@Tedwellstood, as always you raise some really good points, as well as some interesting examples. I absolutely agree with you, and in previous posts have written that cyber weapons are being used (not to mention being used extremely effectively), and I don’t see this changing any time soon. In-fact, with the economy of scale and nations reliance on ICT infrastructure, military organisations would be naive not to embrace cyber weapons as priority offensive and defence capability. As we have both highlighted, the Israeli attack on Syria (OP Orchard) has ‘general’ consensus by the international community as an intentional and tactical cyber attack, and my argument would be: How is this any different than an air to surface missile (such as the Israel Popeye prototype) destroying the air defence systems (a cyber platform was used in place of conventional platform, infrastructure and loss of life was reduced (from the attacker perspective), and it was deemed a proportionate response by the aggressor?
The Geneva Convention ties into the Law of Armed Conflict (that I addressed above) and yes it does state that indiscriminate attacks cannot be conducted against civilian targets and populations. Targets need to be military or military objectives in nature, so for example, destroying an (civilian) oil refinery that is used to fuel aircraft is potentially a perfectly acceptable target, if open war has been declared. Civilian casualties are not prohibited under international law (and are at times unavoidable) however need to be minimised and proportionate to the objective — this has caused debate, highlighted by the conflict between Israelis and Palestinians. So although legal doctrine currently exists and is specific enough to address particular aspects (i.e. chemical and biological weapons being against human right) , legal interpretation and flexibility exists, and potential abuse can take place.
Another illustration, a cyber attack that is deployed to cripple a nations financial or power distribution infrastructure (that enables their armed forces), may have a somewhat indiscriminate impact on civil matters, denying the population to basic necessities such as access to warmth or food for example. This however could be deemed perfectly legal and proportionate in regards to a cyber attack, but illegal if the infrastructure were disabled through conventional means. Aspects such as direct loss of life or infrastructure damage would be taken into consideration, and as there are limited case studies to establish an international ‘legal norm’ it is hard to say what stance the international community would take.
The Tallinn Manual is a promising move forward to acknowledging cyber warfare in the realm of modern conflict, however the weakness here is that a large portion of critical parties still need to come to the table and ratify the document. Similarly the US and Russia have make moves in establishing governance (interesting read) over cyber conflict, again not establishing itself in the same esteem as the Geneva Convention.
My follow on, or take away from this would be that perhaps something major needs to take place before all parties come together and establish sound legal practice and regulation on cyber warfare, just like the various amendments of the Geneva Convention were established after major conflicts throughout history (WW1 and WW2). Regardless, with the reliance of ICT in the modern world, there is no doubt that solid and agreed regulation on how cyber warfare can be implemented need to be established. Conventional limitations should be reflected for cyber weapons, regardless of perceived impact and loss of life, a hospital should not be the target of a cyber attack in the same way it cannot be targeted by conventional weapons. But this needs to be its own document, as the delineation on ICT damage and physical damage has too much variance or room for interpretation.
The conundrum that is faced here is not unique in the military context; regulation with privacy, big data and international commerce is also struggling to keep the pace with developments in ICT. One would hope that given the implications in such a field (armed conflict) it will prompt major governments and the UN to establish something sooner rather than later, or will this simply be a resulting product after our first full scale cyber war?