Accountability for civilians participating in cyber operations
Increasingly, states partner with non-state actors to ensure the defense of their interests in the cyber space. Understanding the status of those actors, who may be called to perform cyber operations against foreign state actors, proves arduous.
In the US, a number of tools, including the 2022 National Defense Authorization Act and the Joint Cyber Defense Collaborative initiative, demonstrate the taking into account of a need to enhance private-public coordination. France opened its campus cyber in 2022 under the patronage of the President. The creation of the entity aims at strengthening the cooperation amongst stakeholders, at contributing to the development of cybersecurity commons, at supporting research and innovation, and at developing trainings in cybersecurity. The UK, in its 2021 Integrated Review of Security, Defence, Development and Foreign Policy, also dedicates a role to the private sector. Singapore created the Cyber Security Agency (“CSA”) in 2015, in order to enhance the public-private collaboration.
Such entities play a significant role in the defense of the interests of the states, and in the case a conflict arises, they might be included in the defense of the interest of the state. In case of an international armed conflict, some of the companies participating in this type of coordination initiative and their employees may therefore participate in operations contributing to an armed conflict.
Consider a simple scenario: State Yellow has an established partnership with a Yellowian tech company Y to protect its interests in the cyberspace, when an International Armed Conflict erupts with State Blue. Yellow uses Y to conduct cyberoperations as part of its International Armed Conflict with Blue. What is the status of Y and its operators?
The determination will rely on the foundational International Humanitarian Law distinction between civilians and combatants, and the implications it carries. In an International Armed Conflict, civilians are defined negatively as any persons who is not a combatant. Combatants are defined by deduction of those individuals entitled to the Prisoners of War (PoW) status. They broadly consist in armed forces and attached groups. The determination of the status of these operators carries significant consequences for the treatment they are entitled to, and mainly dictates:
the treatment they will receive in case of capture;
whether the operator may or may not be prosecuted for their participation;
whether and how they might be targeted by enemy forces and how.
The Tallinn Manual developed a framework by opining predominantly that, while companies were to be considered as “an organized armed group belonging to a party”, individual contractors, on the other hand, were to be qualified as civilians directly participating in hostility.
1. Accountability for companies
The fate of companies and their employees appears to be quite straightforward. The Tallin Manual reveals that the majority of experts took the position that the company “that has been contracted by a party to the conflict to perform specific military operations such as cyber attacks against the enemy” “qualifies as an organised armed group belonging to a party.” The employees would therefore be members of an armed group belonging to a party.
Both the company and its employees would thus qualify as combatants if, according to article 4A(2) of the Third Geneva Convention, they :
are under responsible command;
wear attire or emblems that allow them to be distinguishable;
carry their weapons openly; and
conduct their operations in accordance with IHL.
This determination has three main effects.
Treatment upon capture:
Combatants benefit from the Prisoner of War status upon capture. They must, as a result, be treated humanely, and repatriated diligently.
Immunity from prosecution:
Combatants benefit from immunity and may therefore not be prosecuted for their participation in war in the limits of the respect of the law of armed conflict.
Susceptibility to intentional targeting:
Combatants are, by principle, lawful targets, unless hors de combat. The fact that operators are remote legally do not alter their combatant status. They may be targeted “by cyber or other lawful means”, including kinetic.
2. Accountability for individuals
The Tallin Manual experts took a different approach for “individual contractors” and opined they would not benefit from the combatant status. The phrasing, and the use of the term “contractor” in particular, seems to frame individuals who contract with a state to perform a mission. Given the extent of the consequences of such a distinction, and the little difference in practical terms between a freelancer and the employee of a firm, the finding may seem surprising.
The civilian participating in hostilities does not necessarily amount to them losing their civilian protection. Three criteria determine whether the acts undertaken by civilians constitute direct participation in hostilities, resulting in the loss of protection:
threshold of harm : “The act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack.” In that respect, the Tallinn Manual gives as an instance the case where cyber operation “disrupts the enemy’s command and control network” or even, for a minority of experts, “acts that enhance one’s own military capacity”, such as the “maintaining passive cyber defences of military cyber assets”.
direct causation : “there must be a direct causal link between the act and the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part.”
belligerent nexus : the act must be specifically designed to directly cause the required threshold of harm in support of a party to the conflict and to the detriment of another
Would these conditions be met, civilians would be deprived of protection “for such time” as they “directly participate in hostilities”. This deprivation has three main effects.
Treatment upon capture:
Civilians participating in hostilities do not benefit from the treatment prisoners of war shall be entitled to. They still benefit, nonetheless, from the article 75 of the Additional Protocol I fundamental guarantees, that have become customary.
Immunity from prosecution:
Civilians directly participating in hostilities do not have immunity and may be prosecuted under domestic law for the cyber operations they conduct and that breach domestic law, even if these are lawful under the laws of armed conflict.
Susceptibility to intentional targeting:
As a result of them directly participating in hostilities, a civilian loses the protection from attack “for such time” as they directly participate. The period during which the civilian loses his or her protection has been a matter of debate. The Tallin Manual experts in majority took the position that the duration of an individual’s direct participation extends from the beginning of his involvement in mission planning to the point when they terminate an active role in the operation. In the instance of a mission, consisting of a number of operations, experts did not agree on whether the “such time” period should consist in the mission as a whole, or whether each action should be a separate participation. The stakes are significant, as in the first case, the civilian would only be a lawful target during each operation, immediately before and immediately after, whereas in the second case, the civilian would become so during a period of days, weeks or months during which the mission would last.
Additionally, the Tallinn Manual provides that a civilian directly participating in hostilities may “be attacked by cyber or other lawful means.” A civilian directly participating in hostilities may therefore be targeted to the same extent a combatant would be. There is no recognized duty, for instance, to capture a civilian directly participating in hostilities more than there would be one in the case of combatant, and it is lawful for armed forces to kill an enemy that could be captured instead, as long as they do not surrender. The so-called Pictet theory, albeit debated, has not been integrated to international humanitarian law.
3. Conclusion
It is essential for a civilian engaging in armed conflict to account for the consequences of them reaching the threshold of direct participation in hostilities. A civilian may not become a lawful target or be subject to prosecution as long as they do not reach the threshold. As soon as the acts performed adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, inflict death, injury, or destruction on persons or objects protected against direct attack, they, however, become a lawful target, whilst not benefitting from combatant status, therefore being subject to prosecution under domestic law of the enemy state. In that situation, it may be pertinent to consider becoming a combatant in order to benefit from immunity against prosecution, especially when the participation lasts over an extended period during which the civilian may be lawfully targeted. Both the combatant and the civilian directly participating in hostilities are indeed lawful targets, however only the combatant benefits from immunity from prosecutions. It is therefore about recognizing this threshold and identifying when it is worth becoming a combatant instead of a civilian directly participating in hostilities. In other words, when considering participating in hostilities, especially over an extended period of time, one would be advised to either remain under the threshold of harm in order to maintain a civilian status, or consider one’s integration to the armed forces in order to benefit from the combatant status.
The distinctive criteria, consisting in whether the participation in hostilities is individual – that would apply to a freelancer – or was conducted as an employee of a company qualified as an organized armed group belonging to a party, seems abrupt, and might gain in granularity in the next editions of the Tallin Manual. The reasoning appears all the more debatable as the determination bears significant consequences for the operators.
The fast-paced development of the use by states of civilians in their cyber activities will raise more questions in the near future. One is already the responsibility of states using civilians in warfare, with some scholars going as far as arguing that “states employing civilians to perform the intelligence functions, attack execution, or any of the other operations essential to a successful destructive Computer Network Attack" would be in violation of the law of war. It is also quite interesting to notice that, would a company contractor fail to fit the four criteria seen above to be qualified as an armed group belonging to a party, its participation in the armed conflict would likely potentially give rise to a non-international armed conflict between the company, as a non-state armed group, and a state. Lastly, this topic also echoes the debate surrounding targeted killings. Indeed, as the operator may attack remotely, potentially from the territory of a state where no hostilities take place, lawfully targeting them may amount to assassination. The prohibition of treachery would potentially protect operators, combatants or civilians, from being lawfully targeted in these conditions, although the rule has been weakened by the US’, amongst others’, use of drone strikes.