About the author(s):
Over the past couple of years, a group of esteemed military and humanitarian law experts (assisted by cyber/technical experts) has convened to draft the Tallinn Manual on the International Law applicable to Cyber Warfare. The Manual will be published in print by Cambridge University Press, but a draft is already available online via de Stockton LOAC/IHL research portal (a useful website, set up by Sasha Radin (who also happens to be researching on armed groups and IHL), that offers links to, e.g., military manuals and legal as well as fact-finding reports).
The Manual sets forth a number of rules (95) on how international law applies to cyber warfare. It is divided in a jus ad bellum (“international cyber security law”) and a jus in bello (“law of cyber armed conflict”) part. “As cyber attacks, the perpetrators of such attacks, and the objects of such attacks, can differ from participants and targets in kinetic warfare, the experts sought to answer whether and how in cyber situations the existing law and case law would apply. The Manual explains, for example, that with regard to State involvement into the action of an armed group, “merely taking measures to maintain rebel access to the national cyber infrastructure was not considered by the Experts to” internationalise a conflict between a State and a non-state actor. “By contrast, providing specific intelligence on cyber vulnerabilities that renders particular rebel cyber attacks possible would, in their view, suffice.” On that basis, the Manual concludes that since “there is no definitive evidence that the hacktivists involved in the cyber operations against Estonia in 2007 operated pursuant to instructions from any State, nor did any State endorse and adopt the conduct”, that situation was not an international armed conflict.
With regard to conflicts between a State and an armed group, the Manual states that
[s]ome members of the International Group of Experts took the position that an international armed conflict can also exist between a State and a non-State organised armed group operating transnationally even if the group’s conduct cannot be attributed to a State. […] The majority of the Experts rejected this view on the ground that such conflicts are non-international in character (Rule 23).
This is relevant because cyber operations can be launched from any location with access to a computer and a network, far away from the actual combat zone. As the Manual considers, “[s]ome States have weak regulatory regimes governing cyber activities or are technically incapable of effectively policing cyber activities occurring on their territory.”
In relation to armed groups involved in an international armed conflict, the issue of “belonging to a Party to the conflict” for the purposes of prisoner of war status, was discussed. The Manual explains that
a State may turn to a group of private individuals to conduct cyber operations during an armed conflict because the group possesses capability or knowledge that State organs do not. The group belongs to a party to the conflict and, so long as it meets the other requirements of combatancy, its members will enjoy combatant status.
What is to be considered as an organised armed group is also discussed and it is held that it would be “highly unlikely” that a group that basically only interacts through the internet, and as such is a sort of “virtual organization”, would fulfill the organisational requirements (for a discussion on the organisational requirements, see here and here). A Common Article 3 conflict exists hwne there is fighting of a certain level of intensity between two parties that fulfill the organisational requirements. Additional Protocol II of 1977 adds the extra requirements that one of the parties has to be the government, and that the parties need to exercise a certain territorial control. In this light, the Manual considers that
[c]ontrol over cyber activities alone is insufficient to constitute control of territory for Additional Protocol II purposes (although control over cyber activities may be indicative of the degree of territorial control a group enjoys).
The 215 pages of the Manual over a good overview of the current state of the law related to cyber warfare, but the rules and commentary are broader then just cyber activities and can be seen a reflection the judicial and academic discussion of all relevant topics of law on the use of force and international humanitarian law, e.g. counter measures, self-defence, means and methods of warfare, precautions, and perfidy.