Recently, the EastWest Institute held a conference that, among other topics, considered possible “markers” for cyber warfare. As they described the potential problem, “The Geneva and Hague Conventions direct that protected entities, protected personnel and protected assets [such as doctors, ambulances, or hospitals] be marked in a clearly visible and distinctive way [e.g., with a red cross]. However, there are no distinctive, clearly visible, markers in cyberspace for such entities, personnel or related assets.”
Even though military and civilian entities are deeply intertwined in cyberspace, this problem may fortunately be neither as pressing nor as stark as feared. There are four reasons for this: the Geneva Conventions would not cover typical “hacking,” there are already existing markers, state practice seems to be already constrained, and military attacks may not rely heavily on the Internet. Let us look at each in turn.
First, International Humanitarian Law (also called the Laws of Armed Conflict), of which the Geneva Convention is a cornerstone, does not apply to the typical hacking, criminal intrusions, or even state-sponsored espionage which are today’s most significant information security concerns.
IHL typically applies to international armed conflict, “all cases of declared war or to any other armed conflict which may arise between two or more of the High Contracting parties.” In a detailed analysis for the National Research Council, Michael Schmitt, a noted lawyer specializing in cyber conflict issues, wrote that the “mainstream” view is that “non-destructive computer network exploitation, espionage, denial of service attacks and other actions would not initiate an armed conflict.”
According to Schmitt, to qualify as an armed attack, “the destruction of or damage to the data would have to result in physical consequences, as in causing a generator to overheat and catch fire or rendering a train or subway uncontrollable such that it crashed.” Accordingly, the Geneva Convention would only cover the most significant attacks, equivalent to the destruction or disruption caused by kinetic military weapons.
IHL can also cover non-international conflicts; however, according to Schmitt, it would be “exceptionally difficult for cyber operations standing alone to rise to the level of non-international armed conflict.” Again, even if a state used cyber operations against internal dissidents or rebels, the Geneva Convention would not apply.
The Geneva Conventions would therefore only apply if a nation conducted cyber attacks that equaled the destructive power of kinetic attacks or were used alongside such attacks. This excludes nearly every attack, intrusion, or hack yet seen in the history of cyber conflict. Arguably, these criteria have only been met once, during the 2008 war between Russia and Georgia, and even then, only if the cyber attacks were directed by the Russian government.
Second, contrary to the notion that there are “no distinctive, clearly visible, markers in cyberspace,” markers exist in many forms, the most obvious being domain names, Whois records, or webpages. Adversaries, whether national militaries or young hoodlums, cannot help but notice if their intended target is in a top-level domain ending in .museum or .edu – just a few of the domains extremely unlikely to contain legitimate military targets. Any person or organization wanting an Internet domain name is required to provide contact information to the Whois database allowing anyone to check the registration. While this information is often lacking or out of date, it is both universally known within the cyber community and indeed routinely checked by both attackers and defenders in cyberspace. A last obvious marker is the website itself, which should clearly indicate if it represents a legitimate military target. Of course, none of these markers are perfect, but they are already in place and part of the normal functioning of cyberspace.
Third, existing state policy and practice seem to generally respect these markers (or at least notice them) in order to discriminate between military and civilian targets.
Both the United States and the United Kingdom have committed to following the laws of armed conflict and discriminating between protected and non-protected targets per the Geneva Convention. (Keep in mind that, as noted above, espionage does not fall under IHL and is certainly well practiced by states and others.)
Is this policy matched by state practice? The evidence is mixed but promising.
Unfortunately, the popular view of military cyber attack as “hacking” has given a false sense that militaries will flail around like a teenage hacker in a Mountain Dew-fueled rage looking for any vulnerable computers that might belong to a possible adversary. This is far from the case. Achieving offensive military effects in cyberspace is rather a precise application of non-kinetic capabilities. Western militaries, at least, seem to want the precise effects of careful aim in cyberspace just as they do in kinetic warfare.
One reason for the precision and caution is that, as noted by the National Research Council, “Cyberattacks are often very complex to plan and execute” and “collateral damage and damage assessment of a cyberattack may be very difficult to estimate.” In one of the few real military cyber operations known to the public, according to the Washington Post, the U.S. military planned and conducted a takedown of a Saudi-based website hosting a forum for extremists but “inadvertently disrupted more than 300 servers in Saudi Arabia, Germany and Texas.” Apparently, Britain’s MI6 has had more success, replacing a bomb-making recipe with one for cupcakes, according to recent press reports.
And while Stuxnet, another possible example of a state-sponsored attack, is concerning for many reasons, the specialists who created it took tremendous care to ensure it would discriminate, only causing destruction to an exceptionally small range of targets: nuclear facilities in Iran.
Some non-state attackers – the so-called advanced persistent threats – also are very deliberate in their choice of targets. They know what they want and have a good idea of where to get it, having resources, patience, and motivation.
Of course, not all adversaries, even those linked to states, are so discriminating. One previously mentioned possible example is the cyber attacks, apparently by proxies, during the war between Russia and Georgia. Legitimate government or dual-use targets (such as government web sites) were struck in addition to targets unlikely to be legitimate, including “Georgian financial institutions, business associations, [and] educational institutions” according to the U.S. Cyber Consequences Unit. Even so, these targets were not necessarily hit out of ignorance because of an absence of markers: it is possible, perhaps even likely, the attackers knew they were hitting protected targets. This is likely also the case in purported cases of North Korean or Chinese government incidents.
Fourth, it is a misperception that military targets will be on the Internet since that is the portion of cyberspace most familiar to us. However, to achieve operationally significant non-kinetic effects, militaries will typically have to target industrial control systems (e.g., SCADA) or closed battlefield systems (e.g., missile fire-control systems) which are not yet highly connected to the public Internet. Markers for these systems are likely unnecessary as an adversary that gets to them either (a) took a significant amount of time and resources to locate them in the first place or (b) can identify them relatively quickly after the initial intrusion.
Moving Forward: For these reasons, the need for new IHL-relevant markers for cyber conflict may not be pressing. That said, the EastWest Institute’s process is worthwhile, on the right track and can help in at least three concrete ways:
- As discussed in this blog, there is much confusion about the scope of the markers issue. A global conversation can help clear away many of the misperceptions.
- To be complete, IHL protections should cover not only the information systems of protected entities but also their communications traffic and data, which could easily be taken down by careless military attacks against network nodes or data centers. Yet concern for traffic and data has not yet been fully part of the discussion and will need to be folded into the EWI process.
- Quick progress is possible by more fully developing a list of existing markers and whether these would usually mark legitimate, dual-use, or protected targets. For example, any targets in a .mil domain are likely to be legitimate, those in .museum would not. (“Restricted” top-level domains – such as a proposed .bank domain, available only to registered financial institutions – would make for even clearer markers.) It would be relatively simple to so categorize all top-level domains. With that completed and agreed to, other quick wins may become rapidly apparent.
Markers for cyber conflict are important, since civilian and military targets are entangled. However, as this blog has argued, it may not be an immediately pressing issue. Either way, the existing process is a productive way to bring together participants from many countries and backgrounds to both make progress on markers and highlight the need for Geneva Protections to apply to cyber conflict.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber issues on Twitter, @Jason_Healey.