|Cyberwarfare, military activities in cyberspace conducted by a state against another state and intended to disrupt or destroy computing or communication systems or data, is a recent addition to the warfaring arsenal. The international laws of armed conflict set out an obligation for states at war to protect civilians from the effects of the conflict. As societies continue to expand their activities in the cyber realm, the risk of cyberwarfare negatively affecting the civilian population increases. The international community, recognizing this risk, is engaged in a political dance trying to identify the constraints that international law already places on cyberwarfare while staking out ground to preserve its effectiveness as a means of influencing other states’ policies. This dissertation project addresses some of the problems posed by the use of computing and network technology as weapons and targets in the context of international armed conflict. It brings together material drawn from computing technology, military handbooks, policy research, international standards for records preservation, nongovernment organizations, international humanitarian law, international human rights law, the international laws of armed conflict, and real-world examples to reveal the complexity and nuances of using operations in cyberspace to produce effects in meatspace, the physical world of humans, buildings, equipment, and artefacts.
First, I argue that since there is no significant difference between using cyber means of war and conventional means of war, it is appropriate to treat developments in cyberwarfare under the existing international laws of armed conflict. Then I introduce the Tallinn Manual, a handbook on the international law applicable to cyber operations, and the events that led to its development. I examine how well the Tallinn Manual documents the protections, prohibitions, and permissions extended under the laws of armed conflict, concluding that it is a faithful interpretation of international law.
The application of international law to warfare is always messy and imprecise. Its application to cyberwarfare is no different. This does not mean that the constraints of international law are without value or purpose. On the assumption that no state wants to start an international armed conflict, but is prepared to respond to uses of force, I apply some of the principles expressed in the Tallinn Manual to establish qualitative assessments of the severity of initial aggressive cyberoperations against a state, classifying them as moderate or flagrant attacks depending on the harm they produced. This helps the target state determine whether there is just cause for a use of force, either cyber or conventional, in response, and the constraints that apply to any response that may be permissible under international law.
International law also affords protections for human rights, both in peace time and during times of conflict. I argue that cyberwarfare exposes more civilian objects, including objects of cultural significance and records needed to safeguard human rights, to harm through both conventional and cyber attacks. If human rights are to be protected, the records (digital or otherwise) that serve as evidence in support of rights claims must be protected as well. I conclude that international law already sets out the obligation for these protections, but the interpretation of international law must make explicit the expectation that all parties in an armed conflict will make efforts to identify and preserve these objects for the wellbeing of persons in a postconflict society.
Finally, I demonstrate the breadth and applicability of further work in this area. I point out some other problems that branch off from this particular project: the separation of information content from its representation in different media, human rights in the cyber domain, the use of computing and communication technology to produce social or economic disruption, the status of privately-owned satellites under the multiple international treaties and conventions during times of armed conflict, and the assignment of peacetime responsibility for safeguarding data essential for the protection and provision of human rights.