The basic rule of the law of war is enshrined in AP I article 48, according which,

in order to ensure respect for and protection of the civilian population and civilian objects, the Parties to the conflict shall at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly shall direct their operations only against military objectives.

The principle of distinction is further clarified in AP I Chapters II and III, dealing with the protection of civilians and civilian population (articles 50 and 51), and with the protection of civilian objects (articles 52 to 56), respectively.


According to article 52 (2), attacks shall be limited strictly to military objectives, which are further described as objects which by their nature, location, purpose or use offer a definite military advantage by means of their total or partial destruction, capture or neutralisation.According to a research paper by Banks, US Air Force Major,

‘the principle of military necessity (sic) presents a less thorny issue. Simply stated, the intended target must have military value and receive only enough force to ensure its destruction. From a targeting standpoint, the information warrior –like any other military commander– can easily avoid war crimes charges if he or she refrains from choosing purely civilian objectives: Stock exchanges, banking systems, universities, and similar civilian infrastructures may not be attacked simply because a belligerent has the ability to do so.’

His argument, however, presents some ‘major’ flaws too, as he obviously confuses the principle of distinction with that of military necessity, applying the latter in an erroneous way.

The bedrock IHL rule of distinction is particularly hard to be applied in today’s interconnected computer networks which render the line distinguishing between civilian and military targets particularly blurred.

The reason for that is that military objectives which can be attacked and civilian objects which must be respected are both based on SCADA, Supervisory Control and Data Acquisition systems, as the latter control power, water and other complex networks, which support simultaneously civilian and military uses.

Kelsey correctly argues that ‘while the legality of potential cyber attacks will often be clear, the nonlethal potential of cyber warfare may lead to more frequent violations of the principle of distinction than in conventional warfare’.

Naturally, this civilian-military intermingling raises a further problem associated with modern warfare, as it further exacerbates the difficulty in dealing with dual-use targets.

Nevertheless, it has to be admitted that the NATO bombardment of the Serbian media station RTS in Kosovo resulting in 16 casualties could easily have been bloodless had it been effectuated via a cyber attack.


The principle of distinction between combatants and civilians is further clarified by AP I article 43, defining the term ‘armed forces’.According to article 43 (2) ‘members of the armed forces of a Party to a conflict are combatants, that is to say, they have the right to participate directly in hostilities’.

Who are the ‘civilians’ then? Article 50 uses a negative definition to describe that civilians are simply all the persons which do not belong in the category of the combatants and of the prisoners of war (POWs).

Watts has composed a sixty-page legal assessment on the ‘current’ legal framework of the cyber-combatant status, concluding that lawyers from military, humanitarian and academic backgrounds all resort to the Geneva Conventions’ criteria in order to evaluate lawful participation in cyber-hostilities, which results in the ‘current applications of accepted legal standards for combatants status to suffer detachment from reality’.

Aldrich raises an interesting point:

‘If teenage hackers in the enemy’s country unilaterally decide to aid their government by creating havoc through their use of computers, do they become fair game for attack by the opposition?’

This paper answers that they could potentially fit in the levée en masse category, according to article 4 A (6) of the third Geneva Convention, to whom a POW status is granted:

Inhabitants of a non-occupied territory, who on the approach of the enemy spontaneously take up arms to resist the invading forces, without having had time to form themselves into regular armed units, provided they carry arms openly and respect the laws and customs of war.

However, certain –rather obvious- practical issues are raised when this definition is applied in a cyber conflict. How can someone ‘carry arms openly’ in a computer network attack? Would it suffice e.g. for script kiddies to just attach a signature in the ready-made worm they attack the enemy networks with?

The most fundamental problem when trying to apply the existent IHL definitions to ‘cyber combatants’ is the intrinsic difficulty –if not inability- for them to ‘carry their arms openly’, as the combatants defined by IHL are obliged to do at all times. It is acknowledged that failure to do so results in them not only in them losing their combatant privilege in case they are captured, but also in their acts being characterised as perfidious, stumbling upon another IHL principle, the prohibition of perfidy.

‘A civilian is any person who does not belong to one of the categories of persons referred to in Article 4 (A) (1), (2), (3) and (6) of the Third Convention and in Article 43 of this Protocol.’