A Proposal for an International Convention To Regulate the Use of Information Systems in Armed Conflict

From Cybersecurity Wiki
Jump to navigation Jump to search

Full Title of Reference

A Proposal for an International Convention To Regulate the Use of Information Systems in Armed Conflict

Full Citation

Davis Brown, A Proposal for an International Convention To Regulate the Use of Information Systems in Armed Conflict, 47 Harv. Int'l L.J. 179 (2006). Web



Key Words

Casus Belli, Civilian Participation, Combatant Status, Cyber Warfare, DDoS Attack, Geneva Conventions, Kinetic Attack, Lawfare, Laws of War, Malware


This Article examines the principles and specific areas that a comprehensive body of international law regulating information warfare must cover. It explores the tension between the needs of military forces to engage in information warfare and the rights of non-participants to safety and security. In doing so, the Article attempts to fashion a legal standard that is palatable to the major participants in information warfare. To that end, a hypothetical convention, Regulating the Use of Information Systems in Armed conflict, is presented at the end of this work.

Scope of the Convention

Why is a separate convention necessary at all? According to the author, the value of a separate legal instrument addressing the law of information warfare lies in memorializing the rules. This is particularly true for areas in which conventional LOAC does not at neatly—some problems are better settled not by scholars but by the states that will themselves be governed by the solution. In areas where conventional Laws of armed conflicts does provide a ready-made solution, a separate instrument would strengthen the rules by clarifying and codifying them. This, indeed, is the role of most treaty-based international law. Finally, a settled, codified statement of the law of information warfare would go far in alleviating military commanders’ apprehension of the consequences of violating such law. In the United States, for example, commanders tend to be quite wary of innovative but relatively untested means of warfare, particularly when the rules of conduct are so arcane and ill-defined.

Defining the weapon. Three information weapons are identified: the code, the computer system, and the operator. Each of these weapons becomes subject to the international law regulating armed conflict. The use of these weapons is constrained by the principles of distinction, military necessity, proportionality, humanity, and chivalry, and the weapons themselves become legitimate targets.

Defining when computers are used in armed conflicts. The authors makes clear that the proposed convention covers information attacks in armed conflict and therefore omits discussion of espionage or sabotage.

The Principle of Distinction

This part focuses on the application of “Geneva” law, which relates to the protection of non-participants in an armed conflict.

Status of Information Warriors. A lawful combatant has the right to kill enemy forces in battle or drop a bomb on a legitimate military target, but not to kill an unarmed civilian, engage in looting or rape, or firebomb an undefended civilian population center. Information attacks also achieve results or effects that may be considered criminal acts if carried out by unlawful combatants. Therefore, when the objective of an information attack is to achieve a result or effect that would otherwise require a conventional attack, the information attack should be conducted only by lawful combatants.

Principle of Distinction Applied to Information Attack. The effects of information attacks on the civilian population itself. The basic rule in protecting civilians against the effects of war is that the warring parties “shall at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly shall direct their operations only against military objectives. Three types of information attacks are analyzed under this principle: inflicting physical damage; inflicting economic damage; and propagating malicious code.

Methods and Means of Warfare

This part is devoted to the application of “Hague” law—the legal constraints on the methods and means of warfare. The right of belligerents to select methods and means of warfare is not unlimited. That right is governed by the four basic principles of Hague law:

Military necessity. Under the principle of military necessity, an attack on a particular target is lawful only if its destruction, damage, or neutralization furthers a legitimate military objective or confers a definite military advantage. When this principle is applied to information attacks, attacks on most of the enemy’s military computer systems are permitted. However, the same cannot be said of information attacks against purely civilian computer systems.

Humanity. Information attacks can offend the principle of humanity if they cause superfluous injury and unnecessary suffering to their targets.

Proportionality. In applying this principle, which acts as an arbitrator between necessity and humanity, the author proposes that military forces should first have to determine whether passive defensive measures are adequate to defend against the attack or a counter-attack against the attacking servers is necessary. If the latter, leaders must then consider the importance of the attacked systems as well as the harm that would result if the attack were successful in disabling those systems. Finally, the military forces would be able to take into account the likelihood that an offensive counter-attack may serve to deter attacks in the future.

Chivalry. Perfidy should include the creation or alteration of images or recordings for the purpose of advancing a claim that another state committed an attack against protected persons or sites, or that it is about to do so, when the state advancing such a claim knows or reasonably should know that its claim is false. The commission of such an act should be considered a war crime.


The article then goes on to discuss the application of the principled of neutrality. According to the author, the principles underlying existing international law on neutrality remain strong enough to apply to warfare in the information age, as long as they are crafted in a balanced manner. Neutral states have rights in information warfare, as in any other branch of warfare, and consequently have the responsibility of even-handedness in exercising those rights. At the same time, belligerent states have an obligation to respect that neutrality. International law must be adapted to preserve these rights and obligations in the information age.

Enforcement of the Law of Information Warfare

The author reaches the conclusion that weak enforcement mechanism carrying the support of all of the states most affected by the convention is better than a strong mechanism carrying no such support.

Additional Notes and Highlights

Expertise Required: Law - Moderate


 I. Scope of the Convention
   A. Understanding the Need
   B. Deaning the Weapon
   C. When Are Computers Used in Armed Conoict?
     1. Deanitions
     2. Casus Belli
     3. Espionage and Sabotage
   D. Conclusion
 II. The Principle of Distinction
   A. Status of Information Warriors
   B. Principle of Distinction Applied to Information Attack
     1. Physical Damage
     2. Economic Damage
     3. Malicious Code
   C. Conclusion
 III. Methods and Means of Warfare
   A. Military Necessity
   B. Humanity
   C. Proportionality
   D. Chivalry
     1. Prohibition of Perady
     2. Perady and Malicious Code
     3. Morphing
   E. Conclusion
 IV. Neutrality
   A. Information Attacks by or Against Neutral States
   B. Misuse of a Neutral State’s Cyberspace
   C. Use of Neutral States’ Systems as Conduits for Information Attacks
   D. Conclusion
 V. Enforcement of the Law of Information Warfare
 VI. Conclusion
 Appendix: Draft Convention Regulating the Use of Information Systems in Armed conflicts