General security

Jus in Cyber Bello: How the Law of Armed Conflict Regulates Cyber Attacks Part I

April 10, 2014 by Dimitar Kostadinov

What is Jus in Bello and Does it Regulate Cyber Attacks?

Jus in bello is a Latin term that means “law in waging war.” From a scholar’s point of view, it is known also as international humanitarian law (IHL), whereas military experts refer to it as the law of armed conflict (LOAC).

Jus in bello is comprised of the 1899 and 1907 Hague Conventions, the four Geneva Conventions supplemented by two Additional Protocols of 1977, as well as customary law and State practice. In addition, the non-binding handbook “Tallinn Manual on the International Law Applicable to Cyber Warfare” , created by an independent International Group of Experts (IGE) at the invitation of NATO, apply the extant jus in bello norms to cyberspace.

Generally speaking, IHL endeavours to minimize unnecessary harm throughout an armed conflict, establishing rules of proper conduct of hostilities.

For IHL to govern a cyber attack, it must constitute an “armed conflict”. The International Committee of the Red Cross (ICRC) lays down only two types of armed conflicts existing in IHL: [i]nternational armed conflicts, opposing two or more States, and non-international armed conflicts between governmental forces and non-governmental armed groups, or between such groups only (ICRC, 2008, par. 2).”

But does LOAC regulate cyber attacks after all? In its Legality of the Threat or Use of Nuclear Weapons advisory opinion, the International Court of Justice (ICJ) invoked “the Martens Clause” in the Preamble to the Hague Convention IV of 1907, which stipulates: “[E]ven in cases not explicitly covered by specific agreements, civilians and combatants remain under the protection and authority of principles of international law derived from established custom, principles of humanity, and from the dictates of public conscience.”

This serves as reaffirmation that even without being mentioned explicitly, IHL extends to the sphere of cyberspace. For that reason, the present article will try to examine closely the modern phenomena called cyber warfare through the prism of some of the long-standing institutes that lay the foundations of jus in bello.

In Bello Military Necessity for Point of Departure

Military necessity is a legal notion frequently used in IHL as part of the legal justification criteria when it comes to evaluating the potential legitimate military targets. Yet despite its ubiquity, the term “military necessity” not only is too broad spectrum, but its content is rather vague as well. Although the following definitions may not distinguish themselves with particular conceptual purity, they strive to simplify the notion so as to become more manageable and susceptive to application in the world of cyber warfare. Hence, for the purpose of this paper, “military necessity” should be interpreted as simple as defining both words that construct the expression:

Military – An adjective that gives away the nature of the act (even the legitimate participants with a few exceptions), namely, an act undertaken in times of armed conflict whether interstate or intrastate.

Necessity – A word that serves to indicate the importance of the act, its inevitability and unavoidability. There is also a strain of extremity (e.g., fight for survival) within this meaning, therefore it is almost tantamount to the ultima ratio regis concept.

Somewhere in-between, the concrete military advantage ensuing from the specific hostile act is another factor that underpins the military necessity. Warring military parties can consider the imperatives of winning the battle or war and the practical requirements of a military situation at any time.

As far as cyber attacks are concerned, assessing their in bello necessity does not pose novel challenges.

The notion of military necessity has a key role because it has a temporal precedence over the other IHL principles, which seek to balance this “need” to take up arms, a need to win the military struggle. Consequently, one should envisage a hostile cyber act out of military necessity in the first place, then this hostile cyber act should comply with other IHL principles: humanity, proportionality, distinction/discrimination, neutrality, and perfidy.

Diagram 1

IHL Principles

Principle of Humanity

Ar. 35 (2) of AP I

2. It is prohibited to employ weapons, projectiles and material and methods of warfare of a nature to cause superfluous injury or unnecessary suffering.

Ar. 23(e) of the 1907 Hague Convention

In addition to the prohibitions provided by special Conventions, it is especially forbidden

(e) To employ arms, projectiles, or material calculated to cause unnecessary suffering;

We can derive the principle of humanity indirectly from Article 23(e) of the 1907 Hague Convention and the Article 35 (2) of AP I, where it is formulated as “unnecessary suffering”. Aiming at alleviating the grievous consequences of ongoing hostilities, the juxtaposition of humanity tenet with the principle of military necessity is evident.

RULE 42 – Superfluous Injury or Unnecessary Suffering

3. The term ‘superfluous injury or unnecessary suffering’ refers to a situation in which a weapon or a particular use of a weapon aggravates suffering without providing any further military advantage to an attacker.

Under regulation is the choice of weapons and methods of warfare. In this regard, some scholars argue that cyber war is more humane since nonlethal information weapons can be used in lieu of kinetic, destructive weapons to achieve the same result, while at the same time producing fewer casualties and interim disruption of affected targets.

Rendering a power plant inoperable or disabling a radar system at an airport for a short period of time with the help of an information incursion may save lives and property on both sides to the conflict, hence it will prove to be more “humane”.

Principle of Neutrality


1. The law of neutrality applies only during international armed conflict. It is based on Hague Conventions V and XIII and customary international law. The International Group of Experts unanimously agreed that the law of neutrality applied to cyber operations.

Strictly speaking, the principle of neutrality applies in international armed conflicts only. Its pragmatic logic, however, predicates its usage as a core pillar into the practice of non-international armed conflicts as well.

RULE 91 – Protection of Neutral Cyber Infrastructure

The exercise of belligerent rights by cyber means directed against neutral cyber infrastructure is prohibited.

RULE 92 – Cyber Operations in Neutral Territory

The exercise of belligerent rights by cyber means in neutral territory is prohibited.

Extended to the sphere of information technology, cyber neutrality is “the right of any nation to maintain relations with all parties engaged in a cyber conflict.” And with respect to the refraining part: “To remain neutral in a cyber conflict a nation cannot originate a cyber attack, and it also has to take action to prevent a cyber attack from transiting its Internet nodes (Korns, 2008, p. 62).”

RULE 93 – Neutral Obligations

A neutral State may not knowingly allow the exercise of belligerent rights by the parties to the conflict from cyber infrastructure located in its territory or under its exclusive control.

Neutrality depends on the legal status of the relevant medium where the armed conflict takes place. Not much of surprise, the architecture of the Internet is not favourable to the principle of neutrality. A myriad of global network connections encompassing public and private sectors are not territorially restricted, and the data being transmitted transcends national jurisdictions. Potential cyber war can hardly be confined to military networks alone, and this raises the question of whether cyber attacks can be conducted with such sophistication and precision that neutral states would remain unaffected.

Additionally, cyber attacks are not easily attributable – a hacker having a domicile in one country may control a multinational botnet and harm networks in another. Latency of certain acts in cyberspace, for instance, cyber exploitation, can also impede a state to maintain its neutral reputation unblemished.

RULE 94 – Response by Parties to the Conflict to Violations

If a neutral State fails to terminate the exercise of belligerent rights on its territory, the aggrieved party to the conflict may take such steps, including by cyber operations, as are necessary to counter that conduct.

Ipso facto. The existence of belligerents’ activities on the neutral territory in combination with a failure of the neutral state to cope with them provides enough justa causa for the aggrieved party to undertake necessary measures (another spice of the “military necessity” principle perhaps) to ward off the menace. Good examples would be the terrorist attacks organized by Al-Qaida against the United States from within Afghanistan or by Hezbollah against Israel but originating from Lebanon. In these cases, the neutral host states were either unwilling or unable to subdue the terrorist “parasite” cells settled in their territory, and by this to protect the attacked states.

Although the permissibility of such interstate force is controversial in view of the UN Charter prescriptions, the fundamental obligation of states to prevent their territory from being used as a launching pad for hostile activities against other states is widely recognized.

Hence, a state victimized by cyber attacks conducted by private actors from within another state may resort to cyber or other measures to curb the danger, provided that the host leaves its networks at the criminals’ disposal, regardless of the reason.

In fact, the unspecified legal status of cyberspace should be examined along with one possible revision of the concept of online neutrality. After all, if the Internet is considered:

— sovereign territory, then “[b]elligerents are forbidden to move troops or convoys of either munitions of war or supplies across the territory of a neutral Power” (Art. 2 Hague Convention 1907).

— partial or complete commons, then “[t]he neutrality of a Power is not affected by the mere passage through its territorial waters of war-ships or prizes belonging to belligerents” (Art. 10, Convention (XIII) concerning the Rights and Duties of Neutral Powers in Naval War 1907).

Principle of In Bello Proportionality

Article 51(5) (b) of AP I

(b) An attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.

The aim of this rule is simple – belligerent should not begin an offensive if it will cause superfluous suffering or damage disproportional to the expected military advantage.

Before pulling the trigger, the commander needs to weigh out whether the anticipated concrete and direct military advantage will be of sufficient extent so as to validate its legal status in spite of the presumption that there will be collateral damage. It should be noted that collateral damage is always expected here.

Again, it all comes down to the question whether the concrete and direct (“substantial and relatively close”) military advantage would worth the harm that is expected to occur. You can see in diagram 2, for instance, that the anticipated military advantage is greater than the potential “incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof.”

Diagram 2

Proportionate Cyber Attack

51 – Proportionality

4. As an example of the operation of this Rule, consider the case of a cyber attack on the Global Positioning System. The system is dual-use and thus a lawful target. However, depriving the civilian users of key information such as navigational data is likely to cause damage to, for instance, merchant vessels and civil aircraft relying on Global Positioning System guidance. If this expected harm is excessive in relation to the anticipated military advantage of the operation, the operation would be forbidden.

Principle of In Bello Distinction

Ar. 51 (4) of AP I

4. Indiscriminate attacks are prohibited. Indiscriminate attacks are:

(a) Those which are not directed at a specific military objective;

(b) Those which employ a method or means of combat which cannot be directed at a specific military objective; or

(c) Those which employ a method or means of combat the effects of which cannot be limited as required by this Protocol; and consequently, in each such case, are of a nature to strike military objectives and civilians or civilian objects without distinction.

Diagram 3

Visual Illustration of How Ar. 51 (4) of AP I Apply to Cyber Attacks

Under this basic rule, belligerents should always be capable of discriminating between combatants and civilians, and military and civilian objects respectively. Unfortunately, the principle of distinction runs against the very nature of cyberspace.

Cyber attacks definitely may put in jeopardy the integrity of this longstanding tenet because they may strike military targets, but their consequences can nevertheless spread over other unintended objects.

  1. Correlation between the Special Protection to Certain Objects and the Principle of Distinction /and Proportionality/

As far as the principle of distinction is concerned, there must be employed means and methods of cyber warfare which will not target the objects that have special protection.

Article 36 of AP I– New weapons

In the study, development, acquisition or adoption of a new weapon, means, or method of warfare, a High Contracting Party is under an obligation to determine whether its employment would, in some or all circumstances, be prohibited […]

Regarding means and methods, LOAC clearly prescribed an obligation to states to evaluate new weapons, including cyber weaponry, and whether their employment would completely or partially infringe some standards set out by IHL. States, however, are not obliged to publicise these analyses, and the majority of these findings are not open to the general public.

IHL gives special protection to certain individuals, groups, areas, and even objects. Medical facilities, for instance, must not be attacked and must at all times be protected from the ravages of war. Consequently, computer attacks that may shut down the electricity generating system used by a hospital or lead to corruption of a medical database are most likely acts in violation of this special protection. From IHL point of view, the Obamacare cyber attacks could be seen as a violation of the ban to engage healthcare institutions, of course, under the assumption that there is an ongoing armed conflict in the first place.

Another set of objects that must not fall among the range of military objects are “works of installations containing dangerous forces, namely dams, dykes and nuclear electrical generating stations”, because an eventual attack against them “may cause the release of dangerous forces and consequent severe losses among the civilian population.” Therefore, a cyber attack that manipulates the computer system of a dam to open the floodgates and inundate local residential area is against the law.

Marking the computer-controlled systems of installations serving facilities that have special IHL protection (e.g., hospitals) in order to be ensured that they are respected and duly protected from infection with military malware is a cyber-specific problem that needs to be addressed somehow if politicians and legislators want to have maximum compliance with jus in bello in cyberspace.

Conversely, a cyber attack should be directed at military objects only as stipulated by LOAC, unless other norm overrides that rule (lex specialis).

Article 52 of AP I – General protection of civilian objects

2. Attacks shall be limited strictly to military objectives. In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military of advantage.

The U.S. government considers certain economic targets to fall under the broad interpretation of “definite military advantage”. Those are objects that “indirectly but effectively support and sustain the enemy’s warfighting capability.”

A key issue in need of a sensible resolution is whether data constitutes an “object” under the IHL; perhaps we do not realise it, but no cyber operation can be conducted without changing or deleting data existing at least temporarily in intruded systems. With this in mind, data should probably be a “military objective” and not be directly targeted if it does not fulfil all defining features of such.

Notably, existing humanitarian norms allow the intentional destruction of civilian property to a degree rendered absolutely necessary in terms of military objectives – a fact that may procure an equitable solution to the otherwise perplexed relationship between data and jus in bello provided that the former is considered property. As Melzer summarizes: “[A]ny compromise norm which states may develop for cyberspace along these lines would imperatively have to include a proportionality assessment weighing the expected benefit of the operation against the harm inflicted by the deletion, modification or manipulation of civilian data (Melzer, 2011, p. 32).”

  1. Factors to Be Considered Under the Principles of Distinction and Proportionality

Unpredictable Knock-on Effects

As slightly alluded to above, cyber attacks can be particularly dangerous because their effects are unpredictable and could endanger the civilians and civilian objects that should otherwise be spared. The term “knock-on effects” fits neatly to describe such consequences “known as second and third tier effects that were not accounted for in the planning stages of the attack, but occur due to some unexpected agent or circumstance.”

Imagine the following scenario found in the US Operational Law Handbook contents: cyber attack against an electrical grid sustaining adversary’s command and control system>the cyber attack causes prolong blackout among numerous civilities facilities producing in turn follow-on effects such as>unsanitary water due to malfunction in water purification facilities and sewer system, and therefore spread of diseases>an increase in traffic accidents preceded by a failure of traffic signals>immediate death of innocent civilians because the life support systems at emergency medical centres fail.

By comparison, in a real life scenario the Syrian Electronic Army hacked The Associated Press’s Twitter account in April 2013 to release fabricated news of an attack on the White House. As a result, the Dow Jones index dropped by 150 points.

Dual-use Targets

Although having a primarily single function, dual-use targets can serve both civilian and military purposes, but are intertwined in depth with collateral damage. Targets like that are electrical grids, airports, communication systems, railways, etc.

Diagram 3

The legal obligation to physically separate civilian and military objects is more or less inapplicable in the context of contemporary ICT networks since 95% of all military communications utilize civilian networks at some point, thus making civilian networks appetizing military targets. Nowadays, the military counts on identical communication nodes, public utility grids, navigation satellites, software and hardware, and technical personnel comprised of the civilian populace.

Before launching a cyber attack, a decision-maker should access the concrete situation under the principle of distinction. If a cyber assault on military traffic control system will feasibly bring down only a troop transport, then it abides by this rule. However, if there is a conceivable doubt that the effect will spread in civilian networks, then the cyber attack option should drop out.

A great example of how the principle of distinction can influence “military necessity” is the plan of NATO forces to launch a cyber attack against Swiss bank accounts belonging to Slobodan Milošević. The reason was simple: if he cannot finance the warfare, soon the conflict will die out by itself. Eventually, NATO decided not to use cyber attack as there was no way to make it attack the Milošević‘s accounts and omit those belonging to other bank clients.

Cyber Attacks May Easily Go Indiscriminate

Precise distinction is a prerogative reserved to highly sophisticated cyber attacks. On the other hand, either because of a hidden agenda or a technological or human error, a cyber attack can easily go wrong and transform swiftly into an indiscriminate avalanche sweeping away everything on its way. In the end, if a virus has the ability to replicate itself in order to affect as many computers as possible, it will be difficult for the decision-maker to justify its usage under LOAC.

Conficker is a fast-spreading worm that exploits a vulnerability (MS08-067) in Windows OS. Discovered in 2008, it has infected millions of computers for the purpose of establishing a botnet infrastructure. Conficker spreads by several means and has three variants, one of which exploits peer-to-peer networking capabilities – a great example of how malware mutates and evolves in time.

And great sophistication is not an ultimate guarantee that there will be no errors or unforeseen consequences. If a computer virus is virulent enough, it will not take much time to seep out of the initially targeted military network of a state into its civilian systems or even to neutral states or allies. Presumably, such viruses will perhaps be deemed indiscriminate since they are unable to restrict its blast to military objects only, therefore they will be banned under the principle of discrimination as prescribed in AP I.

Statistics provided by Kaspersky Labs showed that by the end of September 2010, Stuxnet had infected 100,000 computers in about 30 organizations across the world. Allegedly, although its creators had taken precaution to limit its spread, something must have gone amiss because it crawled out beyond its intended target. The oil giant Chevron admitted that the Stuxnet infected their system back in 2010, a Russian Nuclear Plant fell victim, and rumour has it that even the Fukushima nuclear accident might had been precipitated by the notorious worm. For what it’s worth, these facts lean to the popular assumption that cyber attacks may have unpredictable side effects.

Owing to the nature of the damage cyber attacks inflict, assessing them through the proportionality prism may prove challenging. An ex ante jus in bello analysis of DDoS attack’s proportionality may carry much more uncertainty than a conventional strike. Most of all, such an analysis requires again anticipating unpredictable at first look consequences.

Back in 2003, O’Donnell and Kraska (p. 134) expressed an opinion that “information warfare may prove to be an effective means of coercion that is more adept at insulating civilians from the dangerous kinetic effects of war.” A decade later, we are still not completely aware if that is in fact true.

Reference List

Clayton, M. (2014). Massive cyberattacks slam official sites in Russia, Ukraine. Retrieved on 07/04/2014 from

DeLuca. C. D. (2013). The Need for International Laws of War to Include Cyber Attacks Involving State and Non-State Actors. Retrieved on 02/07/2013 from

Dörmann, K. (2004). The applicability of the additional protocols to computer network attacks: an ICRC approach. In Bystrom, K. (Ed.), International Expert Conference on computer network attacks and the applicability of international humanitarian law: Proceeding of the Confrence. Stockholm: National Defence College.

Franceschi-Bicchierai, L. (2013). Expert: Stuxnet Virus Infected Russian Nuclear Plant. Retrieved on 07/04/2014 from

Graham, D. (2010). Cyber threats and the law of war. Journal of National Security Law and Policy, 4, 87-104.

Hague Convention 1907. Convention (IV) respecting the Laws and Customs of War on Land and its annex: Regulations concerning the Laws and Customs of War on Land. The Hague, 18 October 1907. Retrieved on 07/04/2014 from

Hampson, F. (2011). Military Necessity. Retrieved on 07/04/2014 from

Hathaway, O., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W., Spiegel, J. (2012). The Law of Cyber-Attack. California Law Review, 100 (4), 817-886.

Heneghan, T. (2011). NSA Virus “Stuxnet” Hacked Fukushima Before HAARP-Caused Earthquake. Retrieved on 07/04/2014 from

International Committee of the Red Cross (ICRC) (2008). How is the Term “Armed Conflict” Defined in International Humanitarian Law? Retrieved on 07/04/2013 from,0,822

ICRC (1977). Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I). Retrieved on 17/02/2013 from

ICRC (1977). Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of Non-International Armed Conflicts (Protocol II). Retrieved on 17/02/2013 from

International Court of Justice (1996). The legality of the threat or use of nuclear weapons. Retrieved from

International Criminal Court (2002) Elements of Crimes. Retrieved on 07/04/2014 from

Johnson, R. (2012). ‘I Count The Bodies And Watch The Funerals’ — A Drone Pilot Speaks Out. Retrieved on 07/04/2014 from

Kanuck, S. (2010). Sovereign Discourse on Cyber Conflict Under International Law. Retrieved on 07/04/2014 from

Kelly, M. (2013). Associated Press Twitter account hacked, tweet about White House attack ‘untrue’. Retrieved on 07/04/2014 from

Kodar, E. (2010). Applying The Law of Armed Conflict to Cyber Attacks: From The Martens Clause to Additional Protocol I. Retrieved on 02/07/2013 from

Korns, S. and Kastenberg, E. (2009). Georgia’s Cyber Left Hook. Retrieved on 07/04/2014 from

Melzer, N. (2009). Direct Participation in Hostilities. Retrieved on 07/04/2014 from

Melzer, N. (2011). Cyberwarfare and International Law. Retrieved on 02/07/2013 from

O’Donnell, B. T. & Kraska, J. C. (2003). Humanitarian Law: Developing International Rules for the Digital Battlefield. Journal of Conflict and Security Law, 8(1), 133–55.

Ophardt, J. A. (2010). Cyber Warfare and the Crime of Aggression: the Need for Individual Accountability on Tomorrow’s Battlefield, Duke L. & Tech. Rev, 003.

Prescott, J. M. (2012). Direct Participation in Cyber Hostilities: Terms of Reference for Like-Minded States? Retrieved on 07/04/2014 from

Rowe, N.C. (2013). Cyber Perfidy. Retrieved on 07/04/2014 from

RT (2013). Stuxnet goes out of control: Chevron infected by anti-Iranian virus, others could be next. Retrieved on 07/04/2014 from

Schmitt, M. (2011). Cyber operations and the jus ad bellum revisited. Villanova Law Review, 56, 569-606.

Schmitt, M. (2012). “Attack” as a Term of Art in International Law: The Cyber Operations Context. Retrieved on 07/04/2014 from

Shackelford, S. J. (2009). From Nuclear War to Net War: Analogizing Cyber Attacks in International Law. Retrieved on 02/07/2013 from

The International Group of Experts at the Invitation of The NATO Cooperative Cyber Defence Centre of Excellence (2012). The Tallinn Manual on the International Law Applicable to Cyber Warfare. Retrieve on 17/02/2013 from

United Nations (1945). United Nations Charter. Retrieved from

Wortham, A. (2012). Should Cyber Exploitation Ever Constitute a Demonstration of Hostile Intent That May Violate UN Charter Provisions Prohibiting the Threat or Use of Force? Federal Communications Law Journal, 64(3), 644-650.


  1. The image used in “Visual Illustration of How Ar. 51 (4) of AP I Apply to Cyber AttackDiagram is provided by the U.S. Army for Fotopedia
  2. Pacemaker images used in Example of Cyber Perfidy Diagram are provided by Steven Fruitsmaak for Wikipedia, and Wikipedia Commons
Posted: April 10, 2014
Dimitar Kostadinov
View Profile

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.