During the conflict, several defacement and denial-of-service cyber operations were directed against Georgia. The targets included the President’s website, Georgian Parliament, Defense and Education ministries, Foreign Affairs, media outlets, banks, and private servers.3 Websites were replaced with pictures of Adolf Hitler and Georgian President Mikheil Saakashvili. While no physical damage occurred, the Georgian government was unable to broadcast information about the conflict and Georgian banks went offline for ten days.4

Most of the cyber operations during this conflict were traced to Russia, but no conclusive evidence determined that the Russian government conducted the attacks or was officially involved. Some of the operations were even traced back to Russian government computers, but the possibility that these computers were taken over by the attackers is not ruled out.5

B. International Humanitarian Law and the Rome Statute

The Rome Statute defines four categories of war crimes, two concerning international armed conflicts and two concerning non-international armed conflicts.6 The first category of war crimes with respect to international armed conflicts is grave breaches of the 1949 Geneva Conventions.7 The second category enumerates other serious violations of the laws and customs in international armed conflicts “within the established framework of international law.”8 This reference to international law implies that individuals are responsible whenever they violate principles of international humanitarian law, such as the principle of distinction between combatants and civilians, the principle of proportionality, or the principle of military necessity.9

C. The Principle of Distinction in International Humanitarian Law

Article 48 of the 1977 Additional Protocol I to the Geneva Convention (“Additional Protocol I”) states that all parties to a conflict must:

[A]t all times distinguish between civilian population and combatants and between civilian objects and military objectives and accordingly direct their operations only against military objectives.10

Military commanders must limit attacks to strictly military targets, which are defined as those that:

[M]ake an effective contribution to military action and whose total or partial destruction, capture, or neutralization, in the circumstances ruling at the time, offers a definite military advantage.11

The word “operation” is not entirely inclusive in Article 48.12 Operations targeting civilians that are purely psychological are lawful under international humanitarian law.13 Operations must cause physical harm or suffering in order to be prohibited.14

Subsequent articles elaborate on the basic rule of Article 48 by setting prohibitions, limitations, and requirements on attacks. Article 51 begins by stating:

[The] civilian population and individual citizens shall enjoy general protection against dangers arising from military operations.15

Subsequent paragraphs of Article 51 focus on the word “attack.” It prohibits “indiscriminate attacks,” making civilians “the object of attack.”16 Under Article 52(4), indiscriminate attacks take two forms.17 First, an indiscriminate attack could be:

[A]n attack by bombardment by any methods or means which treats as a single military objective a number of clearly separated and distinct military objectives located in a city, town, village or other area containing a similar concentration of civilians or civilian objects.18

Second, it could be an attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.”19

While Article 51 focuses on prohibiting attacks on citizens, Article 52 prohibits attacks on civilian objects and limits attacks to military objects and purposes.20 It also bars parties from rendering useless objects that are indispensable to the survival of the civilian population such as foodstuffs, agricultural areas, or drinking water installations in Article 54. Article 55 forbids attacks on the natural environment.21 Article 56 requires militaries to use discernment when deciding whether to attack works of dangerous forces such as dams or nuclear electrical generating stations even when they are military objectives so as not to cause severe losses of civilians.22

Some objects serve both civilian and military purposes. These dual-use objects slightly complicate the principle of distinction by affecting military decision makers. Dual-use objects could be power-generating stations, telecommunications, bridges, and other civilian infrastructure used by military in times of war.23 If an object makes a substantial contribution to military action, the object’s military use may convert a civilian object into a legitimate military object.24

Article 48 uses the term operation, while the subsequent articles frame operations by using the term “attack.” The first paragraph of Article 57 states:

In the conduct of military operations, constant care shall be taken to spare the civilian population, civilians and civilian objects.25

The following paragraph begins “with respect to attacks” and lists all of the precautions when an aggressor is deciding whether to launch an attack.26 Restricting operations in terms of “attack” occurs elsewhere in Additional Protocol I. Medical units are prohibited from being the “object of attack,”27 and combatants must:

[D]istinguish themselves from the civilian population while they are engaged in an attack or in a military operation preparatory to attack.28

How does international humanitarian law define attack? Article 49 of Additional Protocol I defines attacks as “acts of violence against the adversary in offense or defense.”29 The International Committee of the Red Cross’s commentary states:

[T]he word operation should be understood in the context of the whole section; it refers to military operations during which violence is used.30

The text of Article 49 seems to describe the act itself as violent, rather than the consequence of the act being violent. This would limit an attack to a kinetic force. The ICRC commentary also suggests that an attack implies combat action.31 While these sources appear to limit the definition of an attack, one could look at the Protocol’s purpose to determine another meaning. With so much attention given to civilians and civilian objects, the Protocol’s purpose seems to be more concerned with an act’s effects rather than its medium.

Other rules in Additional Protocol I corroborate a more flexible definition of attack. Article 51 states civilians are protected from “dangers” due to military action and limits acts whose main goal is “to spread terror among the civilian population.”32 This implies that the result of the act matters more than the act itself. Further, Article 57 requires methods to be carefully selected to avoid “incidental loss of civilian life, injury to civilians and damage to civilian objects.”33 In the conduct of military operations, parties have a duty to exercise constant care to minimize the loss of civilian lives and damage to civilian objects, regardless of the attack’s method.34

It also requires advance warning be given “which may affect the civilian population.” Paragraph 3 of that article requires militaries to choose the attack that will “cause the least danger to civilian lives.”35 This language is oriented toward the effect, rather than the cause, supporting the more flexible definition of attack.

D. Cyber Attacks and the Principle of Distinction

Considering the more inclusive interpretation of an attack, cyber operations should be considered an attack if the effects of that attack cause physical damage and destruction or even intend to cause physical damage or destruction. Therefore, analyzing a cyber attack’s compliance with the principle of distinction should be similar to a conventional or kinetic attack.36 Relevant principles of international humanitarian law apply to cyber weapons just as they do to other types of warfare.37 Some attacks will clearly comply with or violate the principle of distinction, while others will be more challenging to analyze.

A party conducting a cyber attack on a purely military target is allowable.38 For example, a party could target an air defense station and disable its systems for a period of time in order to accomplish a larger military objective.39 Doing this in lieu of a conventional attack that might cause excessive collateral damage to civilian objects is governed by international humanitarian law, but does not violate it.40

In another hypothetical, military planners could devise an attack to insert false messages and targets into another military’s defense command network. This attack would limit the defense’s ability to target planes. This is a bit murkier, because the false signals could cause the defense network to target relief planes or civilian planes. International humanitarian law requires militaries to know where the strike will take place and know all of the repercussions of the strike.41 If the false signals did in fact endanger civilians or civilian objects, the commander would have to reconsider the operation entirely, or choose to launch a different attack in order to follow international humanitarian law.42

Continuing along the spectrum of civilian and military objects, a cyber attack that disrupted an air traffic control system that caused a civilian plane to crash would certainly violate international humanitarian law. Such an attack would be the direct cause of civilian death and destruction. A high civilian death toll, unnecessary injury, and the lack of a clear military advantage gained from an attack suggest a violation of international humanitarian law.43

Given this interpretation of what constitutes an attack, the aforementioned Russian operations against Georgia can be analyzed under the conventional principle of distinction. This method can be used for any cyber operations. The operations disrupted communication to the public, caused many entities to go offline, and likely caused psychological damage to civilians. However, no physical damage or destruction occurred directly because of these cyber operations. Therefore, it does not violate international humanitarian law.

While this interpretation of the principle of distinction permits Russia’s cyber attacks against Georgia, the difference in consequences between cyber attacks and conventional attacks should not be ignored. International humanitarian law needs to create more nuanced language concerning the unique types of disruption that cyber warfare can cause. This will allow entities to know what is legal under international humanitarian law. Just as important, States will know when they can retaliate in self-defense.

III. Can Cyber Warfare Alone Trigger an Armed Conflict?

According to the International Committee of the Red Cross Commentary of 2020, when a State relies on cyber operations against another in conjunction with conventional forces, it is clear that this situation amounts to an international armed conflict.44 It is less clear, however, when cyber operations are the only means by which a State takes hostile action.45 The situation becomes even more complicated when these cyber operations are isolated acts. This section will examine whether cyberwarfare alone, without any conventional or kinetic warfare occurring, can establish an international or non-international armed conflict.

Although cyberwarfare is not explicitly addressed in the Geneva Conventions or other sources of international humanitarian law, the analysis in the previous section paves the way toward equating the standard of what triggers international armed conflict for cyber attacks and conventional attacks.

A. WannaCry Attack

On May 12, 2017 a ransomware cryptoworm known as WannaCry encrypted hundreds of thousands of computers in more than 150 countries over a span of just three hours.46 The ransomware encrypted each computer’s files and demanded cryptocurrency in ransom to unlock the files.47 The attack ended later that day when a cyber researcher discovered and activated the ransomware’s kill switch, stopping the spread of the malicious software.48

WannaCry is a self-propagated malware, classified as crypto-ransomware that spread around the Internet affecting more than 200,000 computers.49 A malware is malicious software that is intentionally designed to do harmful actions to a computer system.50 A crypto-ransomware is a program that encrypts user’s files for money extortion purposes.51 WannaCry also has a computer worm component.52 A computer worm is a harmful program that can spread to other computers through computer networks.53 WannaCry utilized Bitcoin for receiving victims’ payment.54 Bitcoin is a digital currency that allows anonymous transactions.

Additionally, WannaCry uses the Tor network to communicate between the malware operator and the malware itself.55 The Tor network is a network of routers that allows anonymous Internet communication.

Weeks earlier, a hacking group called the Shadow Brokers stole and published hacking tools developed by the National Security Agency.56 These tools were used to target Microsoft Windows users that had not updated their software.57 The cryptoworm spread through those computers’ public networks, infecting hospitals, government systems, railway networks, and private companies.58

Although not a direct target, the United Kingdom’s National Health Service (NHS) was particularly affected.59 Over one third of all trusts were affected across England either because the systems were infected or because the systems were turned off as a precaution.60 At least 603 primary care and other NHS organizations were also infected.61 An estimated 19,000 appointments and operations were cancelled due to this attack and the attack cost NHS over £92 million in disruption to services and associated IT upgrades.62

In December 2017, the United States government formally ascribed the attack to North Korean actors.63 In September 2018, a criminal complaint was unsealed charging North Korean citizen Park Jin Hyok for his involvement in multiple cyber-attacks, including WannaCry.64 The complaint alleged that Park worked for a government-sponsored hacking team called the Lazarus Group as well as a North Korean government front company, Chosun Expo Joint Venture.65

B. Defining International Armed Conflict

In order to determine whether cyber operations alone could trigger an international armed conflict, the resort to armed force and the degree of a State’s control must be assessed.

1. Resorts to Armed Force Between States

The International Criminal Tribunal for the Former Yugoslavia established a generally accepted interpretation of armed conflict in Tadić.66 It found that:

[A]rmed conflict exists whenever there is a resort to armed force between States or protracted armed violence between governmental authorities and organized armed groups or between such groups within a State.67

This definition is different than an armed attack, which is the necessary condition for acts in self-defense.68 Unlike an armed attack, an international armed conflict does not require certain scale or effects from the hostilities.69

By establishing that an armed conflict exists whenever there is a resort to armed force between States, this implies that the threshold for an international armed conflict is relatively low.70 In most cases, any use of armed force between States will qualify as an international armed conflict. The ICRC commentary to the Geneva Conventions states that:

Any difference arising between two States and leading to the intervention of members of the armed forces is an armed conflict within the meaning of Article 2, even if one of the Parties denies the existence of a state of war. It makes no difference how long the conflict lasts, how much slaughter takes place, or how numerous are the participating forces; it suffices for the armed forces of one Power to have captured adversaries falling within the scope of Article 4. Even if there has been no fighting, the fact that persons covered by the Conventions are detained is sufficient for its application. The number of persons captured in such circumstances is, of course, immaterial.71

Article 2 of the Geneva Conventions of 1949 states that the Conventions apply:

[T]o all cases of declared war or of any other armed conflict which may arise between two or more High Contracting Parties, even if the state of war is not recognized by one of them.72

An armed conflict exists even if the parties do not consider themselves at war.73 The wording of Article 2 suggests that an armed conflict exists even if a state of war is not recognized by one of the parties, but international humanitarian law applies even when neither party recognizes a state of war.74 More important today is the existence of an armed conflict rather than a declared state of war. The Geneva Conventions do apply to cases of declared war, even if no fighting takes place, but conflicts after World War II have been less concerned with formal statements of war.75

In 2013, the Tallinn Manual on the International Law Applicable to Cyber Warfare established a newer definition that acknowledged the prevalence of cyber operations as a means of force.76 While it does not carry as much weight in international humanitarian law, it states that an international armed conflict exists “whenever there are hostilities, which may include or be limited to cyber operations, occurring between two or more States.”77

An alternative view argues that an international armed conflict comes into effect only when it reaches a certain intensity threshold.78 This is more in line with a non-international armed conflict, which will be discussed later. Others contend, however, that this alternative view is mistaken in analogizing to the definition of a non-international armed conflict.79 Akande asserts that requiring an intensity threshold for an international armed conflict leaves any conduct that doesn’t meet that threshold ungovernable.80 This differs from non-international armed conflicts, where domestic law and international human rights law govern activity that does not meet its intensity threshold.81 Therefore, the threshold for an international armed conflict remains low.

As mentioned earlier, Additional Protocol I defines violence through attacks as “acts of violence against the adversary in offense or defense.”82 According to Article 49(1), violence is defined in terms of the consequence of physical or mental damage, where physical damage applies in the case of objects and physical persons and mental damage applies only in the case of physical persons.83 This definition of violence is directed toward specific consequences to the object of the attack rather than the violent act itself. Under this definition, it is clear that any operation by a State or attributable to a State that results in damage or destruction of objects of another State would trigger an international armed conflict.

Another definition of an attack, albeit more liberal, includes cyber operations that target civilians and civilian objects regardless of whether physical damage or injury occurred.84 This inclusion lowers the threshold of an international armed conflict and would give targeted countries greater margin to retaliate against highly disruptive but non-destructive attacks. This lower threshold presents two hurdles. First, it has much less credibility under international humanitarian law.85 Second, its greater inclusivity has little to no means of distinguishing an attack from a non-attack.86

Not all cyber attacks cause violence, but instead substantially disrupt or inconvenience military or civilian operations—disrupting a network or causing loss of access to Internet are just two examples. Cyber espionage is another common act that is more concerned with gathering intelligence but does not cause tangible or harmful effects. This nuance makes defining “armed force” more complicated when analyzing cyber operations.

Sources of international humanitarian law have not committed to whether cyber operations that do not physically destroy or damage military or civilian infrastructure is armed force, thus triggering an international armed conflict given that it occurred between two States.87 Under current interpretation, it seems that a cyber attack that is invasive but non-destructive would not trigger an international armed conflict.88 The WannaCry attack, therefore, would not be considered sufficient to trigger an international armed conflict. This should not be the case. Under the current interpretation of an attack, an attack occurs when a target experiences physical damage to a military or civilian object. The definitions of physical damage and military or civil objects, however, have not included a State’s infrastructure in the digital realm. This level of nuance can likely only be clarified by discussions among States and incremental clarity on a case-by-case basis through court decisions. Invasive cyber operations should be responded to by target States with the principle of proportionality in mind.

2. State Control

Non-state actors commonly launch cyber attacks, but a non-state actor cannot trigger an international armed conflict without linkage to a State. In some situations, States provide support to a non-state armed group, and this support causes the armed conflict to take on international character.89 In order to determine that a relationship of subordination exists between the State and non-state actor, one needs to prove that the non-state actor is acting on behalf of the State.90

The particular level of control the State exhibits over the non-state actor has been debated. In its judgment on genocide in Bosnia, the International Court of Justice discussed whether armed forces acted on behalf of the Federal Republic of Yugoslavia. The Court applied the “effective control” test that was used in Nicaragua.91 In Nicaragua, the Court differentiated two categories of individuals that act on behalf of the State without being a core to the military operations of the State.92 The first category is totally dependent on the State.93 They are paid, equipped, supported, and operate according to the planning and direction of the State.94 The second category of individuals is also paid and equipped by the State, but maintains some independence in their actions.95 The Court determined that acts committed by the first category were attributable to the State.96 For the second category, the Court established a higher standard.97 In order for the second category’s actions to be attributable to the State, those specific actions must have been directed or enforced by the State.98 The issuance of directions from the State must exist as well as the enforcement of those directions.99

In Tadić, the International Criminal Tribunal’s Appeals Chamber had to establish whether the armed conflict was international in order for the Trial Chamber to exercise jurisdiction.100 The Court in this case identified multiple degrees of control. The first degree of control is essentially the “effective control” test, but only applies to individuals who were engaged by the State to commit specific illegal acts against another State. The second degree of control applies to organized armed groups and does not require as high of a standard. Specific instructions are not required for each operation, but equipping, financing, and providing operational support are still required.

Regardless of which test is implemented, the relationship between the non-state actor and State should fulfill these requirements regardless of whether the attack was via cyber operations or a conventional method. It is worth noting that for cyber attacks, attribution could prove to be more difficult since hackers can remain anonymous more easily. In the WannaCry attack, enough information was gathered to identify one of the hackers. There is also potentially enough information to connect this hacker to the North Korean government, although that remains less certain.

C. Cyber Operations and Non-International Armed Conflict

In order to determine whether cyber operations alone could trigger a non-international armed conflict, the requisite threshold of violence and the degree of the armed group’s organization must be assessed.

1. Threshold of Violence

Non-international armed conflicts have a relatively higher threshold than international armed conflicts. In the Tadić judgment, the ICTY stated that a conflict exists only when there is “protracted armed violence.”101 Situations of internal disturbances, riots, and isolated and sporadic acts of violence do not constitute a non-international armed conflict.102 The ICTY considers various factors in its assessment of whether protracted violence occurred, including the number of victims, the gravity and recurrence of the attacks, and the temporal and territorial expansion of violence.103

When considering these factors, it is very difficult for a cyber attack to rise to this threshold. The ICTY seems to put more weight on the intensity of the violence than the duration of it.104 However, Article 1(2) of Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of Non-International Armed Conflicts of 8 June 1977 states the Protocol does not apply to “isolated and sporadic acts of violence and other acts of a similar nature,” thus nullifying an isolated cyber attack regardless of its intensity.105 Therefore, network intrusions, data theft and manipulation, and random denial-of-service attacks executed by a non-State actor would not trigger a non-international armed conflict, although they could potentially be considered “attacks” under Article 49 of Additional Protocol I if performed during a pre-existing armed conflict.106

The WannaCry attack was an isolated incident and only lasted a few hours. Further, no known deaths or even physical damage resulted from this attack. WannaCry could be considered “isolated or sporadic” and therefore does not attain the threshold of violence required to trigger a non-international armed conflict. This type of attack on cyber infrastructure is increasingly common, and could have the nuance of invading cyber infrastructure should be addressed.

2. Degree of Organization

Second, for a non-international armed conflict to exist, parties to a conflict must be sufficiently organized.107 Sufficient organization entails an established command structure and a capacity to sustain military operations.108 The International Criminal Court (“ICC”) Pre-Trial Chamber held that:

[T]he involvement of armed groups with some degree of organization and the ability to plan and carry out sustained military operations would allow for the conflict to be characterized as an armed conflict not of international character.109

“Some degree of organization” allows for multiple interpretations. The flexibility has never been clarified, and the purpose of this standard also remains uncertain.110 The 2008 Report of the International law Association’s Use of Force Committee suggests:

The criteria of organization and intensity are clearly related and should be considered together when assessing whether a particular situation amounts to an armed conflict. It seems that the higher the level of organization the less degree of intensity may be required and vice versa.111

While a minimum standard is not determined, a balancing test offers some clarity. On the extremes of the organization spectrum, the Taliban or Revolutionary Armed Forces of Colombia would meet the organization threshold if they were to conduct cyber attacks, but a similar cyber attack by a private individual would not meet that threshold.112

The ICTY referred to factors such as the existence of headquarters, internal regulations and disciplinary rules, the issuance of orders, political statements, and a spokesperson, when evaluating the Kosovo Liberation Army’s structure.113 Virtual groups, groups that are exclusively online and consist of people in different locations, are becoming more common in an increasingly digital world. A virtual group’s status as an organized armed group does not transpose well to the ICTY’s factors. Even without considering the geographic question, a virtual group has no physical headquarters or tangible meeting points. It is also difficult to identify natural persons in a virtual group, although that could improve as forensic investigations become more technologically capable of identifying natural persons.114 A means of issuing orders is clearly possible in a virtual group, but the capacity to truly enforce those orders is more dubious. These factors make it unlikely that, under current international humanitarian law, a completely virtual group would constitute an organized armed group.115 Groups exist that are not entirely virtual and these should be evaluated on a case-by-case basis.

IV. Conclusion

Cyber operations, when occurring in conjunction with conventional methods of warfare that elicited an armed conflict, should be treated the same as conventional attacks. The principle of distinction in Additional Protocol 1 governs all types of operations and attacks and is primarily concerned with an attack’s violent consequences. Although cyber operations target the enemy State through a different medium, their effects can be the same as a conventional attack. As States and other entities rely more on cyber infrastructure and, conversely, become more vulnerable to cyber attacks, deference to cyber operations should only increase.

It is more difficult for a cyber attack to rise to the threshold of armed conflict, whether international or non-international. In cyber operations where the effects cause physical damage or destruction of military or civilian objects, a stronger case can be made, given other requirements of an armed conflict are met. When a cyber operation only affects cyber infrastructure, however, attaining the status of armed conflict is unlikely.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1. 1.

   Council of the European Union, Independent International Fact-Finding Mission on the Conflict in Georgia, 1 O.J. (Sep. 2009), available online. ↩

2. 2.

   Id. ↩

3. 3.

   Przemyslaw Roguski, Russian Cyber Attacks Against Georgia, Public Attributions and Sovereignty in Cyberspace, Just Security (Mar. 6, 2020), available online. ↩

4. 4.

   Id. ↩

5. 5.

   Id. ↩

6. 6.

   Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 8, available online. ↩

7. 7.

   Id. ↩

8. 8.

   Id. ↩

9. 9.

   Hortensia D. T. Gutierrez Posse, The Relationship Between International Humanitarian Law and the International Criminal Tribunals, 88 Int’l Rev. Red Cross 65, 81 (Mar. 2006), available online. ↩

10. 10.

    Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, Art. 48 (Jun. 8, 1977), [hereinafter Additional Protocol I], available online. ↩

11. 11.

    Id. art. 52.2. ↩

12. 12.

    Michael N. Schmitt, Cyber Operations and the Jus in Bello: Key Issues, 87 ILS 89, 92 (2011), available online. ↩

13. 13.

    Id. at 93. ↩

14. 14.

    Id. ↩

15. 15.

    Additional Protocol I, supra note 10, art. 51.1. ↩

16. 16.

    Id. arts. 51.2, 51.4. ↩

17. 17.

    Id. art. 51.5. ↩

18. 18.

    Id. ↩

19. 19.

    Id. ↩

20. 20.

    Id. art. 52. ↩

21. 21.

    Id. arts. 54.2, 55. ↩

22. 22.

    Id. art. 56. ↩

23. 23.

    Marco Sassòli, Legitimate Targets of Attacks Under International Humanitarian Law, Harv. Humanitarian Init. 7 (Jan. 27, 2003), available online. ↩

24. 24.

    Id. ↩

25. 25.

    Additional Protocol I, supra note 10, art. 57.1. ↩

26. 26.

    Id. art. 57.2. ↩

27. 27.

    Id. art. 12. ↩

28. 28.

    Id. art. 44.3. ↩

29. 29.

    Id. art. 49.1. ↩

30. 30.

    Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949, ICRC ¶ 1875 (Yves Sandoz, Christophe Swinarski & Bruno Zimmermann, eds., 1987), available online. ↩

31. 31.

    Id. ↩

32. 32.

    Additional Protocol I, supra note 10, arts. 51.1, 51.2. ↩

33. 33.

    Id. art. 57.2. ↩

34. 34.

    Id. ↩

35. 35.

    Id. arts. 57.2, 57.3. ↩

36. 36.

    Jeffrey T.G. Kelsey, Hacking into International Humanitarian Law: The Principles of Distinction and Neutrality in the Age of Cyber Warfare, 106 Mich. L. Rev. 1427, 1447 (2008), available online. ↩

37. 37.

    Id. ↩

38. 38.

    Id. at 1438. ↩

39. 39.

    Brian T. O’Donnell & James C. Kraska, International Law of Armed Conflict and Computer Network Attack: Developing the Rules of Engagement, 76 Int’l L. Stud. 395, 402 (2002), available online. ↩

40. 40.

    Additional Protocol I, supra note 10, art. 57. ↩

41. 41.

    Id. art. 51. ↩

42. 42.

    See Kelsey, supra note 36, at 1438. ↩

43. 43.

    Id. ↩

44. 44.

    Knut Dörmann, Cordula Droege, Helen Durham, Liesbeth Lijnzaad, Marco Sassòli, Philip Spoerri & Kenneth Watkin, eds., ICRC, Commentary of 2020 on Convention (III) Relative to the Treatment of Prisoners of War Geneva, 12 August 1949, ¶ 287 (2020) [hereinafter ICRC Commentary 2020], available online. ↩

45. 45.

    Id. ↩

46. 46.

    Zach Whittaker, Two Years After WannaCry, a Million Computers Remain at Risk, TechCrunch, May 12, 2019, available online. ↩

47. 47.

    Id. ↩

48. 48.

    Id. ↩

49. 49.

    Waleed Alraddadi & Harshini Sarvotham, A Comprehensive Analysis of WannaCry: Technical Analysis, Reverse Engineering, and Motivation, available online. ↩

50. 50.

    Id. ↩

51. 51.

    Id. ↩

52. 52.

    Id. ↩

53. 53.

    Id. ↩

54. 54.

    Id. ↩

55. 55.

    Id. ↩

56. 56.

    Kate Conger & Taylor Hatmaker, The Shadow Brokers Are Back With Exploits for Windows and Global Banking Systems, TechCrunch, Apr. 14, 2017, available online. ↩

57. 57.

    Id. ↩

58. 58.

    Id. ↩

59. 59.

    National Audit Office, Investigation: WannaCry Cyber Attack and the NHS (Apr. 24, 2018), available online. ↩

60. 60.

    Id. ↩

61. 61.

    Id. ↩

62. 62.

    Id. ↩

63. 63.

    Thomas P. Bossert, It’s Official: North Korea is Behind WannaCry, Wall St. J., Dec. 18, 2017, paywall. ↩

64. 64.

    Press Release, U.S. Dept. of Just., North Korean Regime-Backed Programmer Charged with Conspiracy to Conduct Multiple Cyber Attacks and Intrusions (Sep. 6, 2018), available online. ↩

65. 65.

    Id. ↩

66. 66.

    The Prosecutor v. Dusko Tadić, IT-94-1-A, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction ¶ 70 (ICTY AC, Oct. 2, 1995) [hereinafter Tadić], available online, archived. ↩

67. 67.

    Id. ↩

68. 68.

    United Nations Charter, art. 51. ↩

69. 69.

    See Schmitt, supra note 12, at 93. ↩

70. 70.

    Sylvain Vité, Typology of Armed Conflicts in Humanitarian Law: Legal Concepts and Actual Situations, 91 Int’l Rev. Red Cross 69, 72 (Mar. 2009), available online. ↩

71. 71.

    Jean S. Pictet, ed., ICRC, Commentary on the Geneva Convention Relative to the Treatment of Prisoners of War 23 (1960), available online. ↩

72. 72.

    Geneva Convention IV Relative to the Protection of Civilian Persons in Time of War, 75 U.N.T.S. 287, Art. 2 (Aug. 12, 1949, entry into force Oct. 21, 1950) [hereinafter Fourth Geneva Convention], available online. ↩

73. 73.

    Id. ↩

74. 74.

    Id. ↩

75. 75.

    Christopher Greenwood, The Concept of War in Modern International Law, 36 ICLQ 283 (1987), paywall, doi. ↩

76. 76.

    Tallinn Manual on the International Law Applicable to Cyber Warfare 71 (Michael N. Schmitt ed., 2013) [hereinafter Tallinn Manual]. ↩

77. 77.

    Id. ↩

78. 78.

    Dapo Akande, Classification of Armed Conflicts: Relevant Legal Concepts, in International Law and the Classification of Conflicts 14 (Elizabeth Wilmhurst ed., Jul. 2012), available online, doi. ↩

79. 79.

    Id. ↩

80. 80.

    Id. ↩

81. 81.

    Id. ↩

82. 82.

    Additional Protocol I, supra note 10, art. 49.1. ↩

83. 83.

    Id. ↩

84. 84.

    See Schmitt, supra note 12, at 94. ↩

85. 85.

    Id. ↩

86. 86.

    Id. ↩

87. 87.

    Helen Durham, Cyber Operations During Armed Conflict: 7 Essential Law and Policy Questions, ICRC (Mar. 26, 2020), available online. ↩

88. 88.

    Id. ↩

89. 89.

    ICRC Commentary 2020, supra note 44. ↩

90. 90.

    Id. ↩

91. 91.

    Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. United States), Judgment, 1986 I.C.J. Rep. 14, ¶ 105–15 (Jun. 27, 1986), available online. ↩

92. 92.

    Id. ↩

93. 93.

    Id. ↩

94. 94.

    Id. ↩

95. 95.

    Id. ↩

96. 96.

    Id. ↩

97. 97.

    Id. ↩

98. 98.

    Id. ↩

99. 99.

    Id. ↩

100. 100.

     Antonio Cassese, The Nicaragua and Tadić Tests Revisited in Light of the ICJ Judgment on Genocide in Bosnia, 18 EJIL 649 (Sep. 1, 2007), available online, doi. ↩

101. 101.

     Tadić, supra note 66, ¶ 70. ↩

102. 102.

     Rome Statute, Art. 8.2(e). ↩

103. 103.

     Robin Geiss, Cyber Warfare: Implications for Non-international Armed Conflicts, 89 Int’l L. Stud. 627, 632 (2013), available online. ↩

104. 104.

     Id. at 633. ↩

105. 105.

     Id. at 634; Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of Non-International Armed Conflicts, 1977 U.N.T.S. 609 (Jun. 8, 1977) [hereinafter Additional Protocol II], available online. ↩

106. 106.

     Additional Protocol I, supra note 10, art. 49. ↩

107. 107.

     Tadić, supra note 66, ¶ 70. ↩

108. 108.

     The Prosecutor v. Fatmir Limaj, Haradin Bala, and Isak Musliu, IT-03-66-T, Judgement ¶ 129 (ICTY TC II, Nov. 30, 2005) [hereinafter Limaj], available online. ↩

109. 109.

     The Prosecutor v. Thomas Lubanga Dyilo, ICC-01/04-01/06, Decision on the Confirmation of Charges ¶ 233 (PTC I, Jan. 29, 2007), available online. ↩

110. 110.

     See Geiss, supra note 103, at 634. ↩

111. 111.

     Mary Ellen O’Connell & Judith Gardam, ILA, Initial Report on the Meaning of Armed Conflict in International Law (2008), available online. ↩

112. 112.

     See Geiss, supra note 103, at 634. ↩

113. 113.

     Limaj, supra note 108, ¶¶ 98, 113–17. ↩

114. 114.

     See Geiss, supra note 103, at 634. ↩

115. 115.

     Id. ↩