This paper will identify, raise awareness of, and help reduce risks to NATO’s nuclear weapon systems arising from cybersecurity vulnerabilities. It aims to respond to the need for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy at member-state level.
5. Legal Implications of Attacking Dual-use C3 Systems
Given the complexity and sophistication of C3 systems, it is difficult, if not impossible, to entirely predict and anticipate outcomes of a cyberattack and/or the probability of a given outcome. For example, an attack on a dual-use C3 system may have unintended consequences, such as the rapid increase of temperature of the hardware due to the modification of settings and parameters, consequently causing physical damage to the targeted assets when perhaps the initial motivation behind the attack was limited to merely modifying settings and parameters. Potential unintended consequences add layers of uncertainty and complexity to problems of misinterpretation and could potentially add escalatory pressure. These unintended consequences can subsequently have serious legal implications, notably in the realm of law of armed conflict/international humanitarian law (IHL).
In an armed conflict, an armed attack must respect the principles of distinction, proportionality and precautions.121 These principles may be (unintentionally) violated due to the dual-use nature (military and civilian) of assets used for both nuclear and conventional C3. In the context of an armed conflict, if the affected assets were used both for military and civilian applications, determining the extent to which the attack on these assets would constitute a ‘definite military advantage’ at the time of the operation would be key in determining the legality of the attack vis-à-vis the principle of distinction.122 For instance, global navigation satellite systems (GNSS) play a crucial role in accurate timing and synchronization, as well as in weapon guidance (navigation),123 all of which constitute critical elements for both nuclear and non-nuclear operations. However, an operation directed at GNSS assets could not only prove to be highly escalatory for the reasons outlined above, but may also potentially constitute a violation of the legal principle of distinction, given that the same assets are used not solely in the defence sector, but throughout national critical infrastructure sectors for civilian purposes.124 While dual-use C3 assets may be cost-effective and practical from an operational perspective, with the growing sophistication and increasing number of offensive cyber operations they may be problematic from an IHL perspective.
The assessment of an attack’s legality may prove to be challenging in the context of cyber operations against NC3 systems, as there may be conflicting views on whether or not there is an armed conflict – thus how the norms on the conduct of hostilities in IHL apply.
This is of importance given the potential for unintended consequences of cyber operations and what this may mean for the civilian sphere. Indiscriminate cyber operations may cause damage without distinction to military objectives and civilian objectives.125 In the context of a cyber operation on a dual-use C3 asset in an armed conflict, it is almost impossible to ensure that the direct and indirect consequences of the attack remain within the existing legal frameworks for the conduct of hostilities and do not spill over to cause harm on civilian objects. However, it is important to note in this context that damages caused to these civilian objects may to a certain extent be lawful as long as they are proportionate.126
Another key aspect is the customary precautionary principle against the effects of an attack, for which parties to a conflict ‘must take all feasible precautions to protect the civilian population and civilian objects under their control against the effects of attacks’.127 There is value in examining the extent to which states have a legal obligation in ensuring and taking ‘all feasible precautions’ to protect these dual-use assets that the civilian sphere and the military may depend on for C3 purposes (e.g. weather forecast satellites) against the effects of attacks.
In addition, the assessment of an attack’s legality may prove to be challenging in the context of cyber operations against NC3 systems, as there may be conflicting views on whether or not there is an armed conflict – thus how the norms on the conduct of hostilities in IHL apply (and whether the law of armed conflict is applicable, at all) – unless the attack is obviously part of a wider conflict. It is also debatable whether a cyber operation is considered to cross the threshold of armed conflict, and thus for the laws of armed conflict to be applicable.128 This uncertainty may particularly dominate when the attacks are of relatively low impact, and thus may not even be considered as an ‘attack’ in its legal sense. Such operations can be even more problematic if the disruption comes from a non-state armed group.129
121 The principles of distinction, proportionality and precautions in attack are of customary nature, and are respectively codified for international armed conflicts in Articles 48, 51(5)(b), and 58 of the 1977 Additional Protocol I to the 1949 Geneva Conventions. These principles are also applicable in non-international armed conflicts.
122 The legality of an armed attack on a dual-use object (which may have both military and civilian functions) depends on whether, at the time of the attack, it would have constituted a ‘definite military advantage’. For the ICRC’s definition of military objectives, see: International Committee of the Red Cross (undated), ’Rule 8. Definition of Military Objectives’, https://ihl-databases.icrc.org/customary-ihl/eng/docs/v1_rul_rule8 (accessed 17 Oct. 2019).
123 Unal (2019), Cybersecurity of NATO’s Space-based Strategic Assets, p. 10.
124 A cyber operation on a dual-use C3 asset may potentially constitute a violation of the customary principle of distinction between civilian objects and military objectives in IHL, as codified in Articles 48 and 52(2) of the 1977 Additional Protocol I to the 1949 Geneva Conventions. Parties to a conflict must distinguish at all times between military objectives and civilian objects while directing an armed attack. For a discussion on whether the principle of distinction applies in cyber operations, see Lubell, N. (2013), ‘Lawful Targets in Cyber Operations: Does the Principle of Distinction Apply?’, International Law Studies, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2719034 (accessed 25 Dec. 2019). The International Criminal Tribunal for the former Yugoslavia examined the issue of dual-use objects that may be both a military objective and a civilian object and the legality of armed attacks on such dual-use objects. For a discussion, see: Cotter, M. (2018), ’Military Necessity, Proportionality and Dual-Use Objects at the ICTY: A Close Reading of the Prlić et al. Proceedings on the Destruction of the Old Bridge of Mostar’, Journal of Conflict and Security Law, 23(2), pp. 283–305, https://doi.org/10.1093/jcsl/kry015 (accessed 27 Sept. 2019). The First Tallinn Manual argues that ‘an object used for both civilian and military purposes – including computers, computer networks, and cyber infrastructure – is a military objective.’ The Manual is not legally binding and offers a potential interpretation of the law on cyber operations, which may (or may not) be applied in the context of a cyber operation on a GNSS asset. See International Group of Experts at the Invitation of The NATO Cooperative Cyber Defence Centre of Excellence (2013), Tallinn Manual on the International Law Applicable to Cyber Warfare, New York: Cambridge University Press, p. 134.
125 International Committee of the Red Cross (2019), International Humanitarian Law and Cyber Operations during Armed Conflict, https://www.icrc.org/en/download/file/108983/icrc_ihl-and-cyber-operati… (accessed 25 Dec, 2019)
126 This is in accordance with the customary rule of proportionality, based on which the launch of an attack that ‘may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof’ should not ‘excessive in relation to the concrete and direct military advantage’. See International Committee of the Red Cross (undated), ‘Rule 14. Proportionality in Attack’, https://ihl-databases.icrc.org/customary-ihl/eng/docs/v1_rul_rule14 (Accessed 10 June, 2020).
127 International Committee of the Red Cross, ‘Rule 22. Principle of Precautions against the Effects of Attacks’, https://ihl-databases.icrc.org/customary-ihl/eng/docs/v1_rul_rule22 (accessed 26 Sept. 2019).
128 Krawczyk, L. (2019), ‘How does cyber warfare fit in the framework of International Humanitarian Law?’, Leiden Law Blog, 9 August 2019, https://leidenlawblog.nl/articles/cyber-warfare-the-definition-challenge (accessed 20 Dec. 2019).
129 The rules applicable to an armed conflict between states are different from those applicable to an armed conflict between a state and a non-state armed group. The threshold to trigger the application of IHL is higher if the adversary of the state party to the armed conflict is a non-state entity, and the latter must meet a certain number of criteria in order to be considered party to an armed conflict with a state under IHL.