The Code to Being Human: Cyber Warfare and International Humanitarian Law

International Humanitarian Law, also known as the 'Law of Armed Conflict' or 'Law of War', regulates the forces involved in warfare. IHL corresponds with Jus in Bello (during the war), i.e. it focuses on minimising the damage in armed conflict, supporting civilians, eliminating hostiles, and providing care to the victims of war. Jus in Bello and Jus ad Bellum (conditions under which one can wage war) are the two pillars of law governing all aspects of IHL.

The humanitarian provision covers the conduct of all military operations, protection of prisoners of war, detainees and civilians.

IHL was first introduced in Europe by a young businessman from Geneva called Henry Dunant. While he was passing through Europe in 1859, he witnessed the Battle of Solferino, where he saw the different horrors of war and the plight of soldiers and other combatants. IHL includes the Hague Law, which talks about the limitations of weapons and the law governing hostilities, and the Geneva Convention, which protects persons in armed conflict, i.e. soldiers, detainees, and medical personnel. IHL can thereby be defined as a "set of rules that seek to limit the humanitarian consequences of armed conflicts."

Keywords: International Humanitarian Law, Geneva Convention, Hague Convention, Cyberwarfare, Human Rights, Drone Attacks.

The emergence of cyberspace in the modern era of technology is a new warfighting domain giving rise to many challenges governing armed conflicts in several aspects. The International Committee of the Red Cross (ICRC) defines IHL as a"set of rules which seek, for humanitarian reasons, to limit the effects of armed conflict." It protects those who are not or are no longer involved in hostilities and limits the means and tactics of combat.

When dealing with IHL, it is critical to distinguish between the Jus ad Bellum, which governs when nations can go to war, and the Jus in Bello, which heads how states conduct themselves during a war. International Law regulates the use of force under Jus ad Bellum under the UN Charter Articles 2(4) and 51. A cyber-strike that damages will trigger IHL.

Nevertheless, the damage must be severe enough for the 'scale and consequences' to successfully trigger an armed attack under the Jus ad Bellum. There is no legal provision in any of the conventions or in IHL that explicitly forbids such warfare. When implementing IHL to an International armed conflict, some disconnection is observed between the treaty law and the state practice.

Modern IHL has a couple of legal principles that govern all its laws.

  1. Principle of Military Necessity, and

  2. Principle of Humanity.

The principle of military necessity allows the use of force necessary to achieve the military objective, but with limits, to the expenditure of life and resources. The principle of humanity prohibits the infliction of suffering or destruction, which would be unnecessary to win the war. IHL also has four operational codes that are embodied in all its laws. They are the principles of distinction, proportionality, precautions, and unnecessary suffering.

IHL is a specific field in international law that applies only if an armed conflict exists. It does not investigate whether the use of force by one state on another is lawful, but it applies only after a state has used force. However, it is not the only body of law that applies to armed conflict as even Human Rights Law (HRL) applies to armed conflict. IHL was conceived as the legal regime which limited the behaviour of parties in war-like situations.

Cyber Space

The first case of International Cyber Warfare was reported during a protest to destroy the Statue of the Bronze in Estonia (2007). Following which NATO got interested in the importance of global cyber warfare. This case is often referred to as Web War-I. Cyberspace is more than the 'World Wide Web' (the 'Internet'); the Internet is merely the open portion of a much broader virtual reality known as cyberspace. Individuals or groups launch cyber-attacks against networks or data in cyberspace with the intent of destabilising or corrupting digital systems. Applying IHL does not authorise cyber warfare any more than any other kind of combat. Restricting cyber activity during armed conflict does not inherently legalise or make hostile cyber operations legal. We have repeatedly heard the fear of a possible legitimisation of conflict, in our more than 150-year experience, engaging in intergovernmental talks regarding war.

Traditional geographic boundaries have been eliminated in cyberspace. States, organisations, and individuals are linked by massive, interconnected networks that rapidly transmit information and data. The application of the Law of Armed Conflict to cyber-attacks is stated in Rule 20 of the Tallinn Manual, which states that "cyber operations carried out in the context of an armed conflict are subject to the law of armed conflict." In Rules 22 and 23, the experts distinguish between international armed conflict cyber-attacks and non-international armed conflict cyber-attacks. Geneva Protocol II, 1977 indicates that "it shall not apply to situations of internal disturbances and tensions, such as riots, isolated and intermittent acts of violence, and other acts of a similar nature" in non-international armed conflicts.

If a cyber-operation is classified as an "attack" under Article 49 of Additional Protocol I, IHL will be applied. According to Article 49, "acts of violence against the enemy, whether in offence or defence," constitute an attack. As cyber operations are new technological advances, the drafters of the four Geneva Conventions and their Additional Protocols did not have them in mind when they drafted the individual treaties. The 'Martens Clause,' based on customary international law, ensures that no conduct in an armed conflict goes unregulated by IHL. It does not exclude IHL from being relevant to cyber operations.

The 'Martens Clause' is included in the GCs 50 and in Article 1(2) of the Additional Protocol I, which states, "in cases not covered by this Protocol or by other international agreements, civilians and combatants remain subject to the protection and authority of the principles of international law derived from established custom, human rights principles, and public conscience dictates."

Principle of Distinction in Cyberspace

The Jus in Bello concept of distinction establishes rules governing which targets can and cannot be attacked in times of war. According to Article 48 of Additional Protocol I to the Geneva Conventions, "the parties to the conflict shall at all times aim their activities solely at military objectives." This distinguishing principle is applied to cyber-attacks in Rule 31 of the Tallinn Manual. It is necessary to note that a cyber-attack must be an 'attack' against a civilian target to be prohibited under this principle; just sending email messages to civilian populations does not constitute a violation of this norm because it does not fulfil the definition of an attack.

Tallinn Manual on Cyber Warfare

Tallinn Manual is a non-binding document prepared by an International Group of Experts (IGE). In 2009, the NATO Cooperative Cyber Defense Centre of Excellence (NATO CCDCOE) selected IGE to draft a law governing cyberwarfare around the globe. Michael N. Schmitt led the drafters, who chaired the international law department at the U.S. Naval War College. The team consisted of a mix of well-established practitioners, academics, and technical experts in the field. The team also had some observers from NATO's Allied Command Transformation, U.S Cyber Command, and ICRC. In this regard, the Tallinn Manual provides some intriguing views. The Tallinn manual provides a judicious analysis of the Jus ad Bellum and Jus in Bello relating to cyberspace, along with other critical aspects that are to be resolved through state practice and debate. The Tallinn Manual is intended to bring "some degree of clarity to the complex legal concerns surrounding cyber operations", explicitly describing "the applicable lex lata, that is, the law now governing cyber conflict," rather than "lex ferenda, best practice, or preferred policy."

The Manual consists of ninety-five black letter rules accompanied by commentaries relating to the topic. Part I of the rules deal with Jus ad Bellum issues like sovereignty, state accountability, the prohibition on the use of force, and self-defence. Part II of the rules deal with Jus in Bello issues like permissible targets, proportionality, occupation, and neutrality. Unless otherwise specified, each rule was approved by consensus among the IGE and is meant to "replicate customary international law." Although the Tallinn Manual is a non-binding document, it emphasises that to the extent that the rules "accurately describe customary international law, they are binding on all States, subject to the possibility of a persistent objection exception."

For example, it maintains the conventional boundary between international and non-international armed conflicts and acknowledges that cyber operations alone may become armed conflicts depending on the conditions – particularly the devastating impacts of such operations. Under IHL, a "cyber-attack" is defined as "a cyber-operation, whether offensive or defensive, that reasonably causes death to persons or damage or destruction to objects." The devil, however, is in the details, namely what constitutes "damage" in the digital world.

Main Challenges raised by Cyberwarfare

Armed forces and citizens inhabit single cyberspace, and everything in the virtual world is linked. One of the essential requirements for a cyber-attack to be considered an armed conflict is to aim towards military objectives while maintaining constant concern for the civilian population. Furthermore, the unintentional civilian casualties and damage must not outweigh the actual and direct military advantage predicted by the cyber-attack. The attack must be called off if these requirements are not met. Tallinn Manual correctly recognises that collateral damage comprises both direct and indirect consequences. Any predicted indirect effect must be considered in the proportionality evaluation throughout strike preparation and implementation.

In May 2021, researchers in cyber security have identified a North Korean hacker cell as the source of a cyber-espionage campaign that employed phishing to target high-ranking South Korean government officials. The targets included the Korea Internet and Security Agency (KISA), the Republic of Korea Ministry of Foreign Affairs, the Ambassador of the Embassy of Sri Lanka to the State (in the Republic of Korea), the International Atomic Energy Agency Nuclear Security Officer, the Deputy Consul-General at the Korean Consulate General in Hong Kong, Seoul National University, and Daishin Securities. In July 2021. A widespread APT campaign was uncovered against Southeast Asian users, which is thought to be spearheaded by Chinese groups. Researchers discovered 100 victims in Myanmar and 1,400 in the Philippines. Among them were various government entities.


Cyberwarfare does not exist in a legal vacuum but is governed by well-established rules and principles. Applying these pre-existing laws and concepts to the new arena of cyberspace presents some challenges and raises several critical considerations. Some of these issues can be settled through basic treaty interpretation and a healthy dose of common sense.

Others necessitate a unanimous policy decision by the international legislator or the international community of states. Cyberspace presents a 'one-of-a-kind' battleground with numerous challenges for the Law of Armed Conflict, which applies to cyberspace.

However, the interpretation of these Jus ad Bellum and Jus in Bello concepts is a source of contention. The recently issued Tallinn Manual is a helpful guide in this regard, but it is not legally enforceable and does not contain an entire list of instructions. Attackers are unlikely to wear a uniform, openly display weapons, have a commander, or face internal disciplinary action. The Law of Armed Conflict must broaden the customary conditions for direct involvement in cyberspace or ensure that such inappropriate requirements are waived to wear a uniform or emblems.


  1. International Committee of the Red Cross, 2021. Respecting and protecting health care in armed conflicts and situations not covered by international humanitarian law - factsheet. International Committee of the Red Cross. Available at: [Accessed September 8, 2021].

  2. Schmitt, M., The International Law Applicable to Cyber Warfare. Available at: [Accessed September 8, 2021].

  3. Baer, H.D., 2012. The rule of distinction and the military response to global terrorism. Evangelical Lutheran Church in America. Available at: [Accessed September 8, 2021].

  4. Anon, Cyberwarfare and international humanitarian law: the ICRC's position. ICRC. Available at: [Accessed September 8, 2021].

  5. The American Journal of International Law, 2015. Tallinn Manual on the International Law Applicable to Cyber Warfare. [online] Vol. 108(No. 3), pp.585- 589. Available at: [Accessed 05 September 2021].

  6. Ibid.

  7. 2021. Cyberwarfare and international humanitarian law: the ICRC's position. Available at: [Accessed 06 September 2021].

37 views1 comment

Recent Posts

See All