You have downloaded a document from

The Central and Eastern European Online Library

The joined archive of hundreds of Central-, East- and South-East-European publishers,

research institutes, and various content providers

Source: Conferința Internațională Educație și Creativitate pentru o Societate Bazată pe Cunoaștere -

DREPT
The International Conference Education and Creativity for a Knowledge –based Society –
LAW
Location: Romania
Author(s): Daniela Panc (Dancă)
Title: THE APPLICABILITY OF INTERNATIONAL LAW TO CYBER ATTACKS
THE APPLICABILITY OF INTERNATIONAL LAW TO CYBER ATTACKS
Issue: VII/2013
Citation Daniela Panc (Dancă). "THE APPLICABILITY OF INTERNATIONAL LAW TO CYBER
style: ATTACKS". Conferința Internațională Educație și Creativitate pentru o Societate Bazată pe
Cunoaștere - DREPT VII:36-41.
https://www.ceeol.com/search/article-detail?id=822248
CEEOL copyright 2021

THE APPLICABILITY OF INTERNATIONAL LAW TO CYBER ATTACKS

Daniela DANCĂ, Assistant Lecturer, Ph.D. candidate

“Titu Maiorescu” University, Bucharest – Faculty of Law

Abstract
Access to information and communication technologies defines modern society and establishes moreover
new challenges and threats to international cyber security. This paper offers insight on the legal implications of
cyber attacks, emphasizing the terminology differences between concepts relevant to cyber space operations (cyber
crime, cyber espionage, cyber warfare).
The lack of treaties or customary regulation of this distinctive domain, justifies the approach to apply
existing international law to cyber attacks – this article pays particular attention to the applicability of jus ad bellum
provisions. As cyber operations are considered the new military frontier, there is strong debate on whether the war
has entered the fifth domain – cyberspace.
Moreover, this paper focuses on the reaction of states and international organizations with regard to threats
posed by unlawful cyber operations (especially after the 2007 cyber attack on Estonia). Global challenges require
global cooperation, the non-binding Tallinn Manual being one of the most important proofs that reinterpretation and
revision of international law regarding cyber warfare is needed. The attitude towards the cyber threat proves that
cyberspace has become of geo-strategic importance for the states. The brief case study on Stuxnet cyber weapon is
representative for identifying the most important elements regarding cyber attacks.

Keywords: International Law, Cyber attacks, Cyber warfare, jus ad bellum, The Tallinn Manual, Stuxnet

For well over a decade, Information Society has developed significantly, the progress of information and
communication technologies involving not only huge benefits, but also new and different vulnerabilities and threats
to the security of cyberspace, with national and international impact. Nowadays, within the international community,
the cyber warfare has become the unavoidable element in discussions about international security.
The North Atlantic Treaty Organization (NATO) acknowledges in its newest strategic report1 that one of
the three unconventional threats the organization identifies is cyber attacks of varying degrees of severity directed
against modern communications systems, along with acts of terrorism and the proliferation of nuclear and other
advanced weapons technologies.
Unlawful cyber operations may threaten national cyber security to the extent that the victim-state considers
the operations an armed conflict, thus giving rise to the newest and controversial international concept of cyber
warfare. Cyber events of recent years (especially after the release and discovery of Stuxnet) have sparked major
debate2 about the nature of conflicts in cyberspace, to the amount of considering cyber attacks an extension to
conventional war. Strategists have presented different views on whether the fifth domain of war has appeared – to
the classical fields of war (land, sea, air and space) adding the cyberspace.
On one hand, some experts consider cyber attacks a new form of military conflict (similar to traditional
armed attacks), causing the applicability of the international law governing the resort to force (jus ad bellum) and of
the provisions regulating the conduct of armed conflict (jus in bello or international humanitarian law). On the other
hand, due to the special characteristics of cyber space (anonymity, speed, absence of borders, strong liability to
change rapidly and unpredictably) specialists argue that cyber attacks fall into the category of criminal activity,
subject to domestic criminal law.3
For better understanding the international legal dilemma of cyber warfare, one must envision concepts such
as cyberspace and cyber operations and further differentiate between terms such as cyber attack, cyber crime, cyber
espionage, cyber terrorism and cyber warfare. For the time being, concepts like cyber war, cyber warfare or cyber
attack have not been authoritatively defined by the international community.

1
NATO 2020: Assured security, dynamic engagement – Analisys and Recommendations of the Group of Experts on
a New Strategic Concept for NATO, 17 May 2010, page 18.
2
Thomas Rid, Cyber War Will Not Take Place, C. Hurts & Co. Publishers, London, 2013.
3
Jeffrey Carr, Inside Cyber Warfare: Mapping the Cyber Underworld, O’Reilly Media, 2011, page 47.

CEEOL copyright 2021

CEEOL copyright 2021

The concept of Cyber warfare

Cyberspace represents the physical and non-physical environment created by all of the world’s computer
networks, including the cyber infrastructure itself. 4 Cyberspace has specific characteristics that determine its original
activity - it is the only domain which is entirely man-made, being created, maintained, owned and operated
collectively by public and private stakeholders across the globe and it changes constantly in response to
technological innovation.5
Cyber operations represent the employment of cyber capabilities with the primary purpose of achieving
objectives in or by the use of cyber space. 6
A cyber attack consists of any action taken to undermine the functions of a computer network for a political
or national security purpose. 7 An attack implies an active action, either offense or active defense. The objective of
the cyber attack makes the difference between cyber attack and cyber espionage – while in espionage the purpose is
to obtain secret and classified information using cracking techniques and malware, the cyber attack’s objective is to
modify the functioning mechanisms of computer networks in a destructive way. In certain circumstances, an act of
cyber espionage could be considered an attack, if the act results in intended significant damage to the state’s cyber
infrastructure. While the international community considers cyber attacks unlawful, the international law does not
prohibit cyber espionage.
The concept of cyber-crime is much broader than cyber attacks, as cyber crimes represent the whole
spectrum of illicit activity committed in cyberspace (financial theft, identity theft, child pornography etc.). Cyber
attacks have this particular characteristic of motivation – the cyber operation is used for a political or national
security purpose. 8 Cyber-crime regards a law enforcement issue, while cyber-war represents a military problem.
Though the term cyber warfare is controversial, several experts have defined this concept, highlighting its
most important elements. Briefly, a cyber warfare is the warfare conducted in cyber space, using cyber means and
methods.9
A more complex definition describes cyber warfare as cyber attack whose consequences rise to the level of
an armed attack; therefore one can identify the intent of cyber warfare to produce strategic effects such as
catastrophic destruction equivalent to those of a conventional armed attack. 10
Specialists debate over the terminology used to describe cyber attacks. Eugene Kaspersky, founder of the
security software company Kaspersky Lab, considers that the term cyber-terrorism is more appropriate to “cyber
warfare”. Both concepts represent means of coercion for political purposes; similar to cyber warfare, terrorism has
no legally binding, criminal law definition. Both operations induce a state of fear due to the lack of predictability
regarding the author or future operations.11 The main difference between the two concepts is that terrorism practiced
in cyberspace targets or disregards the safety of non-combatants (civilians).

Jus ad bellum and Cyber warfare

Jus ad bellum represents the law governing the resort to force between hostile states, the effects of the
armed conflict and the means and methods used on the battlefield. 12 The jus ad bellum provisions apply to cyber
attacks if cyber operations equivalence to “wrongful threat or use of force” (article 2 of the United Nations Charter),
to an “armed attack” that justifies self-defense (article 51 of UN Charter) or to “threats of the peace, breaches of the

4
Andrew Krepinevich, Cyber Warfare: A Nuclear Option?, Center for Strategic and Budgetary Assessments, 2012,
page 82.
5
Nils Melzer, Cyber warfare and International Law, Unidir Resources, 2011, page. 5.
6
Michael Schmitt, Tallinn Manual on The International Law Applicable to Cyber Warfare, prepared by The
International Group of Experts at the invitation of The NATO Cooperative Cyber Defence Center of Excellence,
Cambridge University Press, 2013, page 258.
7
Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue, Julia Spiegel,
The Law of Cyber attack, California Law Review, Vol. 100, No. 4, 2012, page 826.
8
Idem, page 836.
9
Rishabh Shrivastava, International Law and Cyber Warfare, University of Petroleum and Energy Studies, 2013,
page 3.
10
Andrew Krepinevich, Cyber Warfare: A Nuclear Option?, Center for Strategic and Budgetary Assessments, 2012,
page IV.
11
David Shamah, Latest viruses could mean „end of world as we know it,‟ says man who discovered Flame, The
Times of Israel, June 6, 2012.
12
Adrian Năstase, Bogdan Aurescu, Drept internațional public. Sinteze. Ediția a 7-a, Ed. C.H. Beck, București,
2012, pag. 402.

CEEOL copyright 2021

CEEOL copyright 2021

peace and acts of aggression” that admit Security Council Intervention (Chapter VII from UN Charter, with
emphasis on article 42).
The prohibition of the use of force in contemporary international law is regulated in the Charter of the
United Nations in article 2, paragraph (4). Applying this provision to cyber warfare, one can state that a cyber
operation that constitutes a threat or use of force against a territorial integrity or political independence of any state,
or in any other manner inconsistent with the purposes of the United Nations, is unlawful. Although the provisions of
the UN Charter apply only to its members, the prohibition extends to non-member states by virtue of customary
international law.13
The “use of force” classically implies the existence of armed force, weapons or other military capabilities.
Cyber weapons are unconventional, virtual, anonymous, so far physically non-violent weapons. Still, they represent
coercive interventions, thus the effect of a cyber operation is generally to force strategic behavior changes, without
falling into the category of non-armed measures mentioned in article 41 of the UN Charter. This article regulates
means of pressure employed by the UN whenever a threat to the peace, breach of the peace or act of aggression
exists, such as: complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio
and other means of communication, and the severance of diplomatic relations.
Although a cyber weapon does not produce directly suffering, death or destruction as in conventional war,
indirectly it is probable for such consequences to be produced by cyber attacks. In comparison with kinetic attacks,
important characteristics of cyber weapons determine the technical and operational dimensions of cyber attacks: the
indirect effects are usually more important than direct effects, cyber attacks are often highly reversible on a short
time sale, the uncertainties in planning are usually high, the availability of base technology is widespread in most
cases and it requires high intelligence for successful use.14
Due to these characteristics, there is strong belief that people are far more likely to experience major cyber
attacks than nuclear attacks. The likelihood for states and non-states entities to develop cyber weapons is higher than
the likelihood of possessing nuclear arsenal, thus the probability of using cyber attacks is higher than the use of
nuclear weapons.15
There is strong debate about the legal nature of cyber weapons. On one side, they are considered different
from kinetic weapons – theory demanding for a special legal regime; on the other side, specialists consider that
cyber weapons are no different than any other weapon and therefore no new legal analysis is needed. In support of
this latter theory, the International Court of Justice clarifies 16, according to customary international law, that articles
2 (4) and 51 of the United Nations Charter “apply to any use of force, regardless of the weapons employed. The
Charter neither expressly prohibits, nor permits, the use of any specific weapon, including nuclear weapons”.
Therefore, a cyber operation could amount to a “use of force”, despite the fact that a computer is used during an
attack, rather than a more traditional weapon, weapon system or platform. 17
The Tallinn Manual defines cyber “use of force” in Rule 11, as the situation when a cyber operation’s scale
and effects are comparable to non-cyber operations rising to the level of a use of force. A cyber operation constitutes
an unlawful threat of force when the threatened action, if carried out would be an unlawful use of force (Rule 12).
Specialists provide a series of criteria to differentiate between a simple operation against a state (including cyber
operations) and a use of force, such as: severity of consequences, immediacy of the effects, directness between the
initial act and its consequences, invasiveness of cyber system, measurability of effects, military character of the
action, state involvement in conducting operations and presumptive legality of act.18
The UN Charter admits two exceptions from the principle of prohibition of the use of force: article 51
acknowledges the member-states’ right to individual or collective self-defense and chapter VII regulates the
situations when the UN Security Council may authorize the use of force.

13
Michael Schmitt, Tallinn Manual on The International Law Applicable to Cyber Warfare, prepared by The
International Group of Experts at the invitation of The NATO Cooperative Cyber Defence Center of Excellence,
Cambridge University Press, 2013, page 43.
14
Constance F. Citro, Margaret E. Martin, and Miron L. Straf, Technology, Policy, Law, and Ethics Regarding U.S.
Acquisition and Use of Cyber attack Capabilities, National Research Council, 2009, pages 79-80.
15
Andrew Krepinevich, Cyber Warfare: A Nuclear Option?, Center for Strategic and Budgetary Assessments, 2012,
pages III-IV.
16
Advisory Opinion of 8 July 1996, regarding the Legality of the Threat or Use of Nuclear Weapons.
17
Michael Schmitt, Tallinn Manual on The International Law Applicable to Cyber Warfare, prepared by The
International Group of Experts at the invitation of The NATO Cooperative Cyber Defence Center of Excellence,
Cambridge University Press, 2013, page 42.
18
Idem, pages 48-51.

CEEOL copyright 2021

CEEOL copyright 2021

Drawing an analogy between conventional war and cyber warfare with regard to article 51 of the UN
Charter, the right of individual and collective self-defense is acknowledged to states that are targeted by a cyber
attack that rises to the level of an armed attack. A cyber operation represents an armed attack depending on its extent
and triggered effects, disregardful of the intentions of the operation. As shown in customary international law and in
accordance with the International Court of Justice, the means used in the attack can be non-kinetic (for example
biological, chemical and cyber altogether).
Cyber attacks have no direct physical consequence, but they could trigger kinetic attacks. This
characteristic could be one of the reasons why no state has claimed so far the use for self-defense under article 51 of
the UN Charter with regard to any cyber incident directed against.
The right of self-defense is only entitled to States, even if the action of defense could be directed against a
non-State actor. Since the 9/11 attacks of Al Qaeda on the United States, the international community has
acknowledged the state practice of self-defense to attacks conducted by non-state actors, such as terrorist or rebel
groups. As in conventional warfare, the exercise of the right of self-defense should meet the criteria of necessity
and proportionality. Therefore, the international community accepts the exercise of the self-defense right only if the
responding state is subjected to an armed attack (depending on its scale and effect) and if the use of force in
response is necessary and proportionate.19
The use of force is stated in article 42 of the UN Charter, as a mean of restoring international peace and
security, in case the non-armed measures mentioned in article 41 are inadequate or inefficient.

Cyberspace – the newest concern for subjects of International Law

Over the past decade, the debate about enactment of cyber operations has intensified due to the increase of
international cyber incidents, especially after the 2007 cyber attack on prominent Estonian websites (it took down
the computer networks of banks, government agencies and media infrastructure). The alarming events triggered
reactions of states and international organizations that established legal and institutional measures such as: boosting
security cooperation between states, developing national cyber-security strategies or making the cyber attack one of
the key concepts in national security strategies and creating specialized units within the national defense
departments.
Several National Security Strategies have recently included a cyber dimension, in order to highlight the
challenge unlawful cyber operations constitute. The cyber threat has been highlighted at national level as one of the
challenges to public safety and to national security; for instance, the United Kingdom in the 2010 National Security
Strategy mentions the threats that British national security faces: terrorism, cyber attack, unconventional attacks
using chemical, nuclear or biological weapons, as well as large scale accidents or natural hazards.20 Romania
adopted in 2013 the Cyber Security Strategy with the purpose of maintaining a secure national cyberspace.
In 2009, the United States established the U.S. Cyber Command to conduct cyber operations. It is one of
the primary operations units within the U.S. Strategic Command of the United States Department of Defense. In
2011, the Government of Romania created the National Center for Response to Cyber Security Incidents, under the
coordination of the Ministry of Communication and Informational Society.
The European Union reacted to the necessity of implementing security measures; therefore it organized
practical exercises such as "Cyber Europe 2010" in 2010 for member states and in 2012 an exercise involving also
the private sector "Cyber Europe 2012". An EU-US table top exercise was carried out in November 2011 ("Cyber
Atlantic 2011"). Moreover, in 2013 the European Commission made a legislative proposal regarding the Cyber
Security Strategy of the European Union. 21
NATO established in 2008, in the capital city of Estonia, the Cooperative Cyber Defense Centre of
Excellence (CCDCOE), whose intense activity consists of organizing specialized annual conferences and of
publishing legal and technical books and reports. In 2009, the CCDCOE invited the independent International Group
of Experts to produce a manual on the law governing cyber warfare. As result, the most important publication of the
Center is the Tallinn Manual, which identifies the legal groundwork for cyber warfare.
The purpose of the Tallinn Manual is to examine the international law governing cyber warfare, without
giving this concept a normative sense, as this document is non-binding for the international community. The Tallinn

19
Felicia Maxim, Dreptul răspunderii statelor pentru fapte internaționale ilicite, Ediția a 2-a, Ed. Lumina Lex,
București, 2012, pag. 164.
20
A Strong Britain in an Age of Uncertainty: The National Security Strategy, october 2010, page 3.
21
Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace - Joint Communication to
the European Parliament, The Council, the European Economic and Social Committee and the Committee of the
Regions, Brussels, 2013.

CEEOL copyright 2021

CEEOL copyright 2021

Manual analyzes the applicability to cyber warfare of the international law governing the resort to force by States as
an instrument of their national policy (jus ad bellum), and the jus in bello, the international law regulating the
conduct of armed conflict (the law of armed conflict or international humanitarian law). Related bodies of
international law, such as the law of State responsibility and the law of the sea, are dealt within the context of these
topics.22

Cyber weapons – Stuxnet

Even though no international cyber incident has been characterized as “cyber war”, international
community agrees upon the fact that, for the Iranian government, the 2010 Stuxnet operation is the closest case to
describe the concept of “cyber attack”, in terms of damage caused to Iran.
Stuxnet is a computer worm launched in 2009 and 2010, which infected the software of at least fourteen
industrial sites in Iran, including the uranium-enrichment plant at Natanz. Stuxnet is the first worm known to attack
SCADA (supervisory control and data acquisition) systems, physically damaging the centrifuges at the nuclear fuel
processing plant. Stuxnet attacked Windows systems and infected project files, being configured in such a way that
it attacked only specific types of targets who met the established criteria.23
The International Group of Experts considers that the employment of Stuxnet amounts to a use of force,
being an act of intervention because the use of force is coercive per se.24
Though not officially acknowledged, it is believed that this cyber worm was created by the U.S. and Israel,
in order to sabotage Iran’s nuclear program. It is believed that the effect of the cyber worm was a delay of Iran’s
production of nuclear weapons of approximately three years.

Conclusions
The increasing prevalence in nowadays’ society of information and communication technologies has

determined a high degree of responsibility to ensure cyber security on behalf of states. The international community

reacted to the new unconventional threat of cyber operations, but its timorous measures have not helped yet to solve

the international legal dilemma of cyber warfare.

Without an adequate legal status for the concept of cyber warfare, the doctrine provides guidance with

reference to existing law, which is clearly insufficient or unsuitable to cyberspace. The applicability of international

law (especially jus ad bellum and jus in bello) to cyber operations raises a number of terminological and legal issues,

such as defining a situation of use of cyber force, the existence of cyber armed attack or the right of a cyber-targeted

state to self-defense. The non-binding Tallinn Manual gives us an insight on how existing law may be applied to

meet the notable challenge posed by cyber attacks. The law of war alone cannot regulate the challenges set by cyber

warfare, thus an extensive legal framework is needed to address this issue.

Taking into consideration the practical experience of unlawful cyber operations and the effort of specialists

to identify the legal norms that apply to this form of warfare, the most comprehensive solution to this emerging

22
https://www.ccdcoe.org/249.html visited on the 4th of November 2013.
23
Sean Collins, Stephen McCombie, Stuxnet: the Emergence of a new cyber weapon and its implications, Journal of
Policing, Intelligence and Counter Terrorism, 2012, pages 80-91.
24
Michael Schmitt, Tallinn Manual on The International Law Applicable to Cyber Warfare, prepared by The
International Group of Experts at the invitation of The NATO Cooperative Cyber Defence Center of Excellence,
Cambridge University Press, 2013, page 58.

CEEOL copyright 2021

CEEOL copyright 2021

threat is the development and adoption of a cyber-treaty. The first step into developing treaty provision or custom

regulating conduct would be the acceptance of a cyber-attack definition by world-wide governments.

Bibliography

1. A Strong Britain in an Age of Uncertainty: The National Security Strategy, United Kingdom, october 2010.
2. Andress J., Winterfeld S., Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, Elsevier,
2013.
3. Blane J., Cyber warfare: Terror at a Click, Nova Publishers, 2001.
4. Carr J., Inside Cyber Warfare: Mapping the Cyber Underworld, O’Reilly Media, 2011.
5. Charter of the United Nations and Statute of the International Court of Justice, San Francisco, 1945.
6. Citro C., Martin M., and Straf M., Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of
Cyber attack Capabilities, National Research Council, 2009.
7. Collins S., McCombie S., Stuxnet: the Emergence of a new cyber weapon and its implications, Journal of
Policing, Intelligence and Counter Terrorism, 2012.
8. Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace - Joint Communication to
the European Parliament, The Council, the European Economic and Social Committee and the Committee of the
Regions, Brussels, 2013.
9. Godwin M., Cyber Rights: Defending Free Speech in the Digital Age, MIT Press, 2003.
10. Hathaway O., Crootof R., Levitz P., Nix H., Nowlan A., Perdue W., Spiegel J., The Law of Cyber attack,
California Law Review, Vol. 100, No. 4, 2012.
11. Karake-Shalhoub Z., Al Qasimi L., Cyber Law and Cyber Security in Developing and Emerging Economies,
Edward Elgar Publishing, 2010.
12. Krepinevich A., Cyber Warfare: A Nuclear Option?, Center for Strategic and Budgetary Assessments, 2012.
13. Maxim F., Dreptul răspunderii statelor pentru fapte internaționale ilicite, Ediția a 2-a, Ed. Lumina Lex,
București, 2012.
14. Melzer N., Cyber warfare and International Law, Unidir Resources, 2011.
15. Murphy J., Cyber War and International Law: Does the International Legal Process Constitute a Threat to U.S.
Vital Interests?, International Law Studies U.S. Naval War College, Volume 89, 2013.
16. NATO 2020: Assured security, dynamic engagement – Analisys and Recommendations of the Group of Experts
on a New Strategic Concept for NATO, 17 May 2010.
17. Năstase A., Aurescu B., Drept internațional public. Sinteze. Ediția a 7-a, Ed. C.H. Beck, București, 2012.
18. Rid T., Cyber War Will Not Take Place, C. Hurts & Co. Publishers, London, 2013.
19. Rosenzweig P., Cyber warfare: how conflicts in cyberspace are challenging America and changing the world,
ABC-CLIO, Santa Barbara, 2013.
20. Schmitt M., Tallinn Manual on The International Law Applicable to Cyber Warfare, prepared by The
International Group of Experts at the invitation of The NATO Cooperative Cyber Defence Center of Excellence,
Cambridge University Press, 2013.
21. Shakarian P., Shakarian J., Ruef A., Introduction to Cyber warfare: A Multidisciplinary Approach, Newnes,
2013.
22. Shackelford S., From Nuclear War to Net War: Analogizing Cyber Attacks in International Law, Berkeley
Journal of International Law, Volume 27, Issue 1, Article 7, 2009.
23. Shamah D., Latest viruses could mean „end of world as we know it,‟ says man who discovered Flame, The Times
of Israel, June 6, 2012.
24. Shrivastava R., International Law and Cyber Warfare, University of Petroleum and Energy Studies, 2013.
25. Winterfeld S., Andress J., The Basics of Cyber Warfare: Understanding the Fundamentals of Cyber Warfare in
Theory and Practice, Newnes, 2012.

www.ccdcoe.org
www.osce.org

CEEOL copyright 2021