Use of force
|Use of force|
| This prohibition is reflective of customary international law and it is frequently described as a peremptory norm of international law. However, the notion of “force” in this context is limited to armed force, and to operations whose scale and effects are comparable to the use of armed force.
At present, there is a debate as to whether cyber operations with no physical effects may amount to a prohibited use of force. It has been argued that disruptive cyber operations of this kind fall under the scope of Article 2(4) if the resulting disruption is “significant enough to affect state security”. Undoubtedly, one of the purposes of the prohibition of force under international law is to safeguard the national security of the potentially affected States. However, many forms of outside interference including various forms of political and economic coercion may affect the national security of the victim State. And yet, the drafters of the UN Charter had expressly rejected the proposal to extend the prohibition of force beyond the strict confines of military (or armed) force. This is reflected also in the preamble, which explicitly stipulates that the drafters sought “to ensure, by the acceptance of principles and the institution of methods, that armed force shall not be used, save in the common interest”.
In principle, it could be argued that the notion of “force”, like other generic terms in treaties of unlimited duration, should be presumed to have an evolving meaning.
As of 2021, there is limited State practice supporting the claim that the meaning of “force” has evolved to include non-destructive cyber operations against critical national infrastructure and no victim State of an operation of this kind has suggested that the operation would have amounted to a use of force. However, States have begun addressing this question. In particular, France and the Netherlands allow for the possibility of cyber operations, which do not produce physical effects, to qualify as uses of force, if certain criteria are met. These criteria include the seriousness and reach of a given cyber operation’s consequences and its military nature, as well as “the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target”. Several of these criteria are also reflected in the Tallinn Manual 2.0.
Even if an operation does not meet the threshold of the use of force, it may still be considered a violation of other rules of international law. In this regard, the prohibition of non-intervention, the obligation to respect the sovereignty of other States, and the possible obligation to refrain from launching cyber operations against other States’ critical infrastructure are all of potential relevance.
"In determining whether a cyber activity constitutes a use of force, States should consider whether the activity's scale and effects are comparable to traditional kinetic operations that rise to the level of use of force under international law. This involves a consideration of the intended or reasonably expected direct and indirect consequences of the cyber activity, including for example whether the activity could reasonably be expected to cause serious or extensive ('scale') damage or destruction ('effects') to life, or injury or death to persons, or result in damage to the victim State's objects, critical infrastructure and/or functioning.
A use of force will be lawful when the territorial State consents, when it is authorised by the Security Council under Chapter VII of the UN Charter, or when it is taken pursuant to a State's inherent right of individual or collective self-defence in response to an armed attack, as recognised in Article 51 of the Charter."
"As stated in previous reports of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, international law is applicable to the use of ICTs by States. This includes the legal prohibition of the use of force in international relations, which is enshrined in the UN Charter and is also part of customary international law. It is a peremptory norm, to which only two exceptions are permitted: self-defense and authorization under Chapter VII of the Charter.
The United Nations Charter does not refer to specific weapons or other means of use of force, and therefore the legal prohibition applies to all of them. Cyber operations may amount to an illegal use of force if they are attributable to a State and if their impact is similar to the impact of a kinetic attack. It is generally understood that, to date, no state has claimed that the rule prohibiting the use of force was violated due to the conduction of a cyberattack. The lack of such a precedent only reinforces the need for caution when making analogies between cyber and kinetic actions in assessments related to jus ad bellum.
General Assembly Resolution 3314(XXIX), which contains the definition of aggression, enumerates a series of acts that qualify as such: invasion of territory by armed forces, military occupation, bombardments or the use of any weapons against the territory of another state, blockade of the ports or coasts by the armed forces, among others. Although it is not binding, GA Res 3314(XXIX) has been considered highly authoritative and has guided the ICJ in its caselaw. In many instances, it might prove difficult to establish a direct analogy between the acts listed in GA Res 3314 (XXIX) and cyber operations, due to their unique characteristics. Therefore, it is advisable to update the multilateral understanding of which acts amount to the use of force and aggression, so as to include instances of cyberattacks. While it might be challenging to find consensus on grey areas, such as the characterization of digital attacks with no direct physical effects, there are points of convergence that should be consolidated multilaterally to provide more clarity and legal certainty."
|States must refrain in their international relations from carrying out cyber operations which, based on their scale and effect, would constitute a threat or use of force against the territorial integrity or a political independence of any state, or in any other manner inconsistent with the purposes of the UN.|
"While taking measures in cyberspace, states must comply with the obligations and constraints enshrined in international law, including the UN Charter and customary international law. The threat or use of force in international relations is prohibited; however, the UN Charter foresees concrete situations where it could be allowed (in response to an armed attack, as self-defence or in accordance with chapter VII of the UN Charter).
The prohibition of the threat or use of force in cyberspace was also acknowledged and highlighted in the 2015 GGE report, endorsed by the UN General Assembly. Notably, the report states that “in considering the application of international law to State use of ICTs, the GGE identified as of central importance the commitments of States to the following principles of the Charter and other international law […] refraining in their international relations from the threat or use of force against the territorial integrity or political independence of any State […].”
A cyber operation that targets critical infrastructure and results in serious damage, injury or death, or a threat of such an operation, would be an example of use of force."
"So far, the vast majority of malicious cyber operations fall outside the scope of ‘force’. However, cyber operations might in extremis fall within the scope of the prohibition of the use of force and thus constitute a breach of art. 2 para. 4 UN Charter.
The ICJ has stated in its Nuclear Weapons opinion that Charter provisions ‘apply to any use of force, regardless of the weapons employed.’ Germany shares the view that with regard to the definition of ‘use of force’, emphasis needs to be put on the effects rather than on the means used.
Cyber operations can cross the threshold into use of force and cause significant damage in two ways. Firstly, they can be part of a wider kinetic attack. In such cases they are one component of a wider operation clearly involving the use of physical force, and can be assessed within the examination of the wider incident. Secondly, outside the wider context of a kinetic military operation, cyber operations can by themselves cause serious harm and may result in massive casualties.
With regard to the latter case, Germany shares the view expressed in the Tallinn Manual 2.0: the threshold of use of force in cyber operations is defined, in analogy to the ICJ’s Nicaragua judgement, by the scale and effects of such a cyber operation. Whenever scale and effects of a cyber operation are comparable to those of a traditional kinetic use of force, it would constitute a breach of art. 2 para. 4 UN Charter.
The determination of a cyber operation as having crossed the threshold of a prohibited use of force is a decision to be taken on a case-by-case basis. Based on the assessment of the scale and effects of the operation, the broader context of the situation and the significance of the malicious cyber operation will have to be taken into account. Qualitative criteria which may play a role in the assessment are, inter alia, the severity of the interference, the immediacy of its effects, the degree of intrusion into a foreign cyber infrastructure and the degree of organization and coordination of the malicious cyber operation."
"Under certain circumstances, a cyber operation may constitute the threat or use of force prohibited by Article 2(4) of the UN Charter. Pursuant to this article, all States shall refrain in their international relations from the threat or use of force. The Government of Japan presumes that as a general rule the threat of force refers to a State's act of threatening another State by indicating its intention or attitude of using force, without actually using force, unless its arguments or demands are accepted. The obligation to refrain from the threat or use of force in international relations is an important obligation relating to cyber operations."
"Article 2(4) of the UN Charter lays down a prohibition on the threat or use of force. It reads as follows: ‘All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state.’ This prohibition applies to the use of force in any form, regardless of the weapons or means employed.
The prohibition of the use of force is virtually absolute. There are only three situations in which the threat or use of force does not contravene international law. One is in the case of self-defence against an armed attack (article 51 of the UN Charter). Another concerns certain actions implementing a UN Security Council resolution under Chapter 7 of the Charter.7 The final exception is when the use of force takes place with the agreement of the state in whose territory that force will be used.
When applying this prohibition in the context of cyberspace, the question arises: when can cyber operations be considered ‘use of force’, given that no use is made of ‘weapons’ in the usual (physical) sense of the word? The government believes that cyber operations can fall within the scope of the prohibition of the use of force, particularly when the effects of the operation are comparable to those of a conventional act of violence covered by the prohibition. In other words, the effects of the operation determine whether the prohibition applies, not the manner in which those effects are achieved. This position is supported by the case law of the International Court of Justice, which has ruled that the scale and effects of an operation must be considered when assessing whether an armed attack in the context of the right of self-defence has taken place (see below). There is no reason not to take the same approach when assessing whether an act may be deemed a use of force within the meaning of article 2 (4) of the UN Charter. A cyber operation would therefore in any case be qualified as a use of force if its scale and effects reached the same level as those of the use of force in non-cyber operations.
International law does not provide a clear definition of ‘use of force’. The government endorses the generally accepted position that each case must be examined individually to establish whether the ‘scale and effects’ are such that an operation may be deemed a violation of the prohibition of use of force. In their 2011 advisory report ‘Cyber Warfare’, the Advisory Council on International Affairs (AIV) and the Advisory Committee on Issues of Public International Law (CAVV) noted that, ‘The customary interpretation of this provision is that all forms of armed force are prohibited. Purely economic, diplomatic and political pressure or coercion is not defined as force under article 2, paragraph 4. Suspending trade relations or freezing assets, for example, can be very disadvantageous to the state affected but has not to date been considered a prohibited form of force within the meaning of the Charter. Armed force that has a real or potential physical impact on the target state is prohibited.’ In the view of the government, at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force.
It is necessary, when assessing the scale and effects of a cyber operation, to examine both qualitative and quantitative factors. The Tallinn Manual 2.0 refers to a number of factors that could play a role in this regard, including how serious and far-reaching the cyber operation’s consequences are, whether the operation is military in nature and whether it is carried out by a state. These are not binding legal criteria. They are factors that could provide an indication that a cyber operation may be deemed a use of force, and the government endorses this approach. It should be noted in this regard that a cyber operation that falls below the threshold of use of force may nonetheless be qualified as a prohibited intervention or a violation of sovereignty."
"The prohibition of the threat or use of force is a well-established principle of international law, being included in art. 2(4) of the UN Charter. There are only three (well determined) exceptions to this prohibition: self-defense in the event of armed aggression, UNSC Chapter VII authorization of the use of force and consent of the State on whose territory the operation takes place.
In order to ascertain whether a cyber operation represents a threat or use of force and whether it even amounts to a cyberattack, a case-by-case analysis must be carried out to determine the circumstance in which the attack occurred, the nature of the operation (military or not) and the scale and the effects of the operation (by comparison against the scale and severity of a conventional (non-cyber) act of violence covered by the prohibition).
The elements of such an analysis, from the “scale and effects” perspective, are well established in the ICJ’s relevant jurisprudence.
It is also worth noting that not all cyber operations reach the threshold of use of force and even less operations reach the threshold of an armed attack; nevertheless such operations could still be in violation of international law (being a prohibited intervention or an otherwise violation of the principle of sovereignty)."
"Article 2(4) of the UN Charter prohibits the threat or use of force against the territorial integrity or political independence of any State or in any other manner inconsistent with the purposes of the United Nations. Depending on the facts and circumstances in each case, conduct by States carried out in cyberspace is capable of constituting a threat or use of force if the actual or threatened conduct has or would have the same or similar effects of conduct using kinetic means. The circumstances in which the threat or use of force is not unlawful under international law are the same irrespective of whether the conduct is by kinetic or cyber means."
"Cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law. In analyzing whether a cyber operation would constitute a use of force, most commentators focus on whether the direct physical injury and property damage resulting from the cyber event looks like that which would be considered a use of force if produced by kinetic weapons. For example, cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force. In assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors including the context of the event, the actor perpetrating the action (recognizing challenging issues of attribution in cyberspace), the target and location, effects and intent, among other possible issues. Commonly cited examples of cyber activity that would constitute a use of force include, for example, (1) operations that trigger a nuclear plant meltdown, (2) operations that open a dam above a populated area causing destruction, or (3) operations that disable air traffic control resulting in airplane crashes. Only a moment’s reflection makes you realize that this is common sense: if the physical consequences of a cyber attack work the kind of physical damage that dropping a bomb or firing a missile would, that cyber attack should equally be considered a use of force."
"Article 2(4) of the Charter of the United Nations provides that “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” At the same time, international law recognizes that there are exceptions to this rule. For example, in the exercise of its inherent right of self-defense a State may use force that is necessary and proportionate to respond to an actual or imminent armed attack. This is true in the cyber context just as in any other context.
Depending on the circumstances, a military cyber operation may constitute a use of force within the meaning of Article 2(4) of the U.N. Charter and customary international law. In assessing whether a particular cyber operation—conducted by or against the United States—constitutes a use of force, DoD lawyers consider whether the operation causes physical injury or damage that would be considered a use of force if caused solely by traditional means like a missile or a mine. Even if a particular cyber operation does not constitute a use of force, it is important to keep in mind that the State or States targeted by the operation may disagree, or at least have a different perception of what the operation entailed."
- Scenario 03: Cyber operation against the power grid
- Scenario 14: Ransomware campaign
- Scenario 16: Cyber attacks against ships on the high seas
- Scenario 17: Collective responses to cyber operations
Notes and references
- Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) art. 2(4).
- Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion)  ICJ Rep 136, para 87; Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits)  ICJ Rep 14, paras 187–190.
- See, for example,The International Law Commission, 'Document A/6309/ Rev.1: Reports of the International Law Commission on the second part of its seventeenth and on its eighteenth session' Yearbook of the International Law Commission Vol. II (1966) 247 (“The law of the Charter concerning the prohibition of the use of force in itself constitutes a conspicuous example of a rule in international law having the character of jus cogens”); Christine Gray, International Law and the use of force (OUP 2018) 32; Oliver Corten, The Law against War (Hart Pub. 2010) 44; Oliver Dörr and Albrecgr Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012), 231, para 67 (“the prohibition of the use of force laid down in Art. 2 (4) is usually acknowledged in State practice and legal doctrine to have a peremptory character, and thus to be part of the international ius cogens”).
- Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012) 208 para 16 (“The term [‘force’] does not cover any possible kind of force, but is, according to the correct and prevailing view, limited to armed force.”).
- Cf. Ian Brownlie, International Law and the Use of Force by States (OUP 1963) 362 (“[Art 2(4)] applies to force other than armed force”); Tallinn Manual 2.0, rule 69 (“A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”).
- Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 55.
- Cf. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) art. 2(4) (expressly prohibiting the use of force against the “political independence” of any State).
- Documents of the United Nations Conference on International Organization (1945), vol VI, 334.
- Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) preamble.
- Cf. Dispute regarding Navigational and Related Rights (Costa Rica v Nicaragua) Judgment [2009 ICJ Rep 213], para 66 (“[W]here the parties have used generic terms in a treaty, the parties necessarily having been aware that the meaning of the terms was likely to evolve over time, and where the treaty has been entered into for a very long period or is ‘of continuing duration’, the parties must be presumed, as a general rule, to have intended those terms to have an evolving meaning”).
- However, such claims are occasionally made in the scholarship: see, for example, Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 59; Nicholas Tsagourias 'Cyber Attacks, Self-Defence and the Problem of Attribution' (2012) 17 (2) Journal of Conflict and Security Law 23; Gary Brown and Keira Poellet, ‘The Customary International Law of Cyberspace’ (2012) Strategic Studies Quarterly 137.
- Dan Efrony and Yuval Shany, ‘A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice’ (2018) 112 AJIL 583, 638.
- French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, at p. 7, stating that ‘France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force’.
- Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) at p. 4, stating that ‘in the view of the government, at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force’.
- Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) at p. 4.
- French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, at p. 7.
- Tallinn Manual 2.0, commentary to rule 69, para 9.
- Cf. US, State Department Legal Advisor Brian Egan, International Law and Stability in Cyberspace, Speech at Berkeley Law School (10 November 2016), 13 (“In certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force.”) (emphasis original); UK, Attorney General Jeremy Wright QC MP, Cyber and International Law in the 21st Century, Speech (23 May 2018) (“In certain circumstances, cyber operations which do not meet the threshold of the use of force but are undertaken by one state against the territory of another state without that state’s consent will be considered a breach of international law.”).
- Australian Government, Australia's position on how international law applies to State conduct in cyberspace
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 19.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 25-26.
- Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 6.
- Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 6
- Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 3-4.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 77.
- United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
- Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 3-4
- Hon. Paul C. Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March, 2020