Cyber Warfare and the Laws of War: A Gap in the Law Governing Invisible Warfare


Cyber operations and their destructive capabilities were brought to the attention of the international legal community in the late 1990s. Significantly, in 1999 the US Naval War College became the first institution to convene a major international legal conference on cyber warfare and international law. Although most States recognize the cyber threat, its legal implications are not widely understood. This article will analyze the laws of war in the jus ad bellum context (law on the commencement of hostilities) as they apply to Cyber Warfare. It will identify a gap in the current law, which I argue means that the current laws of war are inadequate in dealing with the evolution of warfare to the cyber realm.

1. UN Charter’s Prohibition on the Use of Force

When analyzing international law on jus ad bellum as it currently pertains to Cyber Warfare, our analysis first turns to the general prohibition on the use of force between States contained in Article 2(4), UN Charter. A persistent debate since the drafting of Article 2(4) of the UN Charter is whether provisions of the Article cover only the use of certain types of force or whether the provisions extend further.[i]

Article 2(4) requires that “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” Analyzing Article 2(4) requires interpretation according to the rules set out in the Vienna Convention on the Law of Treaties 1969 (VCLT). As per Article 31 of the VCLT, all treaty terms must be given their proper meaning regarding the object and purpose of the treaty: see Arbitral Award of 31 July 1989, Guinea-Bissau v Senegal, para 48. Additionally, Article 31(2) of the VCLT stipulates that the “context” for the purposes of interpreting a treaty shall include the treaty’s preamble. In reference to the UN Charter, the Preamble makes it clear that one purpose of the Charter is to “ensure…that armed force shall not be used, save in the common interest.” It can therefore be concluded that a fundamental purpose of the UN Charter is to limit the rights of its Member States to use armed force.

1.1. Meaning of “Armed Force”

Following from the above conclusions, it is now important to define “armed force.” As per Black’s Law Dictionary, the term “armed” is defined as being “[e]quipped with a weapon” or “[i]nvolving the use of a weapon.”[ii] Therefore, if “armed” requires the wielding of a weapon, the next logical question must pertain to the definition of a “weapon.”

Ian Brownlie argued that the proper test in determining whether there has been an unlawful use of force is to establish whether the apparatus used caused “destruction to life and property.” Indeed, as per the International Court of Justice (ICJ) in the Legality of the Threat or Use of Nuclear Weapons advisory opinion, Article 2(4)’s prohibition on the use of force applies “to any use of force, regardless of the weapons employed.”[iii] Consequently, the “effects-based” approach as espoused by Brownlie has gained acceptance in international legal literature and is significant in the scholarship surrounding cyber warfare. For instance, the National Research Council states that the traditional Laws of Armed Conflict define the use of force as “death or physical injury to people and destruction of physical property.” Note that in the Nuclear Weapons advisory opinion, the ICJ held in paragraph 39 that Article 2(4) of the UN Charter does not refer to specific types of weapons. Considering that cyber capabilities can be used as a weapons system, it follows that a State will be able to use force through cyber means. Consequently, for there to be an unlawful “use of force” as per Article 2(4) of the UN Charter, physical damage to persons or property must result from a cyber operation. Yet, this is not the end of the story. The UN Charter does not just provide that all uses of force are illegal; it also allows in Article 51 for States to defend themselves in response to an “armed attack.”

1.2. Cyber Operations: “Use of Force” vs. “Armed Attack”

The distinction between “force” and “armed attack” is significant in the jus ad bellum context. While Article 2(4) prohibits the “threat or use of force,” Article 51 provides for the right of self-defense (including collective self-defense) in response to an “armed attack.” The specific language used in Article 51 when compared with Article 2(4) indicates a distinction between the prohibition on the “use of force” in Article 2(4) and the exception in the case of an “armed attack.”

As such, where is the metaphorical line drawn triggering the labelling of a cyber operation as the use of force or an “armed attack”? Traditionally, the type of force required to qualify as an “armed attack” is considered a “grave attack” (causing destruction to property, death to civilians, etc.) executed by the armed forces of another State. Yet, this does not provide clarity as to the line between the use of “cyber force” and a “cyber-attack.”

The ICJ in Nicaragua v. United States held in paragraphs 191 and 195 that it was “necessary to distinguish the gravest forms of the use of force (those constituting an armed attack) from other less grave forms,” such as “mere frontier incident[s].” The ICJ further held that the determination of whether an act constituted an “armed attack” depends on the “scale and effects” of the action. This was endorsed in the Oil Platforms (Iran v. United States), Armed Activities (Democratic Republic of the Congo v. Uganda), and Partial Award, Jus Ad Bellum, Ethiopia Claims (Ethiopia v. Eritrea) cases. However, the Court has tended to “avoid pronouncing on the most contentious issues” involving the definition of armed attack, leading to much confusion.[iv] It is submitted, however, that the distinction between “armed force” and “armed attack” applies in the context of cyber warfare. If the use of cyber force rises to the level of a “cyber-attack,” Article 51 of the UN Charter will be triggered.

An implication of the above analysis is that cyber operations crossing the threshold of an “armed attack” can allow for such responsive options as defensive cyber operations or the use of kinetic military force. Designating a cyber operation as the “use of force” or an “armed attack” can indicate further consequences for mutual defense treaties requiring collective responses to “attacks.” For instance, NATO has declared that alliance defense commitments extend to cyberspace. Furthermore, some States have taken the definitive position that cyber operations can rise to the level of the “use of force” or an “armed attack.” The United States has declared that if the result of a cyber operation is to cause the same (or similar) type of damage as conventional kinetic force, then it is appropriate to treat such actions under international law as an act of kinetic force.

2. Gaps in the Current Law Relating to Cyber Warfare and Conclusion

The above interpretation espoused by the United States and others is unsatisfactory in that it leaves many grey areas. For instance, how should States treat cyber operations that do not cause physical injuries or destruction to persons or property, but that nonetheless can cause grave or substantial harm?

Take, for example, a situation where a cyber operation launched by State X causes the shutdown of the New York Stock Exchange (NYSE) or a major outage of banking and financial services. This could wreak havoc on the US economy.[v] Yet, since force is currently defined by reference to physical effects, namely damage to physical property or injury to persons, such a situation (though catastrophic) would not be considered the “use of force” under current international law.[vi] On the other hand, take for example a hypothetical situation where missiles destroyed the NYSE and all the servers housing the NYSE’s economic data. Imagine that there were no persons killed or injured and that damage was solely to physical property. The NYSE has been shut down with all data wiped out, leading to catastrophic effects on the economy.

The difference between the second scenario and the first is that the second involved the use of conventional kinetic force and the first involved a cyber operation. Yet, both scenarios lead to the same catastrophic effect of destroying the data housed in the NYSE. Since only the second scenario involved the physical destruction of property, that is the only situation where State X’s actions constitute the “use of force” under current standards of jus ad bellum. However, such an approach fails to acknowledge the importance of data in modern interconnected societies, illustrating how international law has not evolved adequately to deal with the advent of Cyber Warfare. In the end, the evolution in the law of jus ad bellum must respond to new developments in human warfare.

Andrew Hashim is an LL.M. student at Columbia Law School and holds a BA (Hons) in Law with Senior Status from the University of Cambridge and a joint BA with International Honors in International Relations from the College of William & Mary and the University of St. Andrews. He is a member of the Bar of England & Wales (Barrister, Lincoln’s Inn). His prior experience includes a Judicial Internship with The Honorable Judge Evan J. Wallach, US Court of Appeals for the Federal Circuit.

Endnotes:

[i] See generally Grigori Tunkin, Law and Force in the International System (1985).

[ii] Armed, Black’s Law Dictionary (10th ed. 2014).

[iii] Ian Brownlie, International Law and the Use of Force by States, 362, 431 (1963).

[iv] Christine Gray, International Law and the Use of Force (4th ed. 2018).

[v] Jack Goldsmith, How Cyber Changes the Laws of War, 24 The European Journal of International Law 129, 132-137 (2013).

[vi] James A. Green, The Regulation of Cyber Warfare Under the Jus Ad Bellum, Cyber Warfare: A Multidisciplinary Analysis 96, 104 (James A. Green ed., 2015).