KIMS Periscope No. 332
Cyberwarfare and the Maritime Domain
ICRC Regional Resource Network, Asia Pacific
Head of ICRC Mission in Seoul
Malicious cyber measures encountered in the maritime domain range from simple criminality, through terrorism, to attacks in the context of armed conflicts. Cyber operations within the context of an armed conflict may also affect civilian shipping, and in an armed conflict, the employment of cyber operations is subject to international humanitarian law (IHL).
Cyber operations during armed conflict risk harming civilians by disrupting infrastructure and services essential to civilians, and this is equally applicable at sea. Armed forces often use civilian digital infrastructure, exposing them to risk of attack during armed conflicts. For example, civilian satellite navigation systems could be disrupted by cyber-attacks, causing major impacts not only to navies but also to relief operations of humanitarian workers. Moreover, the continued digitization of civilian maritime and military naval platforms, for example the use of uncrewed maritime systems, creates further vulnerabilities to cyber-attacks.
The wider Asia-Pacific, which is home to around 60% of the world’s population and the future home of the world’s largest economic powers, is also an area where tensions (including tensions in the maritime domain) proliferate. According to an IBM report, the Asia-Pacific region was the region that suffered the most cyber ‘attacks’ in 2022 for the second consecutive year, accounting for 31% of all incidents remediated worldwide. Cyber operations against critical infrastructure enabling the delivery of essential services for the civilian population and telecommunications can result in serious disruptions. Many States in the region or operating therein have known cyber capabilities and are also known to be expanding this capability rapidly (both for offensive and defensive purposes).
There is no reason to think that this will not also focus on the maritime domain wherein the military and civilians operate, with the latter encompassing both government and private civilian components. International law, which includes IHL, regulates the conduct of Parties to armed conflicts in the maritime domain as it does in all other domains. Means and methods of warfare have changed dramatically since the 19th century but at the forefront of warfare, the ‘age-old’ strategy to defeat an enemy without firing a single ‘shot’ is married with warfare through newer digital means.
Warfare through digital means, or cyber warfare, is increasingly filling the minds of planners and executors of military operations in all domains, as all domains are linked to the cyber domain. Cyber capabilities include influencing, degrading, or destroying an enemy’s cyber abilities; ‘blinding’ an enemy through jamming or overloading sensors, weapon direction capabilities and communications; deceiving an enemy through spoofing or disinformation fed through digital means; gaining access to digital infrastructure to see what enemies see, think, plan, know, and more.
A Party to a conflict may employ only such means and methods of warfare as would comply with the rules of IHL and specifically those regulating the conduct of hostilities. Existing IHL rules already offer strong protection by imposing important limits on cyber operations, but the nature of cyberspace poses challenges for interpretation. There is a need for States to work towards understanding how IHL applies in the cyber domain. Cyber warfare is expected to play an ever-increasing role in naval warfare, and States need to continue their exchanges and develop a common understanding on the rules that regulate cyber operations during armed conflicts, including those at sea.
During armed conflicts, IHL obliges belligerents to distinguish between the civilian population and combatants and between civilian objects and military objectives. The possible targets of cyber operations in the maritime domain could include military objectives such as warships, naval auxiliaries, military aircraft, and military naval coastal installations. It is possible that civilian merchant vessels may find themselves liable to capture during armed conflict at sea and as such they could be subjected to cyber measures in the process of effecting that capture. In the strictly defined and limited instances where the enemy’s use of civilian objects in the maritime domain is such that they may fulfil the definition of a military objective within the meaning of IHL, they may be subjected to attacks through cyber operations too, although these cyber measures must be in accordance with the rules and principles governing the conduct of hostilities, notably distinction, proportionality, and precautions.
In circumstances where the use of civilian sealift capability is such that it qualifies to be classified as a military objective within the meaning of IHL, it may put civilian operators and crews at risk of losing their protection from direct attack or they may be incidentally harmed. A direct contribution to an enemy’s war fighting efforts would carry the most risk and it is to be expected that any merchant shipping contracted to support the war fighting efforts of a belligerent could become the subject of not only kinetic attack, but also cyber operations.
Associated infrastructure such as ports, roadsteads, and terminals and the digital infrastructure necessary to sustain an adversary’s military operations may equally become the focus area of a belligerent’s cyber activities. As vessels have become increasingly digitised and data-linked, a cyber operation may be used to affect systems of a ship that ensure its safe passage such as stability and ballast systems, the rudder and engines, and various systems on board that are relied upon for safe navigation and operation.
The degradation of a vessel’s navigation capabilities or the jamming or spoofing of its Global Positioning System (GPS) or Automatic Identification Systems (AIS) is another area that has emerged as the object of cyber operations. To make a vessel seem what it is not, or be present where it is not, or to appear that it is not present where it actually is, has multiple possible applications and utilities for a belligerent and risks to an opposing belligerent. Uncertainty and degradation of the location data of civilian maritime shipping risks the inability of maritime and aeronautical search and rescue coordinators to assist a vessel in distress, while planners and executors of naval operations may not be aware of the presence of protected objects or persons in the vicinity of intended military operations. A civilian object may be inadvertently targeted, damaged, or destroyed as an unintended consequence due to the inaccuracy or falsification of location and identification information.
While more clarity is needed on the notion of attack under IHL in the context of cyber, it is generally agreed that cyber operations (also in the maritime domain) that result in physical damage would qualify as an attack that could trigger the application of IHL. Whether the mere loss of functionality would have similar effects remains to be determined. Certain types of data such as data related to objects indispensable to the survival of the civilian population are subject to specific protection under IHL. The assertion that deleting or tampering with such essential civilian data would not be prohibited by IHL in today’s data-reliant world seems difficult to reconcile with the objective and purpose of IHL. Logically, the replacement of paper files and documents with digital files in the form of data should not decrease the protection that IHL affords to them. Excluding essential civilian data from the protection afforded by IHL to civilian objects would risk resulting in an important protection gap.
When considering incidental civilian harm in the maritime domain resulting from cyber operations that qualify as attacks under IHL, all reasonably foreseeable direct and indirect harm must be considered, including – for example – the degradation of infrastructure or systems required for continued safe civilian maritime operations for vessels, which is not directly and immediately caused by the cyber operation, but is nevertheless the product thereof. IHL affords strong protection provided that the rules and principles, notably those on distinction, proportionality, and precautions, are applied in good faith. IHL is of critical importance in guiding lawful cyber-operations during armed conflicts including in the maritime domain.
Against this backdrop, the International Committee of the Red Cross (ICRC) is conscious that the exact limits that IHL imposes on cyber operations during armed conflicts remain subject to different views. Hence, collaboration with States, notably with military and cyber experts, is crucial when it comes to addressing the humanitarian consequences posed by cyber means of warfare. If cyber capabilities are used in situations of armed conflict, notably in the maritime domain, civilians must remain protected by the principles of IHL.
The ICRC engages with States and militaries to allow a dialogue and raise questions to identify limits on cyber operations. As a neutral, impartial, and independent humanitarian organisation, the ICRC was mandated by the community of States to save lives and protect the dignity of people affected by armed conflicts. With regard to the maritime domain and cyber, it aims to ensure that cyber operations do not expose critical civilian infrastructure and civilian populations to additional harm. The ICRC is committed to dialogue and the exchange of experience and perspectives on these matters. We also support States in their endeavour to further study – nationally and internationally – how and when IHL applies to cyber operations in the maritime domain.
André Smit is the Regional Legal Adviser for Maritime Matters (Asia Pacific) at the International Committee of the Red Cross Regional Resource Network for Asia Pacific in Bangkok.
Jamila Hammami is the Head of Delegation of the International Committee of the Red Cross Delegation in Seoul.
- THE HINDU BUREAU, “IBM report says Asia-Pacific region faced the brunt of cyberattacks in 2022; manufacturing industry most targeted.” The Hindu. February 22, 2023.
- Bart Hogeveen, “The Future of Cyber Warfare in the Indo-Pacific”, January 13, 2023.
- Laurent Gisel, Tilman Rodenhäuser, Knut Dörmann, “Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts.” The ICRC, March 2021.
The opinions expressed in this article are the author’s own and do not reflect the view of KIMS.