The Pentagon’s Law of War for Cyberspace


In June 2015, the United States published its first-ever “Department of Defense Law of War Manual,” with a separate chapter on “Cyber Operations” and several other innovations compared with the single-service law manuals that had existed in various versions for over a century.

Of special note, and not surprisingly, the Manual confirmed long-standing U.S. abstention from the regimes of Additional Protocols (AP) I and II to the Geneva Conventions of August 12, 1949, on the laws of war. The United States has signed but not ratified these protocols. AP I dictates that “works or installations containing dangerous forces, namely dams, dykes and nuclear electrical generating stations, shall not be made the object of attack, even where these objects are military objectives, if such attack may cause the release of dangerous forces and consequent severe losses among the civilian population.”

An effect of the non-ratification of AP I is that the United States reserves the right, if military necessity dictates it, to attack civil nuclear power plants, as well as dams, subject of course to other principles of international humanitarian law. The manual says:

“Certain facilities containing dangerous forces, such as dams, nuclear power plants, or facilities producing weapons of mass destruction, may constitute military objectives. There may be a number of reasons for their attack, such as denial of electric power to military sources, use of a dangerous facility (e.g., by causing release from a dam) to damage or destroy other military objectives, or to pre-empt enemy release of the dangerous forces to hamper the movement or advance of U.S. or allied forces.”

The chapter on cyber operations specifically allows for pre-placement in wartime of cyber weapons (often called time-release “logic bombs”):

“Cyber operations can be a form of advance force operations, which precede the main effort in an objective area in order to prepare the objective for the main assault. For example, cyber operations may include reconnaissance (e.g., mapping a network), seizure of supporting positions (e.g., securing access to key network systems or nodes), and pre-emplacement of capabilities or weapons (e.g., implanting cyber access tools or malicious code).”

While this statement in the manual refers to the U.S. view of its own actions in wartime, it would also be regarded by most states as the applicable international law in peacetime.

These two things taken together represent an important evolution in the use of cyber operations to control and lessen the destructive potential of war and civilian casualties. After all, the use of cyber operations against a civil nuclear power plant provides the attacker with more options for disabling the power plant and controlling the consequences than use of a kinetic attack might. The United States has always regarded its right to attack such facilities in wartime as limited by consideration of the need to avoid, as far as possible, large-scale civilian casualties.


Credit: The Diplomat