Computers and War
Full Title of Reference
Computers and War: The Legal Battlespace
Michael N. Schmitt, Heather A. Harrison, Thomas C. Wingfield, Computers and War: The Legal Battlespace. Paper prepared for Informal High-Level Expert Meeting on Current Challenges to International Humanitarian Law, June 25-27, 2004. Web
- Issues: Cyberwar
This article briefly addresses the legal issues surrounding computer use in classic kinetic-based warfare. Attention then turns to the most significant phenomenon for humanitarian law, namely the employment of information technology during network-centric, four-dimensional operations, which increasingly characterize twentieth-first century conflict.
VIRTUAL WARFARE AND THE AUTOMATION OF THE DECISION-MAKING PROCESS
Automation or "the man out of the loop" phenomenon have made it increasingly possible for computers to carry out tasks previously performed by humans. In the near future, remotely-controlled unmanned Predator aircraft may contain sensors that feed onboard computers with data about the characteristics (heat and electronic signatures, speed, and so forth) of potential targets. Those falling within set parameters might well be automatically engaged.
At the present moment, computers manage target lists, maintain target data, determine the optimal mission route and weapon, and calculate likely collateral damage and incidental injury. Although human beings remain deeply embedded in the decision process — especially when collateral damage or incidental injury — is likely, computers perform an ever-growing share of targeting functions. But in most cases, computers boost the reliability of information feeding the decision and attack processes, thereby fostering humanitarian ends. One could argue that a state with the technological and financial wherewithal to field computer-assisted processes and equipment must do so to comply with the “all feasible” standard.
INFORMATION OPERATIONS AND INFORMATION WARFARE:
Information operations (IO are those “actions taken to affect adversary information and information systems while defending one’s own information and information systems.” IO can occur during peacetime and at every level of warfare. “Information warfare” (IW), by contrast, is IO “conducted during time of crisis or conflictto achieve or promote specific objectives over a specific adversary or adversaries”; it encompasses “attack and defend” functions. The United States Air Force sub-divides IW into its offensive counterinformation and defensive counterinformation aspects. Offensive IW embraces psychological operations, electronic warfare, military deception, physical attack, and information attack (computer network attack-CNA). Ultimately, the goal of IW is to achieve dominant “information superiority” over the opponent.
WHEN DOES INFORMATION OPERATION RISE TO A "USE OF FORCE" UNDER INTERNATIONAL LAW?
There are three schools of thought.
- The first is that it is not the means of attack that matters, it is the amount of damage done. It should be immaterial whether a power transmission sub-
station is destroyed by a 2000-lb bomb or by a line of malicious code inserted into the sub-station’s master control program.
- The second approach, more popular in academic circles, takes the position that the Charter was meant to favor resolution of conflict by other than military means. Consistent with this approach, only an armed attack (a classic attack with traditional military forces) constitutes a use of force -- the means of attack matters.
- A third approach, embraced by the authors, urges a case-by-case analysis that considers both the qualitative and quantitative aspects of an operation. In this method, the following criteria, albeit not exclusive, act as indicators of the extent to which the international community is likely to judge an
information operation a use of force: severity of consequences; immediacy; directness; invassiveness; measurability; presumptive legitimacy; and responsibility.
WHEN MAY A STATE RESPOND WITH ARMED FORCE TO AN IO ATTACK?
Those considering launching an information operation must understand that the meaning of “armed attack” will ultimately be determined by the target state. An attack against a “vital national interest,” for example, the national banking system, might well cross that state’s threshold even without causing direct damage or injury. In this sense, many of the same factors used to assess whether an operation is a “use of force” may also prove useful in estimating whether a particular operation will be characterized by the victim as a de facto armed attack.
APPLICABILITY OF ARMED CONFLICT TO IO
Use of the military, however, is not determinative; if it were, a state could avoid application of humanitarian law simply by using forces other than the military to conduct violent attacks against an adversary. Rather, the reference to the armed forces must refer to the application of force, which in turn implies the causation (or intent to cause) of physical damage or human injury. Thus, to the extent a state-based information warfare attack causes such effects, humanitarian law applies.
A computer itself is in no way indiscriminate, for it can transmit code very directly. Code can be written, however, that spreads indiscriminately from computer to computer; indeed, most computer viruses are designed to operate in precisely this fashion. Even in a closed network, there is a high risk that malicious code could be transferred into external networks through, for instance, files contained on diskettes.
But when does a computer network attack amount to an “attack” under humanitarian law? The resolution of this issue has implications beyond the parameters of indiscriminate attack, for all humanitarian law targeting prohibitions are framed in terms of prohibitions or limitations on “attacks.”
LEGITIMATE TARGETS OF IO
Humanitarian law only permits attacks on military objectives. Military objectives are objects which “by their nature, location, purpose, or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.” (Rome Statute for International Criminal Court, Protocol I)
The United States interprets military objectives expansively by including not only war- supporting targets, but also those that are “war-sustaining,” such as economic targets not directly related to military functions. The classic example would be an industry that serves as the dominant source of export income for a country. To the extent that industry can be crippled, the enemy’s ability to finance (sustain) its war efforts diminishes. Thus, whereas all would accept the legitimacy of launching computer network attacks against the enemy’s military POL (petroleum, oil, lubricants) system, conducting the same attack against oil export assets would be controversial.
WHAT LIMITATIONS ARE THERE ON TARGETING LAWFUL TARGETS WITH INFORMATION WARFARE?
Even if an information warfare operation targets a legitimate military objective, it is forbidden if disproportionate, i.e., “expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.”38 This proportionality balancing test is undeniably one of the most difficult tasks for a commander during combat planning.
WHO MAY CONDUCT INFORMATION WARFARE?
A looming challenge for humanitarian law lies in determining the legal status and treatment of individuals armed with CPUs and keyboards sitting at desks far from the battlefront. How does the basic humanitarian law principle that only combatants have the right to participate in hostilities, while civilians enjoy protection from the dangers arising from military operations, apply to cyber-hostilities?
Is CNA an example of a type of warfare anticipated by this provision? Computer network attack is by its very nature a covert method of warfare and many authors have cited its possible use as a force multiplier for militarily weaker opponents. This suggests the possibility that CNA preparatory acts from non-military computers.
Civilians are entitled to specially protected status under humanitarian law as long as they refrain from taking a “direct part” in hostilities. Those who do directly participate become unlawful combatants and lose civilian status during their involvement. They do not benefit from the prisoner of war status combatants enjoy and may be prosecuted for their actions in domestic or international tribunals.
More problematic is the civilian computer technician who maintains the network from which an attack is launched. While IT support appears ripe for civilian outsourcing, parallels may be drawn with the civilian aircraft maintainer who repairs, loads, and launches aircraft hundreds of miles from a conflict. Regardless of proximity to the battle-space and/or civilian status, maintenance of a weapons system is an act which has a direct causal relationship with the harm done to the enemy.