On 31 October 2024, the International Conference of the Red Cross and Red Crescent adopted an unprecedented resolution on protecting civilians against the potential human cost of digital activities during armed conflicts. This post offers a critical appraisal of the resolution’s main aspects against the background of its adoption. As will be explained, the resolution is both groundbreaking in its ambition and detail, yet limited in certain respects, leaving crucial questions about implementation and enforcement unanswered.
The International Conference: A historic forum for modern issues?
Global efforts to regulate State behaviour in cyberspace typically centre on New York, where the UN General Assembly-mandated intergovernmental efforts regarding international security in the use of information and communication technologies (ICTs) unfold. Given this focus, it’s unusual for an important multilateral resolution on digital and cyber issues to emerge from Geneva. Yet, as will be seen, this resolution falls well within the broad mission of the International Conference to “examine and decide upon humanitarian matters of common interest” and to contribute “to the respect for and development of international humanitarian law” (Articles 8 and 10(2) of the Statutes of the International Red Cross and Red Crescent Movement).
The International Conference is one of the oldest and largest multilateral forums in the world. Its inaugural meeting took place in 1867 in Paris, and in modern times, it is held every four years, with this year marking the 34th session. From the perspective of international humanitarian law (IHL), this year’s conference was especially significant and attracted additional attention as it coincided with the 75th anniversary of the 1949 Geneva Conventions.
The Conference brings together all components of the International Red Cross and Red Crescent Movement, including the 191 National Societies, the International Federation of Red Cross and Red Crescent Societies (IFRC), and the International Committee of the Red Cross (ICRC). (Full disclosure: I served as a Legal Advisor to the ICRC until 2023, but I was not involved in the work on the resolution analysed in this post.) Just as importantly, the Conference is attended by the 196 States party to the Geneva Conventions, which – thanks to the treaties’ universal ratification – effectively means all States. This unique blend of non-governmental organizations and State representatives gives the Conference its distinct “hybrid status, both private and public”.
In the long history of the International Conference, this was the first time that it addressed the use of ICT capabilities during armed conflict, including cyber and information operations. This reflects the growing importance that ICTs play during armed conflicts, both for better and for worse. On the one hand, ICTs may help people survive by locating essentials such as food, water, and shelter, as well as staying in touch with their loved ones in highly volatile and dangerous situations. On the other hand, these technologies can be and are also used for military purposes, resulting in considerable risks of harm to the affected populations.
Resolutions adopted by the International Conference are, with few exceptions, not legally binding. This means they typically do not impose new legal obligations on States, the violation of which would entail responsibility under international law. However, this does not mean that they are without legal relevance for States. When resolutions express particular views and interpretations of international law, they can serve as evidence of the opinio juris of the States voting for them and reflect those States’ subsequent practice in relation to the interpretation of the Geneva Conventions and their Protocols. As François Bugnion noted in a 2009 article, these resolutions “constitute a position adopted by the international community that needs to be taken into account by the belligerents” (at p. 704). States recognize this significance, a fact evident in the careful – and at times contentious – process of negotiating the language of these resolutions.
Although the present resolution was adopted by consensus, it cannot be said to reflect the views of all participating States at the Conference. This is because a few States opted to use a little-known procedural mechanism to “disassociate” themselves from the resolution after it was passed. By doing so, they allowed the consensus to stand without blocking the resolution’s adoption or taking it to a vote, but they signalled that they did not fully endorse all of its content. Eight States (Belarus, Cuba, Iran, Mali, Myanmar, North Korea, Russia, and Syria) disassociated themselves in this way. Nonetheless, with all other States as well as all National Societies fully supporting the resolution, one can say that, while it may not represent the unanimous view of the entire international community, it comes very close.
Key concerns: Impact of digital activities during armed conflicts
The resolution’s preambular section offers a detailed catalogue of the risks and dangers posed by the use of ICTs in armed conflict. Much of this mirrors the longstanding concerns raised by international organizations like the ICRC, civic associations such as the Cyber Peace Institute, and academic institutions like the Geneva Academy, who have been sounding the alarm about these issues for years. What stands out, however, is the unprecedented level of detail in this resolution – a degree of specificity not previously seen in documents adopted by such a broad coalition of States.
In particular, States have noted the following:
- The use of ICTs by parties to armed conflicts may result in harm to civilians, particularly where these means are directed against or incidentally affect civilian critical infrastructure and essential services (preambular para. 7).
- When States and Movement components lack adequate capacities to detect and defend against malicious ICT activities, this may make them more vulnerable (preambular para. 8).
- The scale, speed, and reach of malicious ICT activities – especially on social media platforms – can harm civilians, including when ICTs are used for child recruitment (preambular para. 9).
- The use of AI and other emerging technologies in malicious ICT activities may further amplify the scale and speed of these activities, as well as their potential harm (preambular para. 11).
- ICTs can enable or encourage civilians to participate in conflict-related ICT activities without being fully aware of the associated risks or legal implications (preambular para. 12).
- Malicious ICT activities impacting humanitarian organizations, such as data breaches and disinformation, may disrupt relief operations, erode trust, threaten the safety and security of personnel, and ultimately hinder these organizations’ access to affected populations (preambular para. 14).
(I have slightly shortened and paraphrased these paragraphs for clarity; please consult the full text of the resolution for the precise agreed language.)
This overview underscores that participating States are acutely aware of the need to protect people and institutions from the potential human cost of ICT activities during armed conflict. Such awareness is essential for meaningful discussions on which measures can and must be taken to prevent or minimize these harms, including through the clarification and development of the applicable law.
ICT in armed conflict: The question of applicability of IHL
The resolution stops short of explicitly affirming that ICT activities during armed conflict are governed – and thus limited – by IHL. Urban Prapotnik, one of Slovenia’s representatives at the Conference, publicly noted that such language was discussed among the delegates but they ultimately failed to reach consensus. I share his regret, as this would have been a valuable opportunity for the resolution to contribute to the development of common understandings in this area.
Nevertheless, the issue is far less controversial today than it was some years ago. This is because in 2021, States reached an agreement on language referring to the applicability of IHL in the context of discussions on how international law applies to the use of ICTs by States (at para. 71(f)). The report of a Group of Governmental Experts (GGE) that contained that formulation was subsequently endorsed by a consensus resolution of the UN General Assembly that same year. Since then, experts have thus spoken of an international consensus that IHL governs cyber operations during armed conflict.
Although the resolution does not explicitly affirm the applicability of IHL, its language aligns closely with this broad consensus. This is not only because its operative paragraphs 2 and 3 restate the GGE formulation mentioned above. In addition, the text of the resolution is replete with references to rules and principles of IHL in relation to the use of ICTs by parties to armed conflicts. Operative paragraph 4, for instance, states:
reiterates that, in situations of armed conflict, IHL rules and principles – including the principle of distinction, the prohibition of indiscriminate and disproportionate attacks, the obligations to spare the civilian population, civilians and civilian objects in the conduct of military operations, and to take all feasible precautions to avoid, and in any event minimize, incidental civilian harm, the prohibition of encouraging or inciting violations of IHL, and the prohibition of acts or threats of violence, the primary purpose of which is to spread terror among the civilian population – serve to protect civilian populations and other protected persons and objects, including against the risks arising from ICT activities;
The phrase “IHL rules and principles … serve to protect … against the risks arising from ICT activities” strongly implies that IHL is applicable to such activities; otherwise, this entire statement would lose its meaning. Likewise, the obligations to “respect and protect medical personnel, units and transports” (operative paragraph 6), to “allow and facilitate impartial humanitarian activities”, and to “respect and protect humanitarian personnel and objects” (operative paragraph 7) can only be read as an affirmation of these long-standing IHL obligations in relation to ICT activities. To sum up, today States agree that even cyber wars have limits.
Prohibition of the encouragement of violations of IHL through digital means
Operative paragraph 4 is additionally valuable for listing specific rules and principles that States consider relevant in this context. One notable inclusion is the “prohibition of encouraging or inciting violations of IHL”, which addresses a troubling aspect of many modern conflicts that is further intensified by social media. Unlike the other obligations and prohibitions listed in this paragraph, the prohibition against encouraging or inciting IHL violations is not codified in a single treaty rule.
However, as the International Court of Justice clarified in the Nicaragua case (1986), this prohibition follows from the obligation to respect and ensure respect for IHL enshrined in Article 1 common to the four Geneva Conventions (see at para. 220). Importantly, States participating in the 30th International Conference in 2007 endorsed this interpretation in a resolution on reaffirmation and implementation of IHL (operative paras 1–2).
The adoption of the present resolution in 2024 reaffirms the enduring relevance of this interpretation, extending it to the digital context. This aligns with a broad consensus among international law experts, as reflected, for instance, in para. 8 of the Oxford Statement on the Regulation of Information Operations and Activities, which has been signed by over a hundred scholars and practitioners.
Civilianization of the digital battlefield
Another notable development relates to the ongoing trend of involvement of civilians and civilian entities – such as tech companies – in digital activities related to armed conflicts. As mentioned earlier, the resolution’s preamble identifies this as a key concern (see preambular para. 12 paraphrased above), and I fully agree. As Mauro Vignati and I have explained elsewhere, such involvement places individuals at risk of harm and erodes the IHL principle of distinction.
The operative part addresses this issue primarily in relation to tech companies, as seen in operative paragraph 11:
also encourages all Movement components, as appropriate and in accordance with their respective mandates, to disseminate IHL to private technology companies and make them aware that providing ICT services to clients that are or may become involved in armed conflict involves certain risks and to engage, as appropriate, with these companies to encourage them to consider adopting measures to protect the needs of all people affected by armed conflict consistent with applicable international and national law;
First, a word on the scope of this paragraph. Curiously, the delegates removed a reference to States from the draft resolution (which originally addressed “States, as well as Movement components”). However, States are legally obliged to disseminate IHL as widely as possible (see Articles 47/48/127/144 of Geneva Convention I/II/III/IV, Article 83 of Additional Protocol I, and Article 19 of Additional Protocol II), a duty reaffirmed by operative paragraph 9 of this resolution. Hence, there can be little doubt that the responsibility to disseminate IHL to tech companies is shared by both States and Movement components.
The oblique reference to “certain risks” in operative paragraph 11 alludes to the danger that the company staff and/or clients’ ICT activities will qualify as direct participation in hostilities and possibly convert company assets and other civilian objects into military objectives, thereby resulting in a loss of protection under IHL. This is a serious consideration that companies need to be aware of, and States have a critical role in conveying this message (for more, see Jonathan Horowitz’s recent post on this topic).
The paragraph also encourages tech companies to take measures to “protect the needs of all people affected by armed conflict”. Although private companies are not expected to be as impartial as humanitarian organizations, the delegates were surely mindful of criticism, such as that surrounding Elon Musk’s rapid deployment of Starlink in Ukraine compared to much longer delays in Gaza. Nevertheless, the resolution’s language here is notably soft, leaving considerable discretion to the relevant actors.
Finally, while the preamble rightly highlights the risks associated with civilians’ involvement in hostilities through digital means, it is regrettable that the operative section does not provide stronger guidance on how this issue should be addressed. At a minimum, the Conference could have expressly echoed the ICRC’s earlier call on States to reverse this trend and “stop turning a blind eye to the participation of private hackers in armed conflict”.
The only hint that this issue was discussed appears in the final clause of operative paragraph 9, which urges States “to take measures to prevent and suppress IHL violations … including with regard to ICT activities.” Although the resolution does not elaborate further, the ICRC has noted that preventive measures could include public statements discouraging private hackers from involvement in conflict-related cyber operations. Similarly, suppressive measures could encompass enacting domestic laws to criminalize cyber operations that amount to war crimes, and then their investigation and prosecution.
Future directions: What impact will the resolution have?
This resolution is a rich and valuable resource that will likely become a key reference for multilaterally agreed language, or “acquis”, on protecting civilians from harm caused by the use of ICTs during armed conflicts. Its content will no doubt be closely examined by State representatives involved in multilateral processes, such as the ongoing Open-Ended Working Group (OEWG) in New York, and we may see its language echoed in future outputs, including the OEWG’s final report, anticipated in July 2025.
Beyond that, the resolution itself charts the way forward in relation to several of the issues it addresses. In particular, it encourages the ICRC to continue working with States and Movement components on the “digital emblem” – an initiative to create a digital means of identifying the digital infrastructure and data of institutions that are entitled to display the distinctive emblems recognized under IHL (such as the red cross and red crescent). This endorsement is likely to give the digital emblem initiative a significant boost in the diplomatic field.
Upon its adoption, State representatives reportedly praised the resolution as “the first humanitarian ICT resolution” and a “really significant step forward”. Øistein Mjærum of the Norwegian Red Cross welcomed the resolution as “nybrottsarbeid” (groundbreaking) and shared that he had long doubted whether agreement on its text could be achieved at the Conference. As the saying goes, however, the proof of the pudding is in the eating: only time will tell to what extent this resolution will influence the development of law and policy on these issues in both domestic and international contexts.