This paper will identify, raise awareness of, and help reduce risks to NATO’s nuclear weapon systems arising from cybersecurity vulnerabilities. It aims to respond to the need for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy at member-state level.
5. Legal Implications of Attacking Dual-use C3 Systems
Given the complexity and sophistication of C3 systems, it is difficult, if not impossible, to entirely predict and anticipate outcomes of a cyberattack and/or the probability of a given outcome. For example, an attack on a dual-use C3 system may have unintended consequences, such as the rapid increase of temperature of the hardware due to the modification of settings and parameters, consequently causing physical damage to the targeted assets when perhaps the initial motivation behind the attack was limited to merely modifying settings and parameters. Potential unintended consequences add layers of uncertainty and complexity to problems of misinterpretation and could potentially add escalatory pressure. These unintended consequences can subsequently have serious legal implications, notably in the realm of law of armed conflict/international humanitarian law (IHL).
In an armed conflict, an armed attack must respect the principles of distinction, proportionality and precautions. These principles may be (unintentionally) violated due to the dual-use nature (military and civilian) of assets used for both nuclear and conventional C3. In the context of an armed conflict, if the affected assets were used both for military and civilian applications, determining the extent to which the attack on these assets would constitute a ‘definite military advantage’ at the time of the operation would be key in determining the legality of the attack vis-à-vis the principle of distinction. For instance, global navigation satellite systems (GNSS) play a crucial role in accurate timing and synchronization, as well as in weapon guidance (navigation), all of which constitute critical elements for both nuclear and non-nuclear operations. However, an operation directed at GNSS assets could not only prove to be highly escalatory for the reasons outlined above, but may also potentially constitute a violation of the legal principle of distinction, given that the same assets are used not solely in the defence sector, but throughout national critical infrastructure sectors for civilian purposes. While dual-use C3 assets may be cost-effective and practical from an operational perspective, with the growing sophistication and increasing number of offensive cyber operations they may be problematic from an IHL perspective.
The assessment of an attack’s legality may prove to be challenging in the context of cyber operations against NC3 systems, as there may be conflicting views on whether or not there is an armed conflict – thus how the norms on the conduct of hostilities in IHL apply.
This is of importance given the potential for unintended consequences of cyber operations and what this may mean for the civilian sphere. Indiscriminate cyber operations may cause damage without distinction to military objectives and civilian objectives. In the context of a cyber operation on a dual-use C3 asset in an armed conflict, it is almost impossible to ensure that the direct and indirect consequences of the attack remain within the existing legal frameworks for the conduct of hostilities and do not spill over to cause harm on civilian objects. However, it is important to note in this context that damages caused to these civilian objects may to a certain extent be lawful as long as they are proportionate.
Another key aspect is the customary precautionary principle against the effects of an attack, for which parties to a conflict ‘must take all feasible precautions to protect the civilian population and civilian objects under their control against the effects of attacks’. There is value in examining the extent to which states have a legal obligation in ensuring and taking ‘all feasible precautions’ to protect these dual-use assets that the civilian sphere and the military may depend on for C3 purposes (e.g. weather forecast satellites) against the effects of attacks.
In addition, the assessment of an attack’s legality may prove to be challenging in the context of cyber operations against NC3 systems, as there may be conflicting views on whether or not there is an armed conflict – thus how the norms on the conduct of hostilities in IHL apply (and whether the law of armed conflict is applicable, at all) – unless the attack is obviously part of a wider conflict. It is also debatable whether a cyber operation is considered to cross the threshold of armed conflict, and thus for the laws of armed conflict to be applicable. This uncertainty may particularly dominate when the attacks are of relatively low impact, and thus may not even be considered as an ‘attack’ in its legal sense. Such operations can be even more problematic if the disruption comes from a non-state armed group.