Digital technologies are daily features in today’s armed conflicts. Civilians living through wars rely on digital networks and devices for access to essential services and information; and militaries need data centers, digital communications, satellites, and more to conduct operations. It is often the private sector that manages and secures these digital technologies, with companies providing services and infrastructure directly to both civilians and belligerents.
This intersection of cyberspace, business, and conflict poses the risk that belligerents may attack a company’s assets or employees for supporting an adversary—attacks that can result in incidental harm to civilians proximate to these assets or reliant on these services. How such attacks should be treated under international law raises pressing questions.
International humanitarian law (IHL) holds many of the answers in situations where tech company employees and properties are located in the territory of a state (or states) where an armed conflict is taking place. By regulating belligerent conduct during hostilities and providing protections for civilians, civilian objects, and other specifically mentioned persons and objects, IHL generally protects company property and personnel against kinetic and nonkinetic attacks. But the rules of IHL also contain narrow exceptions for when that protection may cease. If governments are going to ask tech companies to support them in armed conflicts, and if companies are going to offer them their services and infrastructure, there needs to be a channel of communication that allows these types of wartime implications to be raised, discussed, and addressed.
IHL and the Private Digital Sector
Company Property
The world is replete with the property of digital technology companies—including in locations of armed conflict. Such property includes offices, factories, computers, printers, routers, modems, fiber-optic cables, data, and other hardware, software, and network infrastructure; it is critical to the existence of the digitalized environment that civilians rely on for essential services, such as medical care, electricity, and water. Attacking a company’s property—whether through kinetic or nonkinetic means—can consequently have devastating effects.
IHL does not explicitly mention these private digital tech properties. Nonetheless, they are classified as “civilian objects,” unless they qualify as “military objectives” (discussed below). Under IHL’s cardinal principle of distinction, civilian objects must not be the target of attack. In the digital context, this means a belligerent would be prohibited under the principle of distinction from directing a kinetic or nonkinetic attack (as understood under IHL) against the property of, for example, a digital technology company if that property were used exclusively to maintain the operating system of a financial banking institution that services only civilians.
But when a digital technology company is providing its support to a belligerent, questions may arise regarding whether that company’s assets remain protected as civilian objects under IHL or whether any of its assets qualify as military objectives. In contrast to civilian objects, military objectives may be attacked, provided other principles and rules of IHL are complied with. How IHL defines military objectives therefore matters greatly to such a company.
As far as objects are concerned, IHL defines military objectives as being “limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose partial or total destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.” Under this definition, items such as routers, modems, and fiber-optic cables could qualify as military objectives when used by belligerents or by companies that support belligerents. And as digital tech companies and militaries increase their security partnerships, there will likely be an increase in private-sector assets that qualify as military objectives during armed conflicts.
That is not to say that every military use of a company’s goods or services results in company property qualifying as a military objective. For example, private technology companies supporting a military’s medical services or management of detainees would not meet the military objective test.
This relationship between the definition of a military objective under IHL and a belligerent’s reliance on digital tech companies demonstrates the need for clear communication channels that allow parties to understand and address the consequences of each other’s actions. When a belligerent uses a company’s goods and services, the two parties should discuss what protections IHL will afford, and under what circumstances those protections might cease. This could allow both the company and the belligerent to avoid, or at least mitigate, the dangers of attacks, and the company to inform staff of the risks they may be exposed to.
This dialogue needs to extend beyond considering risks to the company alone. In the kinetic world, belligerents must apply the principles and rules of IHL in battlefields where civilians and civilian objects mingle closely with military objectives. When the rules are not complied with, civilians and civilian infrastructure suffer; but not all such harm is necessarily prohibited. While belligerents have a legal obligation to take all feasible precautions to avoid, or at least minimize, foreseeable incidental civilian death, injury, and damage, IHL tolerates a certain degree of harm, provided the attack is not indiscriminate or disproportionate.
Similar considerations apply to the cyber context. The design of cyberspace allows for considerable civilian and military co-reliance on the same digital infrastructure. In today’s digital ecosystem, a cyberattack could be lawfully directed at a belligerent’s data center located on the territory of that belligerent provided it qualifies as a military objective. But the same attack could incidentally kill or injure civilians if the data center also serviced a heating plant in winter; a kinetic attack on the data center could kill a (civilian) company employee working there. The interconnected relationships that tech companies have with civilians and belligerents expose civilians, including company personnel, to harms that IHL aims to avoid or minimize but may not necessarily prohibit.
Consequently, a company may want to inform a belligerent it supports of the risks to civilians—including its own employees—if the company’s infrastructure were to be attacked. These details may help that belligerent comply with its IHL obligations to protect civilians and civilian objects under its control against the dangers of military operations by opposing belligerents. For example, a belligerent may decide not to use for a military purpose a network that is particularly critical to the safety or health of civilians. Companies may also want to inform opposing belligerents of these same risks to help belligerents comply with their IHL obligations to protect civilians and civilian objects when they conduct attacks.
Additional Legal Issues of Particular Relevance
To gain a fuller picture of how IHL prohibits and avoids—or at least minimizes—civilian harm in the cyber context, it is also necessary for companies to understand how belligerents interpret the word “attack” under IHL and what protections they believe IHL affords civilian “data.” “Attack” is a legal term of art under IHL, defined as an act of violence against the adversary, in the offense or defense. Several states, the International Committee of the Red Cross (ICRC), and other experts have taken the position that for a cyber operation to constitute an attack, it must be expected to cause death, injury, or damage. If a cyber operation constitutes an attack, it is regulated by rules that are essential for protecting the civilian population and objects, such as the prohibition on attacks against civilians and civilian objects, the prohibition on indiscriminate and disproportionate attacks, and the obligation to take all feasible precautions to minimize civilian harm when carrying out attacks.
Industry writ large should understand that some states favor an interpretation wherein a cyber operation that is expected to cause damage must cause physical damage for it to constitute an attack; under this interpretation, IHL’s rules that specifically regulate attacks would not constrain a cyber operation that, for example, caused production lines exclusively dedicated to civilians to slow down or stall without causing any physical damage. In contrast, the ICRC’s view—which is shared by several other states—is that the damage does not have to be physical for a cyber operation to constitute an attack.
The debate on “data” is equally relevant. IHL contains an obligation to respect and protect certain entities, such as medical services—including their data. But aside from a few other exceptions, the protections that IHL affords data hinge on whether civilian data is protected from attack in the same way that civilian objects are protected. Since digital technology companies rely extensively on software and data, these companies, and the civilians who depend on them, have a significant stake in states’ interpretations of how IHL protects civilian data. If civilian data was not afforded the same protection as civilian objects under IHL, then—similar to targets of cyber operations that did not constitute attacks—data would not be protected by some of IHL’s more clearly articulated constraints. In the ICRC’s view, this interpretation would not align with the goal of IHL: to protect civilians and others from the dangers of warfare. Indeed, several states agree that civilian data should receive the same protections as civilian objects.
Company Employees
Tech company employees are protected as “civilians” under IHL when they are not members of a state’s armed forces or members of an organized group that belongs to a party to an armed conflict. But the protection against attack that IHL affords a (civilian) company employee would not apply when the employee is directly participating in hostilities (DPH).
While civilians were never meant to “DPH” on behalf of a party to an armed conflict, there is nothing in IHL that expressly prohibits them from doing so. For a civilian to DPH, a cumulative three-part test must be met. This test was put forward by the ICRC in 2009 and has since received support from several states. When the test is met, IHL protection against a direct attack—whether through cyberspace or kinetically—is temporarily suspended for the period during which civilians are DPH. The criteria are:
1. The act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack (known as the “threshold of harm” criterion);
2. There must be a direct causal link between the act and the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part (known as the “direct causation” criterion); and
3. The act must be specifically designed to directly cause the required threshold of harm in support of a party to the armed conflict and to the detriment of another (known as the “belligerent nexus” criterion).
When a government asks a company to provide support to its military operations, it is important for the company to know if its employees might meet these criteria. If employees do meet the criteria and are located in the territory of a belligerent, they may become the lawful target of an attack. Such an outcome is a clear illustration of why it is essential for companies and governments to engage in dialogue to consider the risks posed to company employees.
There are interpretive nuances to these criteria that are important in the cyber context. For example, in the ICRC’s view, a company employee would not lose their protection against direct attack by a belligerent when they are totally unaware of the inadvertent repercussions of their activities. Given that cyberspace is replete with anonymity, it is conceivable that a cyber threat intelligence firm could provide threat intelligence to a party to an armed conflict without the firm’s employees knowing who the threat was and how the intelligence would be used. In these circumstances, the employee would not lose their protection against attack. But, even if the employee knew these details, the information shared may not have a direct causal link to any harm, failing the “direct causation” criterion.
Similarly, employees may engage in cyber defense activities that directly deter an unlawful attack against civilian digital infrastructure and, in doing so, adversely affect the belligerent’s military operation. In the ICRC’s view, these types of actions would not qualify as DPH because the act was not specifically designed to cause harm in support of a party to the armed conflict and to the detriment of another.
This is not to say that private-sector employees cannot lose their IHL protection against direct attack—for example, an employee engaging in an offensive cyber operation that directly targets a belligerent as part of an armed conflict (provided their action meets the three-part test). So might, more exceptionally, cyber threat intelligence sharing and cyber defense services. Government and industry circles often applaud the national security successes of these two specific types of partnerships. But in situations of armed conflict, they come with unique associated risks for employees working in the territory of a belligerent.
Directly participating in hostilities also has a temporal element that is important to consider in the cyber context. In instances when the three DPH criteria are met, loss of protection lasts only “for such time” as the civilian engages in DPH. The ICRC interprets this temporal element narrowly, such that protection from attack is lost only during specific acts of DPH (which includes “measures preparatory to the execution of such an act, as well as the deployment to and return from the location of its execution, where they constitute an integral part of such a specific act or operation”) and regained in moments in between.
Some states have criticized this approach for unfairly creating a “revolving door” that allows civilians who repeatedly engage in DPH to regain their protection too easily. But the problem with a broad interpretation of the temporal element is that a tech company employee who engages in acts of DPH in the territory of a belligerent, even if only infrequently during a work week from their office, might lose protection from attack not only while they engage in those specific acts of DPH, but also throughout the day when they are engaged in activities unrelated to acts of DPH. This would expose civilian tech workers to dangers during the exact times when IHL intended them to be protected from attack.
But even if states resolve these legal debates, murky facts may present additional challenges. Belligerents may not know whether a worker is, say, acting in defense of civilians or with total unawareness of their unintended effects. Under these conditions, it is imperative that belligerents ensure they are properly applying the DPH rule.
This starts with states providing clear guidance to military operators on what factors need to be considered when assessing the activities of private-sector cyber actors. Additionally, in cases of doubt that a civilian is engaging in DPH, IHL obligates belligerents to presume civilians are protected against attack; if a belligerent has doubts that a tech company employee is meeting DPH’s three-part criteria, attacking the employee is prohibited. Beyond this, parties to an armed conflict could decide to direct a cyberattack only against “military objectives,” provided all principles and rules of IHL are complied with, rather than making costly errors in targeting civilians who remained protected. Finally, tech companies and the governments they work with could provide public information to clarify that employees operating in an armed conflict are not engaging in DPH, where this is the case. Importantly, however, not sharing this information cannot be taken as displacing a belligerent’s obligation to independently assess whether a civilian is engaging in DPH.
Conclusion
The International Committee of the Red Cross, the organization I work for, is starting to tackle these issues by talking to tech company policymakers, the lawyers who counsel them, and governments. We are trying to better understand how different tech companies envisage the roles they play during situations of armed conflict, how they think about their government partnerships, and how they prioritize and address risks that might arise when belligerents rely on their workers, services, and infrastructure. With this information, the ICRC hopes to help companies and governments assess and address risks that could have consequences not only for employees and assets but also for civilians living through armed conflict.
In this pursuit, in January 2022, I wrote a piece for Articles of War that focused on the need for states to clarify how they interpret IHL’s principle of distinction when they enter into public-private partnerships with digital technology companies on the battlefield. I followed that with a piece for Tech Policy Press and a lengthier law journal article that offered recommendations that companies could follow to avoid or minimize those risks, and explained that company employees must also comply with relevant rules of IHL.
This article is meant to demonstrate why it is also in the interest of governments and digital technology companies to discuss these risks and consider how best to manage them, whether as a matter of law or policy. There are already plenty of examples from ongoing armed conflicts that point to the value of government-to-industry discussions. Given the continued expansion of public-private partnerships—including in situations of armed conflict—the importance of IHL when anticipating risks will undoubtedly continue to demand our consideration, attention, and dialogue.
– Jonathan Horowitz is Deputy Head of the Legal Department to the ICRC’s Delegation for the United States and Canada, based in Washington, DC. He focuses on legal issues relating to urban warfare, partnered military operations, and new and emerging technologies in armed conflict. Published courtesy of Lawfare.