Cyber Operations and GCII Obligations to “Respect and Protect”

[Jeffrey Biller, Lt Col, USAF, is the Associate Director for the Law of Air, Space and Cyber Operations at the Stockton Center for the Study of International Law, US Naval War College.]

The use of hospital ships in wartime has always been a contentious issue. Although serving a humanitarian need recognized by most parties, profound suspicion of their misuse led to many attacks against these protected vessels, particularly during the First and Second World Wars. Although some attacks resulted from misidentification, many were quite intentionally targeted. Unrestricted submarine warfare campaigns often included deliberate attacks on hospital ships. One such example was the Soviet hospital ship, the Armenia. On 7 November 1941, a German torpedo bomber attacked the Armenia, sinking her without warning. All but 8 of the 7,000 on board died in the attack.

Although a tragedy by any measure, there were several questions as to her status as a hospital ship. The Armenia was clearly marked with large Red Cross symbols and was certainly being used appropriately at the time. However, she also had light anti-aircraft weapons on board, was under armed escort, and had been previously used in the conflict to transport military supplies. This incident, and many others like it, demonstrated the need to clarify and progress the rules related to the protection of hospital ships in the Second Geneva Convention (GCII). This post, the fourth in a series (see here, here, and here) examining the impact of cyber on the law of naval warfare through the lens of the updated commentary to GCII, analyzes the obligation to “respect and protect” hospital ships and coastal rescue craft, found in Articles 22, 24 and 27, in the light of cyber operations.

First, it should be stated that Article 22’s obligation to respect and protect includes the more specific language that protected vessels “in no circumstances be attacked or captured.” Although the obligation to respect and protect is broader than these specific terms, it is helpful nonetheless as “attack” is an IHL term of art that has been frequently analyzed in the cyber context. Para 1985 explicitly states that the prohibition on attack includes “the use of means and methods that, by whatever mechanisms or effects, severely interfere with the functioning of the equipment necessary for the operation of a military hospital ship, such as so-called ‘cyber-attacks’.” Given that the commentary references the Tallinn Manual’s Rule 70 here, it is helpful to follow the reference for further analysis.

The black letter rule in the Tallinn Manual states that medical personnel and transports, including those vessels identified in GCII, “may not be made the object of a cyber attack.” Recall, cyber attack is the exact phrase used in para 1985. Although not defined in the commentary, Tallinn’s Rule 30 defines cyber attack as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction of objects.” It is well understood that the Tallinn Manual is only the opinion of a group of experts and therefore not primary law. However, Rule 30’s definition tracks with the Additional Protocol (I) definition of attack, requiring “acts of violence against the adversary.” Thus, the commentary and the Tallinn Manual appear to agree that cyber operations resulting in injury or death, and (at least) physical damage and destruction, to a protected crew or vessel are prohibited. The logical follow-on question is whether “damage” to a network system includes the pure loss or degradation of functionality. The law here is unsettled and thus the loss of functionality, on its own, cannot be read definitively to qualify as an attack.

However, both the updated commentary and the Tallinn Manual agree the requirement to respect and protect goes beyond attacks. The commentary summarizes the extended obligation to respect and protect in para 1996 as the obligation “to refrain from all actions that interfere with or prevent such ships from performing their humanitarian tasks.” Therefore, cyber operations are prohibited that result in loss or degradation of network functionality necessary to a protected vessel’s performance of its humanitarian function.

Para 1996 does include a qualifier to that protection, referencing the Article 31 allowance for parties to the conflict to “control and search the vessels mentioned in Articles 22, 24, 25 and 27.” This includes the right to “control the use of their wireless and other means of communication” and “put on board their ships neutral observers who shall verify the strict observation of the provisions contained in the present Convention.” These “control and search” provisions are in place “to verify whether their employment conforms to the provisions of Articles 30 and 34 and to the other provisions of the Convention,” as para 2276 puts it. Recognizing that a physical presence in no longer required to verify compliance, para 2277 suggests “innocent employment of these vessels can often be ascertained by other means, at least to some extent, in particular by satellites and other means of reconnaissance.” This could indicate that cyber intelligence operations are appropriate that, while not affecting the functionality of the vessel, are used to verify its compliance with the convention. Indeed, this was the conclusion drawn by the Tallinn Manual’s group of experts in the commentary to Rule 71, governing the requirement to respect and protect computer systems related to medical units and transports.

This analysis leaves open questions regarding several potential categories of cyber operations. For example, cyber intelligence operations not for the purpose of compliance verification, but rather the collection of intelligence regarding associated forces. Another potential is the use of protected naval vessels as a pass through to levy cyber effects against non-protected enemy systems. These and other examples may not explicitly violate the terms of protection in GCII, but nevertheless open the possibility of protected vessels becoming a cyber-battleground. This could divert protected vessels from focus on their missions and raise the likelihood of unintentional damage to network systems vital to the performance of their humanitarian mission. Given the ambiguity present in this aspect of the law, and the importance of protecting humanitarian missions, perhaps the obligation to respect and protect is an area where nations can work together to develop ever-elusive cyber norms.