Cyber Warfare and Its Limits: A Response to Soesanto and Gajos
Published by The Lawfare Institute
On Nov. 3, Lawfare published a thought-provoking piece by Stefan Soesanto and Wiktoria Gajos advancing the argument that Western governments should learn from Ukraine’s offensive cyber strategy and adopt what the authors call a “responsibly irresponsible” approach to cyber warfare. While they present compliance with international humanitarian law (IHL, also referred to as the law of armed conflict) as a worthy aspiration, they frame it as ultimately at odds with “the realities of contemporary digital conflict.”
The idea that the necessities of war should take precedence over the rules of war is not new. In the 19th century, it appeared as the German maxim “Kriegsraison geht vor Kriegsmanier.” In the 20th century, it reemerged in the post-Nuremberg trials in the form of the (unsuccessful) attempts by some defendants to justify actions such as reprisal killings of civilians during World War II. And in the 21st century, it seems to return as claims that “idealistic legalism” and “arcane rules” lead to inescapable defeat on the digital battlefield, leaving belligerents with no choice but to discard these “taboos and legal limitations.”
It would be easy to dismiss such calls as incompatible with the post-1945 legal order and the fundamental protections enshrined in core international treaties, including the Geneva Conventions and their Additional Protocols. To stop the discussion there, however, would be to miss an opportunity to test the robustness of these legal frameworks and to consider whether they remain fit for purpose in the digital age.
In what follows, I focus on two of Soesanto and Gajos’s main arguments. First, they propose broadening the category of permissible targets in times of armed conflict by endorsing offensive cyber operations against civilian infrastructure. Second, they encourage a broader involvement of civilians—such as hacktivists and volunteers—in offensive cyber campaigns against the enemy. I take up each in turn after offering some preliminary remarks about the assumptions that seem to underlie their case.
Clarifying Assumptions
First, one of the article’s unspoken assumptions is that the cyber strategies it holds up as exemplars have made a discernible difference in the armed conflict between Russia and Ukraine. While this assessment lies outside my area of expertise, a growing body of scholarship questions whether that is so. For example, in a 2025 study in Survival, Matthew Calabria, former director for cyber operations and incident response in the Office of the National Cyber Director at the White House, argues that the experience from Ukraine shows that cyberattacks are “all but ineffectual during long, grinding campaigns of attrition.” If that is correct, the case for a “responsibly irresponsible” approach rests on shaky ground: States would sacrifice the broader good of the rule of law for little or no practical gain.
Second, the authors’ argument loses a great deal of force once we recall what IHL is really about. It is not a set of rules drafted by utopian idealists with no sense of what war entails. IHL rules were forged on battlefields and transformed into written law by state representatives, including countless military professionals with extensive experience fighting wars. As a result, IHL embodies a careful balance between military necessity and humanity. It does not prohibit warfare, but it takes the realities of armed conflict into account. For that reason, some of the operations that the authors flag as worth emulating may already be lawful, which undercuts the suggestion that belligerents should discard legal limits wholesale to achieve operational effects. For example, software used to reconfigure combat drones may be targetable as a lawful military objective, and hacking enemy surveillance cameras for intelligence on troop movement is generally consistent with the IHL rules on the conduct of hostilities.
Offensive Cyber Operations and Civilian Infrastructure
Soesanto and Gajos suggest that adversary civilian infrastructure—such as banks, internet service providers, supermarkets, or online retail platforms—is “too irresistible not to target” in cyberspace. The implication here is that such objects should be fair game and that if the rules say otherwise, they may have to yield.
The rules, as it happens, do say otherwise. IHL contains a clear and unequivocal prohibition on attacking civilian objects, codified in Article 52(1) of Additional Protocol I and universally accepted as reflecting customary international law binding on all states. While there is debate about the types of effects that a cyber operation must produce to qualify as an “attack” under IHL, where that threshold is met, targeting civilian objects such as banks or supermarkets is a violation of IHL and potentially a war crime.
In the pressure of operations, it may be tempting to expand the circle of permissible targets to include parts of the civilian infrastructure. But that is precisely why states agreed to these rules in the first place. They cannot be brushed aside simply because a conflict presents an “irresistible” target of opportunity. To see the moral hazard more clearly, we only need to invert the scenario. Imagine yourself or your loved ones on the receiving end of such operations in wartime. You wake up to find your banking app showing your lifetime savings wiped out, supermarkets in your area closed by a supply chain outage, and your pharmacy unable to dispense the medication you need. These effects are not necessities of warfare and are precisely the outcomes the law was designed to prevent.
This discussion also echoes earlier debates about whether IHL applies to cyber operations at all. In a piece I co-authored with Tilman Rodenhäuser at the time, we asked what modern conflicts might look like if it did not. The answer was and remains stark. Without the constraints of the law, civilians could be deprived of essential services such as electricity and water for extended periods through cyber means. Unscrupulous commanders might see no legal obstacle to releasing malware expected to incidentally disable computers and networks at hospitals in enemy territory. Third states could suffer significant collateral harm from cyber operations with indiscriminate effects, which IHL would otherwise prohibit. That is why the current, near-universal consensus that IHL governs cyber operations in armed conflict matters. Calls to weaken these constraints in the cyber context needlessly reopen an earlier debate and overlook the very real human costs identified then.
Compliance with law is more than just a restraint. For militaries, it also has operational value: Armed forces that internalize and follow the law tend to be more disciplined and more effective. In this sense, compliance is part of their professional identity. In the words of the U.S. Army’s field manual, observing IHL “enhances the legitimacy of our operations and supports the moral framework of our armed forces.” For civilians, there is an important dividend after the guns fall silent. Societies tend to reconcile more readily after wars fought within the bounds of the law, as respect for IHL helps prevent war crimes and thus eases the burden for transitional justice efforts. Conversely, sustained patterns of violations poison post-conflict settlements and can entrench “spirals of retribution and violence.” Hence, abiding by IHL during war also shapes the peace that follows.
Civilian Involvement on the Digital Battlefield
Soesanto and Gajos also argue in favor of “militarizing non-state actors, including domestic hacktivists and international volunteers.” This approach, however, sits uneasily with a growing body of expert work that points in the opposite direction. In November, the International Committee of the Red Cross (ICRC) and the Geneva Academy published a report—marking the culmination of a multiyear research and consultation process—that warns that involving civilians in cyber and other digital activities during armed conflict exposes them to “a significant risk of harm.” The report also emphasizes the imperative of ensuring their respect for IHL if they do become involved. I share that assessment. (Full disclosure: Soesanto and I were among the experts consulted for this report, but neither of us took part in drafting the text.)
As Mauro Vignati and I explained in an earlier Lawfare piece, at least some forms of civilian involvement on the digital battlefield—such as engaging civilian hackers in offensive operations against enemy targets—may qualify as direct participation in hostilities under IHL. According to Article 51(3) of Additional Protocol I and customary international humanitarian law, civilians are protected against attack unless and for such time as they directly participate in hostilities. Encouraging civilians to conduct offensive cyber operations therefore exposes them to grave harm, including loss of protection and potential loss of life.
In a 2023 article in the International Review of the Red Cross, I argued that due to these risks, such encouragement places states in tension with a number of rules of international law, including the duty to exercise constant care to spare civilians from the effects of hostilities, the obligation to respect the right to life of persons under their jurisdiction, and the duty to do everything feasible to ensure that children do not directly participate in hostilities.
Even setting the law aside, Soesanto and Gajos’s proposed policy is problematic from a pragmatic perspective. Governments that instrumentalize civilians for offensive cyber operations must address risks such as weak command and control, poor compliance culture, and operational noise from unskilled volunteers. There is also a significant post-conflict concern. Groups that learn to operate outside legal frameworks are unlikely to disband when the fighting stops; they can drift into cybercrime, creating a persistent law enforcement problem for the very states that empowered them in the first place.
None of this means that states are without options to leverage civilian cyber expertise. IHL leaves room for responsible models. In particular, states may want to integrate specialists into reserve or auxiliary structures, place them under a formal chain of command, clarify their status, vet and train them, and subject their activities to oversight and accountability. Estonia’s practice reflects this approach: Its Cyber Defence Unit consists of vetted volunteers and is embedded in the national defence architecture. Italy and Ukraine are reportedly pursuing similar approaches. This path recognizes the value of civilian talent without outsourcing offensive operations to loosely governed groups that are not trained on elementary legal rules, and it reduces the risk that wartime networks morph into peacetime criminal enterprises.
The ICRC/Geneva Academy expert report mentioned above points governments in this direction as well. It recommends that states avoid, to the extent feasible, involving civilians in activities that bring them close to hostilities. If they nevertheless choose to do so, governments should give careful consideration to the risks involved. Where the intention is to use civilians in ways that place them near or within the conduct of hostilities, states “should integrate such civilians into their armed forces, or at least inform them of the relevant risks and their obligations.”
That is what a responsibly responsible approach looks like.
***
Soesanto and Gajos’s article invites governments to expand the category of permissible targets and encourage civilians to join the war effort on the digital frontlines, feeding the narrative that IHL is an encumbrance that contemporary conflict can no longer bear. The law, however, is not a switch to be flipped when inconvenient. In states governed by the rule of law, and especially those that are parties to the International Criminal Court, disregarding IHL is not a policy or an operational choice—it may well be a war crime.
States have bound themselves by the rules of IHL for wars of the future, including those with a cyber component. Its rules protect civilians against physical and cyber harm, and they help commanders wage wars effectively and with discipline. They also preserve the legitimacy that democratic societies depend on in peacetime and during conflict, and create the conditions for reconciliation once hostilities end.
The better path is not to be “responsibly irresponsible,” but responsibly responsible. States should maintain and reinforce the consensus that IHL applies to cyber operations and accept the legal constraints it entails. If civilian expertise is needed, states should integrate it in responsible and lawful ways and ensure civilians are informed about the risks of joining in and about the rules they must respect. To ignore these limits is to risk sliding toward the same lawlessness that democracies condemn in their adversaries.
