At the time of composing the Oslo Manual, there were some fundamental differences of opinion among States as to the interpretation or acceptability of terms such as “cyber means of warfare”, “cyber methods of warfare”, and “cyber attacks”. The Group of Experts took cognizance of those differences of opinion but concluded, consistent with the view of the International Court of Justice as expressed in the Nuclear Weapons Advisory Opinion,[Footnote 1] that the cardinal principles of LOAC would apply to all forms of warfare. This includes cyber warfare.

Rule 20

  (a) For the purposes of this Manual, “cyber operations” are operations that employ capabilities aimed at achieving objectives in or through cyberspace.

Commentary

  1. The definition of cyber operations in this Rule is based on the definitions used in the US Joint Publications.[Footnote 2] The reference to “primary purpose” in the US definition is omitted from the present Rule, as it is believed that it unnecessarily restricts the definition.

  2. The fact that objectives are achieved “in or through” cyberspace means that the operations covered by the present definition include both those the effects of which are confined to cyberspace and those that have effects in the physical world through the manipulation, deletion or corruption of data.

  3. The kinetic bombardment of physical cyber infrastructures would not be a cyber operation for the purposes of the present Rules.

  4. “Cyber operations” as defined in this Rule include:

    a. Unauthorized access to computers, computer systems or networks to obtain information, but without necessarily affecting the functionality of the accessed system or amending, corrupting, or deleting the data resident therein; and

    b. Operations, whether in offence or in defence, intended to alter, delete, corrupt or deny access to computer data or software for the purposes of propaganda or deception; partly or totally disrupting the functioning of the targeted computer, computer system or network and related computer-operated physical infrastructure (if any); or producing physical damage extrinsic to the computer, computer system, or network.

  5. “Cyberspace” is understood in this Rule as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”[Footnote 3]

  (b) Cyber operations, when carried out as part of an armed conflict, are governed by applicable principles and rules of LOAC.

Commentary

  1. This Rule is limited to armed conflict, whether international or non-international.

  2. Paragraph 5 of the Commentary to Rule 2 explains the import of the phrase “applicable principles and rules of LOAC”.

  3. The expression “when carried out as part of an armed conflict” was included in order to exclude cyber operations falling outside the scope of the armed conflict.[Footnote 4]

Rule 21

With respect to an armed conflict, States bear responsibility for their cyber operations as well as other activities conducted in cyberspace that are attributable to them. Such responsibility includes actions by all persons belonging to the armed forces of the State.

Commentary

  1. This Rule deals with State responsibility, which applies in the relations between an injured State and a wrong-doing State. Hence, its applicability would generally be confined to international armed conflicts. However, in some situations, State responsibility vis-a-vis other States will also be relevant to non-international armed conflicts.

  2. The Rule is derived from Article 3 of the 1907 Hague Convention IV and Article 91 of AP/I.[Footnote 5]

Rule 22

All those involved in the conduct of cyber operations, including attacks, are responsible for their respective roles and, commensurate with their involvement, have obligations to ensure that such operations are conducted in accordance with the applicable principles and rules of LOAC.

Commentary

  1. The preceding Rule deals with State responsibility, whereas the present one addresses the issue of individual responsibility.

  2. As for the general principle regarding individual responsibility, see Commentary to Rule 44.

Rule 23

  (a) In the study, development, acquisition or adoption of a new cyber weapon, means or method of cyber warfare, a State that is party to Additional Protocol I must determine whether its employment would, in some or all circumstances, be prohibited by any rule of international law applicable to that State.

  (b) In the acquisition of a new cyber weapon or means of cyber warfare, a State that is not party to Additional Protocol I should determine whether its employment would, in some or all circumstances, be prohibited by applicable principles and rules of LOAC.

Commentary

  1. For the interpretation of this Rule, see the Commentary on Rule 7 which is applicable mutatis mutandis.

  2. Due to the characteristics of cyber capabilities, the distinction between “a method of cyber warfare” and “means of cyber warfare” is still unclear.

  3. Cyber capabilities in general are not inherently unlawful.

  4. Cyber capabilities are so diverse and their effects so dependent on the circumstances (including the characteristics of the targeted system) that a legal review can likely only be conducted with regard to each individual capability. In most cases, legality will depend on how the capability is used rather than the capability itself.

Rule 24

In cyber operations occurring during an armed conflict, the concept of attack applies to all acts of violence against the adversary, whether in offence or defence. The acts must be intended to cause—or must be reasonably expected to result in—death, injury, destruction or damage. These acts generally do not include those intended to cause only temporary loss of functionality.

Commentary

  1. For the interpretation of this Rule, see the Commentary on Rule 8 which is applicable mutatis mutandis.

  2. This Rule applies in cyber operations as defined in Rule 20.

  3. There are divergent views as to what constitutes damage in cyber warfare. One view is that damage must be limited specifically to a situation where it is physical and requires physical repairs. Another view is that extinguished or reduced functionality per se, irrespective of the need for physical repair, is sufficient.

  4. The Group of Experts recognized that the notion of attack is based on the term “acts of violence”. Such acts generally do not include cyber operations that merely result in the loss of functionality of cyber or related infrastructure, even though these operations are often colloquially described as “cyber attacks”. Cyber operations that may be characterized as “violent”, causing an intentional destruction of physical infrastructure or an intentional infliction of physical damage to property or injury to persons, would be attacks under this Rule.

  5. The LOAC concept of “attack” has developed in the context of the infliction of physical destruction, damage, death or injury. However, cyber operations are liable to cause only non-physical destruction or damage, such as the deletion of data. Even if such effects are not characterized as destruction or damage, the respective acts could be subject to other LOAC rules, such as those relating to the protection of enemy property.

  6. As for the temporary disruption of functionality of cyber or related infrastructure, it must be borne in mind that—although such disruption generally does not constitute an attack—it could be a component of an attack that is intended to cause death, injury, destruction or damage, for example through the crash of an aircraft.[Footnote 6] Conversely, brief or minor disruption of Internet services or briefly disrupting, disabling, or interfering with communications, would generally not per se constitute an attack.

Rule 25

In principle, cyber infrastructure belonging to the armed forces constitutes a military objective by nature.

Commentary

  1. For military objectives by nature, see chapter “Section IX: Military Objectives by Nature”.

  2. The phrase “in principle” indicates that it is the general Rule subject to exceptions, such as in relation to medical installations and equipment.

Rule 26

Cyber infrastructure which does not belong to the armed forces—even if not constituting a military objective by nature—may still be attacked if it qualifies as a military objective by location, purpose or use. Cyber infrastructure not making an effective contribution to the enemy’s military action is a civilian object and may therefore not be made the object of attack.

Commentary

  1. The Group of Experts agreed that, at present, the reference to “location” seemed to have uncertain factual relevance to cyber warfare. Therefore, this Rule is mainly directed at use or purpose (with an understanding that purpose is related to intended future use).

  2. For an object to be classified as a military objective, any one of the grounds specified (nature, location, purpose or use) will suffice. As long as the military objective is defined by any one of the grounds, no other ground is required for consideration.

  3. Cyber infrastructure that is not classified as a military objective is by definition a civilian object and thus protected from being made the object of attack.

Rule 27

The concept of direct participation in hostilities applies to civilians, including civilian employees of State agencies, who conduct cyber operations in the context of an armed conflict.

Commentary

  1. For general remarks on the concept of direct participation in hostilities, see chapter “Section VII: Civilians Directly Participating in Hostilities”.

  2. This Rule has a generalised applicability, not only to civilians who act individually or collectively but also to those employed by State agencies. Some States seem to be under the impression that civilian employees of State agencies are not subject to the general Rule relating to DPH. The Group of Experts believed that it needed to be made clear that DPH applies to all civilians without exception relating to their employment.

Rule 28

Cyber operations qualifying as direct participation in hostilities may include:

  (a) Any cyber activity designed or intended to directly cause death, injury, damage or destruction to an adverse party;

  (b) Cyber defence of military objectives against enemy attacks;

  (c) Contributing to targeting procedures, such as helping to identify or prioritize targets;

  (d) Engaging in planning specific cyber attacks; or

  (e) Providing or relaying information of tactical relevance for the purpose of aiding in combat operations.

Commentary

  1. The overall definition of activities amounting to direct participation in hostilities is highly controversial. However, the Group of Experts agreed on the five categories of activities identified in this Rule, without prejudice to other activities regarding which no consensus could be reached.

  2. See also paragraph 1 of the Commentary to Rule 13 with regard to activities amounting to DPH.

  3. As for paragraph (e) of this Rule, it should be noted that obtaining military intelligence as such is not sufficient to qualify as DPH. Conversely, providing or relaying such information of tactical relevance for the purpose of aiding in combat operations is undoubtedly considered DPH. There is a borderline issue of the processing of information, where the Group of Experts could not determine whether such activity is sufficient to qualify as DPH.

  4. In view of the severe consequences of DPH, the decision on whether an activity qualifies as DPH should be based on reasonably reliable information.

  5. See also chapters “Section VII: Civilians Directly Participating in Hostilities” and “Section VIII: Civilians Participating in Unmanned Operations”.

Rule 29

In cyber operations constituting attacks, feasible precautions should be taken where necessary in order to avoid, or in any event minimize, destruction or damage to civilian objects, or death or injury to civilians.

Commentary

  1. The reference to “feasible precautions” here parallels Rule 14. The meaning of the phrase is defined in the Commentary to that Rule.

  2. Taking feasible precautions will only be required when the operation constitutes an attack. See Rule 24.

  3. For the purposes of taking feasible precautions, it may be necessary to collect information about the architecture of the network or operating system that is to be attacked. The assessment of potential or likely collateral damage will largely depend on the characteristics of the targeted system.

  4. To identify whether the target is a military objective and to assess the expected collateral damage, Parties conducting cyber operations should, if feasible, collect sufficiently accurate information about the architecture of the enemy’s network or the relevant operating system.[Footnote 7]

  5. Because of the technicalities of cyber operations, the reasonable military commander will almost inevitably need assistance from cyber experts in order to determine the potential or likely incidental civilian damage of a cyber attack, unless he or she is a trained cyber expert himself/herself.

Rule 30

A Belligerent State should not conduct cyber operations that constitute attacks causing physical damage to or destruction of objects located in neutral territory, including neutral cyber infrastructure, unless the Neutral State is unable or unwilling to terminate an abuse of such objects or infrastructure by an adversary of the Belligerent State.

Commentary

  1. The meaning of “attacks” in cyber warfare is explained in Rule 24 and Commentary.

  2. It is unclear whether and to what extent the law of neutrality applies in the cyber context. Divergent views exist with respect to this question. Some States believe that the raison d’être of the law of neutrality, and its reliance on the concept of neutral territory, is inconsistent with the characteristics of cyber activities. Others, on the other hand, argue that the law of neutrality may be applied in the cyber context mutatis mutandis.

  3. Accordingly, and since the Group of Experts recognized that there was not sufficient acknowledged State practice and opinio juris as regards cyber operations related to armed conflict, it was decided to avoid the use of mandatory language in the present Rule (such as “must” or “shall”) and instead to use “should” in the elaboration of this Rule.

  4. This Rule is based on the principles of customary law governing neutrality, as expressed in the 1907 Hague Convention V on Neutral Powers and Persons in War on Land.[Footnote 8]

  5. The inviolability of neutral territory means that Belligerent States should not conduct cyber operations constituting attacks against targets therein, regardless of their governmental or private character. As for the mere routing of data through neutral cyber infrastructure (including the Internet), see Rule 33 and accompanying Commentary.

  6. Equally protected is cyber infrastructure that belongs to a Belligerent State although located in the territory of a Neutral State, provided that it is not being abused in support of the military activities of an adversary Belligerent State.

  7. The Rule does not apply to espionage. Likewise, it does not apply to dissemination of propaganda or other activities that are not intended—or are not reasonably expected—to cause death, injury, destruction or damage.

  8. Cyber operations merely causing inconvenience (as distinct from death, injury, destruction or damage) are not covered by this Rule.

  9. In case of an abuse by a Belligerent State of objects or infrastructure located in neutral territory, cyber operations against the Neutral State amounting to use of force under the Charter of the United Nations Article 2(4) will be lawful only if they are consistent with the inherent right to self-defence (as recognized by Article 51 of the Charter) or when authorized by the Security Council.[Footnote 9]

  10. The foregoing Commentary is without prejudice to the legality of an extraterritorial exercise of the right of self-defence against non-state actors located in and operating from the territory of a Neutral State.

Rule 31

Belligerent States must not launch attacks from cyber infrastructure located in neutral territory or under the exclusive control of Neutral States.

Commentary

  1. See Commentary to Rule 30.

  2. The launching by a Belligerent State of attacks from neutral infrastructure against an enemy is a violation of the territorial sovereignty of the Neutral State. The Group of Experts was aware of the technical and other difficulties of definitively identifying the actual source of a cyber attack. Despite these difficulties, they took the position that the principle of the inviolability of neutral territory applies to the launching of a cyber attack. They further recognized that technology is evolving rapidly, such that the interpretation of what constitutes “launching” for these purposes is likely to be affected in the future.

  3. In light of the interconnected nature of cyberspace (including the Internet), and the degree to which cyber infrastructure in one country is used in other countries, the Group of Experts considered that it—in view of the current extent of State practice—would be impossible to apply the prohibition reflected in this Rule to cyber operations not constituting attacks. As for the meaning of “attacks”, see Rule 24. For the mere routing of data through neutral cyber infrastructure, see Rule 33.

  4. The prohibition applies to both public and private cyber infrastructure located within neutral territory (including civilian cyber infrastructure owned by a Belligerent Party to the conflict or its nationals), and to neutral non-commercial governmental cyber infrastructure (under the exclusive control of the State) irrespective of its location.[Footnote 10] Both the remote taking control of computer systems located in neutral territory to conduct cyber operations that constitute attacks and the execution of cyber operations that constitute attacks by organs or agents of the Belligerent State located in the territory of the Neutral State are prohibited.[Footnote 11]

  5. In the case of botnets used to conduct attacks, the prohibition relates to the situation in which the botmaster controls a botnet from neutral territory.

Rule 32

If, in the context of an armed conflict, a Belligerent Party undertakes cyber operations constituting an attack from cyber infrastructure located on neutral territory, the Neutral State must use reasonable means at its disposal to terminate the attack once it becomes aware of it.

Commentary

  1. This Rule is based on the principles of customary law of neutrality, as expressed in the 1907 Hague Convention V on Neutral Powers and Persons in War on Land and the 1907 Hague Convention XIII on Neutrality in Naval War.[Footnote 12]

  2. The duty to use reasonable means to terminate on-going cyber attacks hinges on knowledge by the Neutral State as to the use of cyber infrastructure within its territory. Such knowledge may be based either on information obtained by the Neutral State itself or on information provided to it, including by the aggrieved Belligerent State.

  3. Assuming that such knowledge exists, the Neutral State must take reasonable action to terminate the cyber attacks by the Belligerent State. However, the Neutral State may not be able to prevent such attacks before they are launched. The Neutral State has no duty continuously to monitor cyber traffic within its territory.

  4. The duty to use all reasonable means to terminate attacks applies to cyber attacks launched by botmasters located in neutral territory.

Rule 33

The mere fact that cyber operations are routed through neutral cyber infrastructure does not constitute a violation of neutrality.

Commentary

  1. The Group of Experts acknowledged that the routing of cyber operations will, likely, involve the dynamic relocation of individual packages through diverse servers.

  2. The fact that particular packages might move through neutral cyber infrastructure (including the Internet) would not, per se, amount to a breach of neutrality.

Rule 34

  (a) Without prejudice to Rule 32, the mere use of neutral cyber infrastructure by a Belligerent State is not generally prohibited.

Commentary

  1. This Rule is based on Article 8 of the 1907 Hague Convention V on Neutral Powers and Persons in War on Land.[Footnote 13]

  2. Rule 32, to which this Rule is subordinated, excludes cyber attacks.

  (b) Belligerent States are thus permitted to:

    i. Erect a new cyber communication installation on the territory of a Neutral State that is exclusively used for non-military communications;

    ii. Use an existing cyber communication installation established by them before the outbreak of the armed conflict (including for military communications), provided that it is open for the service of public messages; or

    iii. Use an existing cyber communication installation established by them before the outbreak of the armed conflict and which is not open for the service of public messages, provided it is for non-military communications.

Commentary

  1. This Rule is linked to Article 3 of the 1907 Hague Convention V. The expression “for the service of public messages” is found in Article 3(b).[Footnote 14]

  2. Cyber communication installations may include computers, servers, routers and networks.

Rule 35

Any measure of restriction or prohibition taken by a Neutral State with regard to the activities referred to in Rule 34 should be impartially applied to all Belligerent States.

Commentary

  1. This Rule is based on Article 9 of the Hague Convention V on Neutral Powers in War on Land.[Footnote 15]