Taylor Grossman is a Senior Researcher in the Cyberdefence Project with the Risk and Resilience Team at the Center for Security Studies (CSS) at ETH Zurich. She is also a nonresident scholar with the Technology and International Affairs Program at the Carnegie Endowment for International Peace, and an Editor with Binding Hook, an ECCRI organization. Her other research interests include cyber norm development, ethics of war, and bureaucratic politics in national security decision making. She holds an MPhil in International Relations from the University of Oxford and a B.A. in Political Science from Stanford University.

‍

Twitter

This paper seeks to address the following research question: how can we assess the undesired consequences and harm to civilians and civilian objects of cyber effect operations? And what guidelines can be developed to minimize the undesired collateral consequences of these operations? The primary focus will be on cyber effects operations conducted during an armed conflict, although the framework and guidelines developed may also be further adapted to situations outside of armed conflict.

Current collateral damage assessment frameworks were built for kinetic operations (See, for example, “Allied Joint Doctrine for Joint Targeting” 2021, 1–2; “Law of War Manual” 2015, 1011; “USAF Intelligence Targeting Guide” 1998). Although some have been adjusted to try and incorporate cyber operations, traditional assessment tools do not consider the inherent differences of cyber operations (Romanosky and Goldman 2017; Schmitt 2014; Kreps and Schneider 2019; Dam, Lin, and Owens 2009).

The relationship between the spatial area of damage and collateral damage is more complex for cyberattacks as compared to kinetic attacks (Smeets and Lin 2018). Indeed, offensive cyber capabilities do not have the same kind of restrictions as a nuclear missile or conventional bomb; their effects can be selectively distributed in and across (a geographical) space whilst potentially remaining distinctive and targeted (Smeets and Lin 2018). Furthermore, cyber operations can be reversed in ways kinetic strikes cannot, making long-term strategic outcomes more difficult to accurately measure (Rowe 2010).

A targeted cyberattack also requires a thorough understanding of the enemy’s network and IT infrastructure, which is often difficult to generate in the context of an ongoing armed conflict when time is scarce and attack tempos are raised. Conducting a cyber effects operation that minimizes collateral damage requires specific technical and policy considerations (Bellovin, Landau, and Lin 2017). Finally, establishing and quantifying the harms caused by cyber operations can prove difficult. Traditional military doctrine defines collateral damage in terms of casualties, and physical damage / destruction caused by operational activities (See, for example, “Allied Joint Doctrine for Joint Targeting” 2021). While some cyber effects operations create physical harms, other operations result in more nebulous consequences, including data destruction or manipulation, connectivity disruption, and identity exposure. No clear consensus exists on whether these activities constitute collateral damage if they affect civilians or civilian objects (Romanosky and Goldman 2017; Schmitt 2014).

This paper proposes to develop an initial framework for assessing the (un)desired consequences of civilian harm caused by cyber effects operations. In section one, this paper will review existing assessment mechanisms in the kinetic realm for assessing collateral damage. In section two, this paper will develop specific considerations for assessing consequences of civilian harm in the case of cyber effect operations. In section three, the paper will propose a preliminary assessment matrix. Finally, in section four, the paper will briefly apply the assessment matrix to several short case studies of cyber effects operations.