That view has prompted some to presume that effects on functionality or that require repair notwithstanding lack of physical damage amount to attack under the Australian view;Footnote 91 a contrary conclusion, however, cannot be ruled out.
A slew of other law of war rules accompanies and supports the rule of distinction. Like the rule itself, however, each is usually understood only to apply to operations amounting to attack. A particularly important though problematic rule is the obligation to take feasible precautions.Footnote 92 The DoD Manual's cyber chapter offers unclear advice concerning this duty; precautions are a ruleset usually associated with the law of war attack regime, but the cyber chapter may suggest to some readers that precautions apply to “cyber operations” rather than only to cyber attacks. Two readings of the relevant section are possible.
By the first and perhaps plainest reading, the chapter's choice of the term “cyber operations” rather than “attacks” is understood to be deliberate and to indicate that all cyber operations, including those that do not amount to attack, require law of war precautions. As noted previously, US cyber operational doctrine views influencing the entirety of the information sphere as relevant to multi-domain operations. Such wartime cyber operations could foreseeably affect and even harm civilians and civilian objects. The urge to recognize a legal duty to take precautions to mitigate harmful effects on civilians during such operations, including an obligation to minimize incidental cyber effects, is understandable.
By the second reading, however, the DoD Manual's cyber chapter could be understood to indicate that all cyber operations merely require consideration as to whether precautions apply as determined by the chapter's preceding guidance on the attack threshold. This latter reading is preferred. It is consistent with the chapter's preceding insistence that attack rules only apply to operations amounting to attack, and it also better aligns with the chapter's succeeding two examples of precautions in a cyber context, both of which refer to “attack”.Footnote 93 The narrow reading also tracks well with that section's instruction that precautions “should”, as opposed to “must”, be applied to cyber operations.Footnote 94 Additionally, the DoD Manual's general chapter on conduct of hostilities applies the term “must” with respect to precautions in attack and the term “should” with respect to precautions in kinetic non-attack activities of destroying or seizing enemy property already under one's control.Footnote 95 Finally, this narrow reading comports well with the October 2014 US statement to the United Nations Group of Governmental Experts indicating that the precaution of reducing incidental effects applies to death, injury and damage to civilians and civilian objects, effects usually indicative of an attack.Footnote 96 All the same, it would be helpful if the DoD Manual's cyber chapter were to include a clearer expression and cyber-specific comment on precautions with respect to non-attack activities.
The non-attack legal framework
In armed conflict, the number and nature of rules applicable to attack operations differs significantly from operations below that threshold, as does States’ doctrinal legal guidance. To its credit, the DoD Manual's cyber chapter makes clear that law of war rules applicable to non-forcible means or methods of hostilities regulate non-attack cyber operations. The chapter cites and cross-references the Manual's general sections addressing destruction and seizure of enemy property in this regard.Footnote 97 However, the extent to which cyber operations can be analogized to such conventional wartime acts effectively and consistently by military lawyers is cause for concern. The cyber chapter acknowledges as much when it observes that
[c]ertain cyber operations may not have a clear kinetic parallel in terms of their capabilities and the effects they create. Such operations may have implications that are quite different from those presented by attacks using traditional weapons, and those different implications may well yield different conclusions.Footnote 98
Destruction and seizure
Destruction and seizure of enemy property, as well as requisition and confiscation during belligerent occupation, implicate succinct, almost cursory law of war rules. The Hague Regulations of 1907 simply state that the destruction or seizure of enemy property is forbidden unless doing so is required by imperative military necessity.Footnote 99 Other law of war instruments address destruction and seizure in similarly svelte provisions. Destruction or seizure may amount to a war crime or grave breach of the 1949 Geneva Conventions when “not justified by military necessity and carried out unlawfully and wantonly”, and when undertaken against property protected under one of the four Conventions.Footnote 100 The Rome Statute of the International Criminal Court similarly prohibits “[d]estroying or seizing the enemy's property unless such destruction or seizure be imperatively demanded by the necessities of war”.Footnote 101
Despite its earlier reference to destruction and seizure as relevant to non-attack cyber operations, the DoD Manual's cyber chapter offers no cyber-specific guidance on either of the above-mentioned rules of the Hague and Geneva Conventions. Instead, it cross references the Manual's general chapter on conduct of hostilities.Footnote 102 That section offers select elaborations on the rules of seizure and destruction. First, it re-emphasizes that both seizure and destruction must be “imperatively demanded by the necessities of war”.Footnote 103 The imperative necessity standard is usually distinguished from that of mere necessity. The Manual earlier clarifies that law of war references to imperative or absolute military necessity, versus mere military necessity, “must not be conflated with mere convenience”, suggesting an elevated or heightened standard for the former.Footnote 104 Imperative demand may be understood to require that no other option is available to achieve the same or similar military advantage.Footnote 105
Importantly, the section leaves unaddressed the question of what acts constitute either destruction or seizure. This omission is perhaps understandable in the physical realm for which the section was written, where each act is relatively easily discerned with respect to physical objects and property. However, the question of whether many of the cyber acts that emerging doctrine counsels commanders to direct at adversary information capacity – including disruption, degrading, manipulation, rerouting and interception of communications and data – amount to destruction or seizure is unaddressed by either the general conduct of hostilities chapter or the cyber chapter, and therefore remains unclear.
Destruction, as a law of war term of art, is distinct from violence associated with attack, notwithstanding that the effects or consequences of destruction and attack may in fact be otherwise indistinguishable.Footnote 106 In fact, control of property is a critical concept in destruction – it is what distinguishes the violence prerequisite of attack from the violence inherent in destruction. The violence associated with the former is intended to deprive an adversary of control over an object or location,Footnote 107 whereas violence associated with the latter is usually understood to take place out of contact with the enemy and only against objects under a force's own control. The rules applicable to each activity are distinct and depend for their operation on an acute understanding of context. Similarly, physical control, usually to the exclusion of another, is the essence of seizure of property under the law of war.
As with so many concepts transposed from the physical to the cyber realm, however, defining and identifying cyber control can be complicated and thorny. Under what circumstances armed forces can be said to exercise control for purposes of distinguishing destruction from attack is particularly difficult to discern. Some cyber operations may undoubtedly give an armed force effective control over enemy infrastructure or data. That control may be highly analogous, for instance with respect to exclusion of enemy access or use, to the physical control that establishes conditions to which law of war destruction rules apply. Yet the DoD Manual's cyber chapter includes no cyber-specific guidance on control, either for purposes of law of war destruction analysis or otherwise.
The concept of seizure presents similar complications when applied to the cyber realm. It generally refers to the taking of a person or of property. As distinct from confiscation, seizure does not include a transfer of ownership rights.Footnote 108 Yet as noted previously, the DoD Manual offers examples of non-attack cyber activities involving “reversible or temporary effects” aimed at denying the enemy access to cyber infrastructure or data. Such operations could reasonably be equated to law of war seizures.Footnote 109 If so, denials of access to adversary digital property may be considered justified only by imperative military necessity.
For its part, the Tallinn Manual 2.0 confines treatment of seizure largely to settings of belligerent occupation.Footnote 110 Other sources, most notably the military legal manuals of important US allies, take a broader approach: some signal application of law of war rules governing seizure during the invasion phases of armed conflict.Footnote 111
Finally, the DoD Manual's cyber chapter leaves unclear how exactly to conceive of the notion of property in reviews of wartime cyber operations.Footnote 112 Cyberspace is widely understood to be comprised of three interrelated layers: physical, logical and cyber-persona.Footnote 113 While defining property in the physical layer of cyberspace is not difficult (servers, wires, etc.), defining property in the logical layer can be complicated. The logical layer is inherently intangible, and workable, universally useful legal definitions are elusive.Footnote 114 While the instinct to analogize cyber phenomena, including aspects of the logical layer, to the physical world is understandable, clear evidence of States’ intent to do so for legal purposes remains important, particularly for military legal advisers during armed conflict.
Constant care?
Lastly concerning putative non-attack rules, Article 57(1) of AP I states that “[i]n the conduct of military operations, constant care shall be taken to spare the civilian population, civilians and civilian objects”.Footnote 115 A notoriously ambiguous provision, constant care has gained recent traction in law of war academic circles. In light of its generalized wording, some interpret its obligations as merely aspirational.Footnote 116 They argue that the constant care passage must be read in conjunction with the remainder of Article 57, comprised of rules that solely govern attacks.Footnote 117 That context, combined with the fact that the article title of Article 57 refers to “Precautions in Attack”, leads proponents of this restrictive position to conclude that constant care only applies in the attack setting.Footnote 118
However, a robust and growing body of private scholarship understands the constant care obligation more broadly. For example, the International Committee of the Red Cross (ICRC) considers that the use of the word “shall” indicates that this provision is binding on States party to AP I independently of the remainder of Article 57.Footnote 119 Moreover, the ICRC commentary to the article emphasizes that the words “military operations” in paragraph (1) should be understood to refer to “any movements, manoeuvres, and other activities whatsoever carried out by the armed forces with a view to combat”.Footnote 120 The reference to “military operations” stands in contrast to the repeated “attack” references in paragraphs 2–5 of Article 57, indicating the former's application to “all domains of warfare and all levels of operations”.Footnote 121
Others in academia, including with respect to the cyber domain, also understand the rule of constant care as a “standalone” obligation.Footnote 122 The rule's expansive, continuous application to all military activities suggests to some that it should be extended beyond foreseeable physical harm and should apply to the protection from being subject to arbitrary interference with aspects of personal life and privacy.Footnote 123 Many States party to AP I directly support such an expansive view of constant care: for example, the United Kingdom considers “military operations”, as the phrase appears in the constant care rule, to include even movements and deployments of armed forces.Footnote 124 The United Kingdom explains that “the commander will have to bear in mind the effect on the civilian population of what he is planning to do and take steps to reduce that effect as much as possible”.Footnote 125
For its part, the DoD Manual largely elides the notion of constant care. It includes no reference to constant care in its cyber chapter, and its general coverage of feasible precautions offers only a single concluding passage on constant care, framed in the third person with respect to AP I States Parties. The Manual simply notes: “Parties to AP I have agreed that ‘[i]n the conduct of military operations, constant care shall be taken ….’ [They] may … interpret it in a manner consistent with the discussion in this section [on precautions].”Footnote 126
In fairness, this summary treatment is in many respects justifiable. First, the United States, though a signatory State, is not a State party to AP I. Second, the DoD Manual seems to anticipate that much of what the constant care obligation amounts to is required by the feasible precautions obligation, covered in significant detail elsewhere in the Manual. Of course, that view does not account for the expansive understandings of constant care described previously. Third, many of the emerging and broad views of the constant care obligation, particularly concerning its cyber applications, post-date publication of the DoD Manual's cyber chapter. Last, it is likely that much of the protective work performed by the treaty-based constant care rule is understood by the United States to coincide with the broad regulatory functions that law of war principles perform. One of the present authors has previously commented elsewhere on the Manual's extensive treatment of law of war principles, including their binding character and role in regulating battlefield conduct.Footnote 127 Addressing cyber operations, the Manual advises that when no specific law of war rule applies, law of war principles guide conduct during wartime cyber operations.Footnote 128 All the same, an explicit and unequivocal evaluation as to whether the rule of constant care obligation reflects a customary obligation in any form owed by US forces would be a constructive addition to the cyber chapter.
Concluding thoughts
On its initial publication, the cyber chapter of the DoD Manual was perhaps the right product for its time. It provided US military lawyers with an initial outline of international legal subjects relevant to emerging cyber operations, and it simultaneously accounted for the fledgling character of State cyber practice, particularly in war. The cyber chapter wisely reserved for later development many, if not most, interpretations of precisely how law of war rules operate with respect to wartime cyber activities.
Much has changed, however, since initial publication of the cyber chapter. Private manuals, scholarship and commentary have proffered greatly expanded analyses of concepts skimmed over by the chapter, including the law of war attack threshold, non-attack rules on destruction and seizure, and the putative constant care obligation. Instructing military lawyers to analogize to the physical contexts for which those rules were initially designed proved a useful start to adapting the law of war to cyberspace. However, it seems the broader law of war community, including many States, has matured beyond these analogies, advocating and adopting cyber-specific understandings of important law of war rules. Writings exist on the benefits and imperative of States contributing clear opinio juris to the greater law of war dialogue.Footnote 129 Those arguments apply with equal force to the operational cyber contexts described in this article, including command dispersion, delegation, and integrations of fires.
Debate concerning the attack threshold and applicability of attack-related rules to cyber operations is not merely academic – for instance, lack of consensus concerning operation of the attack definition in cyber operations prevented NATO from addressing the issue in a recent allied joint publication.Footnote 130 More important than keeping pace or competing with private and academic views, however, is ensuring that US military legal guidance keeps pace with the cyber operational picture. The cyber domain has matured greatly, both in technical and military doctrinal terms, since the initial publication of the cyber chapter. No longer a sideshow or supporting effort to warfighting, cyber operations and the cyber domain are becoming integral facets of the complex multi-domain sphere of war. The full integration of cyber operations into targeting processes ensures that such operations will be featured more regularly, against more objectives, and producing a wider range of effects than previously. Combined with the dispersion of forces and delegations of authority required by large-scale combat operations, the imperative to publish clear and up-to-date cyber legal doctrine is compelling.
It is easy, even for those indoctrinated to military dialect and culture, to discount large-scale combat operations, multi-domain operations and their accompanying concepts and doctrine, including integration, synchronization, command dispersal and delegation, as more Pentagon babble. But historically, the law of war has relied for its effectiveness on regular evolution and adaptation to changes in the character of war as expressed in military doctrine and practice in war. The emergence and maturation of cyberspace as a domain of warfare has in many ways outpaced law of war doctrine. States, including the United States, have shown little appetite for the sorts of deliberate and focused law-making efforts that have previously kept the law of war current and relevant. Meanwhile, much legal guidance that applies the existing law of war to wartime cyber operations rests on ambiguous platitudes and strained analogies that do not account for the operational realities of this most complex domain.
The mantra that “the law of war applies to all cyber operations” is no longer sufficient. This chant is void of the practical guidance that decision-makers require to confidently and legally manoeuvre in cyberspace. To remain on-pace with this domain and arm military advisers with the necessary legal tools, the United States must adapt law of war cyber doctrine to the realities of current and future warfare. Cyber will not wait; we must catch up.