In June 2015, the United States published its first-ever “Department of Defense Law of War Manual,” with a separate chapter on “Cyber Operations” and several other innovations compared with the single-service law manuals that had existed in various versions for over a century.
Of special note, and not surprisingly, the Manual confirmed long-standing U.S. abstention from the regimes of Additional Protocols (AP) I and II to the Geneva Conventions on the laws of war of August 12, 1949. The United States has signed but not ratified these protocols. AP I dictates that “works or installations containing dangerous forces, namely dams, dykes and nuclear electrical generating stations, shall not be made the object of attack, even where these objects are military objectives, if such attack may cause the release of dangerous forces and consequent severe losses among the civilian population.”
An effect of the non-ratification of AP I is that the United States reserves the right, if military necessity dictates it, to attack civil nuclear power plants, as well as dams, subject of course to other principles of international humanitarian law. The manual says:
Certain facilities containing dangerous forces, such as dams, nuclear power plants, or facilities producing weapons of mass destruction, may constitute military objectives. There may be a number of reasons for their attack, such as denial of electric power to military sources, use of a dangerous facility (e.g., by causing release from a dam) to damage or destroy other military objectives, or to pre-empt enemy release of the dangerous forces to hamper the movement or advance of U.S. or allied forces.
The chapter on cyber operations specifically allows for pre-placement in wartime of cyber weapons (often called time-release “logic bombs”):
Cyber operations can be a form of advance force operations, which precede the main effort in an objective area in order to prepare the objective for the main assault. For example, cyber operations may include reconnaissance (e.g., mapping a network), seizure of supporting positions (e.g., securing access to key network systems or nodes), and pre-emplacement of capabilities or weapons (e.g., implanting cyber access tools or malicious code).
While this statement in the manual refers to the U.S. view of its own actions in wartime, it would also be regarded by most states as the applicable international law in peacetime.
These two things taken together represent an important evolution in the use of cyber operations to control and lessen the destructive potential of war and civilian casualties. After all, the use of cyber operations against a civil nuclear power plant provides the attacker with more options for disabling the power plant and controlling the consequences than use of a kinetic attack might. The United States has always regarded its right to attack such facilities in wartime as limited by consideration of the need to avoid as far as possible large-scale civilian casualties.
Nevertheless, it may be time for the United States to consider a principle other than military necessity in framing its approach to the laws of war, including cyber attack on civil nuclear power stations. This is the principle of restraint.
In 2014, the EastWest Institute released a paper promoting the idea that states might commit in peacetime to refrain from cyber operations of any kind against civil nuclear power plants. While the report, titled “A Measure of Restraint in Cyberspace: Reducing Risk to Civilian Nuclear Assets,” focused on the peacetime regime, the proposal has a necessary implication for how states might consider targeting such facilities in time of war.
This report recommended opening a “debate among states and corporations with the purpose of promoting early agreement that use of technological attacks (including cyber means) against the safe operation of civil nuclear assets in peacetime should be prohibited by a legally binding multilateral instrument.”
The main purpose of such an initiative was seen by the EastWest report as promoting restraint in the development and application of cyber weapons and cyber arsenals, and as a confidence-building measure in cyberspace military affairs. The report noted progress within multilateral frameworks on quite general norms for protecting critical infrastructure, but it suggested that more urgent and more specific action was needed. It said that “a practical beginning may be to quarantine selected critical information infrastructure” such as civil nuclear assets from cyber attacks during peacetime: “There is an urgent need to reach consensus, as cyber attacks become more sophisticated and risks to essential services continue to grow.”
This proposal would fit quite neatly with the general propositions in a new book by Barry Posen, which is arguably one of the most important sets of ideas for U.S. policy since George Kennan’s famous “long telegram” of 1946 advocating economic and political containment of the Soviet Union. Posen’s book, Restraint: A New Foundation for US Grand Strategy, as summarized by the author, argues that the United States should abandon “an embedded system of ambitious and costly excess” and abandon its grand strategy of liberal hegemony. Posen argues that the country “should focus on a small number of threats, and approach those threats with subtlety and moderation.”
This principle of restraint, as advocated by Posen, is particularly apt in cyberspace as the United States prepares, as announced by its Cyber Command just this year, to expand its arsenal so that commanders at all levels of war have cyber options. This year also saw China and Russia move robustly in military planning for cyberspace to keep pace with the United States.
The opening of the 1946 long telegram from Kennan is instructive. He justified sending an extended essay as follows: the challenge “involves questions so intricate, so delicate, so strange to our form of thought, and so important to analysis of our international environment.” As Posen is now arguing, it may be past time for the United States to follow once again an approach “so strange to our form of thought” in its grand strategy. It might begin to articulate how the Posen principle of restraint might apply to the inevitable and necessary development of military options in cyberspace.