Cyber Operations and International Humanitarian Law — Lecture Key Takeaways

Speaker: Captain Christian P. Fleming, Senior Military Instructor, U.S. Defense Institute of International Studies; Adjunct Instructor, Center for Global Affairs, New York University (NYU)

In the second in the series of lectures organized by the Center of Civil Liberties during this year’s Ukrainian Week of International Criminal Justice, Christian P. Fleming looked at how International Humanitarian Law (IHL) applies to cyber operations and the limits IHL imposes on the conduct of cyber operations in the context of an international armed conflict. 

The lecture can be summarized as providing a conceptual and legal framework for answering the following questions:

  • What constitutes an “armed attack” in cyberspace, that is, when is a cyber operation subject to IHL?
  • How do the principles of IHL apply to cyber warfare, in particular in terms of limiting cyber operations targeting or affecting civilians and/or civilian objects?

Below we go over the main points raised during the lecture by Christian P. Fleming to answer the questions above.

Applicability of IHL Principles

The fundamental principles of IHL, or what is better known in the US military milieu as the Law of Armed Conflict, are applicable regardless of the weapons or tactics used in an international armed conflict. This means that the following principles are applicable to cyber operations conducted during an international armed conflict like Russia’s war on Ukraine:

  • Distinction
  • Proportionality
  • Precautions
  • Military necessity

By looking at some examples during the lecture, it was clear that the application of these principles to operations in cyberspace may not always be straightforward and clear-cut given that there is no body of law adopted by States to govern cyber warfare. However, the current approach relies on existing conventions, treaties and customary law.

In addition, following the massive cyber operation organized by Russia against Estonia in 2007, a group of experts studied the question of what constitutes an armed attack in cyberspace. The outcome was the publication of the Tallinn Manual on the International Law Applicable to Cyber Warfare. Even though this is not law, the manual offers guidance, and since then, some States have made proclamations over what they believe the international law is when it comes to cyber operations.

What Constitutes a Cyber Attack?

Given that it is attacks that are regulated under IHL, we need to start with a definition of what constitutes an attack in cyberspace. Under IHL, a cyber operation conducted against civilians that does not amount to an “attack” would not be prohibited.

According to Art. 49(1) of Additional Protocol I, “attacks” are:

acts of violence against the adversary, whether in offence or defence

In cyberspace, the mode and tactics of a cyber operation are not violent acts in themselves. That is why it is necessary to look at the consequences of a cyber operation to evaluate whether it amounts to an attack.

The Tallinn Manual offers a good starting point for a definition of a cyber attack:

a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects

This definition, however, raises at least two questions:

  • What amounts to an “object” in cyberspace?
  • Can “damage” be interpreted to include loss of functionality? 

The majority of views in the Tallinn Manual does not deem data to qualify as an “object” given that objects implies a physical, tangible object. However, these experts view loss of functionality that may result from targeting data to amount to damage under IHL. It was also noted that States are taking this view, that loss of functionality should be deemed “damage”.

At the same time, a cyber operation can be an integral part of a wider operation that constitutes an attack even if on its own the operation would not be deemed a cyber attack.

Applying IHL Principles to a Cyber Attack


The principle of distinction is used to determine who and what can be targeted by distinguishing between civilians and combatants and between civilian objects and military objects under Art. 48 of Additional Protocol I. This means that a cyber operation tantamount to an attack is prohibited from directing it at civilians and civilian objects. The definitions of civilian and civilians are negative ones, that is, civilians are those who are not military.

It is important to understand the definition of civilians to determine when a civilian or a group of civilians loses their protected status under IHL. This determination can be made based on status or conduct. For example, civilians can lose their protected status if participating in a cyber operation that is deemed an attack.

Under the other associated principles, proportionality and precautions, a cyber operation has to be put in context and the intent and the reasonably foreseeable effects have to be considered. Proportionality means that cyber operations leading to excessive incidental loss of life or damage to civilians are also prohibited even if they did not intend to target civilians. In addition, the principle of precautions prohibits cyber attacks against military objects that can be expected to cause incidental civilian harm and whose foreseeable consequences are not limited to the targeted cyber system.

Military Necessity: Superfluous Injury and Unnecessary Suffering

The principle of military necessity prohibits cyber attacks that use means and methods that go beyond what is necessary to achieve the legitimate objective of a conflict. This includes operations that aggravate suffering without providing an additional military advantage.


We recommend that you watch the video in full for more information and a wide range of interesting examples to illuminate the different points raised during the lecture.

You can learn more about the other lectures part of the Ukrainian Week of International Criminal Justice in these video recordings: 

Попередня Наступна