By: David Gallagher
On Friday, November 4th, the North Carolina Journal of International Law was honored to host a number of distinguished scholars at its annual symposium in Chapel Hill, titled, “Cyberwarfare and International Law.” Major James E. Tucker—Chief of Cyber Special Programs Law, Headquarters 24th Air Force/Air Forces Cyber, Office of the Staff Judge Advocate—presented his research about “the way contemporary international law treats civilians in traditional warfare as well as the treatment of civilians in the cyberspace domain.”
Tucker discusses several terms and assumptions that are important to note in order to fully understand and appreciate his scholarship:
- Non-state-affiliated civilians = Private citizens; not state actors; not an armed force;
- LOAC = Law of Armed Conflict; comes into play when 2+ nations are involved in an international armed conflict;
- Cyberwarfare = Cyber operations; not physical (or kinetic) attack;
- Targeting civilians = When civilians lose their ‘civilian protection’ and can be targeted by physical or cyber means;
- DPH = Civilian direct participation in hostilities; what causes civilians to lose their protection/immunity from being targeted;
- Logic bomb = Malicious code inserted into a computer network with the intent of disrupting the network’s operation or causing other harm
The Major’s research explores the legal uncertainties that currently exist when dealing with private, non-state-affiliated citizens who engage in hostilities (DPH), and at what point these actors lose their ‘civilian’ status, thus opening themselves up to being ‘targeted’ by state/military forces.
One of the most important unresolved issues in the field of cyberwarfare crime is the applicability, if any, of traditional international law (UN Charters, LOAC, etc.) to non-state actors who participate in cyber hostilities. Even if these international law standards do apply to the cyberwarfare realm, Tucker notes that these treaties and charters often define and discuss issues in terms of traditional air, ground, or sea warfare: not hostilities in the cyber domain. These uncertainties are further complicated when thought about in conjunction with the innate complexities cyberwarfare and cyber-crime present, such as attribution difficulties in distinguishing between state and non-state actors. Furthermore, we are unlikely to see a breakthrough in international treaties concerning this subject because countries do not want to put themselves at a competitive disadvantage. For example, why would a nation like the U.S., China, or Russia (known to be some of the most advanced users of cyberwarfare) agree to stop engaging in cyber activities against other states when doing so would have a more beneficial effect on the smaller nations to the treaty/agreement than it would for them?
Major Tucker does provide a bit of solid ground, however, outlining a framework of criteria that can be used to gauge whether a non-state-affiliated actor has engaged in DPH, thereby potentially forfeiting their civilian protection. The three factors are:
- The threshold of harm: Act likely to adversely affect an armed force’s military operations or capacity;
- Existence of a direct causal link: Link between the act and the harm likely to occur as a result of that act;
- Belligerent nexus: Act specifically designed to directly cause threshold of harm.
Tucker explains that the Tallinn Manual — a non-binding study of international law conducted by experts at the invitation of NATO’s Cooperative Cyber Defence Center of Excellence—suggests that the first factor (threshold) should be considered in terms of likely harm, and the second factor (causal link) should be interpreted as intended harm. The Tallinn Manual also makes it clear that, since the threshold of harm factor is thought of as likely harm, it is not a requirement for the harm to actually materialize in order for that criteria to be met.
This distinction between likely and actual harm creates an interesting issue when determining if a civilian has engaged in DPH. Consider the following scenario: a non-state-affiliated civilian begins to assemble the software and computer equipment necessary to design and implement a “logic bomb” via an act of cyberwarfare on another state. When do the civilian’s actions rise to the level of DPH so that a state’s actors may consider that civilian a target? Tucker explains that the majority of the Tallinn drafters took a broad view of DPH, concluding that “a civilian is directly participating in hostilities from the beginning of his involvement through the point in time where the civilian terminates an active role in the operation.” While Tucker seems to agree that this definition may be sufficient when dealing with physical attacks and conventional warfare (example: a civilian creating, assembling, and detonating an IED in an armed conflict zone), he has doubts as to its effectiveness in the cyber domain:
The problem with this majority view is that it does not make clear to the participating civilian or to the State being attacked the window of time during which the civilian may be directly and legally targeted. The civilian may terminate an active role by no longer checking the status of the ongoing cyber operation, but the State may still attribute the operation to the civilian and target him. The State may not discover the ongoing cyber operation until after the civilian has terminated an active role, but the State has no way of knowing the civilian has terminated his active role in the ongoing cyber operation.
The problems illustrated by Tucker’s analysis present even more of a challenge when thought about in terms of repeated or aggregate actions/participation by a civilian actor. For example, could one civilian—who is a well-known hacker notorious for the use of logic bombs—be said to satisfy the DPH requirement at an earlier stage (buying the software), while another civilian—whose involvement in cyberwarfare is completely unknown — retains their civilian protections for a longer period of time? The Major explains that the Tallinn Experts are split on the subject:
One view is in line with the ICRC in that each cyber act must be treated separately in terms of direct participation analysis. On the other hand, another view is that it would make more operational sense if direct participation begins with the first cyber operation and continues throughout the period of intermittent activity.
Tucker points out the lack of clarity concerning civilian DPH in the cyberwarfare realm to illustrate the uncertainties that exist in the current state of international law and LOAC. To provide non-state-affiliated actors and states alike with more clear governing standards going forward, Tucker suggests that existing LOAC principles be amended to account for the more “nuanced’ and “temporal” considerations that present themselves in the cyber domain.
 James E. Tucker, The Targeting of Non-State-Affiliated Civilians in Cyberspace: Lagging LOAC Principles Cause Uncertainty on Both Sides 2 (May 9, 2015) (unpublished LL.M. thesis, The Univeristy of Nebraska College of Law).
 Tallinn Manual on the International Law Applicable to Cyber Warfare, Michael N. Schmitt, ed., 2013 (available at http://www.peacepalacelibrary.nl/ebooks/files/356296245.pdf) [https://perma.cc/4HUR-59XV][hereinafter Tallinn Manual].
 Tucker, supra note 1, at 22; Tallinn Manual, supra note 7, Rule 35, at para. 4.
 Tucker, supra note 1, at 22; Nils Melzer, International Committee of the Red Cross, Interpretive Guidance on the Notion of Direct Participation Under International Humanitarian Law, Part V, 2009.
 Tucker, supra note 1, at 28; Tallinn Manual, supra note 7, Rule 35, at para. 8.
 Tucker, supra note 1, at 28.
 Tucker, supra note 1, at 30; Tallinn Manual, supra note 7, Rule 35, at para. 10.
 Tucker, supra note 1, at 42.