Cyber Defense Review

Cyberspace and the Law of War

By Col (Ret) Gary Brown, LtCol Kurt Sanger | November 06, 2015

The stated purpose of the Department of Defense (DoD) Law of War Manual is “to provide information on the law of war to DoD personnel responsible for implementing the law of war and executing military operations.”[1] Judge advocates are responsible for advising commanders regarding laws applicable to operations, but ultimately commanders are accountable for the consequences of their operations. At over 1,100 pages, the Manual is too detailed to be useful reading for commanders, who must be concerned with every aspect of the mission; the intended audience for the Manual is judge advocates. If DoD intended for the Manual to help judge advocates advise commanders regarding operations in cyberspace, however, it might have used more of its pages to provide detailed discussions of realistic cyber issues.

In demonstrating the application of law in this new area of operations, the cyber operations chapter in the Manual relies on simple examples of potential cyber operations that lead to indisputable conclusions. It avoids the unique options cyberspace presents decision makers and fails to raise the difficult questions that will confront military lawyers. The cyber operations chapter also introduces a novel principle, avoiding unnecessarily inconveniencing civilians, that has never been applied to military operations, and is rejected expressly in another chapter of the Manual.[2]

Judge advocates advising cyber operations commanders will be called on to provide clear operations advice in a timely fashion. Preparing that advice requires, among other things, a grasp of pertinent legal issues, and analyzing legal issues surrounding any military operation begins with the principles of the law of war. According to the Manual, those principles are military necessity, distinction, proportionality, humanity, and honor. When a commander asks if an operation is legal, attorneys consider the probable and possible actions and effects the operation may include in light of these principles and then render a legal opinion based on the information available. Operational objectives and the means to achieve them must comply with the law of war.

One of the few constants in the ever-changing environment of warfare is the set of values protected by the law of war, which was originally based on the notion of just war. The challenge for operational legal advisers is applying law crafted for a different type of warfare to the unique situations created by cyber effects, capabilities, and threats. Armed conflict offers a relatively flexible legal environment – after all, it regulates death and destruction – so the actual application of the law is more important than the letter. Legal advisers are involved not just at the execution stage, but also during operational planning, where pertinent references and guidance are even more important. Unfortunately, the cyber operations chapter adds uncertainty to an already difficult task. In illustrating critical elements of the application of the law, the chapter evidences no willingness to take a stand on how the law applies to actual situations, preferring to revert to the unlikely, easily resolved hypotheticals DoD has been using since the ’90s. For instance, the chapter unhelpfully offers that cyber activities that “(1) trigger a nuclear plant meltdown; (2) open a dam above a populated area, causing destruction; or (3) disable air traffic control services, resulting in airplane crashes” may be regarded as a use of force under jus ad bellum.[3]

One of the most difficult tasks in cyberspace operations has been determining a definition of “attack.” The definition is critically important because it determines both when and how the law of war applies.  Confusingly, “attack” is used to mean two different things in international law.  Defining an attack outside an existing state of war is important to the determination of whether a State has proper justification for going to war. In the context of an existing armed conflict, the definition of attack is used to determine how the law applies.

In the absence of a pre-existing armed conflict, a cyberattack against the US by another State would justify a forcible US response under the customary law of self-defense, as noted in the United Nations (UN) Charter.[4] But what is a cyberattack, and what are the criteria for assessing whether a particular action warrants that characterization? In the purely kinetic realm, these considerations are generally straightforward. Kinetic attacks include such things as invasion with armed forces, aerial bombardment, and missile strikes.  It would put too fine a point on it to say that determinations of kinetic attacks are invariably simple, but it’s certainly true that when the aggressive activity is virtual, it is significantly more of a challenge.

Cyber capabilities offer the opportunity to affect almost everything important to daily life – transportation, essential utilities, finances, communications, and more. Merely identifying a target as important does not answer the question of whether affecting it is an attack, however.  At what point, if ever, would a State disrupting another State’s banking system become an attack? After a week? After all the accounts are zeroed out? What about disrupting essential civilian utilities?  How long and how extensive would a cyber event in that area have to be before it would lawfully permit a State to respond with force in self-defense? It is important to remember that the right of self-defense does not require a response in kind; that is, a State could respond to a cyberattack with a cyber operation or more traditional military means. What about a State stealing large amounts of personal or commercial data and using it for profit and blackmail? Or, if a hacker were able to disrupt command and control of nuclear forces, would that permit the use of armed force in self-defense?[5]

These are just a few of the interesting and difficult questions regarding the application of the law of war to cyber operations. Instead of tackling this rich vein of issues, DoD’s long-awaited guidance mentions three scenarios in which cyber operations may constitute uses of force: cyber operations triggering a nuclear plant meltdown, opening a dam leading to destruction, and causing plane crashes by disabling air traffic control services.[6] These scenarios are frustrating for several reasons. It is virtually certain that any nation targeted by these hypothetical cyber operations would consider them uses of force, and have a right to do so under the UN Charter. Further, the cyber aspects of these events are minimized by the extreme results, making them ill-suited for illustrating issues uniquely associated with cyber warfare. Finally, the equivocal terms used to describe even these extreme examples (may, might, likely) illustrate an unfortunate disinclination to go out on even the shortest of limbs to commit to a position on any cyber scenario. Commanders demand certainty from their legal advisers; these examples provide little foundation for a lawyer to provide actual advice regarding the cyber operations many of their commanders will confront.

The DoD Manual provides even less guidance regarding in bello matters (the conduct of cyber hostilities). Under the heading “Cyber Operations that Constitute ‘Attacks’ for the Purpose of Applying Rules on Conducting Attack,” the manual states “[i]f a cyber operation constitutes an attack, then the law of war rules on conducting attacks must be applied to those cyber operations.”[7] This statement sets the tone for the section – true but uninteresting. The only example mentioned relevant to conduct of hostilities law is an operation that destroys computers. The direct kinetic effect of such a cyber operation makes the application of the law of war uncontroversial.

On the flip side, the Manual indicates in the next section that, if a cyber action is not an attack, then the rules that apply to attacks do not apply. The two indicators given to help operational lawyers advise on this difficult issue are whether the operation’s effects are temporary or reversible.  Unfortunately, these are among the least useful considerations, because there are significant questions regarding the concept of “reversible” effects, and the notion of temporary effects in cyber can have a variety of meanings. For example, if temporary merely means non-permanent, then it really means the same as reversible. If temporary requires some shorter duration, it would be helpful if the chapter specified what it might be. The term reversible is similarly ambiguous. A reversible cyber effect might permit no deletion of data, or it might permit the deletion of all the data on a system as long as a backup exists that can be used to return it to its original state. The examples given fail to explore the edges of these questions, and so provide little guidance.

It is critical to know whether an activity constitutes an attack in the course of an armed conflict, because that will determine how the principles of the law of war apply, and whether they apply at all. If the action were not an attack, for example, the most relevant provisions pertaining to the principles of distinction and proportionality would appear to be inapplicable.

In assessing proportionality, other chapters in the Manual indicate that economic harm is not a consideration, using as an example “civilian businesses in the belligerent State being unable to conduct e-commerce.”[8] This is consistent with the position on the irrelevance of inconvenience to the proportionality determination reflected earlier in the Manual. It seems odd that, although the Manual takes the firm position that there is no consideration of inconvenience in an actual attack, the cyber chapter specifies that with cyber operations that are not serious enough to be considered attacks, potential civilian inconvenience must be considered. This places an additional restraint on a type of operation that is by its nature less violent than the kinetic operations that have no such limitation. No rationale is provided for this distinction.

Another noteworthy aspect of the cyber operations chapter is that it limits itself to a curious set of references that do not fully reflect the thinking on the law of war’s application to cyber operations. The chapter’s 16 pages include 78 footnotes, over half of which are references to other sections of the Manual. Its other major sources are a 2012 speech by former State Department Legal Adviser Harold Koh and a 1999 DoD General Counsel opinion regarding information operations. US sources generate almost all the additional citations, ignoring the vital contributions private and public experts from around the globe have made. The limited range of sources in the cyber chapter is an exception to the practice throughout the Manual, and seems to run counter to the stated purpose of footnotes as set out in paragraph 1.2.2, “to help practitioners research particular topics discussed in the main text.” The selection of sources also seems at odds with US policymakers’ embrace of multi-stakeholder governance of the internet, which takes into account a variety of views. Ultimately, the chapter is not deeply referenced enough to advance scholarly debate, and lacks the detail necessary to advance operational decision-making.

Lack of publicly available evidence likely played a role in the decision not to provide more definitive guidance to the field with the chapter. The cyber operational practice from which enduring lessons could be drawn is still quite limited. This is in complete contrast to the kinetic realm, in which thousands of years and millions of warriors have contributed to shaping the laws of war, rules of engagement, and standard operating procedures.

Nevertheless, the brief history of cyberspace operations offers examples that could have been drawn upon to pinpoint issues. Events such as Stuxnet, Sony Pictures, Estonia, Georgia, Saudi Aramco, and others could have been used to discuss whether the law of war applied to those operations, whether its main principles were observed, and how the conduct of operations might have better observed those principles. These discussions could have identified considerations military attorneys may need to evaluate in future cyberspace operations. Including practical discussion of the issues would have more closely mirrored the way examples are used through the rest of the Manual.[9]

Where the real world does not offer many examples, the imagination could have. The Manual cites as an attack a State disabling another’s air traffic control systems, leading to plane crashes.[10] A more challenging example would have been the disabling of air traffic control systems that did not lead to plane crashes, leaving civilian air grounded and military air in disarray. In the context of international armed conflict, this would raise interesting issues regarding sovereignty, military necessity, distinction, and other legal and operational concerns.

Challenging hypotheticals would have helped judge advocates frame practical operational questions more appropriately. Though the harder cases may not yet have consensus solutions, lawyers deal with unique, novel situations routinely. Challenging cases highlight considerations necessary for all cases. There is hardly an operational situation that has a textbook answer. In this regard, cyberspace operations are no different than kinetic operations.

While it is understandable that DoD may have wanted to wait for more cyber operational experience before providing written guidance, there is a cost associated with waiting. With or without DoD’s guidance, cyber operations will occur, and into the void left by DoD will flow law and policy guided by the potentially unrealistic thoughts of scholars and the interests of States not necessarily aligned with the US. Already debates at the UN and discussions from academics are beginning to shape international opinion about the rules of cyberwarfare. The UN discussions are heavily influenced by China and Russia, whose visions of cyberspace international law and policy may be gaining traction in the international community.[11] Finally, the Tallinn Manual provides the most comprehensive analysis of the law of war related to cyber operations, and it is coming to be seen as the most definitive reference on the topic.[12]

Even if questions cannot be answered now, they should be asked and asked frequently, in as many forums as possible, legal, academic, and those focused on military operations. While there is value in strategic ambiguity, i.e., keeping adversaries in the dark about exact intentions, the Manual also provided a safe opportunity to signal to the international community that the US cares deeply about the development of the rule of law applicable to cyberspace. The Manual states that it “represents the legal views of the Department of Defense” and that “[a]lthough the preparation of this manual has benefited from the participation of lawyers from the Department of State and the Department of Justice, this manual does not necessarily reflect the views of any other department or agency of the U.S. Government or the views of the U.S. Government as a whole.”[13] This offers an ideal forum for advancing US thinking and promoting norms that apply to this domain on which so much of human activity now depends. Rather than take such a proactive approach, however, DoD appears to have thrown up its collective hands, proclaimed “we don’t know,” and left it to unit level legal advisers to figure it out with little guidance.


[1] DoD Law of War Manual 2015, p. 1.

[2] DoD Law of War Manual 2015, Chapter XVI (pp. 994-1009).

[3] DoD Law of War Manual 2015, p. 998.


[5] We limit the discussion to state-sponsored actors here as non-State actors raise issues beyond the scope of this article.

[6] DoD Law of War Manual 2015, p. 998.

[7] DoD Law of War Manual 2015, p. 1003.

[8] DoD Law of War Manual 2015, p. 1005.

[9] Among dozens of demonstrations of the useful selection of examples are sections 5.25.2 and 5.26.1 of the Manual, which offer practical examples of ruses of war and propaganda, respectively.

[10] DoD Law of War Manual 2015, p. 998.

[11] James Andrew Lewis, “Liberty, Equality, Connectivity: Transatlantic Cybersecurity Norms,” CSIS (Feb. 2014); Office of the Secretary of Defense, Annual Report to Congress, Military and Security Developments Involving the People’s Republic of China 2015, p. 15; Sonya Sceats, “China’s Cyber Diplomacy: a Taste of Law to Come?”, The Diplomat, January 14, 2015.

[12] Gary Brown was an official observer to the Tallinn Manual, and is a member of the Group of Experts authoring Tallinn Manual 2.0.

[13] DoD Law of War Manual 2015, p. 1.