Professional Documents
Culture Documents
Abstract
Access to information and communication technologies defines modern society and establishes moreover
new challenges and threats to international cyber security. This paper offers insight on the legal implications of
cyber attacks, emphasizing the terminology differences between concepts relevant to cyber space operations (cyber
crime, cyber espionage, cyber warfare).
The lack of treaties or customary regulation of this distinctive domain, justifies the approach to apply
existing international law to cyber attacks – this article pays particular attention to the applicability of jus ad bellum
provisions. As cyber operations are considered the new military frontier, there is strong debate on whether the war
has entered the fifth domain – cyberspace.
Moreover, this paper focuses on the reaction of states and international organizations with regard to threats
posed by unlawful cyber operations (especially after the 2007 cyber attack on Estonia). Global challenges require
global cooperation, the non-binding Tallinn Manual being one of the most important proofs that reinterpretation and
revision of international law regarding cyber warfare is needed. The attitude towards the cyber threat proves that
cyberspace has become of geo-strategic importance for the states. The brief case study on Stuxnet cyber weapon is
representative for identifying the most important elements regarding cyber attacks.
Keywords: International Law, Cyber attacks, Cyber warfare, jus ad bellum, The Tallinn Manual, Stuxnet
For well over a decade, Information Society has developed significantly, the progress of information and
communication technologies involving not only huge benefits, but also new and different vulnerabilities and threats
to the security of cyberspace, with national and international impact. Nowadays, within the international community,
the cyber warfare has become the unavoidable element in discussions about international security.
The North Atlantic Treaty Organization (NATO) acknowledges in its newest strategic report1 that one of
the three unconventional threats the organization identifies is cyber attacks of varying degrees of severity directed
against modern communications systems, along with acts of terrorism and the proliferation of nuclear and other
advanced weapons technologies.
Unlawful cyber operations may threaten national cyber security to the extent that the victim-state considers
the operations an armed conflict, thus giving rise to the newest and controversial international concept of cyber
warfare. Cyber events of recent years (especially after the release and discovery of Stuxnet) have sparked major
debate2 about the nature of conflicts in cyberspace, to the amount of considering cyber attacks an extension to
conventional war. Strategists have presented different views on whether the fifth domain of war has appeared – to
the classical fields of war (land, sea, air and space) adding the cyberspace.
On one hand, some experts consider cyber attacks a new form of military conflict (similar to traditional
armed attacks), causing the applicability of the international law governing the resort to force (jus ad bellum) and of
the provisions regulating the conduct of armed conflict (jus in bello or international humanitarian law). On the other
hand, due to the special characteristics of cyber space (anonymity, speed, absence of borders, strong liability to
change rapidly and unpredictably) specialists argue that cyber attacks fall into the category of criminal activity,
subject to domestic criminal law.3
For better understanding the international legal dilemma of cyber warfare, one must envision concepts such
as cyberspace and cyber operations and further differentiate between terms such as cyber attack, cyber crime, cyber
espionage, cyber terrorism and cyber warfare. For the time being, concepts like cyber war, cyber warfare or cyber
attack have not been authoritatively defined by the international community.
1
NATO 2020: Assured security, dynamic engagement – Analisys and Recommendations of the Group of Experts on
a New Strategic Concept for NATO, 17 May 2010, page 18.
2
Thomas Rid, Cyber War Will Not Take Place, C. Hurts & Co. Publishers, London, 2013.
3
Jeffrey Carr, Inside Cyber Warfare: Mapping the Cyber Underworld, O’Reilly Media, 2011, page 47.
4
Andrew Krepinevich, Cyber Warfare: A Nuclear Option?, Center for Strategic and Budgetary Assessments, 2012,
page 82.
5
Nils Melzer, Cyber warfare and International Law, Unidir Resources, 2011, page. 5.
6
Michael Schmitt, Tallinn Manual on The International Law Applicable to Cyber Warfare, prepared by The
International Group of Experts at the invitation of The NATO Cooperative Cyber Defence Center of Excellence,
Cambridge University Press, 2013, page 258.
7
Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue, Julia Spiegel,
The Law of Cyber attack, California Law Review, Vol. 100, No. 4, 2012, page 826.
8
Idem, page 836.
9
Rishabh Shrivastava, International Law and Cyber Warfare, University of Petroleum and Energy Studies, 2013,
page 3.
10
Andrew Krepinevich, Cyber Warfare: A Nuclear Option?, Center for Strategic and Budgetary Assessments, 2012,
page IV.
11
David Shamah, Latest viruses could mean „end of world as we know it,‟ says man who discovered Flame, The
Times of Israel, June 6, 2012.
12
Adrian Năstase, Bogdan Aurescu, Drept internațional public. Sinteze. Ediția a 7-a, Ed. C.H. Beck, București,
2012, pag. 402.
peace and acts of aggression” that admit Security Council Intervention (Chapter VII from UN Charter, with
emphasis on article 42).
The prohibition of the use of force in contemporary international law is regulated in the Charter of the
United Nations in article 2, paragraph (4). Applying this provision to cyber warfare, one can state that a cyber
operation that constitutes a threat or use of force against a territorial integrity or political independence of any state,
or in any other manner inconsistent with the purposes of the United Nations, is unlawful. Although the provisions of
the UN Charter apply only to its members, the prohibition extends to non-member states by virtue of customary
international law.13
The “use of force” classically implies the existence of armed force, weapons or other military capabilities.
Cyber weapons are unconventional, virtual, anonymous, so far physically non-violent weapons. Still, they represent
coercive interventions, thus the effect of a cyber operation is generally to force strategic behavior changes, without
falling into the category of non-armed measures mentioned in article 41 of the UN Charter. This article regulates
means of pressure employed by the UN whenever a threat to the peace, breach of the peace or act of aggression
exists, such as: complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio
and other means of communication, and the severance of diplomatic relations.
Although a cyber weapon does not produce directly suffering, death or destruction as in conventional war,
indirectly it is probable for such consequences to be produced by cyber attacks. In comparison with kinetic attacks,
important characteristics of cyber weapons determine the technical and operational dimensions of cyber attacks: the
indirect effects are usually more important than direct effects, cyber attacks are often highly reversible on a short
time sale, the uncertainties in planning are usually high, the availability of base technology is widespread in most
cases and it requires high intelligence for successful use.14
Due to these characteristics, there is strong belief that people are far more likely to experience major cyber
attacks than nuclear attacks. The likelihood for states and non-states entities to develop cyber weapons is higher than
the likelihood of possessing nuclear arsenal, thus the probability of using cyber attacks is higher than the use of
nuclear weapons.15
There is strong debate about the legal nature of cyber weapons. On one side, they are considered different
from kinetic weapons – theory demanding for a special legal regime; on the other side, specialists consider that
cyber weapons are no different than any other weapon and therefore no new legal analysis is needed. In support of
this latter theory, the International Court of Justice clarifies 16, according to customary international law, that articles
2 (4) and 51 of the United Nations Charter “apply to any use of force, regardless of the weapons employed. The
Charter neither expressly prohibits, nor permits, the use of any specific weapon, including nuclear weapons”.
Therefore, a cyber operation could amount to a “use of force”, despite the fact that a computer is used during an
attack, rather than a more traditional weapon, weapon system or platform. 17
The Tallinn Manual defines cyber “use of force” in Rule 11, as the situation when a cyber operation’s scale
and effects are comparable to non-cyber operations rising to the level of a use of force. A cyber operation constitutes
an unlawful threat of force when the threatened action, if carried out would be an unlawful use of force (Rule 12).
Specialists provide a series of criteria to differentiate between a simple operation against a state (including cyber
operations) and a use of force, such as: severity of consequences, immediacy of the effects, directness between the
initial act and its consequences, invasiveness of cyber system, measurability of effects, military character of the
action, state involvement in conducting operations and presumptive legality of act.18
The UN Charter admits two exceptions from the principle of prohibition of the use of force: article 51
acknowledges the member-states’ right to individual or collective self-defense and chapter VII regulates the
situations when the UN Security Council may authorize the use of force.
13
Michael Schmitt, Tallinn Manual on The International Law Applicable to Cyber Warfare, prepared by The
International Group of Experts at the invitation of The NATO Cooperative Cyber Defence Center of Excellence,
Cambridge University Press, 2013, page 43.
14
Constance F. Citro, Margaret E. Martin, and Miron L. Straf, Technology, Policy, Law, and Ethics Regarding U.S.
Acquisition and Use of Cyber attack Capabilities, National Research Council, 2009, pages 79-80.
15
Andrew Krepinevich, Cyber Warfare: A Nuclear Option?, Center for Strategic and Budgetary Assessments, 2012,
pages III-IV.
16
Advisory Opinion of 8 July 1996, regarding the Legality of the Threat or Use of Nuclear Weapons.
17
Michael Schmitt, Tallinn Manual on The International Law Applicable to Cyber Warfare, prepared by The
International Group of Experts at the invitation of The NATO Cooperative Cyber Defence Center of Excellence,
Cambridge University Press, 2013, page 42.
18
Idem, pages 48-51.
Drawing an analogy between conventional war and cyber warfare with regard to article 51 of the UN
Charter, the right of individual and collective self-defense is acknowledged to states that are targeted by a cyber
attack that rises to the level of an armed attack. A cyber operation represents an armed attack depending on its extent
and triggered effects, disregardful of the intentions of the operation. As shown in customary international law and in
accordance with the International Court of Justice, the means used in the attack can be non-kinetic (for example
biological, chemical and cyber altogether).
Cyber attacks have no direct physical consequence, but they could trigger kinetic attacks. This
characteristic could be one of the reasons why no state has claimed so far the use for self-defense under article 51 of
the UN Charter with regard to any cyber incident directed against.
The right of self-defense is only entitled to States, even if the action of defense could be directed against a
non-State actor. Since the 9/11 attacks of Al Qaeda on the United States, the international community has
acknowledged the state practice of self-defense to attacks conducted by non-state actors, such as terrorist or rebel
groups. As in conventional warfare, the exercise of the right of self-defense should meet the criteria of necessity
and proportionality. Therefore, the international community accepts the exercise of the self-defense right only if the
responding state is subjected to an armed attack (depending on its scale and effect) and if the use of force in
response is necessary and proportionate.19
The use of force is stated in article 42 of the UN Charter, as a mean of restoring international peace and
security, in case the non-armed measures mentioned in article 41 are inadequate or inefficient.
19
Felicia Maxim, Dreptul răspunderii statelor pentru fapte internaționale ilicite, Ediția a 2-a, Ed. Lumina Lex,
București, 2012, pag. 164.
20
A Strong Britain in an Age of Uncertainty: The National Security Strategy, october 2010, page 3.
21
Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace - Joint Communication to
the European Parliament, The Council, the European Economic and Social Committee and the Committee of the
Regions, Brussels, 2013.
Manual analyzes the applicability to cyber warfare of the international law governing the resort to force by States as
an instrument of their national policy (jus ad bellum), and the jus in bello, the international law regulating the
conduct of armed conflict (the law of armed conflict or international humanitarian law). Related bodies of
international law, such as the law of State responsibility and the law of the sea, are dealt within the context of these
topics.22
Conclusions
The increasing prevalence in nowadays’ society of information and communication technologies has
determined a high degree of responsibility to ensure cyber security on behalf of states. The international community
reacted to the new unconventional threat of cyber operations, but its timorous measures have not helped yet to solve
Without an adequate legal status for the concept of cyber warfare, the doctrine provides guidance with
reference to existing law, which is clearly insufficient or unsuitable to cyberspace. The applicability of international
law (especially jus ad bellum and jus in bello) to cyber operations raises a number of terminological and legal issues,
such as defining a situation of use of cyber force, the existence of cyber armed attack or the right of a cyber-targeted
state to self-defense. The non-binding Tallinn Manual gives us an insight on how existing law may be applied to
meet the notable challenge posed by cyber attacks. The law of war alone cannot regulate the challenges set by cyber
Taking into consideration the practical experience of unlawful cyber operations and the effort of specialists
to identify the legal norms that apply to this form of warfare, the most comprehensive solution to this emerging
22
https://www.ccdcoe.org/249.html visited on the 4th of November 2013.
23
Sean Collins, Stephen McCombie, Stuxnet: the Emergence of a new cyber weapon and its implications, Journal of
Policing, Intelligence and Counter Terrorism, 2012, pages 80-91.
24
Michael Schmitt, Tallinn Manual on The International Law Applicable to Cyber Warfare, prepared by The
International Group of Experts at the invitation of The NATO Cooperative Cyber Defence Center of Excellence,
Cambridge University Press, 2013, page 58.
threat is the development and adoption of a cyber-treaty. The first step into developing treaty provision or custom
Bibliography
1. A Strong Britain in an Age of Uncertainty: The National Security Strategy, United Kingdom, october 2010.
2. Andress J., Winterfeld S., Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, Elsevier,
2013.
3. Blane J., Cyber warfare: Terror at a Click, Nova Publishers, 2001.
4. Carr J., Inside Cyber Warfare: Mapping the Cyber Underworld, O’Reilly Media, 2011.
5. Charter of the United Nations and Statute of the International Court of Justice, San Francisco, 1945.
6. Citro C., Martin M., and Straf M., Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of
Cyber attack Capabilities, National Research Council, 2009.
7. Collins S., McCombie S., Stuxnet: the Emergence of a new cyber weapon and its implications, Journal of
Policing, Intelligence and Counter Terrorism, 2012.
8. Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace - Joint Communication to
the European Parliament, The Council, the European Economic and Social Committee and the Committee of the
Regions, Brussels, 2013.
9. Godwin M., Cyber Rights: Defending Free Speech in the Digital Age, MIT Press, 2003.
10. Hathaway O., Crootof R., Levitz P., Nix H., Nowlan A., Perdue W., Spiegel J., The Law of Cyber attack,
California Law Review, Vol. 100, No. 4, 2012.
11. Karake-Shalhoub Z., Al Qasimi L., Cyber Law and Cyber Security in Developing and Emerging Economies,
Edward Elgar Publishing, 2010.
12. Krepinevich A., Cyber Warfare: A Nuclear Option?, Center for Strategic and Budgetary Assessments, 2012.
13. Maxim F., Dreptul răspunderii statelor pentru fapte internaționale ilicite, Ediția a 2-a, Ed. Lumina Lex,
București, 2012.
14. Melzer N., Cyber warfare and International Law, Unidir Resources, 2011.
15. Murphy J., Cyber War and International Law: Does the International Legal Process Constitute a Threat to U.S.
Vital Interests?, International Law Studies U.S. Naval War College, Volume 89, 2013.
16. NATO 2020: Assured security, dynamic engagement – Analisys and Recommendations of the Group of Experts
on a New Strategic Concept for NATO, 17 May 2010.
17. Năstase A., Aurescu B., Drept internațional public. Sinteze. Ediția a 7-a, Ed. C.H. Beck, București, 2012.
18. Rid T., Cyber War Will Not Take Place, C. Hurts & Co. Publishers, London, 2013.
19. Rosenzweig P., Cyber warfare: how conflicts in cyberspace are challenging America and changing the world,
ABC-CLIO, Santa Barbara, 2013.
20. Schmitt M., Tallinn Manual on The International Law Applicable to Cyber Warfare, prepared by The
International Group of Experts at the invitation of The NATO Cooperative Cyber Defence Center of Excellence,
Cambridge University Press, 2013.
21. Shakarian P., Shakarian J., Ruef A., Introduction to Cyber warfare: A Multidisciplinary Approach, Newnes,
2013.
22. Shackelford S., From Nuclear War to Net War: Analogizing Cyber Attacks in International Law, Berkeley
Journal of International Law, Volume 27, Issue 1, Article 7, 2009.
23. Shamah D., Latest viruses could mean „end of world as we know it,‟ says man who discovered Flame, The Times
of Israel, June 6, 2012.
24. Shrivastava R., International Law and Cyber Warfare, University of Petroleum and Energy Studies, 2013.
25. Winterfeld S., Andress J., The Basics of Cyber Warfare: Understanding the Fundamentals of Cyber Warfare in
Theory and Practice, Newnes, 2012.
www.ccdcoe.org
www.osce.org