One Click from Conflict: Some Legal Considerations Related to Technology Companies Providing Digital Services in Situations of Armed Conflict

I would like to thank Samit D’Cunha, Pierrick Devidal, Laurent Gisel, Duncan Hollis, Victoria Luckenbaugh, Kubo Mačák, Ralph Mamiya, Laura Walker McDonald, Matt Pollard, Tilman Rodenhäuser, Fasya Addina Teixeira, Mauro Vignati, Lakmini Seneviratne, Austin Shangraw, Mark Silverman, and Claude Voillat for their comments on earlier drafts. This article was written in a personal capacity and does not necessarily reflect the views of the ICRC.

Private technology companies (tech companies) are increasingly providing their digital goods and services to clients living and working in situations of armed conflict. Tech companies may own, operate, or maintain significant portions of the digital infrastructure that allow day-to-day essentials—such as water, medical care, and electricity—to reach civilians living in places affected by armed conflict. They may own communications platforms that people use to call emergency services. They may own social media outlets that organizations rely on to inform communities in need about access to humanitarian services or that families use to maintain contact with each other. Those fighting today’s armed conflicts, including well-resourced militaries and less-developed non-state armed groups, also undoubtedly rely on hardware, software, and networks manufactured, serviced, and secured by tech companies. They use them to coordinate and carry out a wide array of military operations, including the management of troop movements, military fuel and spare parts, and medical supplies. This paper’s premise is that as tech companies increase their involvement in armed conflict, the legal implications they face under international humanitarian law (IHL)—a body of law that regulates who and what is protected from the hostilities of armed conflict—also rise. Recognizing that cyberspace spans the globe with little concern for geography and borders, Section II discusses how this reality affects the applicability of IHL’s principles and rules relating to tech company employees and properties. From there, Section II explains the protections IHL affords the employees and properties of tech companies operating in situations of armed conflict and when, in exceptional circumstances, those protections might be lost.
Section III moves on to discuss how IHL addresses situations where civilians and civilian objects get caught in the “digital crossfire” when they are reliant on, or located in proximity to, tech companies involved in armed conflict. Section IV concludes with practical recommendations for companies to take to minimize risks to their employees, property, civilian customers and surrounding civilians and civilian objects, including civilian infrastructure.

I. Introduction

Private technology companies (tech companies) are increasingly providing their digital goods and services to clients living and working in situations of armed conflict. These companies may own, operate, or maintain significant portions of the digital infrastructure that allow day-to-day essentials—such as water, medical care, and electricity—to reach civilians living in places affected by armed conflict. Information and telecommunications companies may provide people with the ability to call emergency services. Social media companies may own platforms that organizations rely on to inform communities in need about access to humanitarian services or that families use to maintain contact with each other. Those fighting today’s armed conflicts, including well-resourced militaries and less-developed non-state armed groups, also undoubtedly rely on hardware, software, and networks manufactured, serviced, and secured by digital tech companies. Cloud computing and other digital services offer opportunities for belligerents to coordinate and carry out a wide array of military activities, including the management of troop movements, military fuel and spare parts, and medical supplies. As this paper discusses, some of these military activities might make some of this digital infrastructure lawfully targetable under international humanitarian law (IHL), but some of these activities, such as medical services, would be protected from attack.1

The urbanization of warfare—the phenomenon of parties increasingly fighting in urban areas where civilians bear the brunt of the hostilities—is another factor pulling the tech sector into armed conflicts due to the interconnected presence and density of the sector’s hardware, software, network infrastructure, and services.2 Additionally, many States are, in times of peace, developing national cyber security strategies reliant on a backbone built of private-public partnerships that will presumably carry over into times of war.3 Through these or other close partnerships, tech companies may find themselves—whether voluntarily or out of a legal obligation—working with States that are parties to an armed conflict.

Also consider that unwitting civilians risk being exposed to harm when, for example, one side of an armed conflict targets a company’s products or services that both civilians and the adversary rely on. Given the ubiquity of digital services in our daily lives, cyberspace’s interconnected uses by civilians and militaries expose civilian populations to the harms of “digital crossfire,” including harms that IHL—a body of law that regulates who and what is protected from the hostilities of warring parties—aims to avoid or minimize but may not entirely prohibit.

This paper’s premise is that as tech companies increase their involvement in armed conflict, the legal implications they face under IHL also rise. Recognizing that cyberspace spans the globe with little concern for geography and borders, Section II discusses how this reality affects the applicability of IHL’s principles and rules relating to tech company employees and properties. From there, the section explains the protections IHL affords to the employees and properties of tech companies operating in situations of armed conflict and when, in exceptional circumstances, those protections might be lost. Section III moves on to discuss how IHL addresses situations where civilians and civilian objects get caught in the “digital crossfire” when they are reliant on, or located in proximity to, tech companies involved in armed conflict.

While parties to an armed conflict are the ones primarily responsible for complying with IHL, Section IV concludes with practical recommendations for companies to take to minimize risks to their employees, property, and surrounding civilians and civilian objects, including civilian infrastructure. These recommendations build on the United Nations Guiding Principles on Business and Human Rights4 as well as the United Nations-mandated Working Group on Business and Human Rights, which places an emphasis on companies adopting conflict-sensitive approaches and heightened due diligence to identify, prevent, mitigate, and account for how businesses address their adverse impacts.5

With its focus on IHL, this paper does not address situations where tech companies are providing digital services outside the context of an armed conflict, including activities that are unrelated to an armed conflict even when they occur in the territory where an armed conflict is taking place. Conclusions drawn from this paper therefore are not applicable to the provision of digital services that are not linked to an armed conflict.6

II. Private Technology Companies Under IHL

A. Applicability of IHL and Geographic Considerations

International humanitarian law is a body of international law that applies to, and only to, situations of “armed conflict,” which is a legal term with precise legal definitions.7 More specifically, IHL regulates the behavior of parties to armed conflict by placing limits on their means and methods of warfare and by providing various protections to the civilian population and others. The limits and protections reflect a balance between the principles of humanity and military necessity, with the object and purpose of IHL being to limit the suffering caused by war and to alleviate its effects.8 This balance shapes the context in which IHL’s rules and other principles (such as distinction, proportionality, and precautions) must be interpreted.9 Each of these principles is elaborated on below. But, in summary, the principle of distinction prohibits directing attacks at civilians and civilian objects, and requires limiting attacks to combatants and military objects, provided the attacks comply with other rules and principles of IHL.10 The proportionality principle prohibits attacks that are expected to cause civilian harm that is excessive in relation to the concrete and direct military advantage anticipated.11 And the principle of precaution obligates belligerents to take all feasible precautions to avoid, or at least minimize, incidental civilian harm from attacks.12 It also obligates parties to do everything feasible to protect civilians and civilian objects under their control from the effects of an adversary’s attack.13

States, academics, and others have heatedly debated whether IHL applies to belligerents conducting cyber operations in armed conflict. The emerging consensus is that it does. Notably, in 2021, States collectively agreed it was time to start assessing “how” and “when” IHL applies rather than isolate the discussion only to “whether” it applies.14 There nonetheless remain other important questions around IHL’s applicability to consider. Notably for the cyber context, IHL’s applicability is often said to extend to the entirety of the territory of the State (or States) where an armed conflict is taking place.15 This means that IHL’s principles and rules on what is protected from attack would apply to tech company employees and properties located in the territory of such States. While the remaining sections of this paper relate to tech companies operating under these circumstances, cyberspace networks span the globe with little concern for geography and borders. A tech company with employees and property located in the territory of a State not party to an armed conflict may therefore be capable of providing goods and services in the territory of a State where an armed conflict exists. This can include providing goods and services in support of the warring parties. In such situations, the question arises whether IHL is the proper body of international law to regulate whether and how those employees and property are protected from being attacked.

This paper does not address this question in detail. Suffice it to say that it will primarily be the jus ad bellum—the body of international law regulating the resort to use of force between States—that determines if a State is prohibited or not from taking such action against a tech company located in a non-belligerent State (i.e., a State not party to an armed conflict). Under this body of law, a State is prohibited from using force against another State without its consent.16 The only exceptions to this rule are if the U.N. Security Council authorizes the use of force or when a State can make a claim to act on its inherent right to self-defense against an “armed attack.”17 Some States debate whether a cyber operation can ever amount to an “armed attack.” For those States that agree that it can, they often point out that any action taken in self-defense must be necessary and proportionate.18

Debates also exist over whether a State may ever claim a right to self-defense in response to the acts of non-state groups that are unattributable to another State. There is additional controversy over the requisite organizational attributes of such groups and, moreover, whether a single individual could ever engage in acts that could provide a legitimate claim to self-defense.19 These legal issues are of course directly relevant to the foundational question of whether the acts of private tech company employees located in a non-belligerent State could ever make them or the properties of their company potential targets in the name of self-defense.

Whatever the answer is to that legal question, there remain legal and other considerations to take into account. Private individuals, including tech company employees, located in a non-belligerent State who support one side of an armed conflict or harm the other side still have the potential to cause significant foreign relations consequences, even if their actions cannot trigger claims of self-defense. These could include undesired and escalatory diplomatic exchanges between States, claims that the hosting State is breaching the law of neutrality for not ceasing a tech company’s support to a party to an armed conflict, law enforcement responses such as criminal charges against the employee and extradition requests, and economic sanctions against a company and its employees.

Consider also what happens if—whether lawfully or not under the jus ad bellum—a State takes action against a tech company located in a non-belligerent State. If this action constitutes a resort to armed force as understood under IHL, then IHL will become applicable. That standard—“resort to armed force”—is the standard that brings into existence an international armed conflict as defined under Article 2 common to the four 1949 Geneva Conventions and, as such, IHL would then regulate that use of force (and any subsequent hostilities) by virtue of it being part of the new international armed conflict.20 Under this interpretation, the resort to armed force (whether through kinetic or through another type of operation that would amount to this standard) against a tech company’s employees or properties, even if located in a non-belligerent State, would then have to comply with IHL, and in particular with its principles and rules of distinction, proportionality, and precaution.

Having just touched on the topic of IHL, the remainder of this paper explores additional IHL implications that arise when a tech company’s employees and properties are located in a State where an armed conflict is taking place.

B. IHL Implications for Tech Companies Operating in Armed Conflicts

A quick internet search of job openings at Amazon, Google, Huawei, Meta, Microsoft, and Yandex illustrates who big tech companies employ.21 They include people who work in hardware and software development, incident response, marketing, retail, security and support services, and many other fields. It would similarly be impossible to provide an exhaustive list of all the types of properties tech companies own and operate. They might include office buildings, production factories, warehouses, and the land they are built on; the personal computers, printers, desks, and company delivery trucks used by employees; and company routers, modems, fiber optic cables, and other hardware, software, network infrastructure, and data.

It is helpful to parse out tech companies in this way because many of IHL’s most foundational principles and rules relate to people and objects. Most notably, IHL affords civilians and civilian objects protection against direct attack by parties to armed conflict. In contrast, parties to an armed conflict are not prohibited from directing attacks against combatants and military objectives,22 provided other applicable principles and rules of IHL are complied with.23 Paired together, these two rules form IHL’s cardinal principle of distinction. Whether that protection from attack is afforded to the employees and properties of a private tech company, therefore, generally boils down to assessing whether its employees and any pieces of property qualify as “civilians” and “civilian objects” under IHL, respectively.

1. Company employees and direct participation in hostilities.

Generally, tech company employees qualify as civilians and therefore must not be attacked. That is true because the employees usually are not members of a State’s armed forces; their company is not regarded as “belonging to a party to an armed conflict,”24 and they are not directly participating in hostilities (DPH). If, however, exceptional circumstances arise where an employee falls into any one of these three categories, they may no longer be protected from attack. Tech companies and their employees need to be aware of all three categories, but this paper focuses only on the issue of DPH.

Civilians were never meant to directly participate in hostilities on behalf of a party to an armed conflict.25 But history has repeatedly shown that they nonetheless do.26 In response to the untenable result of civilians participating in hostilities while being legally shielded against being attacked, Article 51(3) of Additional Protocol I, which reflects customary international law applicable in international and non-international armed conflict, codified as treaty law the rule that civilians shall be protected against attack “unless and for such time as they take a direct part in hostilities.”27 The questions then arise: what constitutes direct participation in hostilities, and how is it applied to a civilian tech company employee engaging in activities related to an armed conflict?

In 2003, the International Committee of the Red Cross (ICRC) and T.M.C. Asser Institute initiated a project to help clarify the contours of DPH. The project consisted of expert consultations spanning six years. During that time, the experts discussed countless operational contexts and scenarios, including DPH’s relationship to cyberspace. Experts considered, for example, whether civilians should lose their protection against attack when making use of electronic means with the aim of diminishing the military capacity of an adversary (this was specifically in reference to “computer network attacks (CNA)”);28 when electronically seizing control over remotely guided weapons, weapons carriers, or computer networks used by the adversary;29 when providing, gathering, analyzing, and transmitting intelligence data through unauthorized access to computer networks used by an adversary;30 and when electronically depriving an adversary access to financial assets or resources by seizing control over bank accounts and cash reserves.31

After the consultations concluded, the ICRC published its Interpretive Guidance on the matter in 2009.32 According to that guidance and as echoed by certain States,33 determining whether a civilian is engaging in DPH requires applying a precise and purposefully narrow three-part cumulative test.

1. The act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack (known as the “threshold of harm” criterion);

2. There must be a direct causal link between the act and the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part (known as the “direct causation” criterion); and

3. The act must be specifically designed to directly cause the required threshold of harm in support of a party to the armed conflict and to the detriment of another (known as the “belligerent nexus” criterion).

When all three criteria are cumulatively met, the consequences are significant. Notably, the civilian—who otherwise had unconditional protection from attack—loses that protection for such time as they are engaging in DPH. Another consequence is that when a civilian engages in DPH they expose proximate civilians and civilian objects to risks of incidental harm that IHL aims to avoid or at least minimize but may not fully prohibit.34

Given that the object and purpose of IHL is to limit the suffering caused by war and to alleviate its effects, the three DPH criteria were narrowly tailored to reflect, as one expert put it, that “not everything beneficial to the military is DPH.”35 As an illustration, the group of experts who gathered to write the Tallinn Manual 2.0 on International Law Applicable to Cyber Operations (Tallinn Manual 2.0) agreed that “designing malware and making it openly available online, even if it may be used by someone involved in the conflict to conduct an attack” does not constitute DPH.36 The Tallinn experts drew the same conclusion for “maintaining computer equipment generally, even if such equipment is subsequently used in the hostilities.”37 But it is equally true that civilian activities in or through cyberspace may qualify as DPH.

Threshold of harm criterion

The first criterion listed in the DPH guidance—the “threshold of harm” criterion—requires that “the act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack.”38 Adverse effects on military operations or capacity are not confined to killing or injuring people or damaging objects. They may include, for example, adverse effects on troop movements, logistics, and communications.39 It is also regularly accepted that the requisite harm may be met through offensive and defensive activities.40 The DPH Guidance also explained that “[e]lectronic interference with military computer networks could also suffice, whether through computer network attacks (CNA) or computer network exploitation (CNE), as well as wiretapping the adversary’s high command or transmitting tactical targeting information for an attack.”41

In the cyber context, given the proliferation of tools that civilians now have access to and the ease with which they can cause disruptions, the DPH criteria demand scrupulous application. For example, the threshold of harm criterion requires causing a concrete impact on enemy operations or activities. Otherwise, it cannot be said to be “adversely affecting” them.42

The fact that the threshold of harm criterion will “generally be satisfied regardless of quantitative gravity,” provided it is expected to cause harm “of a specifically military nature,”43 also demands applying narrow interpretations of the other two criteria and the temporal element of the notion of DPH. In other words, for the DPH test to retain its protective value, its other criteria and elements must be restrictively interpreted. Beyond this, it could be advisable for States to clarify whether a specific threshold of harm for adverse military effects should be part of the criterion, or whether other limiting factors should be defined, especially given the unique nature of cyberspace.44

Direct causation criterion

The second DPH criterion is “direct causation.” This means there “must be a direct causal link between the act and the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part.”45 How this criterion is interpreted matters deeply for tech company employees because they may engage in acts that have varying degrees of directness to any harm they may cause. For example, an employee might conduct routine and generic cyber hygiene that prevents a party to an armed conflict from conducting a cyber operation against a computer system. Or, they might share intelligence with a party to an armed conflict about a specific military cyber operation being conducted by the other side. An employee might also directly remove a specific military cyber threat from a specific system or network that the employee is paid to defend. An employee might even be allowed to carry out an offensive cyber operation on a system controlled by a party to the conflict.

Whether a tech company employee carries out any of these or other activities, the ICRC Interpretive Guidance takes the position that the direct causation criterion should be understood as meaning that the harm in question must be brought about in “one causal step.”46 The guidance also explains that in the case of collective military operations, for an act to meet the direct causation criterion, it must be an “integral part” of a “coordinated military operation” that directly causes harm. The DPH experts discussed the choice of the term “integral” at length, with its proponents emphasizing that “integral part” should be interpreted narrowly to include only those acts that would “have to be an actual ‘part of’ and not merely a ‘contribution to’” an operation.47 The guidance explains that the criterion would be met if an act is an integral part of a concrete and coordinated tactical operation that directly causes the threshold of harm in one causal step.48

Applying this criterion correctly is particularly relevant to the tech sector because of the strong public-private cybersecurity partnerships that are being built on the premise that the private sector should inform the public sector about cyber threats so that the public sector can neutralize them. Every case will need to be assessed on its facts. Only under the exceptional circumstances set out above would intelligence-sharing fulfill the direct causation criterion. For example, the criterion has been interpreted to encompass gathering and passing intelligence on enemy operations provided that this gathering and transmission of information is integral to a specific cyber operation and that the operation causes the threshold of harm.49 Conversely, the DPH experts generally agreed “that civilians merely answering questions asked by passing military personnel could not be considered as directly participating in hostilities.”50 Though the experts were not discussing cyber-related intelligence sharing, it should be deduced from this that providing generalized information to a party to an armed conflict relating to, for example, cyber hygiene or other such information that is not an integral part of a concrete and coordinated military operation that directly causes the threshold of harm, would not qualify.51

Belligerent nexus criterion

The third DPH criterion—known as the “belligerent nexus” criterion—requires that the act must be “specifically designed” to directly cause the required harm in support of a party to the armed conflict and to the detriment of another. The rule reflects IHL treaty law, which describes the term “hostilities” and individual “attacks” as activities that are directed at “injuring the enemy” and “against the adversary,” respectively.52 On that basis, the DPH guidance takes care to point out that this criterion would not be met if, for example, a large group of refugees or other fleeing civilians inadvertently blocked an access road used by the military. The guidance explains that such conduct lacks a belligerent nexus because it is not “specifically designed to support one party to the conflict by causing harm to another.”53

The guidance also specifies that civilians do not lose their protection from attack when they are “totally unaware of the role they are playing in the conduct of hostilities” or when their acts are conducted in “self-defense or in defense of others against violence prohibited under IHL.”54 Such self-defense includes, for example, the use of necessary and proportionate force by civilians “to defend themselves against unlawful attack or looting, rape, and murder by marauding” where its purpose “clearly is not to support a party to the conflict against another.”55 When civilians engage in such acts, similar to the blocked road example above, the acts do not meet the “specifically designed” element of the belligerent nexus threshold and, therefore, do not meet the criterion. Mačák provides compelling justifications for why it is so important that this is the end result:

There is a wide range of situations, in which reporting the position of the enemy to the authorities is a normal (i.e., non-hostile) civilian conduct, which should not be construed as an act leading to the person’s targetability. Otherwise, for instance, internally displaced persons arriving in camps would not be able to tell their stories to the government authorities if they contained information on the location of enemy forces – or a civilian air traffic controller could not report the approach of enemy military aircraft in the course of her work – without becoming targetable under IHL.56

Understanding the limits of the belligerent nexus criterion is important when applying it to the cyber context. The ubiquity of digital goods and services in the everyday lives of people living in situations of armed conflict and their interconnected use by civilians and militaries means that the employees of digital tech companies may inadvertently engage in acts that harm one party to an armed conflict while supporting its adversary. Such inadvertent harm may be caused when an employee defends against an unlawful attack against civilian networks in a necessary and proportionate manner; or when an employee is unable to attribute a cyber-attack but flags it nonetheless to a party to the armed conflict, not knowing that doing so would have a direct adverse effect on the opposition’s military operation.57 In both cases, applying the same logic as above, the belligerent nexus would not be met and the employee would not lose their protection from attack.

There remains, however, the challenge of how parties to armed conflict and tech company employees are to apply these considerations in practice. For example, when a tech company employee engages in defensive cyber activities without knowing that they will adversely affect the military cyber operations of a party to an armed conflict, how is that party to distinguish the employee’s activity from activities with similar effects that were “specifically designed” to support one party of an armed conflict and be to the detriment of the other side? And if a tech company employee is told to engage only in self-defense cyber activities to protect civilians, how will the employee know whether the portion of a network used by civilians that they are responsible for defending might be a lawful target because it is being simultaneously used by a party to the armed conflict in a manner that makes it qualify as a military objective? How are parties to armed conflict and tech company employees supposed to act in such instances of uncertainty? Here are four considerations:

1) The ICRC guidance says that the determination of the belligerent nexus must be “based on information reasonably available to the person called on to make the determination, but they must always be deduced from objectively verifiable factors.”58 To avoid error or misapplication of DPH, it is therefore helpful for States to provide guidance that instructs their military cyber operators what those factors might be. 2) There is also the rule of IHL that in cases of doubt, a civilian must be presumed to be protected against direct attack.59 3) Additionally, for legal, operational, humanitarian, and policy considerations, parties to an armed conflict could decide to direct their operations only against objects, such as networks or computers that would fulfill the definition of “military objectives” because of their use in military operations, rather than targeting persons and risking erroneous DPH assessments that could result in civilian death and injury.60 All of these legal obligations and policy options offer important safeguards to shield civilians from losing the protections that IHL intends to afford them. 4) And, as Section IV shows, there are additional proactive measures tech companies can take to further clarify when their employees are not engaging in DPH.

Temporary loss of protection

In the exceptional instances when the three narrowly construed DPH criteria are met, loss of protection lasts only “for such time” as the civilian engages in DPH.61 This reflects IHL’s fundamental principle of military necessity, which precludes engaging in hostile acts that provide no military value. How this temporal element applies to tech company employees engaging in DPH will therefore naturally reflect the duration of the employee’s DPH activities. This means that loss of protection could differ between employees who engage in tasks that constitute DPH for long periods of time compared to employees who are only given specific tasks that constitute DPH for short durations.

Similar to the three criteria, the ICRC guidance interprets this temporal element narrowly, such that protection from attack is lost only during specific acts of DPH (which includes “measures preparatory to the execution of such an act, as well as the deployment to and return from the location of its execution, where they constitute an integral part of such a specific act or operation”)62 and regained in moments in between. Some have criticized this approach for unfairly creating a “revolving door” that allows civilians who repeatedly engage in DPH to regain their protection too easily. Critics say this places civilians who engage in DPH on “a better footing than lawful combatants.”63 In response to this concern, some argue that a civilian who repeatedly participates in hostilities is targetable until such participation permanently ceases.64

The implication of such an expansive interpretation of the temporal element of DPH is that a tech company employee who engages in DPH, even if only infrequently during a work week from their office, might lose protection from attack not only while they engage in those specific acts of DPH, but also continuously from morning to night and at home for an extended time period.65 This result would reduce the temporal element of DPH to being almost meaningless in most cases; and the legal distinction that IHL intentionally makes between civilians who temporarily lose protection and other individuals who continuously lose protection would all but evaporate.66 This outcome is why the guidance explains that this revolving door is “an integral part, not a malfunction, of IHL. It prevents attacks on civilians who do not, at the time, represent a military threat.”67 In summation, while the application of the temporal element of DPH to tech company employees will hinge on the operational realities of their tasks, it is equally clear that an expansive interpretation of “for such time” would expose civilian tech workers to attack during the times when IHL intended them to be protected civilians.

The use of artificial intelligence and autonomy in cyber capabilities may raise additional temporal factors to consider. For example, an employee might activate automated tasks or autonomous systems that patch vulnerabilities or find vulnerabilities to exploit. These tasks may then persist without requiring the employee to take any further active role. If activating such tasks qualifies as DPH, does the employee’s loss of protection conclude at the conclusion of the task, or at the end of the employee’s active role in the task? It has been persuasively argued that the end of DPH is dependent on the end of the worker’s active role and not on the duration of the task. The reasoning for this is that after the worker ends their active role there is no longer a justification for targeting them because they are no longer directly participating in the activity.68

Concluding considerations

The cyber context illustrates that there remains room for States to provide further clarity on the contours of DPH.69 But it remains true that parties to armed conflict must comply with their obligations under IHL, including the principle of distinction when it comes to tech company employees. This means adhering to the purposefully narrowly formulated DPH criteria so as not to mislabel protected civilians as civilians who may be attacked. It means complying with IHL’s obligation to do everything feasible to verify whether a civilian has lost protection from attack.70 When situations of doubt arise as to whether a civilian is engaging in DPH, it also means presuming they are not doing so.71 As will be discussed in Section III, adherence to these principles and rules of IHL also helps reduce “digital crossfire” that puts other civilians at risk of being incidentally harmed. Finally, as set out in Section IV, there are also measures tech companies can take—and may be obligated to take—to advance IHL’s aim to protect civilians against dangers arising from military operations.

2. Company properties, civilian objects, and military objectives.

This part focuses on how the principles and rules of IHL protect the properties of private digital tech companies. The principles and rules most relevant to this discussion are those prohibiting attacks against civilian objects and regulating those against military objectives.72 Recall from above that the properties of a tech company might include offices, factories, warehouses, computers, printers, desks, routers, modems, fiber optic cables, and other hardware, software, network infrastructure, and data. Given the vastness of these properties, companies have considerable interest in understanding how IHL applies to their properties when operating in the context of an armed conflict. One expert has gone so far as to foreshadow that cyber operations “misattributed to innocent civilian assets and systems makes distinction of means far more important than distinction of personnel launching attacks.”73

Under the principle of distinction, IHL prohibits attacks directed against civilian objects but does not prohibit attacks against military objectives.74 In so far as objects are concerned, military objectives are “limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose partial or total destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.”75 Determining whether a piece of tech company property qualifies as a military objective requires that it be assessed against this definition. When it comes to “objects,” if a piece of property does not fall within the scope of the definition of a “military objective” then IHL regards it as a “civilian object” and, as such, prohibits attacks from being directed at it.76 If it does fall within the definition, it may be attacked, provided other principles and rules of IHL are complied with.77

Loss of protection has consequences that extend beyond the tech companies. This is also important for the companies to keep in mind. Military objectives, when targeted, expose proximate civilians and civilian objects to risks of incidental harm that IHL may not prohibit. For example, if a piece of tech company property qualifies as a “military objective” it may still be targeted in some circumstances even if civilians rely on it to receive essential services.78

All of these consequences demand a clear understanding of how to assess whether, and if so which, piece or pieces of tech company property qualify as a civilian object or military objective.

A “military objective” is not meant to refer to the general or abstract objective of a military action (e.g., its aim, purpose, or goal), but—as far as company properties are concerned—it relates to specifically identifiable pieces of a company property that may be targetable (e.g., specific buildings and computer hardware, and arguably also software).79 It would also be inaccurate to assess a company, as a whole, as a military objective. A company is an abstract legal entity and not an “object” as understood by IHL. And even if some company buildings or other assets qualify as military objectives, this will usually not be the case for all of a company’s properties. It is very unlikely that a company’s total property will qualify as a military objective. This may be the case only if every one of its pieces of property fulfills the definition of a military objective.80 The Tallinn Manual 2.0 put a particular emphasis on this point, pointing out that “an entire computer network does not necessarily qualify as a military objective based on the mere fact that an individual router so qualifies;” and that in the context of social media platforms used for military purposes, “their military use does not mean that Facebook or Twitter as such may be targeted; only those components thereof used for military purposes may be attacked,”81 provided they meet the definition of military objective.

When judged in light of the definition of a military objective, objects that tech companies own that are exclusively used for civilian purposes do not fall within the scope of the definition. IHL would prohibit, for example, an attack against objects that exclusively maintain the operating system of a water treatment facility that constitutes a civilian object.82 International humanitarian law would also prohibit attacking objects that exclusively provide services to specifically protected entities under IHL, such as hospitals.83 It is also well-accepted under IHL that objects do not constitute military objectives when they merely generate support for the war effort or boost civilian morale and nothing more. Such objects owned and operated by social media companies would therefore benefit from that same protection.84

A more complex example is where a piece of tech company property (e.g., computer consoles) is used to defend against an unlawful military operation against the civilian population. In the author’s view, if such a piece of property were used solely to protect the civilian population from such an attack and caused no harm other than thwarting the operation, it would be absurd for that property to qualify as a military objective. Such a result would imply that the use of civilian property solely to defend a civilian population against unlawful attacks would constitute an “effective contribution to military action” and that destroying it would provide a military advantage. This result is plainly antithetical to the principle of distinction, which prohibits attacking civilians and civilian objects precisely because they do not contribute to military action and their destruction offers no military advantage. Similarly, it is not enough to claim that any piece of tech company property used by the military is a military objective. Networks used by the military for personal or other non-military use would not qualify as military objectives if they do not make an effective contribution to military action or when attacking them provides no military advantage.85

On the other hand, examples of pieces of tech company property that may qualify as military objectives include specific pieces of cyber infrastructure that provide a party to an armed conflict command and control capabilities for military operations,86 surveillance,87 or intelligence sharing platforms.88 For an object to qualify as a military objective, it does not matter who the object belongs to; it therefore does not matter if the piece of property in question is owned by the State or a private company.89 The Tallinn Manual experts similarly agreed that a factory that produces hardware or software under contract to the enemy’s armed forces would also constitute a military objective; a position this author agrees with provided the factory fulfills the full definition of military objective and the hardware or software is not, for example, used for detainee management or military medical services.90

It also does not matter whether the object is used offensively or defensively for it to qualify as a military objective. Tech company computers used to repel military cyber intruders that have entered an adversary’s network and tech company computers used to plant malware into a military’s operating system could both qualify as a military objective if they met the definition. A piece of property may also constitute a military objective due to its relationship with another military objective. A scenario can be imagined where a cyber-attack is directed at a privately owned civilian aviation air traffic control tower that the enemy military temporarily uses to enable offensive air operations. In this example, the air traffic control tower might qualify as a military objective because of its “use” in relation to other military objectives, namely the enemy fighter jets.

The protections that IHL affords tech company property may also have to be assessed in situations where civilians and the military are mutually reliant on the same piece of property. These can be difficult cases to assess, but they can be a common feature in today’s armed conflicts due to the intertwined and unsegregated nature of military and civilian networks.91 Imagine the case of a company that runs a single server that detects and deters malware on civilian and military operating systems. This carries certain risks for the company since under IHL such a server may constitute a military objective despite it also providing services to civilians.92 “Dual-use” services could similarly arise when a tech company enables the functioning of infrastructure that provides power to the civilian population and a military base. If a party determines that the power provides an effective contribution to its enemy’s military action and that a power cut would provide it with a definite military advantage, and provided other principles and rules of IHL are complied with, it may decide to attack the electric grid or the utility company with air power, with no consequence for the tech company. But it also may decide to direct an attack against relevant pieces of the tech company if this accomplishes the same effect as the power cut.93

The shared use of cyberspace by civilians and militaries also highlights the importance of ensuring that an assessment of whether an object is a military objective must be based on whether the object’s destruction, capture, or neutralization provides a direct military advantage determined by the circumstances ruling at the time. To illustrate this point, the Tallinn Manual 2.0 uses the example of a civilian air traffic control system that is temporarily used for military purposes before returning to be used exclusively for civilians. While the system may have qualified as a military objective whilst used by the military, Tallinn Manual 2.0 explains that it ceased being so once it returned to providing exclusively civilian functions.94

As seen, “military objective” is a legal term of art with a dynamic definition. The interconnectivity between cyber space, tech company goods and services, and those living and operating in situations of armed conflict—whether as civilians or opposing militaries—may produce complex environments that make it particularly important to determine whether pieces of tech company property are protected from attack or whether some of them may qualify as a military objective. Though not covered in this paper, this operational landscape is made more complex by legal debates over what constitutes an “attack” under IHL and what protections IHL affords data.95 Because of these complexities, it will be important that parties to armed conflict comply with their obligations under the principle of distinction as well as their related obligation to do everything feasible to verify whether an object qualifies as a military objective.96 Given the potential for military objectives to revert back to civilian objects,97 these assessments and verifications cannot be one-offs, but must be valid based on the circumstances ruling at the time. And when situations of doubt arise as to whether an object normally dedicated to civilian purposes is being used to make an effective contribution to military action, it must be presumed as not doing so.98 Additionally, as discussed in Section III below, parties to armed conflict must comply with IHL’s prohibition on indiscriminate and disproportionate attacks and its obligations to take all feasible precautions to avoid or at least minimize incidental civilian harm, which includes damage to civilian objects. Finally, and as discussed in Section IV, tech companies can and should take—and may be obligated to take—steps that reduce risks to themselves and surrounding civilians.

3. Relationship between company employees and properties.

To further understand the implications that arise under the principle of distinction when tech companies operate in situations of armed conflict, it is helpful to examine how IHL treats employees who use pieces of company property that qualify as military objectives. It is similarly helpful to examine how the law treats company property that employees use when they are engaged in DPH. There is nothing particularly unique about these symbiotic relationships between people and objects when applied to tech companies in wartime. But examining their legal relationship demonstrates that we must not conflate the two distinct tests for determining when tech company employees and pieces of company property lose their protection against attack.

To demonstrate this point, take the example of a tech company building where employees are contracted to develop military cyber weapons to be used by a party to an armed conflict. It is widely agreed that a factory that produces munitions for a party to the conflict may be liable to attack because it qualifies as a military objective as the munitions factory makes an effective contribution to military action and its destruction would offer a definite military advantage.99 The same then could be said of the building where the cyber weapons are being developed. At the same time, however, it is generally agreed upon and State practice demonstrates that the civilian workers making the munitions are not engaging in DPH.100 The same reasoning applies to the tech company employees producing the cyber weapons. As long as the production of the weapons is not an integral part of a specific concrete and coordinated military operation that directly causes the harm, they would not meet the DPH direct causality criterion.101

It is also possible to test the proposition that an object does not necessarily qualify as a military objective when a civilian is using it to engage in DPH. Imagine the case of a tech company employee who is engaging in DPH when using a dedicated company server to design bespoke malware to disrupt a command-and-control system being used by a party to the armed conflict. In these circumstances, it would be reasonable to conclude the server is making “an effective contribution to military action.”102 The server would, therefore, meet the first element of the definition of a military objective. But that is only one part of the analysis. The partial or total destruction, capture or neutralization of the server must also be expected to offer a “definite military advantage” in the circumstances ruling at the time.103 This is where cyberspace’s unique quality of resiliency through redundancy amplifies the importance of the second part of the definition. Let us say the employee’s company has server redundancy and the employee is able to continue designing the malware uninterrupted when the primary server is attacked. The question then arises whether an attack against the server could be expected to yield a definite military advantage when the employee continues to operate unimpeded. If such advantage cannot be expected, then the server would not qualify as a military objective.104

III. Exposing Civilians to “Digital Crossfire”

When tech companies operate in situations of armed conflict, it is not only their employees and property that may face the dangers of attack. This paper touched on this issue above in its discussion around “dual-use” military objectives. It is worth expanding on. The intermingled and interconnected relationship that tech companies have with civilian populations may also expose the latter to the harms of digital crossfire, in particular harms that IHL aims to avoid or minimize but may not prohibit. Such harm might be caused by a kinetic airstrike that incidentally kills or injures civilians or damages or destroys civilian objects located in close physical proximity to a tech company building that qualifies as a military objective. Similarly, incidental civilian harm might result from a belligerent cyber-attack aimed at damaging tech company infrastructure that both supports the belligerent’s adversary and is necessary for providing essential services to the civilian population through digital means.105

This conclusion may seem counterintuitive to IHL’s aim to ensure respect for and protection of the civilian population and civilian objects in situations of armed conflict.106 But it is equally true that IHL tolerates a certain degree of incidental civilian harm, in particular when attacks are directed at military objectives and persons who are not protected against attack, including civilians engaging in DPH. Provided that parties fulfil all their IHL obligations, in particular to take all feasible precautions to avoid, or at least minimize, incidental death and injury of civilians and damage to civilian objects (hereafter referred to collectively as “incidental civilian harm”),107 an attack may not be prohibited if the incidental civilian harm is not expected to be “excessive” in relation to the attack’s anticipated concrete and direct military advantage.108 This is why a company’s involvement in an armed conflict runs a risk of exposing civilians and civilian objects to dangers they otherwise may not face. It is also another reason why interpretations of DPH and “military objective” matter so much. Broad interpretations of these terms would lead to more people and objects being regarded as lawful targets, which increases the potential for civilians to get caught in digital crossfires. Conversely, narrow interpretations reduce the number of lawful targets, which reduces that risk.

The tolerance that IHL has for incidental civilian harm must not, however, be overstated. States wrote IHL’s rules against indiscriminate attacks and its principles and rules of precaution and proportionality in purposefully broad and protective terms. States have widely agreed that these same principles and rules apply to cyber-attacks in situations of armed conflict.109 By way of example, an indiscriminate cyber-attack is one that is not directed at a specific military objective, employs a method or means of combat which cannot be directed at a specific military objective, or employs a method or means of combat the effects of which cannot be limited as required by international humanitarian law.110 Setting loose a “worm” (a self-replicating or self-propagating computer program) that damages anything it encounters with the hope that it eventually damages an adversary’s computer network would, therefore, be prohibited as an indiscriminate attack under IHL.111 International humanitarian law would also arguably regard as indiscriminate (and in any case violating the obligations of precautions, discussed below) an attack damaging a cloud server that co-locates its services to civilians and a military adversary, provided that it would be feasible to have instead attacked clearly separated and distinct parts of the server that constituted military objectives.112

The principles and rules of precaution and proportionality provide additional guardrails in IHL that further aim to avoid, or at least minimize, incidental civilian harm. The ICRC has taken the view that when applying the obligations of precaution and proportionality, all foreseeable incidental civilian harm—both direct and indirect—must be considered.113 This is a position States generally agree with.114 Direct civilian harm relates to consequences that are directly and immediately caused by a cyber-attack. All other civilian harm is considered indirect harm; sometimes referred to as the “reverberating” effects of an attack.115 For example, if it is reasonably expected that a cyber-attack against a commercial satellite used by the military will also result in damage to merchant vessels and civil aircraft that rely on it, all feasible precautions must be taken to avoid, or at least minimize that damage. If those harms cannot be avoided, that damage must be part of the proportionality assessment to ensure the attack is not disproportionate.116 And if the attack is expected to be disproportionate, it cannot go forward.117

The standard for assessing incidental civilian harm is based on an ex-ante standard of “foreseeability.”118 Importantly, the principles and rules of precaution and proportionality do not place geographic or temporal limits on the incidental civilian harm that parties to an armed conflict must take into account.119 Even transborder harm that is expected to occur in non-belligerent States needs to be accounted for.120 In comparison, the “military advantage” that is weighed against incidental civilian harm under the proportionality principle is that which is “concrete and direct,” meaning it has a narrower scope. The drafting history of Additional Protocol I shows that these terms were used to confine military advantage to that harm which is “substantial and relatively close, and that advantages which are hardly perceptible and those which would only appear in the long term should be disregarded.”121 The expected military advantage assessed therefore cannot be merely speculative. The tolerance IHL has for civilian harm also hinges on what qualifies as “damage” to civilian objects and what protections IHL affords civilian “data.” Without addressing those two definitional issues further, suffice it to say that narrow protective interpretations will allow for greater civilian harm, whereas broader protective interpretations tolerate less.122

IV. Recommendations to Companies: Train, Assess, Mitigate, Inform

Having set out some of the legal implications that arise when tech companies provide digital goods and services in situations of armed conflict, this paper concludes by offering recommendations for those tech companies to consider. The assumption behind these recommendations is that alongside parties to armed conflict, these companies can and should play a role in protecting civilians and civilian objects against the dangers of cyber and other military operations.

While only a short initial exploration, these recommendations build off of the United Nations Guiding Principles on Business and Human Rights and the emphasis that the UN-mandated Working Group on Business and Human Rights places on the need for companies to adopt conflict-sensitive approaches and heightened due diligence to identify, prevent, mitigate, and account for how they address their adverse impacts.123 Some of these recommendations may in fact reflect legal obligations or liabilities that companies already have under national laws. At the same time, if a tech company does not follow this paper’s recommendations, this would not absolve the warring parties from complying with their obligations under IHL, in particular, the prohibition against directing attacks against protected civilians and objects, the prohibition against indiscriminate and disproportionate attacks, and the obligation to take all feasible precautions to avoid or minimize incidental civilian harm, as well as the obligation to do everything feasible to protect civilians and civilian objects under their control from the effects of an adversary’s attack.124

A. IHL Knowledge and Understanding

Company decision-makers should familiarize themselves with necessary understandings of IHL as they relate, in particular, to the notion of “direct participation in hostilities,” “attacks,” “military objectives,” and “civilian objects.”125 This could be accomplished through IHL training programs that help them understand the implications that the basic rules and principles of IHL have for their company’s activities in situations of armed conflict. States could also promote this educational measure as part of their obligation to encourage the teaching of IHL and to ensure respect for IHL.126 Having this understanding and knowledge of IHL will be key for company policy makers and lawyers to conduct IHL assessments and make proper use of their findings, which is the next recommendation.

B. IHL Protection Assessments

For tech companies to understand some of the most consequential IHL implications of their activities, companies should audit or otherwise assess whether any of their employees are engaging in DPH and whether any of their properties qualify as military objectives. Doing so may be particularly relevant for companies that support critical infrastructure, own communications and cloud computing services, provide cyber defense services, and design and produce other cyber tools and capabilities that may be used militarily in situations of armed conflict.

C. Risk Mitigation Measures

If a company wants to retain IHL’s legal protections against attack for its employees and properties, it should ensure its employees do not engage in DPH and that its properties do not qualify as military objectives.

While it is the obligation of belligerents to do everything feasible to verify that their targets are military objectives, companies that engage solely in civilian activities could also consider making information about those activities available to warring parties. This might help prevent targeting errors and mitigate civilian harm by countering misunderstandings over whether a company’s employees or any of its properties are liable to attack by belligerents.

Companies engaged solely in civilian activities could also make available to warring parties information about incidental civilian harm that may be directly or indirectly caused by a belligerent attack. Parties to an armed conflict would be legally obligated to take this information into account to ensure their attacks are not disproportionate. This information also helps warring parties assess what precautionary measures to take to avoid or minimize civilian harm.

While there are urgent humanitarian and practical reasons why civilians, including private company employees, should not engage in DPH,127 if a company nonetheless employs workers to engage in DPH, those employees must comply with relevant rules of IHL.128 Notably, for example, civilians are liable under international criminal law if their acts constitute violations of IHL that amount to war crimes.129

To minimize incidental civilian harm, these companies may also need to act consistently with IHL’s rules on taking precautions against the effects of attack.130 The rule requires parties to take all feasible measures, even in peacetime, to avoid placing civilians who are under their control in harm’s way. It is a rule based on the simple notion that civilians are safest when not exposed to the dangers of conflict. One way a tech company could avoid putting civilians in harm’s way could be to segment the goods and services it provides to militaries from those used by civilians to reduce the risk of incidental civilian harm.131

D. Inform Workers and Customers

This paper has explained that the decisions a tech company makes about the goods and services it provides in situations of armed conflict have the potential to place its employees, its civilian customers, and other proximate civilians in harm’s way. Companies should therefore, at a minimum, be transparent and alert employees of potential worker safety risks they might face when performing tasks that may qualify as DPH or working in facilities that may qualify as military objectives. Companies should also, as much as possible, be transparent about the incidental harms their civilian customers and other proximate civilians might face when those companies’ digital goods or services are being used in armed conflict.

V. Conclusion

It is the parties to an armed conflict that are primarily responsible for complying with IHL, which includes protecting civilians from harm, whether the harm arrives through digital or more conventional means. At the same time, the ubiquity of the digital environment is increasingly bringing tech companies into contact with the realities of war. As companies find themselves involved in armed conflicts, and the lives of people living through those conflicts, they will have to decide how to navigate this space. To do this, IHL provides rules of the road that companies will need to be familiar with. IHL offers protections to a company’s civilian employees and properties from attack. But it is also the choices of a company that can influence when those protections may cease and when civilians may be exposed to the crossfire of armed conflict.

This paper focuses on when and how those protections apply and when and how those protections may be lost, in particular in the narrow and exceptional circumstances when employees are engaging in DPH and when pieces of company property qualify as military objectives. The paper also reminds us how that loss of protection may put surrounding civilians and civilian objects at risk of incidental harm that IHL aims to avoid or minimize but may not prohibit. This paper further demonstrates that broad interpretations of DPH and “military objective” hold the potential to significantly expand the number of targets on the battlefield, both in the physical world and in cyberspace, and correspondingly expand the risk of collateral damage further, beyond the object and purpose of IHL.

Finally, this paper recommends to tech companies operating in conflict environments that they should familiarize themselves with IHL; assess the IHL implications of their activities; develop policies aimed at mitigating harm to workers, properties, and surrounding civilians; and inform workers, civilian customers, and other proximate civilians about dangers they might face. These recommendations, which are additional to the obligations that IHL places on parties to armed conflicts, offer a path that can help digital tech companies support the fundamental humanitarian aim of IHL to protect civilians and civilian objects from the dangers of armed conflict.