¹ Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts (Additional Protocol I or AP I) (entered into force 7 December 1978) 1125 UNTS 3.

² Henckaerts, Jean-Marie and Doswald-Beck, Louise (eds), Customary International Humanitarian Law, Vol 1: Rules (International Committee of the Red Cross and Cambridge University Press 2005, revised 2009)Google Scholar (ICRC Study) r 8.

³ Schmitt, Michael N (ed), Tallinn Manual on the International Law Applicable to Cyber Warfare: Prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of Excellence (Cambridge University Press 2013)Google Scholar (Tallinn Manual) 258.

⁴ Social media may be divided into six main categories: collaborative projects (eg Wikipedia), blogs and microblogs (eg Twitter), content communities (eg YouTube), social networking sites (eg Facebook), virtual game worlds (eg World of Warcraft) and virtual social worlds (eg Second Life): Kaplan, Andreas and Haenlien, Michael, ‘Users of the World, Unite! The Challenges and Opportunities of Social Media’ (2010) 53 Business Horizons 61Google Scholar, although the boundaries between these categories are becoming increasingly blurred.

⁵ Dinniss, Heather Harrison, Cyber Warfare and the Laws of War (Cambridge University Press 2012)CrossRefGoogle Scholar 184.

⁶ Tallinn Manual (n 3).

⁷ Sandoz, Yves, Swinarski, Christophe and Zimmermann, Bruno, Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (International Committee of the Red Cross and Martinus Nijhoff 1987)Google Scholar (ICRC Commentary).

⁸ See, eg, Lubell, Noam, ‘Lawful Targets in Cyber Operations: Does the Principle of Distinction Apply?’ (2013) 89 International Law Studies 252Google Scholar, 267; Tallinn Manual (n 3) 127.

⁹ SCADA (Supervisory Control and Data Acquisition) systems provide real-time data analysis of complex systems, reporting back to a central hub where they may be monitored and controlled.

¹⁰ As a side note, content-level data is also the most common type of data to be backed up by organisations and individuals.

¹¹ Tallinn Manual (n 3) 127.

¹² ibid.

¹³ As noted, this article will not consider the protection of certain types of content-level data other than to reiterate that some types will already be covered by protection of items such as medical records and cultural archives.

¹⁴ ICRC Commentary (n 7) paras 2007–08; Tallinn Manual (n 3) 126

¹⁵ ICRC Commentary (n 7) paras 2007–08.

¹⁶ Harrison Dinniss (n 5) 184; for a similar analysis see Lubell (n 8) 267.

¹⁷ Harrison Dinniss (n 5) 184.

¹⁸ The TCP/IP protocol (a suite of protocols or rules sets for communicating data across platforms) was standardised in 1986, allowing different networks to link with each other in a standardised way and develop eventually to form the international system of networks that we know now as the internet. The final barriers to commercialisation of the internet were removed in 1995, leading to the exponential growth of networked technologies, and the ability for cyber warfare to even exist. The first internet-based attack occurred in 1988 – the Morris worm – which caused disruption to major portions of the then internet.

¹⁹ It is to be hoped that the current project under way by the ICRC to update the commentaries will contain scope for these changes.

²⁰ Vienna Convention on the Law of Treaties (entered into force 27 January 1980) 1155 UNTS 331, art 31. The International Court of Justice has recognised in multiple cases this principle of treaty interpretation as reflective of customary international law and has extended its application as a general rule of interpretation beyond treaties to include Security Council resolutions such as the statutes of the International Criminal Tribunals for the former Yugoslavia and Rwanda.

²¹ Note that this has not prevented courts from holding electronic data to be a tangible thing for the purposes of certain domestic legislation; see, for example, cases concerning s 215 of the United States Patriot Act holding electronic records to be ‘tangible things’ for the purposes of that Act.

²² For a discussion on weapons intangibility see Harrison Dinniss (n 5) 68; Tallinn Manual (n 3) 141–42.

²³ Stuxnet is the name given to the malware that is responsible for physical damage being caused to nearly 1,000 enrichment centrifuges at the Nantanz Uranium enrichment facility in Iran. Discovered in 2010, it is widely believed to be the work of the United States and Israel working in cooperation. Neither state has commented publicly on the matter. For technical details on the attack see Nicolas Falliere, Liam O'Murchu and Eric Chien, ‘W32.Stuxnet Dossier: Version 1.4’, February 2011, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.

²⁴ Wiper is a mysterious and sophisticated piece of malware, discovered in April 2012, which rendered computer systems unbootable by wiping sections of the hard drives. The main computer systems affected by the virus were businesses and government departments associated with oil production in Iran. Unfortunately, as very little data survived the attacks, little is known about the malware itself but experts have cited possible links to the Duqu software, largely believed to be the work of the United States and Israel. See, generally, Kaspersky Lab, Global Research and Analysis Team, ‘What Was That Wiper Thing?’, SecureList, 29 August 2012, https://www.securelist.com/en/blog/208193808/What_was_that_Wiper_thing. Wiper appears also to have inspired copycat attack, Shamoon – an attack launched against Saudi Arabia's leading oil company, Saudi Aramco, as well as RasGas in Qatar.

²⁵ AP I (n 1) art 52(1).

²⁶ ICRC Commentary (n 7) para 3685, stating that the object and purpose of AP I is to ‘improve the protection provided by the [Geneva] Conventions to the victims of international armed conflicts’. For a detailed treatment of the Vienna Convention on the Law of Treaties as an interpretive tool for determining cyber military objectives see Kubo Mačák, ‘Military Objectives 2.0’ (2015) 4(1) Israel Law Review 55.

²⁷ The Tallinn Manual makes no distinction between the two sentences in its restatement of this rule as it relates to cyber.

²⁸ Dinstein, Yoram, The Conduct of Hostilities under the Law of International Armed Conflict (2nd edn, Cambridge University Press 2010)Google Scholar 92.

²⁹ Tallinn Manual (n 3) r 30.

³⁰ For a discussion of the difference between attacks and operations see Harrison Dinniss (n 5) 196–202 and Heather A Harrison Dinniss, ‘Attacks and Operations: The Debate over Computer Network “Attacks”’, paper presented at the conference ‘New Technologies, Old Law: Applying International Humanitarian Law in a New Technological Age’, 28–29 November 2011, Minerva Center for Human Rights, The Hebrew University of Jerusalem, http://www.academia.edu/4086617/Attacks_and_Operations__The_debate_over_computer_network_attacks.

³¹ For example, dispersible poison gases may be detectible only at the molecular or atomic level. The question of whether a determination of tangibility or intangibility should be made at the atomic or sub-atomic level is beyond the scope of this article. However, the fact that such gases are contained in a physical canister prior to dispersal is no different conceptually from code being contained in the physical infrastructure of a computer system.

³² Tallinn Manual (n 3) 106.

³³ ibid 142 (emphasis added).

³⁴ Trial of Alfied Felix Alwyn Krupp Von Bohlen Und Halbach and Eleven Others (The Krupp Trial), Law Reports of Trials of War Criminals, United States Military Tribunal, Nuremburg Vol X, 164; Trial of Carl Krauch and Twenty-Two Others (IG Farben Trial), Law Reports of Trials of War Criminals, United States Military Tribunal, Nuremburg Vol X, 46.

³⁵ Tallinn Manual (n 3) r 82.

³⁶ With the exception of medical devices, networks, etc.

³⁷ ICRC Commentary (n 7) paras 2007–08.

³⁸ The posting of steganographically altered images on social media sites is a fairly well known tactic among organised armed groups.

³⁹ See, eg, explanations of the vote by the United Kingdom (169), Canada (179), Federal Republic of Germany (188), the Netherlands (195) and the United States (204): CDDH/SR41, Official Records of the Diplomatic Conference on the Reaffirmation and Development of International Humanitarian Law Applicable in Armed Conflicts, Geneva (1974–1977) (Federal Political Department 1978) Vol VI.

⁴⁰ ICRC Commentary (n 7) paras 2020–24.

⁴¹ That is, if one path to a destination is inaccessible data can be sent via an alternative route. Indeed, different packets of information (eg pieces of a message or data request) may be sent via different routes and reassembled at the destination address.

⁴² Although note that from an operational perspective, there may be more value in intercepting and monitoring communications.

⁴³ Harrison Dinniss (n 5) 185.

⁴⁴ Dinstein (n 28) 128.

⁴⁵ US Navy, US Marine Corps and US Coast Guard, The Commander's Handbook on the Law of Naval Operations, NWP 1-14M/MCWP 5-121/COMDTPUB P58007A, 2007, para 8.2.

⁴⁶ ibid para 8.2.5.

⁴⁷ Tallinn Manual (n 3) 131.

⁴⁸ See statements made by Australia, Belgium, Canada, France, Germany, Italy, the Netherlands, Nigeria, Spain and the United Kingdom in the state practice accompanying ICRC Study (n 2) r 8.

⁴⁹ For example, in 2010, the former US Director of National Intelligence, Admiral Michael McConnell, estimated that 98 per cent of US government communications, including classified communications, travel over civilian-owned-and-operated networks and systems: Michael McConnell, Former Director of National Intelligence, Keynote Address at the Texas Law Review Symposium ‘Law at the Intersection of National Security, Privacy, and Technology’, 2 February 2010, cited in Eric Jensen, ‘Cyber Warfare and Precautions against the Effects of Attacks’ (2010) 88 Texas Law Review 1533. Civilians also make use of some military infrastructure: eg the GPS satellite network is used for a huge range of civilian applications.

⁵⁰ Droege, Cordula, ‘Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians’ (2012) 94 International Review of the Red Cross 533Google Scholar, 562, and references therein.

⁵¹ AP I (n 1) art 57(2)(a)(ii).

⁵² AP I (n 1) art 57(3) provides: ‘When a choice is possible between several military objectives for obtaining a similar military advantage, the objective to be selected shall be that the attack on which may be expected to cause the least danger to civilian lives and to civilian objects’.

⁵³ ibid.

⁵⁴ The Wiper algorithm caused disruption to Iran's oil industry systems by wiping significant sections of the hard drives; for more details see Kapersky Lab (n 24).

⁵⁵ Duqu and Flame are both instances of malware designed primarily for espionage purposes. However, both pieces of malware contained latent components or modules that would allow them to be turned into sabotaging malware had that component been activated. In an example of the efficiency of sending code to attack such malware, many instances of Flame were removed, presumably by its creators, by sending a kill command which removed all traces of the malware from the computer.

⁵⁶ AP I (n 1) art 51(5)(a) provides, as an example of a prohibited indiscriminate attack, an attack by bombardment by any methods or means which treats as a single military objective a number of clearly separated and distinct military objectives located in a city, town, village or other area containing a similar concentration or civilians or civilian objects. Dinstein notes that two exceptions remain: the first is where the military objectives in the area are not ‘clearly separated and distinct’ and, secondly, where there is no ‘similar concentration of civilians or civilian objects’: Dinstein (n 28) 119.

⁵⁷ A node is a connection or processing point in a given system or network; the exact definition will change depending on the type of network or system involved. Nodes may be virtual or physical.

⁵⁸ See n 56 above.

⁵⁹ ICRC Study (n 2) r 13 and associated practice.

⁶⁰ Tallinn Manual (n 3) 158.

⁶¹ ibid 108, referring to the object of attack.

⁶² This article will limit itself to the physical type of component as the other is dealt with as code.

⁶³ The Tallinn Manual defines a computer system as consisting of one or more interconnected computers with associated software and peripheral devices. It can include sensors and/or (programmable logic) controllers, connected over a computer network: Tallinn Manual (n 3) 258.

⁶⁴ Blue Force tracking systems allow commanders to identify and locate friendly (and enemy) forces on the battlefield via GPS location and mapping software.

⁶⁵ See n 49.

⁶⁶ ICRC Commentary (n 7) paras 2226–28.