10 Nov The Cyber “Shipwrecked” and the Second Geneva Convention
[Jeffrey Biller, Lt Col, USAF, is the Associate Director for the Law of Air, Space and Cyber Operations at the Stockton Center for the Study of International Law, US Naval War College.]
This May, the law of naval warfare took a significant step forward with the International Committee of the Red Cross (ICRC) release of an updated commentary on the Second Geneva Convention (GCII). The updated commentary is the first since the original commentary was released in 1960, and recognizes significant changes both in the conduct of naval conflicts and interpretations of the governing law. One such significant change is the advent of the cyber domain as a key component in naval operations. This post examines one potential impact of the cyber domain on naval operations – the protections afforded to shipwrecked crews under Article 12 of GCII.
Recent examples of potential cyber operations targeting maritime vessels include the infection of an 80,000-ton ship’s navigation system via a malware-infected USB stick and the possible GPS spoofing of at least twenty ships near the Russian port of Novorossiysk. Modern naval vessels utilize programmable logic controllers to interface hardware components with the physical systems onboard a ship. This creates potential vulnerabilities to power, hydraulic, steering, propulsion, and other critical systems. Should some or all of these systems be subject to a cyber-attack during an armed conflict, with the result that the ship becomes disabled, questions arise as to the status of that ship and whether the crew must be afforded certain protections under GCII.
Article 12 of GCII provides that “[m]embers of the armed forces . . . who are at sea and who are wounded, sick or shipwrecked, shall be respected and protected in all circumstances,” affording them protections against further attack once they qualify as “shipwrecked.” Traditional notions of shipwreck conjure up images of ships ablaze and beginning to sink as the result of cannon, torpedo, or aerial bombs. However, Article 12 states, “the term ‘shipwreck’ includes shipwreck from any cause.” Given the reliance of many modern warships on cyber-controlled critical systems, it begs the question: can the crew of a warship be shipwrecked, within the meaning of GCII, by purely cyber means, thereby affording protections from further attack? Although no State has yet officially addressed this specific question, a review of the updated commentary’s Article 12 analysis suggests an answer in the affirmative.
The 2017 commentary states, “to qualify as shipwrecked the person must be in a situation of peril at sea” and “in all cases the person must refrain from any act of hostility.” (See Updated Commentary, para. 1379). Thus, we have two criteria that must be met and are difficult to determine in the cyber context: establishing whether the crew of a ship disabled by cyber means is in “peril at sea,” and, if so, how to determine if that crew has refrained from engaging in hostilities.
Peril at Sea
Framing the analysis of whether a ship’s crew disabled through cyber means can be considered in peril is the guidance to read the term shipwreck “as being broad.” (See Updated Commentary, para. 1383). The 2017 commentary reiterates the 1960 commentary exhortation for the term to be “taken in its broadest sense.” (Commentary to Geneva Convention II for the Amelioration of the Condition of the Wounded, Sick, and Shipwrecked Members of Armed Forces at Sea 84–92 (Jean Pictet ed., 1960)). Despite a broad reading of the term shipwrecked, it can initially be difficult to accept that a ship with no outwardly apparent damage should be considered in peril. However, the loss of propulsion, steering, life-support, and other critical systems is enough to create a dangerous situation, even if it is not immediately life threatening. To this point, the 2017 commentary finds that “[p]ersons on a fully disabled ship . . . whose situation is dangerous but not necessarily imminently life-threatening, are also covered, as long as they refrain from any act of hostility . . . .” (See Updated Commentary, para. 1384). Furthermore, the commentary states “[s]ituations that are potentially life-threatening . . . also render persons on board ‘in peril’ at sea.” (See Updated Commentary, para. 1385).
Perhaps the primary difficulty in determining whether the crew of a ship disabled by cyber means is in peril is that the extent of that damage may be unknown, initially even to the crew itself. The damage to networked systems may require extensive repair necessitating new equipment or experts be brought on board before critical systems can be repaired. Conversely, the damage might quickly be repaired, with a ship’s weapon systems again posing a deadly threat to opposing warships.
Furthermore, the attribution of who or what is responsible for the disabling of the ship’s networks may be initially unclear. Indeed, it may be that the damage is entirely self-inflicted or unintentionally caused by malware previously and unknowingly introduced by a member of the ship’s crew. In these situations, the commentary’s inclusion of “shipwrecks caused by human error or a malfunction” (See Updated Commentary, para. 1386) in its definition of “any other cause,” makes clear that a ship’s crew could be rendered shipwrecked through cyber means even if the damage to the ship’s networks is self-inflicted or caused by means other than enemy action. Accordingly, a determination of attribution is legally unnecessary in evaluating whether protections should be afforded.
Refraining from Hostilities
In addition to being in peril, the commentary indicates that a crew does not receive the protections of Article 12 unless they also refrain from any further act of hostility. Determining whether a warship’s crew has complied with this requirement can be difficult even when the signs are visually observable, such as when members of the crew can be seen abandoning the ship. A ship’s weapon systems may remain functional even while other systems are severely damaged and there may be members of the crew operating those systems. Recall that the ship itself remains a military object subject to attack throughout; it is only the crew that receives protections in a shipwreck situation. The 2017 commentary recognizes this difficulty:
However, it will likely be very difficult or even impossible for an enemy to know whether the crew is working to repair weapons with the aim of continuing hostilities without an outward sign indicating otherwise. Furthermore, as the sailors are on board a military objective, it is likely that a disabled or damaged warship would need to surrender (e.g. by striking its colours) in order for protection to be secured. (See Updated Commentary, para. 1390).
A question specific to the cyber domain is what cyber defense measures a crew may take to prevent further cyber damage to the ship, while still refraining from hostilities. Here, the distinction between active cyber defenses, sometimes referred to as “hack-backs,” and passive defenses may hold the answer. Whereas active cyber defenses may pose a threat to opposing actors in the conflict, passive defenses pose no such threat and are akin to trying to save a damaged ship. Whereas refraining from further hostilities makes no requirement that a crew stop trying to save a damaged ship, there is an obligation to refrain from acts that pose a threat to opposing forces.
Finally, determining whether a crew is refraining from hostilities in this context will likely require some communication to other forces taking part in the engagement. Unfortunately, the same cyber event that damaged other critical systems may also have damaged the disabled ship’s communications equipment. Although the commentary suggests “striking its colours” as a means of signaling the cessation of hostilities, most naval engagements of the future are likely to be fought at standoff range and visual signals may be useless.
Whereas many practical difficulties inhibit the determination of whether the crew of a ship disabled by cyber means should be afforded Article 12 protections, the commentary suggests that it is clearly possible. GCII makes no requirement as to how a ship becomes disabled and the commentary stresses that the protections are quite broad. This difficulty does raise several interesting questions for naval forces who operate warships largely dependent on networked systems. These naval powers may need to retain non-digital methods of communication such as analog radios or high-range visual systems that can indicate a ship is in peril and is refraining from hostilities. Moreover, the question of whether states employing cyber methods and means in an attempt to disable enemy warships must notify their own warships operating in the area of such efforts is a valid question.
Unfortunately, the impact of cyber operations on the Geneva Conventions was limited to the discussion of the scope of applicability in the new commentary. This is understandable given the nascent stage of determining the applicability of international humanitarian law to cyber operations. However, the increased depth of analysis in the new commentary does aid in making the analysis clearer. Ensuring that GCII protections will be afforded to the crews of potential “cyber shipwrecks” is one such area that must be considered by naval powers going forward.