BORDERLESS NETWORKS AND DISAPPEARING FRONT LINES: HUMAN RIGHTS AND

CYBER WARFARE
ABSTRACT
With the development of technology, borders can be said to be disappearing as cyber
warfare is now replacing traditional methods of warfare. Following the widespread
WannaCry attack launched in 2017, cyber warfare features prominently on the agenda of
policy makers and military leaders around the world, as it is increasingly being used by
states. Although the perpetrators of the attack have been charged in the US, the wider impact
on the human rights of civilian populations has gone unaddressed. Keeping this in mind, this
article will focus on the implications to international humanitarian law and identify the
gaps that need to be filled to achieve its goal: uphold human dignity and prevent
unnecessary human suffering. First, this article will contextualise the application of IHL to
cyber warfare. Then, the author will analyse how to determine whether the cyber operations
have been carried out in the context of and in nexus with armed conflicts. Once determined,
the article identifies the principle of distinction and neutrality as being of major significance
and evaluates their applicability in light of the WannaCry attack. In conclusion, the article
recommends amendments to the interpretation of IHL to accommodate the changing nature
of warfare.
INTRODUCTION
In May 2017, a cyber-attack targeted Microsoft computers across the globe, effectively
crippling the NHS and significantly disrupting patient care. The so-called WannaCry hack
shut down hundreds of thousands of computers with a message from hackers demanding
ransom payments.1 Acknowledging that such threats are imminent, the French Defence
Secretary stated that “if a threat is over the heads of all of us, that’s the cyber threat and it has
no border.”2
Developments in technology, such as the invention of drones and crucial information
systems,3 have revolutionised international affairs. Therefore, it comes as no surprise that
states have included cyber warfare in their military planning and organisation.4 These range
from states with very advanced statements of doctrine and military organisations envisaging
the employment of hundreds or thousands of individuals to simpler arrangements
incorporating cyber warfare into existing electronic warfare capabilities. These operations are
also being devised to reduce the loss of human life.5 For the purposes of this article, ‘cyber
warfare’ refers to cyber operations conducted in or amounting to an armed conflict.
Traditional wars of state against state have considerably reduced in number. This is because
the capacity of State actors to unilaterally employ force against other states has been

1 Department of Health, National Audit Office, Investigation: WannaCry cyber-attack and the NHS, <
https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-
the-NHS.pdf> [accessed 19 February 2019].
2 Corfield, Gareth, ‘En garde! 'Cyber-war has begun' – and France will hack first, its defence sec

declares’ The Register < https://www.theregister.co.uk/2019/01/22/france_cyber_war/> [accessed 8

March 2019].
3 Kaldor, New and Old Wars - Organized Violence in a Global Era, 6 (Polity Press, 3rd ed. 2012).
4Center for Strategic and International Studies, Cybersecurity and Cyberwarfare – Preliminary

Assessment of National Doctrine and Organization, UNIDIR Resources Paper, 2011, available at:
http://www.unidir.org/files/publications/pdfs/cybersecurity-and-cyberwarfare-preliminary-
assessment-of-national-doctrine- and-organization-380.pdf [last accessed 18th February 2019].
5 Shane, Scott, ‘Cyberwarfare emerges from shadows of public discussion by US officials’, The New York

Times <https://www.nytimes.com/2012/09/27/us/us-officials-opening-up-on-cyberwarfare.html>
[accessed 18 February 2019]. 

considerably weakened due to the destructiveness of new military technology.6 Although
directed at computers, such operations could cause a tremendous degree of human suffering.
In times of armed conflict, in particular, there are grounds for concern that cyber operations
will be used to undermine the functioning of the critical infrastructure of crucial importance
to the civilian population. However, the borderless network of the Internet has caused the
disappearance of front lines. This is worrisome as mere state action cannot then effectively
prevent against the threat.7
The humanitarian and security concerns surrounding cyber warfare have become increasingly
significant since the WannaCry attack.8 Attacks targeting the healthcare industry are likely to
lead to loss of human dignity and cause human suffering as technology is being used to run
life-sustaining machinery such as MRI machines, heart defibrillators and electric
wheelchairs.9 This article will focus on attacks of critical infrastructure such as social security
and patient information which are a direct threat to the lives and well-being of civilians.
Although the North Korean hackers believed to be responsible for the attack have been
charged in a domestic court, the humanitarian suffering caused has been ignored.10 As the
concerns raised are of major significance to the modern battlefields, this article seeks to
analyse the prevailing norms of international humanitarian law (IHL).11
Keeping in mind the human rights concerns this issue raises, the article will focus on the
implications to IHL and identify the challenges to be overcome to preserve human dignity and
prevent unnecessary human suffering. First, this article will highlight the difficulties in
applying the long-established rules of IHL to hostilities involving cyber operations. Then, this
article will analyse how to determine whether the cyber operations have occurred within a
situation of armed conflict, as IHL only applies in that context. Once this has been
determined, the article identifies the principles of distinction and neutrality as being
significant and evaluates them in light of the WannaCry attack. In doing so, the article finds
that although the principles of distinction and neutrality lend themselves to cyber warfare to
a certain extent through analogy, they need to be developed in order to achieve the goals of
IHL and regulate the disappearing front lines.
THE EVOLUTION OF INTERNATIONAL HUMANITARIAN LAW
If the law is to remain effective over time, it must be responsive to context. When significant
contextual transformations take place, new norms emerge, old norms expire, and their
interpretation shifts. The speed of such an evolutionary process is influenced by a number of
actors – non-governmental advocacy groups, international organisations, international

6 Kaldor, supra note 3.
7 Dobrygowski, Daniel, ‘What would a cyberwar look like?’ WEForum
<https://www.weforum.org/agenda/2018/04/what-would-a-cyberwar-look-like/> [accessed 8 March
2019].
8 Theodore, Christakis, and Bannelier, Karine, ‘Reinventing Multilateral Cybersecurity Negotiation

after the Failure of the UN GGE and Wannacry: The OECD Solution,’ EJIL Talk!
<https://www.ejiltalk.org/reinventing-multilateral-cybersecurity-negotiation-after-the-failure-of-the-
un-gge-and-wannacry-the-oecd-solution/> [accessed 19 February 2019].
9 Morris, Evans, ‘Can Cyberattacks Cause Human Fatalities?’, The Doctor Weighs In

<https://thedoctorweighsin.com/can-cyberattacks-cause-human-fatalities/> [accessed 6 April 2019].

10 Bing, Christopher and Lynch, Sarah, ‘U.S. charges North Korean hacker in Sony, WannaCry

cyberattack’, Reuters <https://www.reuters.com/article/us-cyber-northkorea-sony/u-s-charges-

north-korean-hacker-in-sony-wannacry-cyberattacks-idUSKCN1LM20W> [accessed 18 February
2019] [hereinafter Reuters].
11Convention Concerning the Laws and Customs of War on Land (Hague IV),3 Martens Nouveau

Recueil (3d) 461; Additional Protocol I, art 36.

tribunals and political action groups.12 However, they are principally driven by states, as was
famously laid down in the Lotus case.13
Explained broadly, international law represents the consensus among states as to rules that
govern their interactions.14 States consent by opting into treaty regimes or by engaging in
practices out of a sense of obligation (opinio juris) that when combined with the practice of
other states crystallises into customary international law.15 As the consent of States reflects
their interests, their conduct is dictated by their selfish interests as well as principled values.
In the field of IHL, States have agreed to limitations on their freedom in the battlefield to
achieve humanitarian ends. Although the prevailing legal consensus is that restrictions should
apply to the use of cyber weapons during times of war, no apparent provision in international
law explicitly bans or regulates their use.16
A UN Working Group of Governmental Experts (GGE) was set up to discuss the development
in the field of information and telecommunications in the context of cybersecurity.17 The
group failed to reach a consensus on whether IHL applies to the cyberspace.18 Academics
have argued that the existing framework is not well-suited to cope with the new paradigm of
cyber warfare and have called for the legislation of a new convention to regulate their use.19
Others, including the US government, have opposed the need for such a convention and have
argued that the current framework could be applied to cyber warfare through analogy.20 This
article will argue that IHL applies to cyber warfare through analogy, but it must evolve to
accommodate developments in technology.
Within the Situation of Armed Conflicts
The IHL framework only applies within the situation of armed conflict. Legislative change in
IHL is likely to be slow as they evoke contrasting positions among States due to the
politicisation of the subject matter. The cardinal principles were defined broadly to
accommodate this. However, in the case of cyber warfare, their capacity to accommodate
change may prove insufficient. The framework was designed to apply to methods and means
of warfare involving the use of physical force and therefore are not directly applicable to
manipulations of data in cyberspace.21

12 Glennon, Michael, ‘The Road Ahead: Gaps, Leaks and Drips’, INT'L L. STUD., 83. (2013) 362.
13 S.S. Lotus (Fr. v. Turk.), 1927 P.C.I.J. (ser. A) No. 10, 144 (Sept. 7).
14 Schmitt, Michael, ‘The Law of Cyber Warfare: Quo Vadis?’ Stan. L. & Pol'y Rev., 25 (2014) 269, 272.
15 Statute of the International Court of Justice art. 38(1), June 26, 1945, 59 Stat. 1055; North Sea

Continental Shelf (Ger. v. Den.; Ger. v. Neth.), 1969 I.C.J. 3, 77 (Feb. 20).
16 Dormann, Knut, ‘Computer network attack and international humanitarian law, International

Committee of the Red Cross’, May 19, 2001, para. 29, http://www.icrc.org/web/eng/
siteengO.nsf/htmlall/5p2alj.
17 Fidler, David, ‘The UN Secretary-General's Call for Regulating Cyberwar Raises More Questions Than

Answers’, <https://www.cfr.org/blog/un-secretary-generals-call-regulating-cyberwar-raises-more-
questions-answers> [accessed 19 February 2019).
18 Schmitt, Michael and Vihul, Liss, ‘International Cyber Law Politicized: The UN GGE’s Failure to

Advance Cyber Norms’, Just Security <https://www.justsecurity.org/42768/international-cyber-law-

politicized-gges-failure-advance-cyber-norms/> [accessed 19 February 2019].
19 Brown, Davis, ‘A Proposal for an International Convention to Regulate the Use of Information

Systems in Armed Conflict’, Harv. Int'l L.J. 47 (2006) 179 [hereinafter Brown].
20 Dept. of Defense Office of Gen. Counsel, ‘An Assessment of International Legal Issues in Information

Operations’ 11 (1999), http://www.maxwell.af.mil/ au/awc/awcgate/dod-io-legal/dod-io-legal.pdf

(hereinafter DOD Assessment); Scott, Roger, ‘Legal Aspects of Information Warfare: Military
Disruption of Telecommunications’, Naval L. Rev. 45 (1998) 57,59.
21 Diamond, Eitan, ‘Applying International Humanitarian Law to Cyber Warfare (2014) Law and

National Security: Selected Issues 67’ <

At the outset, it might seem that it would be easy to establish the nexus with an armed conflict
in relation to cyber operations occurring against the backdrop of an existing armed conflict.
However, even in such situations, it is by no means self-evident. It might be difficult to
ascertain that the operations are related to the armed conflict. Further, due to the nature of
cyber operations, it may be difficult to identify the actor carrying them out and to establish
that it was conducted on behalf of a party to the conflict.22 As long as the connection to the
armed conflict remains in doubt, so does the applicability of IHL.
The cases where cyber warfare does not occur alongside other forms of hostilities, as in the
case of the WannaCry attack, can be more problematic, and questions of whether the cyber
operations themselves amount to an armed conflict arise. In identifying this it is important to
distinguish between the two types of armed conflicts in international law – international
armed conflicts, occurring between states, and non-international armed conflicts, where at
least one party is a non-state actor.
International armed conflicts occur when there is a resort to armed force between
states.23 Therefore, cyber warfare can only be said to occur in the context of an international
armed conflict if the a) cyber operations are attributable to a State and b) they amounted to a
resort to armed force against another state.
Although such attribution is difficult, it has been suggested that the application of certain legal
presumptions could mitigate this.24 For example, a state could be presumed to be responsible
for any cyber-attack originating from its governmental infrastructure although there is no
basis for this in international law. Moreover, the difficulty in shielding computer
infrastructure from such manipulations would place an unreasonable burden on states and
will be elaborated upon under the principle of neutrality. Besides, the scope of a state’s legal
responsibility for cyber operations is also affected by the potential attribution of operations
conducted by private groups within their territory to them.25 After a year-long investigation
in the case of WannaCry, the attack was attributed to elite North Korean hackers, the ‘Lazarus
Group’.
The general rule in international law in this regard is that the action is attributable to the state
if the action has been carried out under the instructions of or under the direction or control
of that State.26 If the authoritarian nature of the State of North Korea is taken into
consideration, it is possible that the State may have exercised effective control27 over specific
operations or had ‘overall control’, as is required. 28
The second criterion, namely that they amounted to a resort of use of force against another
state, is also difficult to establish as they entail the use of physical force. There is agreement
among analysts that computer network attacks that lead to physical destruction parallel to the

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3093068> [accessed 18 February 2019]
[hereinafter Diamond].
22 Id.
23 ICTY, Prosecutor v. Tadic, Case No. IT-94-1-A, Appeals Chamber Decision on the Defence Motion

for Interlocutory Appeal on Jurisdiction, 2 October 1995 [hereinafter Tadic], Para. 70.
24 Droege, Cordula, ‘Get off My Cloud: Cyber Warfare, International Humanitarian Law, and The

Protection of Civilians’ International Review of the Red Cross 886 (2018) 533, 543.
25 Tallinn Manual on the International Law Applicable to Cyber Warfare 211 (Michael N. Schmitt ed.,

2013) [hereinafter Tallinn Manual], Rule 7.

26 International Law Commission, Draft Articles on the Responsibility of States for Internationally

Wrongful Acts, Yearbook of the International Law Commission, 2001, Vol. II (Part Two) at Article 8.
27 International Court of Justice, Military and Paramilitary Activities in and against Nicaragua

(Nicaragua v United States) Judgment of 27 June 1986, paras. 115–116.

28 ICTY, Prosecutor v Dusko Tadic, IT-94-I, Appeals Chamber Judgement of 15 July 1999, para 120.
destruction produced by attacks employing kinetic force would amount to an armed attack.29
However, cyber operations are capable of effecting other equally destructive forms of harm
such as the disruption of the supply of vital resources or critical information systems. If this
requirement is read in line with IHL’s humanitarian purpose, cyber operations like WannaCry
producing grave humanitarian consequences should be considered to be within the ambit of
‘armed force’.
If either of the above two criteria fails to be satisfied, an international armed conflict is not
said to exist although a non-international armed conflict might. The latter is said to exist
if the armed violence involves at least one non-state actor where the a) the parties involved
satisfy a minimum level of organisation and b) the armed violence reaches a minimum level
of intensity.30 Therefore, although Lazarus Group may fail to satisfy the test for state
responsibility, they may better satisfy the criteria of a non-international armed conflict as a
non-state actor.
In the context of cyber warfare, the virtually organised groups generally active in cyberspace
will rarely, if ever, satisfy the requirement for organisation. This includes a level of hierarchy
and a command structure that allows for the implementation of basic IHL principles.31 This
is potentially hard to prove when the groups are only connected by virtual communication.32
However, since an individual within the group has been identified, and the group is wanted
for more than one cyber-attack, it is possible that the group follow a command structure
satisfying a minimum level of organisation.33 This requirement could also be said to have been
met if it is seen that the cyber operations conducted have resulted in harm akin to that in an
armed conflict.34
However, due to the absence of instructive state practice or opinio juris in the context of
armed conflicts, it remains unclear when cyber warfare can be said to satisfy the criteria.
However, if established that the cyber operations are occurring in the context of armed
conflicts, the principles of IHL such as the principle of distinction and neutrality, will apply.
Principle of Distinction
In the 1996 Advisory Opinion on Nuclear Weapons, the International Court of Justice
established the principle of distinction as a cardinal principle of IHL.35 This precept of
distinction recognised as a part of modern customary international law is contained in Article
48 of the 1977 Additional Protocol I to the Geneva Convention (Additional Protocol I) entitled
the ‘basic rule’. Under this principle, parties to an armed conflict must always distinguish
between civilians and civilian objects on the one hand, and combatants and military targets
on the other.36 The treaty bars belligerents from rendering useless those objects that are
indispensable to the survival of the civilian population, such as foodstuffs, drinking water

29 Diamond, supra note 20, at 71.
30 Tadic, supra note 22, para 70.
31 ICTY, Prosecutor v. Boskoski, IT-04-82-T, Trial Chamber Judgment of 10 July 2008, paras. 199–

203.
32 Tallinn Manual, supra note 24, Commentary on Rule 23, paras. 13-15.
33 Reuters, supra note 9.
34 Diamond, supra note 20.
35 Legality of the Threat or Use Weapons, Advisory Opinion, 1996 I.C.J. 226, 257 (July 8) [hereinafter

Advisory Opinion].
36 Protocol Additional to the Geneva Conventions of 12 August 1 949, and Relating to t Protection of

Victims of International Armed Conflicts (Protocol I) June 8, 1977 1125 U.N.T.S. 3 [hereinafter
Additional Protocol I] art. 48.
installations and supplies.37 Consequently, States must never use weapons that are incapable
of distinguishing between civilian and military targets.38
The meaning of ‘attack’ is important in this context as humanitarian law’s prohibitions only
apply to cyber operations that qualify as such. Article 49(1) of Additional Protocol I defines
an attack as ‘acts of violence against the adversary, whether in offence or in defence.’39 This
definition was formed at the time when attacks were carried out almost exclusively by the use
of physical force which were by nature violent. To include cyber warfare, the term should be
broadly interpreted keeping in mind the overarching humanitarian purpose of IHL.40
Although this broad interpretation may not be a popular opinion and can be said to be
stretching the cyber warfare analogy beyond credibility, not doing so could risk the law
becoming obsolete. Further, there is the possibility that excluding cyber operations from the
notion of attack would release these operations from the requirement to adhere to the
principle of distinction in the choice of targets, a fundamental principle of IHL. Therefore,
cyber operations leading to direct physical damage or casualties must be considered an
‘attack’.41
Attacks must be limited to strictly military targets, which the treaty defines as those objects
that ‘make an effective contribution to military action and whose total or partial destruction,
capture or neutralisation, in the circumstances ruling at the time, offers a definite military
advantage’.42 Belligerents have a further duty to refrain from undertaking attacks whose
primary purpose is of spreading terror among the civilian population.43 This principle can
easily be applied to cyber warfare, as academics and military operators are of the opinion that
a legitimate military target for a physical attack is a legitimate military target for a cyber-
attack.44
The primary difficulty in applying these rules to cyber warfare lies in the fact that most cyber
infrastructure is dual-use,45 serving both civilian and military objectives. Computers control
a large part of our civilian and military infrastructure, including communications, power
systems, sewage regulation, and healthcare.46 Moreover, the Internet provides nearly
universal interconnectivity of computer networks with no distinction between civilian and
military uses.47 It is well-accepted practice that dual-use objects be treated as military
objects.48 This would effectively mean that there would be no prohibition on global cyber-
attacks affecting computers worldwide such as WannaCry if they are found to be occurring
during an armed conflict.

37 Id., art 54(2).
38 Advisory Opinion, supra note 34.
39 Additional Protocol I, supra note 35, art 49(1).
40 Schmitt, supra note 13, at 295.
41 Lubell, Noam, ‘Lawful Targets in Cyber Operations: Does the Principle of Distinction Apply?’, Int’l L.

Stud. 89 (2013) 252.

42 Id., art 52(2).
43 Id., art 51(2).
44 Bradley, supra note 12; DOD Assessment, supra note 19.
45 O'Donnell, Brian & Kraska, James, ‘Humanitarian Law: Developing International Rules for the

Digital Battlefield,’ J. Conflict & Security L. 8 (2003) 133, 157.

46 Antolin-Jenkins, Vida, ‘Defining the Parameters of Cyberwar Operations: Looking for Law in All The

Wrong Places?’ Naval L. Rev. 51 (2005) 132, 132.

47 Id., 137-138.
48 Additional Protocol I, supra note 35, art 52(2); Int’l Comm. Of the Red Cross, Customary

International Humanitarian Law (Jean-Marie Henckaerts & Louise Doswald-Beck eds., 2005),
available at http://www.icrc.org/eng/assets/files/other/customary-international-humanitarian-law-
i-icrc-eng.pdf [hereinafter Customary IHL], Rule 29.
By way of offering a solution to this problem, Geiß and Lahmann envisaged the disentangling
of military and civilian infrastructure by allowing only certain forms of cyber-attack, namely
those that can be reversed.49 However, it is unlikely that states will agree to such rigid
solutions and therefore the principle of proportionality is said to provide a more flexible
solution. As per Article 51(5)(b) of Additional Protocol I, ‘incidental loss of civilian life, injury
to civilians, damage to civilian objects or a combination thereof is prohibited if it is excessive
in relation to the concrete and direct military advantage anticipated’.50 This principle has
reached the status of customary international law, and there is no controversy regarding its
general applicability to cyber warfare.51 Therefore, to achieve the humanitarian goal of
preventing human suffering and preserving human dignity, the principle of proportionality
would prevail to overcome the dual-use nature of Internet infrastructure.
Principle of Neutrality
Keeping in mind the global nature of the cyber-attack using the WannaCry ransomware,
another significant principle is the principle of neutrality. Found primarily in The Hague
Conventions, it provides that the territory of a neutral state is inviolable and imposes duties
and rights on belligerent and neutral states to maintain that neutrality.52
Neutrality law regulates the coexistence of war and peace and gives the states not party to the
conflict the ability to maintain relations with all belligerents.53 A key duty with regard to the
discussion of cyber warfare is that belligerents may not move troops, weapons or other
resources across their territory.54 In situations of naval conflict, the belligerent may move
their troops across neutral waters but may not engage in any act of hostility while in those
waters.55
Interestingly, neutrality law contains a telecommunications exception as under Article 8 of
the 1907 Hague Convention V, which does not call upon the neutral Power to forbid all
belligerents from using telegraph or telephone cables belonging to it or its nationals, including
legal and natural persons.56
The use of the internet to conduct cross-border cyber-attacks, as in the case of WannaCry,
violates the principle of neutrality when the belligerent launches an attack that crosses the
Internet nodes of a neutral state.57 The limited exception to telecommunications does not
extend to cyber warfare as Hague Convention V explicitly states that belligerents "are
forbidden to move troops, or convoys of either munitions of war or supplies across the
territory of a neutral Power.”58 Rather than transmitting a mere communication signal, in the
case of a cyber-attack, the belligerent is moving a weapon, designed to kill, injure, or disable
people or to damage or destroy property, across the territory of a neutral Power.59 As Brown

49 Robin Geiß and Henning Lahmann, ‘Cyber Warfare: Applying the Principle of Distinction in an
Interconnected Space’, Israel Law Review 45. 3. (2012) 381, 390.
50 Additional Protocol I, supra note 35, art 51(5)(b).
51 Kelsey, Jeffrey, ‘Hacking into International Humanitarian Law: The Principles of Distinction and

Neutrality in the Age of Cyber Warfare’ Michigan Law Review 106(7) (2008) 1427.
52 Convention Respecting the Rights and Duties of Neutral Powers and Persons In Case Land, Oct. 18,

1907, 36 Stat. 2310, T.S. 540 [hereinafter 1907 Hague Convention V]; Convention Concerning the
Rights and Duties of Neutral Powers in Naval War, Oct. 18, 1907, 36 T.S. 545 [hereinafter 1907 Hague
Convention XIII].
53 Neff, Stephen, ‘The rights and duties of neutrals’ 1 (2000).
54 Hague Convention V, supra note 50, art. 2.
55 Hague Convention XIII, supra note 50, art I, art II.
56 Hague Convention V, supra note 50, art. 8.
57 DOD Assessment, supra note 19, at 10.
58 Hague Convention V, supra note 50, art 2 (emphasis added).
59 Brown, supra note 18, at 184.
has noted, when an information packet containing a malicious code travels through computer
systems across neutral states, neutrality is violated when construed in a strict sense.60 The
Hague Convention V prohibits the movement of even a single electron across the territory of
a neutral state.61 Therefore, the violation of borders no longer requires the physical movement
of troops or supplies.
Like any other attack that violates the territory of a neutral power, a cyber-attack risks
drawing the neutral state into the conflict. For example, the WannaCry ransomware attack
may have originated from North Korea, but in spreading to countries such as the UK and
India, it travelled through the territory of neutral countries. As there is an obligation on such
neutral powers to detect such attacks and prevent them,62 a failure to do so would entitle the
opposing belligerent to attack the neutral state to end the attack.63 Even if it were possible to
detect the attacks, the only effective action under the present structure of the Internet that the
neutral state could take to prevent the cyber-attacks from leaving its territory is to sever all
connections with computer systems in other states.64
Therefore, belligerents and neutral powers face significant difficulties in complying with IHL
under the present structure of the Internet. Recognising these difficulties, the scope of these
rights and duties should change and offer states an effective way to maintain neutrality while
avoiding the unrealistic limitations on the use of cyber weapons.65 Academics have suggested
an intent-based approach to neutrality where the belligerent would not violate IHL unless he
directed the cyber weapon to the territory of the neutral state.66
CONCLUSION
Although the UN GGE failed to reach a consensus on the applicability of IHL to cyberspace,
it is clear from the above discussion that it can be applied to the context of cyber warfare by
analogy to a certain extent. Analysing the situation in the WannaCry global cyber-attack, this
article has shown that the IHL framework applies to the conduct of cyber warfare. It has
demonstrated that violations of the principles of distinction and neutrality are more likely in
the case of cyber warfare than in traditional warfare.
As the Internet infrastructure consists of dual-use objects, any attack will potentially cause
human suffering. To strengthen the principle of distinction to effectively reduce the damage
to civilian population and property, states can create new provisions to allow only certain
types of cyber warfare or use the principle of proportionality to effectively curb the intensity
of such attacks. Further, cyber-attacks have led to the disappearance of ‘borders’ in a
traditional sense as the territory of neutral states can now be violated without the use of
physical force. However, the law of neutrality needs to be developed to protect the rights and
duties of belligerents and neutral states under the present structure of the Internet by allowing
for an intent-based approach.
Therefore, although IHL lends itself to be applied by analogy to cyber warfare, it needs to be
expanded. This development is essential to effectively regulate the emerging borders and to
achieve its humanitarian goals: upholding human dignity and preventing human suffering.

60 Id., at 210.
61 Hague Convention V, supra note 50 art. 2.
62 Hague Convention V, supra note 50, art 5.
63 Brown, supra note 18, 210.
64 Brown, supra note 18, 210.
65 Jeffrey, supra note 50, 1435.
66 Id., 1448; Brown, supra note 18, 210-11.
BIBLIOGRAPHY
• Antolin-Jenkins, Vida, ‘Defining the Parameters of Cyberwar Operations:
Looking for Law in All the Wrong Places?’ Naval L. Rev. 51 (2005) 132.
• Bing, Christopher and Lynch, Sarah, ‘U.S. charges North Korean hacker in
Sony, WannaCry cyberattack’, Reuters < https://www.reuters.com/article/us-
cyber-northkorea-sony/u-s-charges-north-korean-hacker-in-sony-wannacry-
cyberattacks-idUSKCN1LM20W> [accessed 18 February 2019].
• Brown, Davis, ‘A Proposal for an International Convention to Regulate the Use
of Information Systems in Armed Conflict’, Harv. Int'l L.J. 47 (2006) 179.
• Centre for Strategic and International Studies, Cybersecurity and Cyberwarfare
– Preliminary Assessment of National Doctrine and Organization, UNIDIR
Resources Paper, 2011, available at:
http://www.unidir.org/files/publications/pdfs/cybersecurity-and-
cyberwarfare-preliminary-assessment-of-national-doctrine- and-
organization-380.pdf [last accessed 18 February 2019].
th

• Convention Concerning the Laws and Customs of War on Land (Hague IV),3
Martens Nouveau Recueil (3d) 461.
• Convention Concerning the Rights and Duties of Neutral Powers in Naval War,
Oct. 18, 1907, 36 T.S. 545.
• Convention Respecting the Rights and Duties of Neutral Powers and Persons in
Case Land, Oct. 18, 1907, 36 Stat. 2310, T.S. 540.
• Corfield, Gareth, ‘En garde! 'Cyber-war has begun' – and France will hack first,
its defence sec declares’ The Register
<https://www.theregister.co.uk/2019/01/22/france_cyber_war/> [accessed
8 March 2019].
• Department of Health, National Audit Office, Investigation: WannaCry cyber-
attack and the NHS, <https://www.nao.org.uk/wp-
content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-
NHS.pdf> [accessed 19 February 2019].
• Dept. of Defense Office of Gen. Counsel, ‘An Assessment of International Legal
Issues In Information Operations’ 11 (1999), http://www.maxwell.af.mil/
au/awc/awcgate/dod-io-legal/dod-io-legal.pdf.
• Diamond, Eitan, ‘Applying International Humanitarian Law to Cyber Warfare
(2014) Law and National Security: Selected Issues 67’
<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3093068> [accessed
18 February 2019].
• Dobrygowski, Daniel, ‘What would a cyberwar look like?’ WEForum
<https://www.weforum.org/agenda/2018/04/what-would-a-cyberwar-look-
like/> [accessed 8 March 2019].
• Dormann, Knut, ‘Computer network attack and international humanitarian
law, International Committee of the Red Cross’, May 19, 2001, para. 29,
http://www.icrc.org/web/eng/ siteengO.nsf/htmlall/5p2alj.
• Droege, Cordula, ‘Get off My Cloud: Cyber Warfare, International
Humanitarian Law, and The Protection of Civilians’ International Review of the
Red Cross 886 (2018) 533.
• Fidler, David, ‘The UN Secretary-General's Call for Regulating Cyberwar Raises
More Questions Than Answers’, <https://www.cfr.org/blog/un-secretary-
generals-call-regulating-cyberwar-raises-more-questions-answers> [accessed
19 February 2019].
• Glennon, Michael, ‘The Road Ahead: Gaps, Leaks and Drips’, INT'L L. STUD.,
83. (2013) 362.
• ICTY, Prosecutor v Dusko Tadic, IT-94-I, Appeals Chamber Judgement of 15
July 1999.
• ICTY, Prosecutor v. Boskoski, IT-04-82-T, Trial Chamber Judgment of 10 July
2008, paras. 199–203.
• ICTY, Prosecutor v. Tadic, Case No. IT-94-1-A, Appeals Chamber Decision on
the Defence Motion for Interlocutory Appeal on Jurisdiction, 2 October 1995.
• Int’l Comm. Of the Red Cross, Customary International Humanitarian Law
(Jean-Marie Henckaerts & Louise Doswald-Beck eds., 2005), available at
http://www.icrc.org/eng/assets/files/other/customary-international-
humanitarian-law-i-icrc-eng.pdf.
• International Court of Justice, Military and Paramilitary Activities in and
against Nicaragua (Nicaragua v United States) Judgment of 27 June 1986,
paras. 115–116.
• International Law Commission, Draft Articles on the Responsibility of States
for Internationally Wrongful Acts, Yearbook of the International Law
Commission, 2001, Vol. II (Part Two).
• Kaldor, New and Old Wars - Organized Violence in a Global Era, 6 (Polity Press,
3rd ed. 2012).
• Kelsey, Jeffrey, ‘Hacking into International Humanitarian Law: The Principles
of Distinction and Neutrality in the Age of Cyber Warfare’ Michigan Law Review
106(7) (2008) 1427.
• Legality of the Threat or Use Weapons, Advisory Opinion, 1996 I.C.J. 226, 257
(July 8).
• Lubell, Noam, ‘Lawful Targets in Cyber Operations: Does the Principle of
Distinction Apply?’, Int’l L. Stud. 89 (2013) 252.
• Morris, Evans, ‘Can Cyberattacks Cause Human Fatalities?’, The Doctor
Weighs In <https://thedoctorweighsin.com/can-cyberattacks-cause-human-
fatalities/> [accessed 6 April 2019].
• Neff, Stephen, ‘The rights and duties of neutrals’ 1 (2000).
• O'Donnell, Brian & Kraska, James, ‘Humanitarian Law: Developing
International Rules for the Digital Battlefield,’ J. Conflict & Security L. 8 (2003)
133.
• Protocol Additional to the Geneva Conventions of 12 August 1 949, and Relating
to t Protection of Victims of International Armed Conflicts (Protocol I) June 8,
1977 1125 U.N.T.S. 3.
• Robin Geiß and Henning Lahmann, ‘Cyber Warfare: Applying the Principle of
Distinction in an Interconnected Space’, Israel Law Review 45. 3. (2012) 381.
• S.S. Lotus (Fr. v. Turk.), 1927 P.C.I.J. (ser. A) No. 10, 144 (Sept. 7).
• Schmitt, Michael and Vihul, Liss, ‘International Cyber Law Politicized: The UN
GGE’s Failure to Advance Cyber Norms’, Just Security
<https://www.justsecurity.org/42768/international-cyber-law-politicized-
gges-failure-advance-cyber-norms/> [accessed 19 February 2019].
• Schmitt, Michael, ‘The Law of Cyber Warfare: Quo Vadis?’ Stan. L. & Pol'y Rev.,
25 (2014) 269, 272.
• Scott, Roger, ‘Legal Aspects of Information Warfare: Military Disruption of
Telecommunications’, Naval L. Rev. 45 (1998) 57.
• Shane, Scott, ‘Cyberwarfare emerges from shadows of public discussion by US
officials’, The New York Times
<https://www.nytimes.com/2012/09/27/us/us-officials-opening-up-on-
cyberwarfare.html> [accessed 18 February 2019]. 

• Statute of the International Court of Justice art. 38(1), June 26, 1945, 59 Stat.
1055; North Sea Continental Shelf (Ger. v. Den.; Ger. v. Neth.), 1969 I.C.J. 3, 77
(Feb. 20).
• Tallinn Manual on the International Law Applicable to Cyber Warfare 211
(Michael N. Schmitt ed., 2013) [hereinafter Tallinn Manual].
• Theodore, Christakis, and Bannelier, Karine, ‘Reinventing Multilateral
Cybersecurity Negotiation after the Failure of the UN GGE and Wannacry: The
OECD Solution,’ EJIL Talk! <https://www.ejiltalk.org/reinventing-
multilateral-cybersecurity-negotiation-after-the-failure-of-the-un-gge-and-
wannacry-the-oecd-solution/> [accessed 19 February 2019].