MILITARY LAW REVIEW
Volume 219 Spring 2014
GARY D. SOLIS
This discussion is out of date. Cyber warfare policy, techniques, and
strategies, along with their associated laws of armed conflict (LOAC),
are evolving so rapidly that it is difficult to stay current. A snapshot of
the topic must suffice.
Much has been made of the revolution in LOAC necessitated by the
advent of cyber warfare. But, “this is by no means the first time in the
history of [LOAC] that the introduction of a new weapon has created the
misleading impression that great legal transmutations are afoot…viz., the
submarine.”1 Hannibal’s elephants also elicited a similar erroneous
impression. In fact, cyber warfare issues may be resolved in terms of
traditional law of war concepts, although there is scant demonstration of
its application because, so far, instances of cyber warfare have been rare.
Nevertheless, although cyber questions are many, the law of war offers
as many answers.
A threshold question: does existing LOAC apply to cyber issues?
Yes, it does. The International Court of Justice (ICJ), in its 1996 Nuclear
Weapons Advisory Opinion, notes that LOAC applies to “any use of
Lieutenant Colonel, U.S. Marine Corps (Retired). J.D., University of California at
Davis; L.L.M. (Criminal Law) George Washington University Law School; Ph.D., The
London School of Economics & Political Science (Law of War); Professor of Law, U.S.
Military Academy (Retired). Professor Solis currently teaches the law of armed conflict
at Georgetown University Law Center and George Washington University Law School.
1 Yoram Dinstein, Concluding Remarks, in 89 INTERNATIONAL LAW STUDIES: CYBER
WAR AND INTERNATIONAL LAW 276, 286 (Naval War C. 2013).
2 MILITARY LAW REVIEW [Vol. 219
force, regardless of the weapons employed.”2 Whether a 500-pound
bomb or a computer is used to effect death and destruction, a weapon is a
weapon. The U.S. position is made clear in the 2011 International
Strategy for Operating in Cyberspace, when it says, “The development
of norms for State conduct in cyberspace does not require a reinvention
of customary international law, nor does it render existing international
norms obsolete. Long-standing international norms guiding State
behavior – in times of peace and conflict – also apply in cyberspace.”3
Internationally, Article 36 of 1977 Additional Protocol I, requiring
testing of new weapons and weapons systems for conformance with
LOAC, illustrates that the law of war and international humanitarian law
(IHL) rules apply to new technologies.
Defining many aspects of cyber warfare is problematic because there
is no multi-national treaty that directly deals with cyber warfare. So far,
many aspects of cyber war are not agreed upon. The law of war, as well
as customary international law, lacks cyber-specific norms, and state
practice in regard to the interpretation of applicable norms is slow to
evolve. There is not even agreement as to whether cyber attack is one or
two words. What can be said is that the jus ad bellum and jus in bello
apply to cyber operations and it is safe to follow existing LOAC/IHL, as
the United States’ International Strategy for Operating in Cyberspace
What is cyber warfare? It is not cybercrime—the use of computers
in violation of domestic law for criminal purposes. In the United States,
the Computer Fraud and Abuse Act defines Internet criminal acts.4
European Union members of the NATO alliance have domestic laws
implementing the 1995 E.U. Data Privacy Directive. Typical
cybercrimes include access offenses, the impairment of data, misuse of
devices, and interception of data offenses. Traditional criminal offenses
such as fraud, child pornography, and copyright infringement may be
facilitated through Internet access.5 On an international level,
cybercrime is addressed by the Council of Europe’s 2001 Convention on
Cybercrime, currently the only multinational treaty addressing the
2 Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1995, I.C.J. 226–
67, ¶ 39 (July 8).
3 White House, International Strategy for Cyberspace: Prosperity, Security, and
Openness in a Networked World 9 (May, 2011), available at http://www.slideshare.
4 10 U.S.C. § 1030 (2014).
5 JONATHAN CLOUGH, PRINCIPLES OF CYBERCRIME (Cambridge Univ. Press 2010). .
2014] CYBER WARFARE 3
criminal cyber problem. Nevertheless, cyber warfare and cyber crime
should not be confused.
The word “cyber” is not found in the 1949 Geneva Conventions or
the 1977 Additional Protocols. In common usage, “cyber” relates to
computers and computer networks; not only the Internet but all computer
networks in the world, including everything they connect with and
control. Cyber warfare may be defined as “warfare waged in space,
including defending information and computer networks, deterring
information attacks, as well as denying an adversary’s ability to do the
same. It can include offensive information operations mounted against
an adversary…”6 Cyber warfare, then, includes defense, offense, and
Cyber warfare may be engaged in by states, by agents of states, and
by non-state actors or groups. It does not necessarily constitute
terrorism, but it may, depending on one’s definition of terrorism. The
U.S. Federal Emergency Management Agency defines cyber terrorism as
“unlawful attacks and threats of attack against computers, networks, and
the information stored therein when done to intimidate or coerce a
government or its people in furtherance of political or social objectives.”7
Cyber terrorism is a relatively minor threat today, but its potential is
II. The Internet as Battlefield
The importance of the Internet to military, government, commercial,
and private interests requires no discussion. We daily read and hear of
cyber breaches and cyber incidents involving critical national
6 STEVEN A. HILDRETH, CONG. RESEARCH SERV., RL30735, CYBERWARFARE 16 (2001)
(emphasis in original). There is no definition of cyber warfare in Joint Publication 1-02,
Department of Defense Dictionary of Military and Associated Terms (amended through
October 15, 2013). Another definition is offered by the International Committee of the
Red Cross (ICRC): “[M]eans and methods of warfare that consist of cyber operations
amounting to or conducted in the context of an armed conflict within the meaning of IHL
. . .” Cordula Droege, Get Off My Cloud: Cyber Warfare, International Humanitarian
Law, and the Protection of Civilians, 94/886 INT’L REV. RED CROSS, 533, 538 (Summer,
7 CLAY WILSON, CONG. RESEARCH SERV., RL32114, BOTNETS, CYBERCRIME, AND
CYBERTERRORISM: VULNERABILITIES AND POLICY ISSUES FOR CONGRESS 3 (2008)