Hamiltonian Journal
Code and Conflict: Rethinking the Law of Armed Conflict in Cyber Age
Share On:
In the twenty-first century, the tools of war extend beyond physical force and conventional weapons. Advances in cyberwarfare technology have escalated the scope and scale of malicious activities, evolving from petty website defacements and intellectual property theft to significant direct threats against critical infrastructure. The constant improvement of artificial intelligence (AI) adds another dimension to cyberwarfare tactics. The proliferability, destructivity, and dual-use nature of AI-enabled cyber offensives raise concerns about the ability of malicious actors to threaten the well-being, privacy, and safety of civilian populations. However, many legal precedents in warfare stem from conventional conflict and have yet to incorporate international standards and norms that address the current challenges cyber capabilities pose. This is a matter of high importance, as malicious actors have already begun to justify the use of AI-enhanced cyberwarfare tactics to conduct harmful actions against civilian populations, thereby undermining international legal principles.
With few binding legal agreements on cyberwarfare in the law of armed conflict (LOAC), customary international law (CIL) is a flexible means for states to develop new, enforceable LOAC mechanisms on cyber operations. To hold malicious states legally accountable for any cyber operations against civilian infrastructure, the United States should lead by example by revising military regulations in its Law of War Manual. This would help set the standard for new CIL restrictions and guidelines for cyberattacks in war. It is particularly important to properly categorize certain dual-use objects as necessary to civilian populations and thus prevent them from becoming military targets. This eliminates legal ambiguity, often exploited by malicious states to justify cyberattacks on civilian populations, and codifies norms into an enforceable legal framework. The establishment of a new CIL, preempted by an updated U.S. Law of War Manual that classifies essential dual-use critical infrastructure as protected from cyberattacks, would shape international cyber behavior to safeguard civilian populations in the United States and around the world in the next era of warfare.
History of the Law of Armed Conflict
Just War Theory forms the philosophical foundation of international law. With its origins in the sixth century, Just War Theory established ethical standards for the enactment and conduct of war through two primary components: jus ad bellum and jus in bello. Jus ad bellum describes the conditions upon which a state can justify war or the use of armed forces. [1] In contemporary international law, jus ad bellum prohibits the use of force except in cases to maintain or restore international peace or security. [2] Jus in bello governs wartime conduct and seeks to minimize suffering by protecting and assisting civilian victims in armed conflicts. [3]
Proportionality is a key principle for the application of jus ad bellum and jus in bello to the LOAC. When assessing the credibility of jus ad bellum claims, measuring proportionality gauges whether resorting to force is permissible. In jus in bello, proportionality guidelines prohibit the infliction of excessive harm, such as through nuclear and chemical weapons, and ensures the protection of civilians and other protected persons. [4] After the Second World War, the Geneva Conventions sought to distinguish between civilians and combatants, as well as between civilian locations and military ones. [5] In a recent application of these principles to cyberspace, a United Nations (UN) Group of Governmental Experts (GGE) specializing in cyberwarfare and international security, from twenty-five countries, including major cyber powers such as the United States, United Kingdom, Russia, and China, worked to establish international consensus on norms for cyber conduct. The GGE affirmed in 2015 the LOAC’s fundamental principles of proportionality, necessity, human dignity, and distinction in cyberspace. [6] Moreover, in their 2021 final report, the GGE recommended several norms to strengthen cyber defenses and eliminate cyberattacks on critical infrastructure that provides services to the public. [7] While norms are critical to international cooperation on cybersecurity, they do not provide an enforceable legal framework and do relatively little to deter aggressive actors who exploit ambiguity.
While international treaties remain fixed and slow to adapt, customary international law evolves gradually yet dynamically by codifying binding legal norms through state practice and legal consensus. Given the limited treaties on cyber, CIL is immensely valuable in international law through its enforceable mechanism of opinion juris, the obligation of a state to uphold legal customs on the international stage. [8] Translating international norms into CIL permits states to use evolving norms shaped by emerging challenges “as evidence of a general practice accepted as law” and further integrate them with established legal principles and laws. [9] Furthermore, its adaptability crucially addresses the emerging legal issue of cyberattacks on dual-use objects, which remains underdeveloped in the LOAC. Given the fast rise of cyber warfare tactics and technology, state behavior is of great significance and influence, particularly the identity of the state who seeks to form a new CIL.
Cyberattacks on dual-use critical infrastructure expose a legal ambiguity: the binary distinction of critical infrastructure as either a civilian or military target. Such equivocality renders civilians vulnerable to disproportionate harm and complicates the application of the LOAC. Furthermore, the digital and borderless nature of cyberspace often hinders detection and attribution, obscuring the jurisdiction of international law and the LOAC that rely on comparisons to conventional kinetic warfare. As a result, foundational LOAC principles are increasingly difficult to uphold and enforce, raising urgent questions about protecting civilians and dedicated civilian infrastructure while preserving international law in an era of complex and high-tech conflict.
Emergence of AI-Enabled Cyber Warfare in Active Military Operations
The integration of AI into cyberwarfare has increased the destructive capability and proliferability of cyberwarfare. Classical cyberattacks were manual, predictable, and required human intervention for offense and defense. Automated and iterative AI-enabled cyberattacks exponentially increase both efficiency and volume. [10] In 2024, the United Kingdom’s National Cyber Security Center (NCSC) reported a threefold increase in major cyberattacks compared to the previous year and identified the People’s Republic of China (PRC), Russia, Iran, and North Korea as highly capable state actors employing AI-enabled cyberwarfare. [11] Before 2022, many of these cyberattacks functioned as coercive tactics under the threshold of acts of war, falling into the category of gray zone aggression. The Russian invasion of Ukraine, however, marked the beginning of an integration of cyber capabilities into active military operations.
The conduct of the Russia-Ukraine War demands an unprecedented application of the LOAC to active cyber warfare military operations. Prior to its ground invasion, Russia fired the first shots in cyberspace by conducting a cyber campaign to set the stage for its kinetic operations. Russian cyber actors intended to cripple critical dual-use infrastructure such as Ukrainian government networks, ViaSat KA-SAT network, and energy grids. [12] The invasion thus became known as the “world’s first full-scale cyberwar.” [13] Before and during the invasion in February 2022, the Google Threat Analysis Group “observed more destructive cyberattacks in Ukraine during the first four months of 2022 than in the previous eight years, with attacks peaking around the start of the invasion.” [14] Russia continues to target critical infrastructure; there was a 70 percent increase in cyberattacks in 2024 where attackers aimed to steal sensitive data and disrupt civilian operations. [15]
Russia’s targeted cyberattacks on dual-use infrastructure exemplify the erosion of distinction and proportionality, the two central pillars of the Just War Theory and the LOAC. Unlike traditional military strikes, cyberattacks lack clear international definitions such as assessments of the point at which a cyber operation can justify a kinetic response or whether data qualifies as a civilian object. These attacks not only demonstrate the intent of malicious state actors to target civilian critical infrastructure, but a complete lack of regard for international voluntary norms that they helped establish one year prior at the UN GGE. As cyberwarfare continues to evolve, the absence of binding legal frameworks amplifies the risks of unchecked escalation, thereby necessitating the development of enforceable legal frameworks to address the emerging cyber threats to critical infrastructure.
Cyberwarfare’s Legal Implications
These new AI-enabled cyber operations challenge traditional definitions of distinction in warfare. According to the U.S. Law of War Manual, there are either military or civilian assets and nothing in between. [16] Military forces may redesignate civilian objects as military targets if those objects make an “effective contribution to the warfighting or war-sustaining capability of an opposing force.” [17] The ambiguity of this legal definition invites exploitation by state actors to legitimize cyberattacks on dual-use infrastructure under the guise of military necessity. In December 2024, for example, Russian hackers attacked Kyivstar, Ukraine’s largest telecommunications provider, and both disabled access for nearly twenty-four million customers and destroyed more than 10,000 computers and 4,000 servers, including cloud storage and backup systems. [18] Although civilian in nature, Kyivstar’s partial support for Ukrainian military communications allowed attackers to justify the strike under existing LOAC interpretations. This justification is further complicated by Ukraine’s use of Diia, a government app installed on over 70 percent of Ukrainian smartphones, which allows civilians to provide real-time intelligence to the Ukrainian military by reporting enemy troop movements. [19] Additionally, Ukraine has an “IT Army” of more than 400,000 civilian volunteers who work with the Defense Ministry to engage in offensive cyberattack campaigns against the Russian economy by blocking government services, infrastructure, and private companies. [20] These circumstances demonstrate the increasing blur between civilian and military boundaries. By exploiting these unsettled and equivocal definitions, malicious actors like Russia mask unlawful attacks as legally permissible, even according to the U.S. Department of Defense’s Law of War Manual, and thereby undermine both the principle of distinction and the protection of civilian life in modern conflict. [21]
Russia’s cyberattacks on dual-use infrastructure set a legal precedent for future wars, especially to other aggressive and expansionist authoritarian regimes. The PRC holds similar objectives to those of Russian cyber operatives targeting Ukraine. [22] The PRC assists Russia’s cyberspace operations by sharing malware, exploit kits, and AI-enhanced cyberwarfare tactics, as well as participating in joint cyber operations. [23] Moreover, the U.S. Director of National Intelligence designated the PRC as the most active and persistent cyber threat to the United States with planned, aggressive cyber operations meant to impede decision-making, induce societal panic, and interfere with the deployment of U.S. military forces in the event of war. [24] In these attacks against the United States, the PRC would utilize AI to conduct major cyberattacks against military and civilian targets for political and military purposes. [25] Crucially, the PRC has begun preparing for this scenario by conducting four cyber operations against the United States since 2023 to compromise U.S. dual-use critical infrastructure with preparatory implants for future destructive cyberattacks. [26] The United States must therefore not only prepare militarily for the event of a Chinese cyberattack on critical infrastructure but also establish enforceable legal frameworks to outlaw such attacks, including those Russia currently conducts in Ukraine.
By failing to solve the legal ambiguity normalizing cyberattacks on dual-use objects, the United States not only legitimizes Russia’s disproportionate harm against Ukrainian civilians, but it also gives the PRC a legal pretext to cripple societies and inflict mass harm on civilians before a single shot is ever fired.
Conclusion
The developments in cyberwarfare capabilities and the unclear legal designation of dual-use targets threaten the principles guiding international law. The gap in legal frameworks addressing these emerging threats calls for urgent action to minimize harm to civilians and attacks against dual-use critical infrastructure. In the absence of international consensus, states will establish legal precedents for cyberattacks in war through actions taken on the battlefield. As a leader in shaping international norms and as one of the world’s most powerful cyber powers, the United States should address this legal gap proactively by updating the Department of Defense’s Law of War Manual, specifically the section on dual-use objects in cyber operations. In so doing, the United States would shape CIL by codifying cyber-related proportionality norms in its own legal regulation of conduct in war. It should also revise its principle of proportionality in war to provide exemptions for dual-use objects that are “genuinely indispensable to the survival of the noncombatant population,” even if their destruction may provide a military advantage. [27] Some examples of “genuinely indispensable” dual-use objects could include water systems, energy supplies, medical services, and certain critical digital services. Moreover, sparing civilian infrastructure in war significantly reduces the risk of collateral damage, thus satisfying the principles of proportionality and distinction.
By facilitating the adoption of this new CIL, the United States serves both its moral and national security interests. This effort to reform international legal precedent reflects democratic values rather than allow for revisionist adversaries like the PRC and Russia to normalize cyberattacks against civilian infrastructure that they could weaponize for their aggressive and expansionist goals. Moreover, initiating the process to codify and enforce these international laws would guard against the PRC ostensibly justifying their planned cyber offensives against U.S. critical infrastructure that are indispensable to civilian wellbeing. The United States should also pursue diplomatic initiatives to formalize revisions to the U.S. Law of War Manual in agreements with allies such as those in NATO and the Quad. Through implementing revisions to its Law of War Manual and facilitating its adoption by allies, the United States will formulate a new international CIL on cyber operations that will preemptively outlaw any future Chinese cyberattacks on U.S. dual-use critical infrastructure.
Ultimately, if the United States codifies these stricter legal standards on cyberattacks against civilian infrastructure in its own military doctrine, it will not only strengthen its own commitment to minimizing harm to civilians but also facilitate the formation of this new CIL that holds all states accountable for cyberattacks on dual-use critical infrastructure. This would turn legal norms into binding international expectations, even in the absence of a formal treaty. Without U.S. leadership, cyberattacks on civilian critical infrastructure will not remain legal gray area — they will become the blueprint for future wars.
Nathan Lee ’24 served as an Officer of the AHS chapter at Baylor University, where he earned a B.A. in Political Science.
Notes:
[1] Olivia Chidera Maduabuchi, et al, “Epistemic Implications of St. Thomas Aquinas’ Just War Theory on Global Peace,” in Open Journal of Philosophy, 8 Aug. 2023, https:// www.scirp.org/pdf/ojpp_2023080714135527.pdf
[2] “United Nations Charter, Chapter VII: Action with Respect to Threats to the Peace, Breaches of the Peace, and Acts of Aggression,” United Nations, 26 Jun. 1945. https://www.un.org/en/about-us/un-charter/chapter-7
[3] United Nations General Assembly, 2005 World Summit Outcome, UN Doc A/RES/60/1, 24 Oct. 2005
[4] U.S. Department of Defense, Office of General Counsel. Department of Defense Law of War Manual, June 2015, updated July 2023, § 2.4. https://media.defense.gov/2023/Jul/31/2003271432/-1/-1/0/DOD-LAW-OF-WAR-MANUAL-JUNE-2015-UPDATED-JULY%202023.PDF
[5] “The Geneva Conventions and their Commentaries,” International Committee of the Red Cross, 1949, https://www.icrc.org/en/law-and-policy/geneva-conventions-and-their-commentaries
[6] Brian J. Egan, “International Law and Stability in Cyberspace,” 35 Berkeley Journal of International Law, 169 (2017)
[7] United Nations, “Report of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security,” A/76/135, 14 July 2021
[8] “Customary International Law: Research Guides & Background Information,” Duke Law School, https://law.duke.edu/ilrt/cust_law_2.htm#:~:text=International%20Legal%20Research& text=Customary%20international%20law%20%E2%80%9C…,a%20significant%20number%20of%20States
[9] Statute of the International Court of Justice, art. 38, June 26, 1945, 59 Stat. 1031, T.S. No. 993
[10] “The near-term impact of AI on the cyber threat,” United Kingdom National Cyber Security Center, 24 Jan. 2024, https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat#section_1
[11] “Annual Review 2024,” United Kingdom National Cyber Security Center, 2 Dec. 2024, https://www.ncsc.gov.uk/files/NCSC_Annual_Review_2024.pdf
[12] Nedelcho Mihaylov, “Cyber Dimensions of a Hybrid Warfare,” CyberPeace Institute, 8 Apr. 2025, https://cyberpeaceinstitute.org/news/cyber-dimensions-of-a-hybrid-warfare/
[13] “Significant Cyber Incidents Since 2006,” Center for Strategic & International Studies
[14] Shane Huntley. “Fog of war: how the Ukraine conflict transformed the cyber threat landscape.” Google Threat Analysis Group, 16 Feb. 2023. https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/
[15] “Significant Cyber Incidents since 2006”
[16] United States Department of Defense, § 5.6.1.2
[17] United States Department of Defense. § 5.6.6.2
[18] Mercedes Sapuppo, “Ukrainian telecoms hack highlights cyber dangers of Russia’s invasion,” Atlantic Council, 20 Dec. 2023, https://www.atlanticcouncil.org/blogs/ukrainealert/ukrainian-telecoms-hack-highlights-cyber-dangers-of-russias-invasion/
[19] Grace Jones, et al., “Advancing in Adversity: Ukraine’s Battlefield Technologies and Lessons for the U.S,” Belfer Center for Science and International Affairs, Harvard Kennedy School, 31 July 2023, https://www.belfercenter.org/publication/advancing-adversity-ukraines-battlefield-technologies-and-lessons-us
[20] Henrik Larsen, “Ukrainian Lessons: Civilian Tech Transforms the Battlefield,” Center for European Policy Analysis, 3 Oct. 2024, https://cepa.org/article/ukrainian-lessons-civilian-tech-transforms-the-battlefield/
[21] United States Department of Defense. § 5.6.6.2
[22] “Annual Threat Assessment of the U.S. Intelligence Community,” Office of the Director of National Intelligence, 5 Feb. 2024
[23] Evan Morgan, “Eroding Global Stability: The Cybersecurity Strategies of China, Russia, North Korea, and Iran,” Irregular Warfare Initiative, 1 Aug. 2024, https://irregularwarfare.org/articles/eroding-global-stability-the-cybersecurity-strategies-of-china-russia-north-korea-and-iran/
[24] “Annual Threat Assessment of the U.S. Intelligence Community,” Office of the Director of National Intelligence, 5 Feb. 2024
[25] Ciaran Martin, “Typhoons in Cyberspace,” The Royal United Services Institute for
Defence and Security Studies, 20 March 2025, https://www.rusi.org/explore-our-research/ publications/commentary/typhoons-cyberspace
[26] Chris Jaikaran, “Cybersecurity: Selected Cyberattacks, 2012-2024,” Congressional Research Service, 8 Jan. 2025, https://crsreports.congress.gov/product/pdf/R/R46974
[27] Henry Shue and David Wippman, “Limiting Attacks on Dual-Use Facilities Performing Indispensable Civilian Functions,” Cornell International Law Journal, Vol. 35: Iss. 3, Article 7, 2002, http://scholarship.law.cornell.edu/cilj/vol35/iss3/7
Image: “Corporal Stephen Hornbeck, field radio operator, Weapons Company,1st Battalion, 7th Marine Regiment, and a native of Chicago, works on satellite communication during a mission in Helmand province, Afghanistan, May 12, 2014. The company disrupted Taliban fighters to aid in the retrograde of Sturga II, a British base northeast of Lashkar Gah,” by Cpl. Joseph Scanlan, retrieved from https://commons.wikimedia.org/wiki/File:Satellite_Silhouette_(14098692230).jpg. This file is a work of a United States Marine or employee, taken or made as part of that person’s official duties. As a work of the U.S. federal government, it is in the public domain.