Maria Popescu

Are principles of international law on the use of force relevant to cyber-attacks?

Our modern world has become more and more dependent on information and
information technology - both in day-to-day life and in terms of military performance -
and this gives rise to new forms of attack that previously did not exist. Cyber warfare as a
whole has risen significantly during the last decade, as it not only provides
opportunities to strike at adversaries' vital information but does so inexpensively,
remotely and effectively, with little risk. Given that the concept of “cyber
warfare” is somewhat new, its actual legality “remains unsettled”. In this sense it
is important to understand that international humanitarian law (IHL), which conventionally
interprets “armed conflict” in the form of conventional military practices, has
had to adapt in order to tackle the new issue of cyber warfare and, more specifically, cyber
attacks. It must be noted that while there are a vast number of opinions on how to actually tackle
the problem, it is agreed across the world that this issue has to be faced, as cyber warfare is fully
operational and presents a great and imminent risk in the international sphere.

In order to analyze the topic at hand we must understand what cyber attacks are. These can be
described as destructive in nature and are defined more specifically by the US Army’s
DCSINT Handbook No. 1.02 as “the premeditated use of destructive activities, or the threat
thereof, against computers and/or networks with the intention to cause harm or to further social,
ideological, religious, political or similar objectives or to intimidate any person in furtherance of
such objectives”¹. The main legal framework used to address the situation is
the IHL, which is able to address two main problems derived from cyber
attacks: firstly, “when is it legal for one nation to use force against another?”, a concept
referred to as “jus ad bellum”, and secondly, “what are the rules that govern behaviour of
combatants who are engaged in armed conflict?”, referred to as “jus in bello”. While these
concepts set down a basis, it is important to understand their direct impact on how to
regulate cyber attacks.

When analyzing how to effectively apply the IHL to cyber attacks we must first understand
whether a state can legally use force in order to respond to these sorts of threats. This body of
law is governed by the “jus ad bellum” principle, which determines whether or not a state can
use force against another state. Given that there are no precedents on whether
cyber attacks can be categorized as destructive enough to entail the use of force against another
nation, we must try to analyze the current legislation and interpret it to the best of our abilities.
Looking at Article 2(4) of the UN Charter, we can see that this provision directly
“prohibits the use of force against another state in the international community”². However, there
are two main exceptions to this provision (detailed in Articles 39 and 51): the use
of force is allowed where the actions are authorized by the Security Council or
where the nation acts in self-defense. Given the
unknown nature of cyber-attacks and the uncertainty of a response from the Security Council in
such situations, many states will opt to exercise their right to self-defense when facing such a
threat. Hence, when looking at a nation's right to self-defense we must understand that the UN
Charter merely reaffirms what is stated in customary international law (CIL) - that states have
the right to survive within the international community - however, such a “defense” must
comply with the two main principles of CIL: necessity and proportionality. A state
meets the “necessity” requirement in cases in which a peaceful resolution
cannot be obtained (hence there is a necessity to use force), while the “proportionality”
requirement requires that the state limit its self-defense actions to the amount of force
required to defeat an ongoing attack or to avoid a future one, with no excess. However, what is
difficult in such situations is to actually define what necessity and proportionality entail in terms
of cyber attacks: while the principles can be applied to cyber attacks, the uncertainty and
unknowns of the situation make it hard for them to be applied effectively.

¹ U.S. Training & Doctrine Command, DCSINT Handbook No. 1.02 Critical Infrastructure Threats and Terrorism at
VII-2 (2006).
² United Nations Charter, Article 2(4).

Furthermore, other factors must also be considered: whether a
cyber attack can be classified as an armed attack, whether a cyber-attack should be handled as an
issue of national security or as a law enforcement situation (this further depends on the nature of the
attack - magnitude, effect etc.) and whether it can be proved that the anticipated attack was
imminent. Overall, this suggests that even though a state may have the right to use force against
a cyber attack, it can be difficult to argue that it does so in self-defense as, due to the attack's
nature, it is hard to prove that it complies with all the aspects required to sustain such a use of
force.

Moreover, we must also look at the situation in which the use of force is deemed acceptable. In
this case we need to analyze what laws govern the state once it has entered into conflict, as dictated
by the “jus in bello” principle. Even though cyber-attacks represent a new weapon or form of
attack, they should be considered just as threatening and serious as any other weapon in our
current arsenal (even more so due to their unknown reach and power); hence applying the same
laws to govern their scope is essential. In this sense cyber attacks should be regulated as any
other armed conflict, based on the principles of jus in bello: military necessity, distinction,
proportionality and neutrality.

Overall, while it is clear that some principles of international law can be applied to guide the use
of force against cyber-attacks, there is no clear guideline on this matter (as current legislation is
somewhat incomplete and imperfect), which leaves a great deal up to the interpretation of states,
and this can in turn cause more harm than good. It must be noted that even if cyber-attacks cannot
in some cases be classified under the armed conflict regulations and treated accordingly,
this does not mean that they are unregulated: other legal
frameworks such as domestic laws and the international law of countermeasures also address
such threats. In conclusion, while current international law does not fully regulate such
attacks, it is important to understand that strides are being made worldwide to regulate them, all
of which build on the basic principles on which the current law is already built.

References:

Gervais, M. (2012). Cyber-Attacks and the Laws of War. Berkeley Journal of International Law, 30, 525-531.
https://doi.org/10.2139/ssrn.1939615

Brownlie, I. (2012). International Law and the Use of Force by States (p. 362). Oxford: Oxford University Press.

United Nations Charter, Articles 2(4), 39, 51.

Wingfield, T. (2000). The Law of Information Conflict: National Security Law in Cyberspace. Falls Church, VA:
Aegis Research Corp.

Madubuike-Ekwe, J. (2021). Cyberattack and the Use of Force in International Law. Beijing Law Review, 12,
631-649. https://doi.org/10.4236/blr.2021.122034

Valo, J. and D Jarna Petman (2014). Cyber Attacks and the Use of Force in International Law. [online] Available at:
https://helda.helsinki.fi/bitstream/handle/10138/42701/Cyber%20Attacks%20and%20the%20Use%20of%20Force%20in%20International%20Law.pdf?sequence=2 [Accessed 22 Dec. 2019].
