Collateral Damage from Offensive Cyber Operations—A Systematic Literature Review

Abstract

As offensive cyber operations have become more commonplace, cyber collateral damage (CCD) to society and to civilian infrastructure has expanded in impact and severity. Several research contexts, frameworks, and methods apply to these collateral effects, especially as they pertain to reducing them. To investigate and map this area of research, five leading scientific databases (Scopus, IEEE Xplore, Springer Link, ScienceDirect, and ProQuest) were searched for papers on CCD. From 716 search results, 74 relevant papers were selected. Using surface categories as well as thematic analysis, these were grouped into the main emergent categories of legal, ethical, targeting-oriented, and econometric papers, with each category showing a recent research trend. The papers were qualitatively assessed for importance and coverage and compared bibliographically to identify key papers and authors. Within the identified areas of research, significant gaps remain. While CCD is becoming increasingly well understood from a legal and operational perspective, this accounts only for a fraction of the civilian harm caused by offensive cyber operations. This study identifies potential pathways for the synthesis of the current research areas (targeting, taxonomy, econometrics) with broader definitions of collateral damage to include civilian harm. These include updating national cyber doctrines to require collateral damage estimates, as well as exploiting emerging open datasets to understand which cyber capabilities cause the greatest collateral effects. Finally, we observe that the research definitions and taxonomy of CCD differ widely and have been subjected to limited scrutiny and challenge to date.

1. Introduction

Cybersecurity and losses from cyber incidents generate annual costs in excess of USD 150B, or 0.1% of the global GDP [1]. Moreover, 95% of these cyber incidents are malicious rather than accidental [2]. Although most malicious cyber incidents are caused by cybercrime, offensive cyber operations (OCOs) are over-represented in terms of both impact and notoriety. This study considers an OCO to be any cyber operation that is explicitly offensive, in the sense of being “activities in cyberspace that manipulate, deny, disrupt, degrade or destroy targeted computers, information systems, or networks” [3]. Moreover, the word “operation” is taken to mean that the actor conducting it is highly organized. This level of planning and capability has been limited to government organizations (including, but not limited to, military actors) or non-state entities at governmental direction. The most well-studied of these OCOs is the Stuxnet cyberspace operation that occurred in 2010, which was highly publicized, not only for its novelty and relative success but also for the considerable civilian impact of its indiscriminate spread [4]. More recently, military and state-sponsored actors have deployed ransomware and other cyberweapons against banks and government entities [5]. The sums involved in terms of direct costs and ransomware are frequently in the range of billions of US dollars. As such, OCO research has been growing rapidly as an area of interest in the last 25 years. To date, this research has naturally been focused on defense against attacks but also on intentional effects rather than on unintended consequences.

Collateral damage is a term used to refer to the unintended and damaging consequences of operations. It can be used colloquially in connection with any type of operation or, in a more formal sense, specifically when referring to military operations. This latter meaning, introduced in the 1960s, has strict definitions in military doctrine [6,7]. Typical examples of collateral damage in conventional warfare include mistakes in distinction, where civilian targets are identified as enemies and attacked, or a lack of proportionality, where civilians in the vicinity of legitimate military targets suffer greater damage than would be motivated by the military value of the target. These occurrences are especially common when using area-of-effect weapons, and the evolution of collateral damage as a military consideration has been closely tied to conflicts using strategic bombing or large amounts of artillery fire. Restricting the definition to conventional military operations offers clarity from a legal perspective—the Geneva Conventions and the laws of armed conflict (jus in bello) have widespread recognition and acceptance. However, when moving into the cyber domain, collateral damage no longer requires the target to be in close proximity to a legitimate target. Many cyberattacks (e.g., Stuxnet) use self-replication as a means of propagation and can spread long distances across geographic boundaries. Nevertheless, cyber damage, collateral or not, requires some physical impact [8]. This does not need to be the permanent destruction of equipment but can be the irreversible encryption of data or the shutdown of critical systems. Disproportional or undistinguished damage to or destruction of civilian objects is unlawful even if caused through the cyber domain. Further complicating the issue, the vast majority of OCOs are conducted by non-military actors. Only a miniscule fraction of OCOs rise to the “act of force” level as defined by the Geneva Conventions, and even fewer could be considered “acts of war”. These latter warfare-level OCOs have exclusively been associated with the Ukraine wars of 2014 and 2022. The differing definitions of cyber collateral damage (CCD) are described in more detail in Section 2.

The origins of academic research into cyber operations can be traced back only to the early 1990s. These pioneering papers generally considered cyberspace primarily as an area of information and disinformation warfare [9]. Computer network attacks—the preferred term at the time—were intended to attack information systems, as these were the only networked systems. As network-connected, computer-controlled systems have become the norm, research into the security and target potential of such cyber–physical systems (a term coined in 2006) has increased greatly [10]. Finally, within the last 10–15 years, research on OCOs on a societal scale has accelerated in line with such operations being executed in situ. These operations increasingly target not only cyber–physical systems, in the vein of the Stuxnet attack, but also IoT devices, which are plentiful and poorly secured. Attacking these systems and others using cyber operations has several complexities not encountered in conventional warfare. The interconnected nature of the Internet and the risk of malware spreading beyond targeted systems and geographic boundaries, as well as the increasing use of shared platforms, make for a complex and dangerous battlefield.

A key driver of research on the limits and legality of cyber operations is the NATO Cooperative Cyber Defence Centre of Excellence (CCDCoE), headquartered in Tallinn, Estonia. The geographic location of the center was a result of the 2006 Riga summit identifying cyberattacks as a potential asymmetric threat and of 2007 seeing a series of such attacks targeted at banking and critical infrastructure in Estonia. In 2009, work began there to describe and codify international law as it pertains to cyberwarfare. Published in 2013 and updated in 2017, this manual became known as the “Tallinn Manual” [8] and can be considered the most detailed and comprehensive work in the field. With the publication of this manual, a large field of research has also developed around it. As part of this research, and as a result of the rise in the number of state-sponsored cyber operations, “cyber collateral damage” emerged as a separate term in the mid-2010s [11].

At present, there is no comprehensive review of the scientific literature on collateral damage resulting from OCOs. Such a review would provide researchers, as well as both governmental and non-governmental entities, with an overview of researched and less researched areas.

1.1. Research Goals

The purpose of this work is to examine the existing literature for pertinent papers, analyze their findings, and quantify their value and contributions to the field. An additional goal is to identify sub-categories reflecting different aspects or specific areas of research and to cluster papers into the most common categories. The final goal is to identify areas of potential future research interest. These goals can be described in two research questions (RQs):

• What research exists on cyber collateral damage (CCD)?
• How can this body of research be analyzed in terms of common themes, the research intensity over time, and references to identify and describe research trends and gaps?

1.2. Layout of This Paper

This paper is structured as follows. Section 2 describes the field of research and provides definitions for the relevant terms. Section 3 describes the method of paper selection and analysis. Section 4 describes the results of the survey, and Section 5 provides a discussion, observations, and perspectives on the results. Finally, Section 6 draws some high-level conclusions and provides suggestions for future work.

2. Collateral Damage Within the Cyberspace Context

This section describes the terminology and concepts of civilian harm from warfare and how they have been understood within the cyber domain.

The term “collateral damage” (CD) was coined in the early 1960s to refer to the “unlimited, indiscriminate, and exhaustive” effects of warfare [6]. By more recent definition, this term refers to “unintentional damage or incidental damage affecting facilities, equipment, or personnel, occurring as a result of military actions directed against targeted enemy forces or facilities” [12]. This definition is closely aligned with the laws of armed conflict and is used in this paper when talking explicitly about collateral damage in the legal or military sense. In the context of conventional warfare, the avoidance of civilian casualties and damage to civilian infrastructure, risk calculation, and the estimation of the economic value of collateral damage have been institutionalized in many of the world’s militaries. While conventional weapons have evolved to increase their precision in targeting and reduce the risk of collateral damage, military OCOs are still developing, and damage to civilian infrastructure and commerce is common [13].

The legal framework governing the use of force in war (jus in bello) and the permissibility of a specific offensive operation is a large field of study in its own right. The legal requirement to avoid indiscriminate attacks against civilian targets was codified by the 1977 Additional Protocol I to the Geneva Convention. Legal sources [14] provide up to four principles governing the selection and targeting of legitimate targets in warfare: discrimination (between combatants and non-combatants), proportionality (between military utility and collateral damage), necessity (of the level of force used), and humanity (in the types of weapons used). These legal and ethical principles were laid down with consideration only of the context of conventional warfare and in the context of a “hot” war. Operations conducted in cyberspace add complexity both in terms of attribution and in terms of the highly variable temperature under which they are conducted.

In 2016, NATO formally recognized cyberspace as a domain of operations [15]. A cyberspace operation, then, can be defined as the “(1) use [of] cyber capabilities, such as computers, software tools, or networks [that] (2) have a primary purpose of achieving objectives or effects in or through cyberspace” [16]. A cyberspace operation of military origin can affect civil society adversely in several distinct ways:

• Unintended, damaging consequences from operations against legal and legitimate targets, e.g., in the conduct of a declared cyberwar;
• Damage from intentional operations against civilian targets, e.g., South Korean banks and television stations in 2013;
• Damage from the reuse of discovered or reverse-engineered technology, e.g., the WannaCry ransomware.

Moreover, collateral damage is not automatically unlawful per se. The rules of the Geneva Convention protect only against collateral damage that is “excessive in relation to the concrete and direct military advantage anticipated”. Minor (i.e., proportionate) and unintentional collateral damage may pass muster under this provision.

The laws of armed conflict have no bearing or relevance, however, upon cyber operations that are conducted by law enforcement or non-state actors; these make up the vast majority of operations and cause the majority of damage. Broadening the definition of collateral damage beyond the context of military cyber operations is not a new thought. Romanosky and Goldman [13] recognize that the same principles can usefully be applied to law enforcement. The value of a broader definition is in the greater coverage afforded (i.e., the vast majority of OCOs), whereas the value of the narrower definition is that it is more specific and has specific terminology that delineates it and simplifies searches (and research). This paper uses the term in the broader sense of unintentional damage caused by OCOs regardless of the originator, adopting the perspective that, unless cyber operations are conducted within the boundaries of the law, any damage that they cause is collateral to society as a whole. When cyber collateral damage is used as a term in research, it is sometimes used according to this broader definition, rather than the narrow, legalistic one. The relationship between these concepts is illustrated in Figure 1.

2.1. Prior Literature Reviews

Although no prior, dedicated review of CCD research has been found through academic search engines, a few papers in this research area include literature review sections.

• Maathuis, Pieters, and van der Berg give a review narrowly focused on CCD as it pertains to targeting and military doctrine—six sources are found [17].
• Maathuis, Pieters, and van den Berg present another review on the military and legal dimensions of CCD [18]. This paper cites five sources on military (targeting) dimensions and nine sources on legal dimensions, and they argue that “from an extensive review of the scientific literature […], one can conclude that military cyber operations lack models and methodologies for planning, execution, and assessment, although the effects of their use can impact […] collateral civilian and military actors and systems”.
• Focusing on a review of the literature in the adjacent research area of cyberattack taxonomies and ontologies, Grant also presents a secondary review on CCD [19]. The scope of this review is based solely on papers published in the proceedings of the International Conference on Cyber Conflict. Eight papers are reviewed.

Based on the limited number of sources listed in these works, more coverage should be possible through a structured literature review.

2.2. Definitions

Collateral damage—“unintentional damage or incidental damage affecting facilities, equipment, or personnel, occurring as a result of military actions directed against targeted enemy forces or facilities” [12].

Cyber, cyberspace, or cyberspace domain—upon recognizing the cyberspace domain as a domain of operations in 2016, NATO standardized the term “cyberspace”, rather than the previously more popular “cyber”. This is likely to result in military-centric papers using the term “cyberspace”, while this paper uses “cyber” throughout to refer to the collective networked and internetworked interconnection of computing systems, both civilian and military. An exception is the term “cyberspace domain” when referring to this domain in the military context.

Cyber operation—a military action utilizing cyberspace capabilities to achieve its objectives.

3. Materials and Methods

This section describes the method used to conduct the literature review, the inclusion and exclusion criteria, and the initial search outcomes.

To survey the scientific literature on CCD, a structured database search for peer-reviewed papers was conducted. The search methodology and subsequent review were constructed to explicitly fulfill the University of York Database of Abstracts of Reviews of Effects (DARE) criteria [20]. To improve the reproducibility and transparency, the search and selection process is described according to the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) [21]. The papers identified in the search and selected for inclusion were analyzed qualitatively using thematic analysis [22], as well as quantitatively using bibliographic methods. The purpose of the qualitative analysis was to identify, cluster, and describe the themes and categories present in research on CCD. The purpose of the quantitative analysis was to identify the most important authors and papers in the field. All papers were analyzed for inclusion, and included papers were analyzed in terms of categories and thematic content to ensure consistency.

3.1. Sources and Search Methodology

To find a broad range of papers for initial screening and review, the first step was to select and search several academic databases for papers on cyber collateral damage. Multiple databases were used to increase the coverage, as recommended in [23]. The databases were selected to ensure adequate size and coverage [24], as well as based on their assessed likelihood of containing papers relevant to the target domain of cyberspace operations. The databases selected were as follows:

• Scopus, which “uniquely combines a comprehensive, expertly curated abstract and citation database with enriched data and linked scholarly literature across a wide variety of disciplines”, indexing 82 million resources;
• IEEE Xplore, “delivering full text access to the world’s highest quality technical literature in engineering and technology” and indexing 5.8 million items;
• Springer Link, “providing researchers with access to millions of scientific documents from journals, books, series, protocols, reference works and proceedings” and indexing 14.5 million resources;
• Elsevier’s ScienceDirect, “the world’s leading source for scientific, technical, and medical research” and indexing more than 15 million scientific articles;
• ProQuest, which “powers research in academic, corporate, government, public and school libraries around the world with unique content”, indexing “millions of resources”.

As the capabilities of the search engines of these databases differ, two different search strings were used for metadata and full-text searches, respectively. A challenge in constructing the search strings was the unstable terminology of cyber conflict. Up to the mid-2000s, many researchers used the phrase “computer network attack” [25], whereas more recent research generally uses “cyber” or “cyberspace”. These latter terms are used in conjunction with one or more of the terms “weapon”, “warfare”, “conflict”, “operation”, or “capabilities”, with or without a space or hyphen. A preliminary analysis showed that recent research most often discusses offensive cyber operations either under this term or as cyberspace operations. When the search engine provided advanced capabilities (i.e., filtering for English-language or peer-reviewed papers), these were used. No restriction was set on the timeframe of the search. The search was conducted in September 2024. The search results are given in

Table 1. Search results by scientific database.

Database	Search Results
Scopus	170
Springer Link	147
ScienceDirect	87
IEEE Xplore	225
ProQuest	87

. The 716 papers thus found (including duplicates) were considered for inclusion in the survey.

3.2. Inclusion Criteria (IC)

Papers were considered for inclusion in the study if they addressed cyber collateral damage, based on a keyword search for relevant terminology (“cyber”, “cyberspace”, “computer network attack”), in their

• Title;
• Keywords; or
• Abstract.

Matching papers were also screened via full-text search for the phrases “collateral damage” and “unintentional effects”. The search strings used are listed in

Table A1. Search strings.

Scientific Database	Search String
IEEE Xplore	((“All Metadata”:“Cyber” OR “All Metadata”:“Cyberspace” OR “All Metadata”:“Computer Network Attack”) AND “Full Text & Metadata”:“Collateral Damage”)
Scopus	(TITLE-ABS-KEY (“cyber” OR “cyberspace” OR “computer network attack”) AND ALL(“collateral damage”))
ScienceDirect	Title, Abstract, Keywords:(“cyber” OR “cyberspace” OR “computer network attack”) AND (“collateral damage”)
Springer Link	((“offensive cyber operation” OR “cyberspace operation” OR “computer network attack”) AND (“collateral damage”)) OR (cyber NEAR “collateral damage”)
ProQuest	((“offensive cyber operation” OR “cyberspace operation” OR “computer network attack”) AND (“collateral damage”)) OR (cyber NEAR “collateral damage”) Limit to: Peer Reviewed

. Papers that gave an indication of covering CCD based on matching these criteria were further screened against the exclusion criteria.

3.3. Exclusion Criteria (EC)

Search results were excluded if they were

• Duplicates between search engines;
• Written in a language other than English;
• Not published in an academic/scientific context, e.g., featuring in trade journals, or not a research paper, e.g., conference track descriptions; or
• Irrelevant, i.e., papers that fit the search criteria but were not relevant to the question of civilian harm from cyber operations, as determined by coding the text for keywords [26].

3.4. Search Outcomes

Deduplication and screening yielded 54 papers fitting the criteria. The references of these 54 papers, as well as papers published in the same book or Special Issue where applicable, were also screened according to the inclusion and exclusion criteria. This single-step “snowballing” process added another 17 papers to the review. Three further papers matching the criteria were previously known to the author despite not being found in the search or references. In cases where papers existed in multiple versions, e.g., both conferences and journals, these were collated and only the most recent version used. These papers are indicated with an asterisk in

Table A2. Papers included in the review.

Title	Authors	Publication	Year	Prominence
The principle of proportionality in an era of high technology	Beard J.	Complex Battlespaces: The Law of Armed Conflict and the Dynamics of Modern Warfare	2018	1
Precision cyber weapon systems: An important component of a responsible national security strategy?	Hare F.B.	Contemporary Security Policy	2019	3
International Conflict and Security Law: PRINCIPLES OF INTERNATIONAL LAW	Blank L.R.	International Conflict and Security Law: Principles of International Law	2023	1
Assessment Methodology for Collateral Damage and Military (Dis) Advantage in Cyber Operations	Maathuis C.; Pieters W., Van Den Berg J.	Proceedings—IEEE Military Communications Conference, MILCOM	2018	3
Is the principle of distinction still relevant in cyberwarfare?	Bannelier K.	Research Handbook on International Law and Cyberspace	2021	2
Recommendations for Enhancing the Results of Cyber Effects	Orye E., Maennel O.M.	International Conference on Cyber Conflict, CYCON	2019	3
Tackling uncertainty through probabilistic modelling of proportionality in military operations	Maathuis C., Chockalingam S.	European Conference on Information Warfare and Security, ECCWS	2023	3
Collateral damage outcomes are prominent in cyber warfare, despite targeting	Hirsch C.	Proceedings of the 13th International Conference on Cyber Warfare and Security, ICCWS 2018	2018	2
Restraint under conditions of uncertainty: Why the United States tolerates cyberattacks	Kaminska M.	Journal of Cybersecurity	2021	2
Distinctive ethical challenges of cyberweapons	Rowe N.C.	Research Handbook on International Law and Cyberspace	2015	1
Building an ontology for planning attacks that minimize collateral damage: Literature survey	Grant T.	14th International Conference on Cyber Warfare and Security, ICCWS 2019	2019	3
Proportionality in cyber targeting	Roscini M.	Routledge Handbook of War, Law and Technology	2019	1
Decision support model for effects estimation and proportionality assessment for targeting in cyber operations	Maathuis C., Pieters W., van den Berg J.	Defence Technology	2021	2
The ethics of cyberweapons in warfare	Rowe N.C.	International Journal of Technoethics	2010	2
Deterring strategic cyberattack	Elliott D.	IEEE Security and Privacy	2011	1
Ethics of cyber war attacks	Rowe N.C.	Cyber Warfare and Cyber Terrorism	2007	2
A non-militarised approach to cyber-security	Adams A., Reich P., Weinstein S.	11th European Conference on Information Warfare and Security 2012, ECIW 2012	2012	1
Malware is called malicious for a reason: The risks of weaponizing code	Cobb S., Lee A.	International Conference on Cyber Conflict, CYCON	2014	3
Considering internal vulnerabilities and the attacker’s knowledge to model the impact of cyber events as geometrical prisms	González-Granadillo G., et al.	Proceedings—15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 10th IEEE International Conference on Big Data Science and Engineering	2016	1
Moral Cyber Weapons	Denning D.E., Strawser B.J.	Ethics of information warfare (Law, Governance and Technology Series)	2014	2
Exploring the prudent limits of automated cyber attack	Caton J.L.	International Conference on Cyber Conflict, CYCON	2013	1
Cyber warfare: Issues and challenges	Robinson M., Jones K., Janicke H.	Computers and Security	2015	2
Fighting power, targeting and cyber operations	Ducheine P., Van Haaster J.	International Conference on Cyber Conflict, CYCON	2014	2
Towards reversible cyberattacks	Rowe N.C.	9th European Conference on Information Warfare and Security 2010, ECIW 2010	2010	2
Determining the utility of cyber vulnerability implantation: The heartbleed bug as a cyber operation	Sigholm J., Larsson E.	Proceedings—IEEE Military Communications Conference, MILCOM	2014	3
A control measure framework to limit collateral damage and propagation of cyber weapons	Raymond D., Conti G., Cross T., Fanelli R.	International Conference on Cyber Conflict, CYCON	2013	3
The principle of distinction and Cyber war in international armed conflicts	Dinstein Y.	Dinstein Y.	2012	3
A methodology for cyber operations targeting and control of collateral damage in the context of lawful armed conflict	Fanelli R., Conti G	2012 4th International Conference on Cyber Conflict, CYCON 2012—Proceedings	2012	3
Understanding Cyber Collateral Damage	Romanosky S., Goldman Z.	Journal of National Security Law & Policy	2017	3
Deterrence Theory and the Challenge of Applying It to Cyber Warfare	Mazanec B.M., Thayer B.A.	Deterring Cyber Warfare: Bolstering Strategic Stability in Cyberspace	2015	1
Wired Warfare: Computer Network Attack and Jus in Bello	Schmitt M.N.	International Review of the Red Cross	2002	2
Section II: Cyber Operations	Dinstein Y., Dahl A.W.	Oslo Manual on Select Topics of the Law of Armed Conflict	2020	2
Challenges of civilian distinction in cyberwarfare	Rowe N.C.	Ethics and Policies for Cyber Operations	2016	3
The Ethics of Cyberattack	Lee S.P.	The Ethics of Information Warfare	2014	1
Permissible Preventive Cyberwar: Restricting Cyber Conflict to Justified Military Targets	Lucas G.R.	The Ethics of Information Warfare	2014	2
Conceptualization and cases of study on cyber operations against the sustainability of the tactical edge	Monge M.A.S., Vidal J.M.	Future Generation Computer Systems	2021	1
Cyber Warfare. Techniques, Tactics and Tools for Security Practitioners, 2nd edition	Andress J., Winterfeld S.	Syngress	2014	1
Cyber Vulnerability Implantation Revisited	Sigholm J., Larsson E.	MILCOM 2021–2021 IEEE Military Communications Conference (MILCOM)	2021	3
An analysis for a just cyber warfare	Taddeo M.	2012 4th International Conference on Cyber Conflict (CYCON 2012)	2012	1
Cyber Offense and Targeting	Couretas J.M.	An Introduction to Cyber Analysis and Targeting	2022	2
Wired warfare 3.0: Protecting the civilian population during cyber operations	Schmitt M.N.	International Review of the Red Cross	2019	3
Joint Targeting in Cyberspace	Smart S.J.	Air & Space Power Journal	2011	2
Cyber weapons and precision-guided munitions	Acton J.	Understanding cyber conflict: Fourteen analogies	2017	3
An Examination of the Operational Requirements of Weaponised Malware	Easttom C.	Journal of Information Warfare	2018	1
Cyber Warfare: Applying the Principle of Distinction in an Interconnected Space	Geiß R., Lahmann H.	Israel Law Review	2012	3
Get off my cloud: cyber warfare, international humanitarian law, and the protection of civilians	Droege C.	International Review of the Red Cross	2012	3
Humanitarian Law: Developing International Rules for the Digital Battlefield	O’Donnell, B.T., Kraska, J.C.	Journal of Conflict & Security Law	2003	3
Cyber Warfare and Precautions Against the Effects of Attacks	Jensen E.T.	Texas Law Review	2009	2
The Strategic Promise of Offensive Cyber Operations	Smeets M.	Strategic Studies Quarterly	2018	1
Responding to International Cyber Attacks as Acts of War	Sklerov M.	Inside Cyber Warfare	2009	2
International Law and Information Operations	Wingfield T.	Cyberpower and National Security	2009	2
Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework	Schmitt M.N.	Columbia Journal of Transnational Law	1998	1
Tallinn Manual 2.0 on the International Law Applicable to Cyber Warfare *	Schmitt M.N. (ed.)	Cambridge University Press	2017	3
The Law of Cyber-Attack	Hathaway O., et al.	California Law Review	2012	1
Conceptualizing Financial Loses as a Result of Advanced Persistent Threats	Levine C.	Honors College Theses	2013	1
Cyber-attacks, cryptocurrencies, and cyber-security	Caporale G.M., et al.	CESifo, Munich	2020	1
The Ingredients of Cyber Weapons	Repel D., Hersee S.	10th International Conference on Cyber Warfare and Security (ICCWS)	2015	1
Limiting the undesired impact of cyber weapons: technical requirements and policy implications	Bellovin S.M., Landau S., Lin H.S.	Journal of Cybersecurity	2017	3
Cyberneutrality: Discouraging Collateral Damage	Kohler K.	ETH CSS Policy Perspectives	2022	3
Civilians in Cyberwarfare: Casualties	Brenner S., Clarke L.	Science and Technology Law Review	2017	3
Cyber House Rules: On War, Retaliation and Escalation	Cavaiola L., Gompert D., Libicki M.	Survival	2015	2
Cyber Warfare & Inadvertent Escalation	Acton J.	Daedalus	2020	2
Avoiding civilian harm from military cyber operations during armed conflicts	Lawson E., Macák K.	ICRC Expert Meeting	2020	3
Distinction and Proportionality in Cyber War: Virtual Problems with a Real Solution	Pascucci P.	Minnesota Journal of International Law	2017	3
Proportionality in Attack on Data: Balancing Military Advantage and Collateral Damage in Cyberspace	Normelli N.	Uppsala University	2021	3
Unexpected Consequences From Knock-On Effects: A Different Standard for Computer Network Operations?	Jensen E.T.	American University International Law Review 18, No. 5	2003	3
Effects Assessment for Targeting Decisions Support in Military Cyber Operations	Maathuis C.	TU Delft	2020	3
On Cyberwarfare	Schreier F.	Geneva Centre for the Democratic Control of Armed Forces	2015	2
Cyberspace in Peace and War *	Libicki M.C.	Naval Institute Press	2021	3
Cyberspace Operations Collateral Damage-Reality or Misconception?	Bertoli G., Marvel L.	Cyber Defense Review	2017	3
Applicability of Jus in Bello in Cyber Space: Dilemmas and Challenges	Wang Q.	International Journal of Cyber Warfare and Terrorism	2014	2
Human Centered Explainable AI Framework for Military Cyber Operations	Maathuis C.	MILCOM 2023–2023 IEEE Military Communications Conference	2023	2
The Weaponization of Artificial Intelligence in Cybersecurity: A Systematic Review	Nobles C.	Procedia Computer Science	2024	2
Towards Econometric Estimation of the Cost of Cyber Conflict	Larsson E., Sigholm J.	Procedia Computer Science	2024	3

and in the tables which begin each section describing a category. In total, 74 relevant papers were found in the survey. The selection process, with reasons for inclusion and exclusion, is shown in the PRISMA flow diagram in Figure 2.

3.5. Limitations

Literature reviews are naturally susceptible to certain constraints and biases. The aggregation and synthesis of published work creates a risk of publication bias, as studies with statistically significant or palatable results are more likely to be published [27]. In addition, these papers were located through keyword-based searches in indexing search engines and in a necessarily limited set of databases. The risk of database bias was addressed through the use of multiple databases, as well as through reference snowballing against the papers identified in the database search. Broad search strings were used, and a comparatively large set of papers was manually screened, moving some risk from the automated search to the filtering stage. Filtering data involves subjective decision making; the unfiltered search results have been published alongside the paper to enable further process review. Papers that did not use standard nomenclature may also have been missed in the keyword search. This was addressed by using multiple keywords to cover the evolving terminology of the field, but it is a particular risk when the terminology has changed during the time period studied. Selected papers were fully read to build up themes within the literature, and this reading introduced subjective opinions regarding the content and meaning. This subjectivity was mitigated somewhat by considering the self-described research fields of journals, as well as directly using the language of selected papers to understand what the authors considered to be their field of research or expressed contribution. Finally, the sources themselves may be old or biased, and this bias can propagate into the review. Careful reading and the use of multiple sources, as well as the use of newer sources to supersede older ones, somewhat reduces this risk.

4. Results

This section describes and synthesizes key findings from papers included in the literature review and presents the findings of the bibliographic analysis.

4.1. Categories and Thematic Analysis

The 74 included papers were read and analyzed from two perspectives: first according to the category or theme in which the paper discussed CCD and then according to the degree of prominence that this subject had within the scope of the text. The category of each publication was determined by first analyzing the title, keywords, abstract, and publication venue. The categorization was also informed by and drawn from the CCD research areas identified by Robinson, Jones, and Janicke [28], given in Figure 3. The full text was then read with the goal of finding underlying themes—the “red thread of underlying meanings, within which similar pieces of data can be tied together” [22]. These themes were determined by first coding the text into keywords, e.g., as described by Naeem, Ozuem, and Ranfagni [26]. The thematic coding process for an included paper is visualized in Figure 4. Recurring themes from the papers were then added to the list of surface categories to form the final list of categories. As an example, legal research was identified in titles, abstracts, and publication venues, but taxonomies of cyber collateral damage were developed as a theme recurrently coded in the text. The thematic coding was considered complete when all codes that were found to recur both within and between papers had been identified and mapped to a theme. Themes recurring within three or more papers were assigned as a category.

The subject matter categories identified in the text can be expressed by the following questions, which describe the recurring subject matter among the papers:

• Does this paper concern legal aspects of CCD and the (legal, rather than ethical) permissibility and constraints at play?
• Does this paper concern the targeting of cyber operations specifically to avoid or minimize CCD?
• Does this paper concern ethical aspects of CCD (frameworks and processes to determine whether an attack is justified)?
• Does this paper concern the economically adverse outcomes of CCD and the potential costs to the target and civil society, e.g., by quantifying it?
• Does this paper attempt to model and estimate CCD from the perspective of the attacker?
• Does this paper seek to create a taxonomy or definition of CCD types?

The distribution of papers matching each category is given in

Table 2. Categories of subjects in CCD papers.

Topic (Cluster)	Number of Papers
Legal	24
Targeting	16
Ethical	14
Econometric	8
Estimation, modeling, and assessment	5
Taxonomy	3

, and the corresponding papers are described in their respective subsections. Few papers covered more than one of these questions in depth, and several papers covered none of them. The disjunct nature of these clusters can be taken to mean that the research areas are only weakly interrelated in current practice.

The level of prominence afforded to CCD in the paper was evaluated, and the papers were categorized according to whether they took cyber collateral damage as their main topic (numerically represented as 3), whether they repeatedly or deeply touched upon the topic (2), or whether they mentioned it only briefly or in passing or discussed collateral damage without distinguishing it as a separate topic (1). The distribution of papers according to prominence is given in

Table 3. Prominence of CCD as a subject in selected papers.

Level of Prominence	Papers Found
Main topic of paper (3)	30
Deeply explored or recurring topic (2)	22
Limited analysis of topic (1)	22

.

The included papers and their respective levels of prominence are listed in Table A2. The rest of Section 4 describes each category of papers listed in Table 2 in turn and describes the relevant contents of each paper with a prominence rating of two or higher. The following subsections begin with tables (

Table 4. Key “legal” category papers.

Authors	Year	Title
Dinstein Y.	2012	The principle of distinction and cyber war in international armed conflicts
Romanosky S., Goldman Z.	2017	Understanding Cyber Collateral Damage *
Schmitt M. N.	2019	Wired warfare 3.0: Protecting the civilian population during cyber operations
Geiß R.; Lahmann H.	2012	Cyber Warfare: Applying the Principle of Distinction in an Interconnected Space
Droege C.	2012	Get off my cloud: cyber warfare, international humanitarian law, and the protection of civilian
O’Donnell B.T.; Kraska J.C.	2003	Humanitarian Law: Developing International Rules for the Digital Battlefield
Brenner S.; Clarke L.	2017	Civilians in Cyberwarfare: casualties
Pascucci P.	2017	Distinction and Proportionality in Cyber War: Virtual Problems with a Real Solution
Normelli N.	2021	Proportionality in Attack on Data: Balancing Military Advantage and Collateral Damage in Cyberspace
Schmitt M. (ed)	2017	Tallinn Manual 2.0 on the International Law Applicable to Cyber Warfare *
Jensen E.T.	2003	Unexpected Consequences From Knock-On Effects: A Different Standard for Computer Network Operations?
Bannelier K.	2021	Is the principle of distinction still relevant in cyberwarfare? From doctrinal discourse to States’ practice
Ducheine P.; Van Haaster J.	2014	Fighting power, targeting and cyber operations
Schmitt M.N.	2002	Wired Warfare: Computer Network Attack and Jus in Bello
Dinstein Y.; Dahl A.W.	2020	Oslo Manual on Select Topics of the Law of Armed Conflict, Section II: Cyber Operations
Wang Q.	2014	Applicability of Jus in Bello in Cyber Space: Dilemmas and Challenges
Jensen E.T.	2009	Cyber Warfare and Precautions Against the Effects of Attacks
Sklerov M.	2009	Responding to International Cyber Attacks as Acts of War
Wingfield T.	2009	International Law and Information Operations
Schreier F.	2015	On Cyberwarfare

and

Table 5. Key “targeting” category papers.

Authors	Year	Title
Hare F.B.	2019	Precision cyber weapon systems: An important component of a responsible national security strategy?
Maathuis C.; Pieters W.; Van Den Berg J.	2018	Assessment Methodology for Collateral Damage and Military (Dis)Advantage in Cyber Operations
Orye E.; Maennel O.M.	2019	Recommendations for Enhancing the Results of Cyber Effects
Fanelli R.; Conti G.	2012	A methodology for cyber operations targeting and control of collateral damage in the context of lawful armed conflict
Acton J.	2017	Cyber weapons and precision-guided munitions
Bellovin S.M.; Landau S.; Lin H.S.	2017	Limiting the undesired impact of cyber weapons: technical requirements and policy implications
Lawson E.; Mačák K.	2020	Avoiding civilian harm from military cyber operations during armed conflicts
Libicki M.C.	2021	Cyberspace in Peace and War *
Maathuis C.; Pieters W.; van den Berg J.	2021	Decision support model for effects estimation and proportionality assessment for targeting in cyber operations
Hirsch C.	2018	Collateral damage outcomes are prominent in cyber warfare, despite targeting
Couretas J.M.	2022	Cyber Offense and Targeting
Smart S.J.	2011	Joint Targeting in Cyberspace
Ducheine P.; Van Haaster J.	2014	Fighting power, targeting and cyber operations

) listing key papers in the described categories, with some papers appearing in multiple categories.

4.2. Legal Aspects of Cyberwarfare and the Permissibility of Collateral Damage

The largest cluster found in the search encompasses papers that investigate the legal permissibility of offensive cyber operations and of civilian harm in their conduct. This topic is most often framed in terms of the legal constraints placed upon cyberwarfare by the laws of armed conflict and international humanitarian law. Foundational overviews that describe legislation and boundaries are given by Schmitt [25], Hathaway et al. [30], Dinstein [14], Wingfield [31], Sklerov [32], and Wang [33]. There is general agreement that offensive cyber operations fall under the legal definition of “attack” in cases where they “entail loss of life, injury to human beings or tangible damage to physical property” [14].

Several papers also consider the circumstances that cause an OCO to rise to the threshold where it can be considered a “use of force” under the standards of international law, thus being cause for redress or a proportional response in kind. This significant question is central to the Tallinn Manual [8] and is based on earlier work by Schmitt [25,34], Jensen [35], and Wingfield [31]. The analysis of such an attack can be performed using seven criteria defined by Schmitt to evaluate whether it rises to the “use of force” threshold [34]. These attacks can incur collateral damage in the legal sense, i.e., by causing disproportionate or undistinguished harm.

The publication of the Tallinn Manual divided research into “before” and “after”. Some of the work conducted prior to the publication of the Manual has fallen by the wayside, e.g., that of O’Donnell and Kraska [36]. Subsequent scholarship has been able to draw upon the Manual when analyzing CCD, either by using it, building upon it, or critiquing it [37]. Further analysis of the legal criteria of proportionality (Rule 14) and distinction (Rule 31) is provided by Normelli [38], Pascucci [39], Bannelier [40], Beard [41], and Geiß and Lahmann [42]. These papers are strictly concerned with the interpretation and application of the laws of armed conflict. A broader view of the consequences for civilians in a cyberwarfare context is given by Jensen [43], Brenner [44], Schmitt [45], and Droege [46]. The interconnectedness of the cyber realm and the high and increasing number of dual-use systems such as cloud platforms and undersea communication cables to provide critical infrastructure mean that the current law may not be sufficient for this task. In addition, while some nations have accepted that cyberwarfare is warfare and should be regulated as such, this view has not been universally accepted. No cases have yet been tried under international law. Unless non-aligned nations show interest in a cyber treaty [46] or in the voluntary regulation of cyberwarfare, the value of the Manual will be limited.

While the first Tallinn Manual concerned cyberwarfare in isolation, more recent work on the laws of war has been performed from the perspective of integrating the regulation of cyber operations with that of other operations with high risks of collateral damage, such as air and missile warfare. The legal frameworks regulating aerial attacks are regularly cited as sources of comparison in the application of the laws of war to the cyber domain [14,33]. The Oslo Manual on Select Topics of the Law of Armed Conflict, published in 2020, also includes a chapter on combined conventional–cyber operations [47].

The laws of armed conflict have a high level of international respect and recognition within the rule-based order. Public perception of the undesirable impact of war is, however, often counted in lives lost, whereas cyber operations typically cause great economic damage but little or no loss of life. This causes a gap between law and perception, which is not accounted for in legal study and is predicated upon the equally unlawful nature of property damage and the loss of life. Thus, cyber conflict brings with it increased challenges—or, some would say, opportunities—of attribution and deterrence. There is a natural desire to apply laws and doctrines perceived to be reliable and efficient to solve these challenges in other contexts than armed conflict. Romanosky and Goldman take a notable step in this direction by exploring the ability to transfer military law and doctrine to law enforcement [13]. Their analysis is notable for being the first to define cyber collateral damage as a term.

Finally, a quote from Dinstein [14] summarizes perhaps the greatest challenge when considering collateral damage in a cyber context from a purely legislative perspective: “The difficulty is that military advantage and civilian casualties have no common denominator.”

4.3. Targeting in Cyber Operations—Collateral Damage Considerations

Another significant cluster of research concerns the targeting of cyber operations against desired targets only. Papers within this cluster consider how a cyberweapon can be targeted, or a cyber operation conducted against a specific and delimited target, in such a way as to minimize collateral effects. Most of this research starts by formally defining a basis for the evaluation of intended and unintended consequences. Fanelli and Conti [48]; Ducheine and van Haaster [49]; Maathuis, Pieters, and van der Berg [17]; and Orye and Maennel [50] all present such definitions. Notably, these definitions are significantly different. There are three main points of agreement:

• No commonly accepted definitions exist for concepts like “cyberwar”, “information war”, or “collateral damage”;
• Collateral damage is undesirable and illegal and must be taken into account; and
• Cyber effects are difficult to measure.

Stuxnet, a “game-changing” cyberweapon [51], famously included several failsafes to protect against unintended harm. This is one of the foundational observations inspiring the argument that OCOs can and should be developed discriminately, i.e., that it is both required by the laws of armed conflict and technically possible to do so. Hirsch [52] describes the failure of such mechanisms, leading to indiscriminate and virus-like spread, as a loss of integrity. Most authors take a legalistic approach to targeting, noting the existence of laws, and implicitly assume that they are there to be followed. Fanelli and Conti [48]; Cavaiola, Gompert, and Libicki [53]; and Acton [54] all note that a more prosaic reason exists for precise targeting and stealthy operation: to increase cyberweapons’ efficiency and to avoid escalation and retaliation.

One of the most well-used targeting frameworks is the Joint Targeting Cycle [7], as shown in Figure 5. The idea of applying this to the cyber domain has been independently proposed by Ducheine and van Haaster [49], Smart [55], Couretas [56], and Monge and Vidal [57]. Their motivation is that the use of such a framework would create specified and mandatory steps to calculate and predict collateral damage before operations are conducted and ensure that the collateral outcomes are assessed after them.

Finally, a reverse approach to targeting is the identification of attack modalities that have an increased risk of collateral damage. Libicki [58] presents a list of five such modalities, shown in

Table 6. High-risk cyberattack modalities, adapted from Libicki [58].

Attack Modality	Collateral Damage Risk
Replicating attack vectors	Complicated and expensive clean-up
Drive-by attacks	Scattershot approach, many unintended targets
Supply chain attacks	Scattershot approach, many unintended targets
Third-party DDoS (bots)	Use of third party causes unpredictable results
Flooding attacks (DDoS)	Spillover to adjacent systems/networks

.

The following subsections once again begin with tables (

Table 7. Key “ethical” category papers.

Authors	Year	Title
Hare F.B.	2019	Precision cyber weapon systems: An important component of a responsible national security strategy?
Kaminska M.	2021	Restraint under conditions of uncertainty: Why the United States tolerates cyberattacks
Rowe N.C.	2010	The ethics of cyberweapons in warfare
Rowe N.C.	2007	Ethics of cyber war attacks
Cobb S.; Lee A.	2014	Malware is called malicious for a reason: The risks of weaponizing code
Denning D.E.; Strawser B.J.	2014	Moral Cyber Weapons
Rowe N.C.	2016	Challenges of Civilian Distinction in Cyberwarfare
Lucas Jr. G.R.	2014	Permissible Preventive Cyberwar: Restricting Cyber Conflict to Justified Military Targets
Acton J.	2020	Cyber Warfare & Inadvertent Escalation

,

Table 8. Key “econometric” category papers.

Authors	Year	Title
Hare F.B.	2019	Precision cyber weapon systems: An important component of a responsible national security strategy?
Sigholm J.; Larsson E.	2014	Determining the utility of cyber vulnerability implantation: The heartbleed bug as a cyber operation
Rowe N.C.	2016	Challenges of Civilian Distinction in Cyberwarfare
Sigholm J.; Larsson E.	2021	Cyber Vulnerability Implantation Revisited
Kohler K.	2022	Cyberneutrality: Discouraging Collateral Damage
Larsson E.; Sigholm J.	2024	Towards Econometric Estimation of the Cost of Cyber Conflict

and

Table 9. Key “CDE” category papers.

Authors	Year	Title
Maathuis C.; Pieters W.; Van Den Berg J.	2018	Assessment Methodology for Collateral Damage and Military (Dis)Advantage in Cyber Operations
Orye E.; Maennel O.M.	2019	Recommendations for Enhancing the Results of Cyber Effects
Maathuis C.; Chockalingam S.	2023	Tackling uncertainty through probabilistic modelling of proportionality in military operations
Maathuis C.; Pieters W.; van den Berg J.	2020	Decision support model for effects estimation and proportionality assessment for targeting in cyber operations
Maathuis C.	2021	Effects Assessment for Targeting Decisions Support in Military Cyber Operations

) listing key papers in the described categories.

4.4. Ethical Aspects of Collateral Damage from Offensive Cyber Operations

Although ethical considerations might seem to be key to all discussions of collateral damage, only a subset of papers have taken them as their primary concern. These papers investigate how to conduct cyber operations ethically in order to reduce the risk of collateral damage. Under the assumption that “cyberwarfare is warfare” [8], the context of the so-called Just War Theory applies [59,60]. This theory stipulates that wars must be started for morally justifiable reasons and conducted ethically. Cyberweapons must thus be designed with ethics in mind and used in an ethical manner against permissible targets [61,62]. Denning [59] further notes that, in the ideal case, the use of cyber capabilities would reduce the collateral damage caused by any given operation compared to conventional warfare.

The cluster of papers considering ethical issues is adjacent to that of targeting, as improved targeting would reduce collateral damage, and perfect targeting would eliminate it entirely—solving key ethical issues. Of course, one can never assume perfect targeting and must thus consider the ethics of the inevitable collateral effects. This seemingly fundamental line of reasoning is brought forward by both Rowe [63] and Hare [29], respectively. They note that the promise of action at a distance is also a curse due to the large range of operations, with difficulties in remotely identifying the context of any target.

Hare also quotes one US official stating, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks” [64]. This threat implies both dominion over the kinetic domain and the use of precision-guided munitions (PGMs). Acton [54] and Hare [29] both note the similarity between PGMs and “sophisticated” cyberweapons. While the legal similarities have already been noted, the evolution of PGMs was also accompanied by a discussion of the potential for improved discrimination and more ethical conduct in war, and research into ethical cyber operations appears to follow a similar path [65].

Both legal and ethical challenges are raised by the fact that cyber operations often involve perfidy, i.e., the obfuscation of the military origins of an attack or the impersonation of civilians [25,63,66]. This is desirable in terms of military utility, both by improving the chance of mission success and by making attribution more difficult [63]. The normalization of such unethical practices raises long-term questions regarding the credibility of regular armed forces operating in cyberspace. Similarly, many operations utilize weaponized malware or newly developed military malware. Although these tools are designed not to spread uncontrollably, malware is called malicious for a reason [67]. Many tools making use of undisclosed vulnerabilities have been found in the wrong hands, with few official comments on improved practices to reduce this societal risk [68].

4.5. Econometric Aspects of Cyber Collateral Damage

An inherent challenge in comparing military utility and collateral damage is that they use very different metrics. Militaries do not generally assign a value in dollars and cents to targets on the battlefield, and many modern wars have seen munitions with the same production cost as a family car fired against combatants who could not afford one. Few studies attempt to rigorously quantify the economic costs of cyber operations, let alone CCD. Historically, the economics of war have been studied with the goal of increasing the capacity of nation states to wage war more effectively and obtain better value for money [69]. More recently, econometric models have been developed to quantify the societal costs of warfare [70]. These have not yet been broadly adapted to the cyberspace domain, but several papers discuss the costs of conducting cyber operations, both directly and to society. Levine lists some direct costs of two cyber operations [71]. Sigholm and Larsson [72,73] present a longitudinal study aiming to understand the cost–benefit tradeoff when implanting vulnerabilities into civilian or dual-use software. Pulling together data on the early phase of the Ukraine conflict (2014–2021) from various sources, Larsson and Sigholm propose a method and demonstrate its applicability in conducting an economic bottom-up assessment of societal harm from cyberwarfare [74].

It is common to translate concepts from the physical world and conventional operations to the cyber domain. Kohler observes that there is a long-standing practice of compensating for collateral damage in neutral territories [75]. This nicety does not necessarily extend to the combatants themselves, as their compensations are typically settled in a negotiated peace agreement. Recently, the concept of gaining protection by moving information operations to a neutral and protected territory has been realized in Ukraine, by rapidly migrating data to safe harbor countries. In addition to greatly increased protection against cyberattacks, this has provided a conduit for economic support and sponsorship [76]. A full account of the economic dimension of cyber operations in this ongoing conflict is yet to be provided.

4.6. Collateral Damage Estimation, Modeling, and Assessment

Well-established models exist for the estimation of collateral damage in a structured and formalized manner for conventional, kinetic operations [77]. These are mature enough that the US Armed Forces provides a straightforward five-day course to teach and certify collateral damage estimation [78]. Another indicator of maturity is that the same concepts and frameworks are used both by US and EU forces, e.g., using the model shown in Table 10 and Figure 6.

Unclassified research applying these concepts to the cyber domain and specifically to OCOs is both scant and rife with scope limitations and qualifying statements. Romanosky and Goldman [13] note that “[in] cyber and cyber-physical systems […] collateral effects can be much more difficult to predict, rendering ineffective traditional approaches to collateral damage estimation”. Nevertheless, a method or model is necessary. Orye and Maennel [50] adapt a US questionnaire with several qualitative questions to consider before attacking, offering a simple but robust approach. Two further models are given by Maathuis, Pieters, and van der Berg [17,18] and Fanelli and Conti [48]. Both take the same approach, dividing the effects into planes (temporal, geospatial, logical, etc.) and evaluating these along an axis from worse to better. The authors of [17] closely follow the five-step approach used in conventional collateral damage estimation, but also assess military advantages and disadvantages. Finally, Maathuis and Chockalingam [79] and Maathuis [80] have given the most ambitious models for the assessment of CCD. They propose using probabilistic and ML-assisted methods to estimate the effects of cyber operations to ensure that the collateral effects are proportional to the military utility.

Table 10. Collateral damage estimation process, adapted from European Union Military Committee (2016).

Process Step	Description
CDE 1	Target validation, initial assessment
CDE 2	General, target size assessment
CDE 3	Weaponeering assessment
CDE 4	Refined assessment
CDE 5	Casualty assessment

Table 10. Collateral damage estimation process, adapted from European Union Military Committee (2016).

Process Step	Description
CDE 1	Target validation, initial assessment
CDE 2	General, target size assessment
CDE 3	Weaponeering assessment
CDE 4	Refined assessment
CDE 5	Casualty assessment

Figure 6. Collateral damage estimation model, adapted from [81].

Figure 6. Collateral damage estimation model, adapted from [81].

The following subsections once again begin with tables (

Table 11. Key “taxonomy” category papers.

Authors	Year	Title
Raymond D.; Conti G.; Cross T.; Fanelli R.	2013	A control measure framework to limit collateral damage and propagation of cyber weapons
Bertoli G.; Marvel L.	2017	Cyberspace Operations Collateral Damage-Reality or Misconception?
Rowe N.C.	2021	Distinctive ethical challenges of cyberweapons

and

Table 12. Key papers outside categories.

Authors	Year	Title
Smeets M.	2018	The Strategic Promise of Offensive Cyber Operations
Lawson E.; Mačák K.	2017	Avoiding civilian harm from military cyber operations during armed conflicts
Rowe N.C.	2010	Towards reversible cyberattacks

) listing key papers in the described categories.

4.7. Taxonomies of Cyber Collateral Damage

In order to describe the different causes and types of CCD, taxonomies are given by Rowe [63], Raymond et al. [82], and Bertoli and Marvel [83]. While this cluster contains only three papers, it is a key requirement in theorizing CCD research. Their respective models are noticeably dissimilar—the first two each consider a list of distinct factors, which can be unified into the following:

• Direct collateral damage;
• Errors in targeting;
• Costs of recovering from direct damage due to a cyberweapon;
• Costs of attack propagation;
• Costs of attack analysis and the development of mitigation measures;
• Psychological damage;
• Costs of vulnerability disclosure.

Bertoli and Marvel [83] take a different approach, simplifying and mapping Rowe’s categories [63] into four interacting contributing factors, as shown in Figure 7.

4.8. Notable Contributions Outside Categories

A few papers consider notable aspects of CCD outside the identified categories and themes. Three such papers are described in this section.

While OCOs can be and have been conducted to achieve operational and tactical goals, they are often considered in terms of strategic effects. In particular, Smeets [84] and Lawson and Mačák [85] consider the outsized impacts of cyber operations when utilized against critical infrastructure such as electric grids, water networks, and hospitals. The potential for immediate action at a geographically great or unbounded range, the need to prepare and stockpile vulnerabilities in advance of an attack, and the risk of impacting significant areas around the target are similar to those of nuclear capabilities primarily kept in reserve as deterrence. On the other hand, Smeets argues that the potential for precise strikes with low collateral damage provides an extra option for state leaders. Unlike conventional attacks, one could imagine drawing upon crypto-ransomware to render the damage from cyberattacks reversible [86]. This would both reduce the hesitation felt when ordering an attack and make it possible to reduce collateral damage by selectively reversing the effects on civilian targets.

4.9. Bibliographic Analysis

A bibliographic analysis of the reviewed papers was performed against four different metrics: the number of papers published in each year, key publication outlets, the number of citations, and the clustering of internal references between the papers in the review.

The number of papers published in each year from 1998 to 2024 is shown in Figure 8. The overall number of papers on CCD greatly increased after the mid-2000s, but the research interest has decreased to a low but consistent level. It is possible that this is because of a temporary peak in interest after the Stuxnet operation. Understanding and regulating cyber operations using a military context, as well as the laws of armed conflict, is naturally more attractive when more such operations are being conducted. If so, it would be reasonable to expect renewed interest in CCD as more such cyber operations are conducted in the Russo–Ukrainian war.

Of the 74 papers in the review, no more than seven were published by any single publication outlet, and only six publication outlets had more than one included publication (Figure 9). While the NATO-sponsored International Conference of Cyber Conflict (CyCon) and the various conferences of the Conference on Cyber Warfare and Security (previously the Conference of Information Warfare and Security) are undoubtedly the most important publication outlets in this field, there is a considerable number of conferences, journals, books, and reports. Excluding books and reports, this review considers papers from 28 different journals and conference proceedings. Although a previous literature review [19] exclusively utilized the proceedings of a single conference, doing so cannot be recommended. Of the journals identified in this review, the Journal of Cybersecurity is notable for recognizing the inherently interdisciplinary nature of the cyber domain and encouraging a broad range of submissions.

As noted in Section 4.3, legal papers were the most common category found in the survey. Considering the category of the most referenced papers, papers investigating law applied to cyber operations are once again the most numerous. The numbers of citations for the ten most cited papers in the survey are given in Figure 10. The two most cited authors in the survey are Michael Schmitt and Eric Talbot Jensen, each representing two of the ten most cited papers, with the Tallinn Manual also being edited by Schmitt. Six of the ten most cited papers are legal works, while another three are textbooks or articles, providing a broad overview of the field of cyberwarfare.

The relationships between the papers in the survey were also visualized using a reference graph (Figure 11). Papers were clustered in the graph using the Yifan Hu layout [87], which uses a physics-based model to minimize the energy of the system and thus the distance between interconnected nodes. The layout positions the Tallinn Manual (23 references) in the center. The lower half is dominated by other legal works referencing Schmitt 2002 [25] (14 references) and Schmitt 1998 [34] (10 references). All but one of these references predate the publication of the Tallinn Manual, indicating that it has replaced them as a work of reference on cyber law. The papers in the legal CCD category generally show a much higher level of reference interconnection, indicating that this research area is a true community.

The upper-left quadrant has a significant cluster around Romanosky and Goldman [13] (nine references). The typical context for these citations is to explain the cyber–physical nature of CCD, where a cyberattack has collateral effects on real-world services and equipment. Finally, the upper-central area shows the interconnection between the works of Clara Maathuis, one of few researchers predominantly working with CCD.

5. Discussion

This section identifies trends and gaps in the current research and highlights opportunities for synthesis and future research.

5.1. Research Trends and Gaps

The papers were categorized into six emergent categories. Overall, 63 out of 74 papers covered material from one or more of these categories. Of these, only seven papers covered more than one category. This unidisciplinary approach to the field means that some of the intersections between categories offer areas to explore. Well-researched interfield areas include those between cyber law and cyber ethics and between cyber law and targeting, but no paper in the review had interdisciplinary coverage between targeting and financial estimation, e.g., by using econometric methods like bottom-up accounting in the planning phase of an operation in order to estimate and reduce the economic value of the expected collateral damage. Another notable gap is that concerning multidisciplinary studies assessing which of the many possible responses was most appropriate to a given attack—each paper assessed the possibilities narrowly, in terms of a given category of inquiry.

The expansion and contraction of the research field over time shows both trends and gaps. A clear, underlying theme of CCD research as a whole is the importance of targeting—an issue that is repeatedly mentioned, even in papers that are not targeting-centered (e.g., [29]). It can be stated that the single most important area of improvement to OCO methodologies to reduce collateral damage is improved targeting. A simple (or naive) approach would be applying the Joint Targeting Cycle to all cyber operations, i.e., as proposed by Ducheine and van Haaster [49] and Monge and Vidal [57]. The interface between open research and military methodologies for targeting is opaque, but declassified documents from US Cyber Command show that this approach was considered and rejected in 2016. The reasoning was that the JTC is “optimized for lethal effects but sub-optimized for nonlethal effects” [88]. Implicit in this reasoning is that virtuous combatants actively wish to avoid collateral damage and would use tools and techniques that were developed for this purpose. While classified methods and processes to estimate, control, and minimize CCD undoubtedly exist among the world’s militaries, it bears considering whether the net benefit of open international collaboration is greater than the operational risk of disclosing these methods. Policymakers should not wait for such collaboration but should ensure that national cyber doctrine contains language that directs and requires cyber operations to be conducted using a formalized and explainable process for targeting. Such language is often missing today, while some doctrines make explicit reference to conducting offensive operations “below the level of armed conflict” [89].

The origin of many cyber operations is never discovered. Even if the originating country can be determined, it is not always clear whether the operation was conducted by the country’s military, by a civilian intelligence agency, by state-backed civilians or consultants, or by cybercriminals. Even when the originating actor is known, classifying them is not always straightforward. In the Ukraine conflict, a volunteer “IT army” of some 200,000 individuals was formed using a Telegram channel [90]. Elements of this IT army were able to disrupt Russian food production using a denial-of-service attack against a critical support system [91]. Indeed, cyberattacks on national critical infrastructure have become “a staple of statecraft” [85]. Is this collateral damage? Under the strict legal and doctrinal definition, it is not. The majority of papers analyzed here implicitly or explicitly adhere to this definition, while most civilian harm from OCOs falls outside it, stemming instead from operations explicitly directed against civilian targets. There is an active discussion on the militarization of the cyber domain, with Lin, Allhoff, and Abney [92], Libicki [58], Backman [93], and others contending that OCOs should generally be considered a civilian and societal problem. It is certainly the case that stakeholders within urban critical infrastructure must prepare for state-sponsored cyberattacks, as seen when the 2017 WannaCry attack disrupted hospitals across the world [94,95]. There is a contradiction that must be resolved when the majority of OCOs fall outside the rule-based international order and defense research is tasked to ignore them but where public perception indicates that these operations are a national security issue. Polling or interview studies to assess public opinion, as well as a case-based overview of each response domain and mechanism (sanctions, litigation, technical blocks, military response and deterrence, etc.), would help to inform policy.

Another research gap concerns the economic and econometric analysis of offensive cyber operations. Research on defense economics has traditionally been concerned primarily with achieving the greatest possible military capability at a given level of spending [69]. Conducting a cost–benefit analysis on defense investments requires a reliable and efficient way to measure and compare the costs and benefits. Previous research on military cost–benefit analysis has used the Value of a Statistical Life (VSL) as a measure of benefits [96]. As an example, force protection measures such as the armor plating of vehicles can be directly compared in terms of the additional cost for the statistical value of lives saved [97]. Transferring these concepts to the cyber domain is not straightforward. For cyber incidents, there is considerable research aimed at quantifying the total damage to the afflicted organization, e.g., from industry estimates or by utilizing the Real Cyber Value at Risk model [74,98]. The cost of conducting an offensive operation is less well understood due to operational secrecy, but a few cost estimation models can be found. As an example, the RAND Corporation used the darknet pricing of exploits to model cyberweapon acquisition costs for the United States Marine Corps [99]. The data availability problem can also be bypassed by considering only the smaller question of the collateral cost to military benefit. An analysis of the benefit of military operations in general and cyber operations specifically has recently been proposed in terms of their military utility [100,101,102]. This analysis is qualitatively driven, leading to a lack of numerical comparisons of the cost to benefit. In addition, the well-explored VSL model is a poor fit for operations where loss of life is rare. Further developing a quantitative approach to the utility of cyber operations would enable cost–benefit analysis and an opportunity for more informed decision making when considering whether to conduct a cyber operation.

Only three papers contain taxonomies of the types and causes of CCD. This could indicate that thinking on the issue is now mature, and it is certainly possible that the work of Bertoli and Marvel [83] will be the last word. Unfortunately, they illustrate their model with an example from outside the cyber domain, and, in fact, no author has applied their taxonomy to a real-world operation. A study mapping concrete cases to this taxonomy would illustrate the validity and completeness of the model. A similar case study that could be used as a reference is that in [37], where the authors performed a critical analysis of the applicability and value of the Tallinn Manual, investigating how it corresponds to 11 different OCOs.

Finally, it is worth considering which of the reasons for the development and use of cyber capabilities cause the greatest amount of CCD. As noted by Cavaiola, Gompert, and Libicki [53] and others, OCOs can be conducted at a greater range of intensity than conventional operations. This range also translates into public perceptions of the seriousness of the attack. National differences in attitudes to total war influence what is considered acceptable CD, as does the naming and identification of victims [103]. Many actors are clearly interested in cyber capabilities that can be used without raising the temperature of a conflict in the public eye, as well as in below-threshold capabilities that extend soft power. A potential research question to investigate is how these capabilities differ from general and/or above-threshold capabilities technically, psychologically, and in terms of cost and benefit. While the public may find more discrete capabilities and operations palatable, there is also an increased risk of leaks and diplomatic fallout involved in zero-day hoarding, self-replicating weapons, and perfidy. The debate on the tradeoff between cyber capability cost and value will only increase as the relationship between these aspects becomes better understood.

5.2. Legal Responses to Cyberattacks in Theory and Practice

The 2007 Estonian cyberattacks and the 2010 Stuxnet attack accelerated the creation of the first version of the Tallinn Manual. It was aimed at describing the application of the laws of war to cyberwarfare, i.e., when cyberattacks rise above the use of force threshold defined by Article 2(4) of the UN Charter [34]. The absence of such attacks informed the second version of the Manual, which broadened its scope to address attacks below this threshold [37]. The original precept of the Manual that “cyber warfare is warfare” can correspond to some real-world conditions, such as the 2022 invasion of Ukraine. On the day of the invasion, kinetic warfare was combined with denial-of-service attacks on government agencies, but also with a malicious update disabling Viasat satellite modems in civilian use. As a result, multiple Ukrainian government agencies moved their digital services to US-owned cloud services in NATO-affiliated countries [76]. This digital exodus has proved effective in protecting them from the most overt and easily attributable cyberattacks, but exploratory and clandestine operations by state-backed actors continue, with Microsoft listing attacks by 14 such actors in 2024 [104].

While the Viasat attack and the Notpetya ransomware attacks directly targeted civilians for military gain, the 2010 Bangladesh Bank cyber robbery and the 2017 WannaCry ransomware attacks on urban critical infrastructure, which have been formally attributed to North Korea, do not fit neatly into the conventional understanding of the interstate use of force. Nevertheless, local governments are under constant cyberattack [95]. In general, the legal publications reviewed have not addressed these grey-zone attacks [30], and, in practice, these attacks have so far been met with diplomacy (e.g., sanctions) rather than with legal challenges or missiles. The continuing gap between legal understanding and reality has not gone unnoticed. NATO CCDCOE is developing the Tallinn Manual 3.0 under a five-year project running from 2021 to 2026. While this program should consider the callous disregard of civilian harm displayed in the cyberattacks in the Ukraine conflict, it is not clear that a NATO program is the right forum to address state-backed cybercrime against banks and civilian targets for purely financial gain. In the absence of a specific treaty on conduct in cyberspace, as called for in [46], a separate organization should be integrated into the Tallinn 3.0 process and take a coordinating role when considering below-threshold attacks of a strongly suspected interstate nature. Although these attacks are crimes and could be within the remit of INTERPOL or the United Nations Office of Drugs and Crime (UNODC), it has become common practice to see cyber conflict resolution take the form of sanctions and diplomacy [105]. Reflecting this reality, the UN has established an Open-Ended Working Group on information and communication technologies [106]. This working group is already tasked with investigating responsible state behavior in cyberspace and could add a much-needed component of norms and diplomacy to the Tallinn process.

5.3. The Use of AI in Collateral Damage Estimation and Assessment

Some of the most recent papers in the review have been tied to the emergence of deep learning and generative artificial intelligence and its applicability to cyber operations [107,108]. While this area of research was not yet common enough among the papers reviewed to draw broader conclusions from existing research, AI and ML are areas of greatly increasing research interest and have considerable applicability to cyber operations. Some of the most promising areas for AI/ML implementation include precisely those fundamental to reducing collateral damage: decision support systems for improved targeting, as well as explanatory tools to verify the legality of proposed actions. Within the domain of privacy research, multiple research tools exist for AI-assisted compliance verification, e.g., as it pertains to GDPR [109]. This type of tool could assist or replace the “lawyer in the loop” necessary to set rules of engagement (ROE), identify and assess targets, or determine the permissibility of attacks in both cyber and conventional cases. The use of AI tools when there is a risk of human harm introduces an explainability challenge when these tools are based on black-box reasoning, making the system’s basis for determination opaque. Explainable AI (XAI) tools provide a solution to this dilemma, but at the cost of reduced accuracy compared to deep learning systems [110]. These systems are designed to be explainable, transparent, and interpretable and can provide not just a decision by itself but an accompanying chain of reasoning, which can be followed and verified. The significant research effort devoted to the use of XAI in other high-risk fields, such as clinical decision support, could be recontextualized for cyber ROE. At present, state-of-the-art XAI decision support systems are not able to reliably explain all cases encountered [111]. Nevertheless, an AI-proposed solution is likely to save work compared to manually producing one for each operation.

The development of AI tools for a cyberwarfare context requires training data, which can be sensitive or classified. This secrecy increases the risk of bias in decision making, where current process biases are replicated by the system. As the open and external verification of the decision making is untenable from a security perspective, developers should ensure that AI systems used for decision support are also trained on appropriate ethical frameworks, e.g., by setting the Just War Theory as a guardrail.

Previous studies applying ML tools to collateral damage assessment and estimation have noted the limited number of existing models that can be directly applied to machine-based evaluation [79,80]. When developing a system using human and AI elements for decision making, there is a risk that important value judgements are performed as part of data entry, e.g., when coding the CD potential as high, medium, or low for a specific operation, as in [79]. The decision basis generated by the system may seem credible due to the use of advanced technology when, in practice, a simpler lookup or heuristic would have been possible using the coded inputs provided by an experienced system operator. The value of AI decision support is increased when it can replicate, replace, or offload these operators and form independent value judgements. Doing so in an explainable way has the potential both to reduce the work of CD assessment, improve targeting, and lessen the collateral impacts of operations.

5.4. Future Research Opportunities

The vast majority of CCD research is derived from first-principles thinking based on law and doctrine. Open datasets of OCOs exist [112,113], but they have barely begun to be used for empirical and quantitative studies. A future research agenda would benefit from taking these real-world data into greater account when assessing societal impacts. Similarly, several interesting methodologies have been proposed for targeting, damage modeling, and assessment [17,18,48,50]. Few, if any, of these models have been tested in simulations or using real-world data. A scenario-based simulation study comparing two or more models could provide an open discussion for the betterment of cyber doctrine. Mining datasets to understand the where, when, who, and why of OCOs would also provide a fuller picture of the research avenues. A starting step could be the verification of the analysis recently provided by the Cyber Peace Institute [113], using the methodology provided in [114]. A similar analysis for the period of 2013–2021 was performed in [74] by applying econometric methods (bottom-up accounting and counterfactual analysis) to the cyber domain. The continuation of this study in interdisciplinary collaboration with economists would ensure the rigor and validity of the results. The broader study of the economic cost of cyberattacks to critical infrastructure and local governments would add additional value, but the challenge of distinguishing attributable cyber operations from for-profit ransomware complicates the picture. Nevertheless, research that reproduces or improves on the cost estimates provided by industrial reports and “grey literature” (e.g., [2,104]) would add considerably to the understanding of the societal cost and risk.

While the retroactive econometric estimation of collateral damage can identify the human and hidden costs of cyberwarfare, collateral damage estimation models can reduce or obviate these costs by setting cyber ROE and helping to select the right missions and targets. As noted by Romanosky and Goldman [13], traditional approaches to collateral damage estimation are ineffective for cyber operations. Their proposed collateral damage estimation model is valuable in being simple and robust, but one of the steps of the model is considering the question, “What is my new estimate of the range of collateral effects to data, computing, or IT systems?”—a question that itself requires a sub-model of considerably greater scope and complexity to answer. This research area also provides an opportunity for improved national cyber policy, i.e., by requiring each operation to be followed up with an estimation of the collateral damage caused. Performing such analysis as part of a battle damage assessment (BDA) is already routine, and there is no reason that it should not be included when operating in the cyber domain.

6. Conclusions

The purpose of this paper was to provide a systematic literature review of research on collateral damage in the cyber domain. It is clear from the newness and limited number of papers found directly from the keyword search that the field is still in a developing phase. This research area can primarily be categorized into legal, ethical, targeting-oriented, and econometric papers, as well having some smaller amounts of research in the areas of collateral damage estimation and taxonomy. Legal scholarship on CCD is the most well-developed and interconnected category. Interdisciplinary papers straddling two or more categories are rare, and the potential for an improved understanding of CCD and civilian harm through collaborative work across categories is considerable.

By improving our understanding of CCD, the end goal should be to reduce it. At present, there is still more work to be conducted in understanding it, especially beyond the legal context. A major limitation in delimiting and scoping CCD research is the understanding of how “collateral damage” is used as a term. Public perceptions of cyber operations extend across cyber crime, warfare, espionage, sabotage, subversion, and illegal attacks against civilian targets. While the laws of armed conflict would protect these targets, these laws apply only to military cyber operations conducted on a “use of force” level, as understood under the Geneva Convention. Most attacks are conducted below this threshold. A convenient response is to restrict the domain of research to the most well-regulated and exclude the majority of real-world cyber operations [115]. This strict compartmentalization of collateral damage as distinct from civilian harm is useful for research but does not reflect public perception. The proposal by Droege [46] and Romanosky and Goldman [13] to expand international law so that it covers cyber operations conducted under civilian auspices could be effective in reducing civilian harm. Alternatively, a cyber treaty or resolution mechanism under the auspices of the United Nations could reduce the number and impact of operations conducted below the threshold of warfare. In addition, the diplomatic resolution of low-level cyber conflict should be further integrated via the Tallinn 3.0 process.