The new DoD Law of War manual includes some interesting discussion points on the use of cyber during an armed conflict:
In this regard, DOD notes that using cyber capabilities to trigger a nuclear plant meltdown, open a dam above a populated area, or disable air traffic control services resulting in airplane crashes, would “likely be considered” a cyber attack. No surprises there. However, the DOD manual goes on to include in this category crippling a military’s logistics system. Although how extensive an attack would have to be to be considered “crippling” isn’t specified, it’s potentially quite a leap from bursting the Hoover Dam to conducting a long-term denial of service disruption against Transportation Command’s computer network, delaying the movement of troops and materiel. This standard could be especially problematic if applied by a smaller State with a less robust military logistics capability. For example, in a situation like the 2007 events in Estonia, a relatively small State might incidentally have its military logistics system crippled when civilian communications in the country are disrupted. Until now, disrupting communications (like in Estonia) probably wouldn’t have been considered a sufficient basis for exercising the right of self-defense.
The DOD manual discusses the meaning of cyber attack during armed conflict (in bello), as well. The definition of attack is important within on-going armed conflicts because it determines when the principles of the law of armed conflict apply. The DOD manual notes the term doesn’t encompass defacing government webpages; briefly disrupting Internet service in a minor way; briefly disrupting, disabling, or interfering with communications; or disseminating propaganda. However, the DOD manual modifies its stance by introducing a unique principle of cyber warfare – Avoidance of Unnecessary Inconvenience. “[E]ven if a cyber operation is not an ‘attack’ or does not cause any injury or damage that would need to be considered under the proportionality rule, that cyber operation still should not be conducted in a way that unnecessarily causes inconvenience to civilians or neutral persons.” Perhaps the language is just a specific articulation of the principle of humanity, for example, and is also applicable to kinetic warfare, but it appears to be new. It’s not clear that inconvenience has ever been a consideration in warfare, as emphasized in chapter 5, footnote 306 of the DOD manual.
The idea of Avoidance of Unnecessary Inconvenience is an intriguing addition to the Law of War Manual. While it is understandable in the kinetic realm, I wonder about the applicability in the cyber domain.
I cannot fathom DoD intending for this rule to prevent inconveniencing civilians from, say, accessing Facebook, twitter, xVideos, YouTube, and other wonderful cyber-oriented activities. But then again, maybe they do?