Soft Law and the Soft Enemy: The Conundrum of Cyber Attacks and the Use of Force

The dependency of humans on computer systems and networks is increasing exponentially. Today, computers are used for medical records, military information, emergency services and varied other purposes. However, this increasing reliance on computer networks comes at a price: vulnerability to attacks and infiltration. Recent examples such as the Pegasus software and the Russian cyber-attack orchestrated by the Killnet group against the networks of North Atlantic Treaty Organization [“NATO”] countries are a few instances of this hidden warfare.

Cyber-attacks came into focus at the international level from the 1990s. Examples of this are the cyber-attacks conducted against Estonia and Russia in 2007 and 2008 respectively. The Stuxnet cyber operation of 2010 is another instance of the same. A cyber-attack is one which is expected to result in injury or death of persons, and damage and destruction to property or objects. Cyber-attacks can be conducted from a remote facility outside the target state. Some states are weaker and more vulnerable than others, and cyber-attacks can have a disproportionate impact on their defense or military capabilities. Thus, it is necessary to resolve the ambiguity surrounding cyber-attacks and the application of jus ad bellum.

CYBER ATTACKS AND THE USE OF FORCE

Art. 2(4) of the United Nations Charter states that “all members shall refrain from the threat or use of force against the territorial integrity and political independence of any state or in any manner inconsistent with the purposes of the United Nations”. This provision does not mandate the method via which the threat or use of force must be conducted. Any threats or uses of force which impact international stability violate Art. 2(4) of the Charter. Therefore, theoretically, a threat issued through the internet stands at par with the threat issued by traditional means.

Territorial integrity or political independence

Art. 2(4) prohibits the use of force against the territorial integrity or political independence of any state. Prima facie it can be argued that types of ‘force’ which do not violate the territorial integrity or political independence of a state are not prohibited under the Charter. This interpretation makes it particularly problematic to qualify cyber-attacks as ‘use of force’, as they do not violate territorial sovereignty in the traditional framework. For instance, the attacks on South Korea and the USA did not constitute a territorial violation even though they had an impact on thousands of computers in these two states. However, this view does not hold ground as the prohibition under Art. 2(4) was intended to be comprehensive and inclusive in nature.

Further, the terms ‘territorial integrity’ and ‘political independence’ have been separated by ‘or’ and have to be seen as alternatives. It is sufficiently foreseeable that most forcible actions of any kind undertaken without the consent of the target state violate either the territorial integrity or political independence in some manner. Besides, Art. 2(4) states ‘or in any other manner inconsistent with the purposes of the UN’. One primary purpose of the UN is the peaceful settlement of disputes. Thus, the term ‘territorial integrity and political independence’ does not prove to be a barrier against inclusion of cyber-attacks under the ambit of Art. 2(4).

The definition of “force”

The definition of the term ‘force’ is widely contested. According to Art. 31 of the Vienna Convention on the Law of Treaties [“VCLT”], instruments must be interpreted according to their ordinary meaning in light of their objects and purpose. The preamble of the UN Charter states that armed force must not be used except to protect common interest. The travaux preparatoires of Art. 2(4) indicate that political or economic coercion is excluded from its ambit. Thus, interpreting ‘force’ in the context of the goals of the Charter indicates that it should be constricted to ‘armed force.’ The Declaration on Friendly Relations also adopts a definition similar to that in Art. 2(4).

However, this does not mean that for an action to qualify as armed force, a physical or kinetic force is needed. The ICJ in the Nuclear Weapons Advisory Opinion stated that the prohibition of use of force and self-defense apply to ‘any force, regardless of the weapons employed.’ The ICJ in Nicaragua held that the ‘scale and effects’ have to be considered while determining the criteria for an attack. Hence, an effects-based approach is widely followed. Thus, the consequences ensuing after an attack are the determinative factor in deciding whether it falls under the prohibition contained in Art. 2(4).

Finding The Middle Ground

Though the effects-based approach enjoys relative popularity, the author believes that there are a few caveats that need to be kept in mind.

First, different states have different capacities to respond to a cyber-attack. Powerful and developed states may be able to successfully fend off a cyber-attack without suffering much from its consequences and effects, while weaker states may face severe impacts from similar cyber-attacks. If an effects-based approach is followed for qualification as ‘use of force’ under Art. 2(4), such a cyber-attack may not satisfy the threshold if directed against a powerful state but would if directed against a weaker state.

Second, there is a lack of a prescriptive threshold for determining the effects of a cyber-attack. It has been argued that to qualify under Art. 2(4), the force must result in violence. Following this approach, it can be concluded that those attacks which cause physical destruction of property or loss of life are characterized as use of force under Art. 2(4) of the Charter. The Stuxnet cyber-attack on Iran in the year 2010 is the most befitting example. Stuxnet was malware used for the purpose of disrupting Iran’s nuclear facilities and its capability to refine weapons-grade uranium, and this was an attack which led to actual physical damage. Further, this was a state-sponsored cyber-attack (believed to be conducted by the US and Israel) to disrupt Iranian nuclear facilities.

This narrow approach of requiring physical damage is restrictive and is not tenable in the current era, which is so heavily dependent on technology. The attacks against Estonia and Georgia in 2007 and 2008 respectively are a perfect example of this situation. There, the damage caused, though not physical in nature, had devastating consequences.

The author believes that a middle ground must be followed, one which does dilute the ‘use of force’ threshold to a great extent and which does not prescribe the narrow requirement of physical damage. Thus, the effects-based approach must be adopted with the caveat that cyber-attacks having wide-ranging effects (albeit not physical) should also be included.


CYBER ATTACKS AND SELF-DEFENSE

Art. 51 of the UN Charter gives states a right to use force in self-defense in case an armed attack occurs. Art. 51 is more restrictive than Art. 2(4), as use of force in self-defense is justified only when an ‘armed attack’ occurs. This qualification excludes action which is preventive or anticipatory in character. However, there are different views regarding whether a state can exercise the right to self-defense after a cyber-attack is over. A reading of the Articles on State Responsibility of Internationally Wrongful Acts [“ARSIWA”] suggests that international law restrictively permits actions in the form of reprisals and retaliation when carried out in accordance with Chapter II of Part III of the Articles.

Defining the term ‘armed attack’

The primary issue here is whether cyber-attacks qualify as armed attack under Art. 51 of the Charter to justify an action in self-defense. The ICJ in Nicaragua adopted a very restrictive view and stated that only military attacks rise to the level of armed attack under Art. 51 of the Charter. The UN mandates a narrow set of conditions in which an action in self-defense is permitted. These include the existence of an armed attack which is clear, unambiguous in nature and cannot be misrepresented or fabricated.

The ICJ in Nuclear Weapons Advisory Opinion stated that “the choice of means of an attack is immaterial to the issue whether an operation qualifies as an armed attack”. Further, in Nicaragua it was held that there is a difference between the ‘most grave’ and ‘less grave’ forms of force. The former rose to the standard of an armed attack and justified an action in self-defense.

The factor used to determine whether a cyber-attack qualifies as an armed attack to invoke an action in self-defense depends upon the scale and effects of the attack, i.e. the scale and effects of a cyber-attack must be equivalent to those arising from a traditional kinetic armed attack. Thus, cyber-attacks which are sufficiently destructive are termed ‘armed attacks’. The level of intrusion does not play a very important role in this determination. For instance, a cyber-attack which impacts air traffic control is destructive as it would probably lead to loss of life. Further, the nature of the information or data lost has an important role to play in deciding whether a cyber-attack satisfies the armed attack threshold or not. These can be classified as armed attacks even though there is no loss of life, property or destruction of any kind. This is because this is naturally sensitive information which, if leaked, would have devastating repercussions for a state. To conclude, the effects and probable consequences of an attack are more important than the means utilized to carry out the attack.

Cyber-attacks and Anticipatory Self Defense

The right of anticipatory self-defense or pre-emptory self-defense is a contested point under international law. In the Caroline case it was stated that a right of anticipatory self-defense exists when ‘the necessity of that self-defense is instant, overwhelming and leaving no choice of means and no moment of deliberation.’

A cyber-attack conducted by a foreign government against a target state warrants a forcible action by the latter to stop the on-going attack or prevent future ones. However, there are some obvious concerns. In the era of developing cyber capabilities, identifying the source of an attack is extremely difficult. Further, ‘trapdoors’ can be set up in order to mislead the target state regarding the scope of the attack. Due to this, the target state cannot quantify the amount and type of data lost and also cannot identify the source of the attack.

Here the element of proportionality assumes even greater significance. There is a two-fold test to be fulfilled: one, the method of response must be appropriate to the threat or grievance (jus ad bellum); two, the effects and results of the attack are appropriate considering the level of destruction it will cause (jus in bello). For example, a full-scale cyber-attack accompanied by air strikes is a disproportionate response to a cyber-attack which temporarily disrupted telecommunication facilities.

CONCLUSION

The 21st century has seen massive development of information technology and infrastructure. However, these are vulnerable to cyber-attacks. There is ambiguity regarding the exact scope and nature of cyber-attacks and the application of the principles of jus ad bellum in the area. In the contemporary paradigm where immense developments are seen in the field of information technology and infrastructure, there is a need for a binding law governing this field. Therefore, it is pertinent that the threshold for ‘armed attack’ must be restrictive and not all-encompassing to prevent unnecessary resort to violence and forcible action behind the veil of an action taken in self-defense.