Information and communication technologies (ICTs) on the positive side bring profound changes through convergence, increased globalization, and access to ubiquitous computer networks. The benefits of ICTs are colossal and have reshaped economies, connected societies, and developed international relations but they are not without risks. In 2007, Estonia experienced extensive three weeks long computer hacking attacks. The Distributed Denial of Service Attack (DDoS) predominantly targeted its government portals, news outlets, internet service providers (ISPs), prominent banks, and hundreds of businesses. A similar cyber attack incident happened in 2008, during Georgia–Russia conflict over South Ossetia. In 2017, yet another cyber attack was launched against the Iranian Nuclear Facilities with the Stuxnet worm. The list continues but most notably the recent attacks that had very far-reaching consequences were the WannaCry epidemic and NotPetya cyberattack that happened in 2017. The four-day event of the WannaCry epidemic knocked out more than 200,000 computers in 150 countries. This included critical infrastructure like hospitals, where WannaCry encrypted all devices including medical equipment. The NotPetya cyberattack crippled ports, paralyzed corporations, and froze government agencies with the damage estimated at $10 billion with a single piece of code. 

How can a state react when cyberattacks are launched from or across the territories of other states that have devastating repercussions? When cyberattacks by a foreign person devastate critical infrastructure, security, and the lives of citizens, it is not only a matter of criminal law but an international issue. The rampant malicious cyber activities committed by these actors transcend beyond boundaries and therefore require the means to prevent, protect against, anticipate, detect, and respond to cyberattacks and do what is necessary to attribute them and reserve the right to respond to those which target the state through international cooperation and in that vein must be addressed by international law. 

An international wrongful act committed in cyberspace is different from traditional acts or omissions because of its concealed and indefinite character. It is almost always realized only through the consequences or the damages caused by it. This paper, assuming that a cyber attack has been committed against a state, will try to answer the question of whether a cyberattack launched in peacetime can be deemed as an "armed attack" thus justifying self-defence under international law. 

This article is limited to only self-defence by individual states in cyberspace under international law and does not extend to lawful countermeasures permitted in cyberspace. As an “armed attack” is the main requirement for the states to exercise self-defence under international law, it must be noted that the cyber attack that is tantamount to an “armed attack” under international law qualifies states to exercise their right to self-defence.

This article will analyze primary and secondary sources to answer those questions. I will first describe the existing international rules regarding self-defence, and then examine whether and when those rules permit self-defence in cyberspace. I will conclude by describing how the right to self-defence might look in real-world situations and its inadequacies in the present international law realm. 

Background: Existing International Norms on the Right to Self-Defence by the states

A. Order and Obligations Under International Law

The cornerstone of modern international law is its progress with the general prohibition of the use of force in relation to the states. The general principles governing friendly relations between states set out in the UN General Assembly’s Declaration on Principles of International Law Concerning Friendly Relations and Cooperation Among States spells out that “states shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purpose of the United Nations.” This norm is further entrenched because there exists in international law today, in particular in the UN Charter itself, "an absolute prohibition of the use of threat or force by member states.  

B. Self-Defence under International Law

Article 2(4) of the UN Charter prohibits the use of force by any member state subject only to the two exceptions stated in the Charter itself. The first is the collective security system—actions adopted by the Security Council under Chapter VII of the Charter. The second is each state's inherent right to individual and collective self-defence in response to an armed attack. In particular, Article 51 states “[n]othing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations.” Since Article (2) of the Charter prohibits “use of force” and Article 51 permits self-defence measures only against an “armed attack”, there is a gap in these two requisites. The difference is due to the fact that illegal use of force not tantamount to an armed attack may be launched by one state against another, but in the absence of an armed attack, self-defence cannot be exercised by the victim state. For example, if someone fires a bullet from across the border, there is a use of force but no armed attack has occurred. Likewise, if a diplomatic staff of a state is declared persona non grata by another state or if the diplomatic staff’s official visit is refused, they are merely unfriendly acts. The state may cause harm in the political, diplomatic or economical arena due to such actions but there is no breach of international law.

A breach of international law goes beyond unfriendliness, crossing the legality. If a state ignores the immunity from local jurisdiction enjoyed by accredited diplomatic agents of another state, it amounts to a breach of international law. As a response, the victim state may use different lawful countermeasures such as diplomatic protests or economic sanctions, but what is more important to note is that they do not have the lawful recourse to exercise self-defence against the offending state.

A minimal threshold must be crossed in order for the illegal use of force to become an armed attack so that a state can exercise self-defence. The ICJ in the Nicaragua case (1986) explained the meaning of the “armed attack” as “the gravest form of the use of force,” but did not further explain the meaning of the words “grave form of the use of force”. Therefore, in the conventional international realm, what constitutes an “armed attack” is a poorly-defined concept. 

C. Is Right to self-defence in cyberspace clear under international law?

The prerequisite of an “armed attack” provokes several questions in our context: When, if ever, is a cyber attack an “armed attack” such that states can exercise their right to self-defence? The modern ICTs, especially the computer, has become a weapon used by different actors (state and non-state actors) to attack other computer systems benefiting from adversity. There are several critical incidents that stimulated the discussion on the importance and consequences of cyber attacks as a new form of armed attack. The first one occurred in Estonia in 2007, where its government and parliamentary portals, ministries, news outlets, internet service providers, major banks, and small businesses were all targeted, predominantly by a Distributed Denial of Service Attack (DDoS). 

The second incident happened in 2008, during the Georgia–Russia conflict over South Ossetia when Georgia experienced cyber-attacks similar to those suffered by Estonia a year earlier. In 2010, cyberattacks were launched against the Iranian Nuclear Facilities with the Stuxnet worm. The Stuxnet worm was designed to attack industrial control systems by forcing “Iran’s centrifuges to spin out of control” and to “deceive operators into thinking the machines were operating normally when they were actually tearing themselves apart.” These incidents have once again taken us to a square one to question if the existing international norms on the use of force and self-defence established in the UN Charter are adequate and efficient to address these new forms of attack. Therefore, the central part of this article’s discussion is whether a cyber attack can be deemed as an armed attack, thus justifying self-defence allowed by international law. But before that, a fundamental question must be asked. Is a cyber attack ever “armed"?

  

Analysis: How do states exercise self-defence in cyberspace under international law?

A. Is cyber attack ever an “armed attack”?

Article 51 of the Charter permits self-defence only “if an armed attack occurs.” The question at hand, however, is a cyberattack ever “armed”? The answer to this question lies in interpreting the term “armed”. The ICJ recognized this normative “gap” in the Nicaragua case when it found that there are “actions which do not constitute an armed attack but may nonetheless involve a use of force” and differentiated “the most grave forms of the use of force from other less grave forms.” The ICJ explained supplying weapons and providing logistical support to illegal actors (rebel groups) in another state as an example of a use of force. This means it does not amount to an armed attack against that state. 

Use of the term “armed attack” instead of Article 2(4)’s “use of force” determines the right to exercise self-defence in international law. Article 51 of the UN Charter adopts an “act-based” criteria using a specific type of action i.e armed attack instead of one based on particular consequences. In 1945, act-based criteria made sense, for the action to which states faced when the dominant attack was by the armed forces of another state. The response envisaged when there was an “armed attack” by classic military force was to exercise self-defence (as an exception to the prohibition on the use of force).

Fast forward to the early 21st century, the advent of cyber operations challenged this notion because devastating consequences could now be caused by cyberattacks that did not fit neatly into the notion of an attack that was “armed” in the kinetic sense. In cyber operations, conventional weapons are not employed, and their direct destructive effect did not result from a release of kinetic force. While ICJ opined in its Nuclear Weapons advisory opinion that the type of weapon used is immaterial to the application of Articles 2(4) and 51. This means to ascertain whether an armed attack is launched so as to justify self-defence does not necessarily depend on the choice of weapons by those actors and that Article 51 does not refer to specific weapons—it applies to any armed attack, regardless of the weapon used.  

Many scholars and states argue that a cyber attack amounts to an “armed attack” when it causes harm or damage approximately comparable to a “kinetic” or conventional attack and in particular when it hits “critical infrastructures.” An "armed attack" in cyberspace would include attacks upon computer networks if the consequences of such attacks are tantamount to conventional armed attack which usually includes substantial harm to vital civil or military networks, or loss of human life, or both.

From a legal perspective, there is no reason to differentiate between kinetic and electronic means of attack because cyberattacks could prove colossally destructive like a kinetic force (in many cases more than kinetic forces). Accordingly, I argue that some of them will surely encompass the scope of armed attacks. Furthermore, the objective of the UN Charter would make no sense if it prohibited states from responding to devastating attacks merely because such attacks were not in the international law pioneers' contemplation ages before they became technically possible. Such legal formalism (strictly applying “armed” only in the case of military operations) would have a devastating impact where cyber operations are becoming increasingly threatening. Therefore, the advent of cyber operations necessitates the inclusion of cyber attacks under the scope of “armed attack” envisaged in the UN Charter.  

The solution to the predicament lies in understanding that the act-based criteria of Article 51 must also be equally applied to consequence-based threats. This is because cyberattacks are primarily consequence-based threats. The cyberattacks that satisfy as “armed attacks” can have similar consequences to the use of kinetic force in conventional act-based threats. Therefore, the right to exercise self-defence against armed attack can be used as a right to do so when states face particular consequences that are severe enough to merit setting aside the prohibition on the use of force mandated by the UN Charter. By this understanding, “armed attack” in cyberspace can be interpreted as comprising any act that results in consequences comparable to those caused by the kinetic forces originally envisioned in the term “armed attack.” Now that I have argued why self-defence must be permitted in cyberspace when the cyber attack is tantamount to an “armed attack” under international law, the upcoming part will try to apply this doctrine in cyber attack context. 

B. Application of the doctrine: the 2007 Estonia Cyber-Attacks.

The ICJ has explained that an armed attack is the most grave form of the use of force in terms of scale and its effects. Applied to the cyber-attack context, this might mean that an attack that shuts down air traffic control systems or nuclear reactors causes damage to critical infrastructure and is considered as an armed attack. In 2007, amid the dispute with Russia, Estonia suffered a series of DDoS cyber attacks on the websites of government agencies, news outlets, major banks, and other business firms for more than 3 weeks. Can the cyber attack in Estonia in 2007 qualify as an “armed attack”?

The Nuclear Weapons Opinion highlighted that there are no criteria for specific weapons that must be used to launch armed attacks under Article 51. This means the type of instrument for an armed attack is immaterial. There is no question with regard to use of weapons in the Estonian case as self-defence can be employable against attacks using conventional or unconventional weapons.

The ICJ in the Nicaragua case and the Oil Platforms case determined that only acts of aggression of sufficient “scale and effects” constituted armed attacks. The 1996 Nuclear Weapons Opinion gave a clear idea of gravity requirement when it identified the right to self-defence as an essential condition of the "fundamental right of every state to survival”. Did the cyber attack on Estonia challenge their fundamental right to survival? Which in fact shows—-no. The gravity requirement serves as an indicator of whether the victim state's fundamental right to survival has been sufficiently impacted to justify self-defence. 

The ICJ in the Oil Platforms case considered whether Iranian missiles and mining activities, which damaged a U.S. flagged tanker and a naval frigate, constituted an armed attack against which the United States could justifiably resort to self-defence. The Court ruled that "[e]ven taken cumulatively” these incidents do not seem to the Court to constitute an armed attack on the United States, of the kind that qualified as a 'most grave' form of the use of force as in the Nicaragua case.

Understanding that the consequences of such attacks include either substantial harm to critical infrastructures, vital civil or military networks, or loss of human lives. When compared with the Estonian cyber attack—-the source of the attack was unclear, substantial harm to critical infrastructure did not occur—-it cannot invoke Article 51 of the UN charter—-right to self-defence. 

C. The issues with self-defence in cyberspace under international law.

The nature of cyberattack is distinct from the conventional use of kinetic force most notably (among others) because of its difficulty to identify the actors. The right to self-defence seems very ineffective when the states cannot identify the actors when the cyberattack is launched. For example, in the Estonian cyber attack, the actor’s I.P addresses were traced back to Russian nationalist groups, but were unable to establish direct participation by the government and therefore could not be attributed to the state. Furthermore, for the non-state actors, there were little or no discourses on whether the self-defence can be invoked to non-state actors during that time if it ever was an armed attack. This might be one of the biggest challenges to be addressed in the international law realm. 

More problems arise with the right to self-defence in cyberspace when the “armed attack” is committed by non-state actors. Traditionally, states were the centerpiece of attention by the international community. Brazil has argued that the definition of “armed attack” is limited to the use of force attributable to a state and, therefore, actions from non-state actors with similar effects might amount to serious crimes, but not an “armed attack”. If such situation arises, the territorial state should adopt measures, in good faith and within its capabilities, to stop the illegal action and ensure accountability. Brazil does not give a definitive response to whether they can use self-defence against the non-state actors. However, France takes a bold step of not recognizing the extension of the right to self-defence to acts perpetrated by non-state actors whose actions are not attributable to states. 

On the other hand, states like the USA, Germany, Israel, and the Netherlands have argued that acts of foreign non-state actors can also constitute armed attacks. My argument aligns with that of the USA and the parties because the devastation caused by both the states and the non-state actors in armed attack has the same gravity---the devastating impact on critical infrastructure and loss of human lives. It is a matter of national security and the lives of the people in the injured state and therefore, the states must have the same right to self-defence as they have with other states as per Article 51 of the UN Charter. 

D. How does self-defence work against a cyberattack qualified as an “armed attack”? 

When self-defence is permitted, the states must meet the requirements of necessity, proportionality, and immediacy. These requirements may be difficult to satisfy in the cyberspace context. Firstly, the necessity requirement means that no other feasible or practical option should be available when resorting to the use of force. Secondly, proportionality means the self-defence needs to be proportionate in relation to the gravity of the armed attack. In the Georgian cyber-attacks, the remedy must be proportionate to the threat and the harm incurred to them. For example, to mitigate the effects of the cyberattack, the state’s remedy must be proportionate to the damages caused by such an act. To assess the necessity of self-defence, the attack has to be attributed to a specific source, a state or a non-state actor.  

In the Nicaragua case, the ICJ evaluated the principle of immediacy, by stressing that “the reaction of the United States in the context of what it regarded as self-defence was continued long after the period in which any presumed armed attack by Nicaragua could reasonably be contemplated”. There is a generally accepted understanding that the action in self-defence must immediately follow the start of an attack. As Dinstein explains that immediacy intrinsically suggests that the activation of self-defence countermeasures must not be too delayed. There may be a time lag of days, weeks, and even months between the original armed attack and the sequel of self-defence. The delay may be particularly troubling after a cyber attack since cyberspace activities can produce reverberations around the world "in the time that it takes to blink an eye."

Considering these three cumulative conditions to exercise self-defence, the most obvious response to a cyber attack tantamount to an armed attack is an “on-the-spot reaction” where the computer network under attack strikes instantaneously back at the source of the cyberattack. However, a big problem arises when it is difficult to attribute to the actors during the time of attacks.

The next most effective modality of self-defence against an armed attack is the counterforce. If it is an armed attack, there is no other reason why the use of force cannot be bound within the framework of self-defence under the Charter. Provided that they are genuinely defensive, namely, future-oriented (deterrent in character) and not past-oriented (confined to punitive retaliation).

There are in fact certain advantages. Most importantly, it gives the state an opportunity to review the facts (and determine culpability) while considering options for response. Again in response, whatever is permitted or prohibited when kinetic means of force are used is equally permitted or prohibited when the means employed are electronic. This is because the principles of international law are the same notwithstanding the mode of attacks.

Conclusion

The international community recognizes that existing international law is applicable to state conduct in cyberspace as it is in the physical realm. It is essential to maintain peace and stability, promoting an open, secure, peaceful ICT environment. International law permits self-defence in cyberspace. More specifically, more states affirmed in their national position that they can use self-defence against another state if the “armed attack” has been committed by a state, and some states on non-state actors depending on cases.   

Read the footnoted article here: International Law and Self Defence in Cyberspace.


If you read this post, please leave a message for me!