Self-defence

From International cyber law: interactive toolkit
Jump to navigation Jump to search

Definition[edit | edit source]

Self-defence
A State may respond with force to a cyber operation that qualifies as an “armed attack” pursuant to the customary right to self-defence, as codified in Article 51 of the UN Charter. Most commentators consider only grave uses of force – typically, those that kill or injure persons or damage or destroy property – to constitute armed attacks.[1]

The United States, however, takes an outlier position, consistently arguing that any illegal use of force gives rise to the use of force in self-defence.[2]

In Nicaragua, the ICJ identified “scale and effects” as criteria upon which to judge whether a use of force constitutes an armed attack. In the Court’s view, only “the most grave” uses of force do so.[3] Thus, only cyber operations that seriously injure or kill a number of persons or cause significant damage to, or destruction of, property would undoubtedly constitute armed attacks.[4]

Publicly available national positions that address this issue include: National position of Australia (2020) (2020), National position of Brazil (2021) (2021), National position of Canada (2022) (2022), National position of Denmark (2023) (2023), National position of Estonia (2021) (2021), National position of Finland (2020) (2020), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Iran (2020) (2020), National position of Ireland (2023) (2023), National position of Israel (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of the Republic of Poland (2022) (2022), National position of Singapore (2021) (2021), National position of the Kingdom of Sweden (2022) (2022), National position of Switzerland (2021) (2021), National position of the United Kingdom (2018) (2018), National position of the United Kingdom (2021) (2021), National position of the United States of America (2012) (2012), National position of the United States of America (2020) (2020), National position of the United States of America (2021) (2021).

National positions[edit | edit source]

Australia (2020)[edit | edit source]

"A use of force will be lawful when the territorial State consents, when it is authorised by the Security Council under Chapter VII of the UN Charter, or when it is taken pursuant to a State's inherent right of individual or collective self-defence in response to an armed attack, as recognised in Article 51 of the Charter.

Australia considers that the thresholds and limitations governing the exercise of self-defence under Article 51 apply in respect of cyber activities that constitute an armed attack and in respect of acts of self-defence that are carried out by cyber means. Thus, if a cyber activity – alone or in combination with a physical operation – results in, or presents an imminent threat of, damage equivalent to a traditional armed attack, then the inherent right to self-defence is engaged. Any use of force in self-defence must be necessary to repel the actual or imminent armed attack and be a proportionate response in scope, scale and duration. Any reliance on Article 51 must be reported directly to the UN Security Council.

The rapidity of cyber activities, as well as their potentially concealed and/or indiscriminate character, raises new challenges for the application of established principles. These challenges have been noted by Australia in explaining its position on imminence and the right of self-defence in the context of national security threats that have evolved as a result of technological advances. For example, in a speech to the University of Queensland in 2017, then Attorney-General, Senator the Hon. George Brandis QC, explained that:

'[A] state may act in anticipatory self-defence against an armed attack when the attacker is clearly committed to launching an armed attack, in circumstances where the victim will lose its last opportunity to effectively defend itself unless it acts. This standard reflects the nature of contemporary threats, as well as the means of attack that hostile parties might deploy. Consider, for example, a threatened armed attack in the form of an offensive cyber operation, ...which could cause large-scale loss of human life and damage to critical infrastructure. Such an attack might be launched in a split-second. Is it seriously to be suggested that a state has no right to take action before that split-second?'"[5]

Brazil (2021)[edit | edit source]

"Amongst the gravest forms of the use of force in international relations are armed attacks, which trigger the right of states to resort to self-defense, in accordance with article 51 of the UN Charter. Being self-defense an exception to the general principle on the prohibition to the use of force, it needs to be interpreted restrictively. This view is in line with the case law of the International Court of Justice, the principal judicial organ of the United Nations.

As a consequence, self-defense is only triggered by an armed attack undertaken by or attributable to a State. It is not possible to invoke self-defense as a response to acts by non-State actors, unless they are acting on behalf or under the effective control of a state. This norm becomes even more relevant with cyber operations, where technical, legal and operational challenges to determine attribution might make it impossible to verify potential abuses of the right of self defense, which in turns creates the risk of low impact persistent unilateral military action undermining the collective system established under the Charter.

In the same vein, contemporary international law does not allow for self-defense on the basis that the territorial state would be “unwilling and unable” to repress non-state actors whose cyber acts have extraterritorial effects. The definition of “armed attack” is limited to the use of force attributable to a state and, therefore, actions from non-state actors with similar effects might amount to serious crimes, but not an “armed attack”. If such a situation arises, the territorial state should adopt measures, in good faith and within its capabilities, to cease the action and ensure accountability.

If it fails to do so, this omission might constitute an internationally wrongful act, thus entailing this states’international responsibility. According to customary international law, in this case the victim state is entitled to remedies, to be pursued only through peaceful means.

Moreover, self-defense should be a temporary remedy. Member states that exercise their right to self-defense must immediately report it to the Security Council, in line with article 51 of the Charter. Given the novelty of cyberattacks and the uncertainties related to it, reporting to the Security Council is even more important. As the ICJ highlighted, “the absence of a report may be one of the factors indicating whether the State in question was itself convinced that it was acting in self defense”. Once the incident is reported to the Security Council, it is expected that the temporary act of self-help is replaced by collective action, adopted and pursued in line with the UN Charter.

For Brazil, the right to self-defense exists once there is an actual or imminent armed attack. Under international law, there is no right to “preventive self-defense” - a notion that does not find legal grounds neither in art. 51 of the Charter nor in customary international law. Finally, as with responses to armed activities using conventional weapons, self-defense against armed attacks caused by digital means must be necessary and proportionate."[6]

Canada (2022)[edit | edit source]

"46. Canada considers that the inherent right of self-defence if an armed attack occurs against a State also applies in cyberspace.[7]

47. Canada will respond to cyber activities that amount to an armed attack in a manner that is consistent with international law. Canada’s response may include cyber operations. The right to self-defence is both an individual and collective right of States."[8]

Denmark (2023)[edit | edit source]

"In certain instances, use of force may due to its scale and effects reach the level of an armed attack and thus give rise to a right to self-defence of the target State, cf. article 51 of the UN Charter. In its Nicaragua judgment the ICJ defined an armed attack as the most grave form of the use of force.[6] Denmark subscribes to the understanding that not all illegal use of force under article 2(4) of the UN Charter necessarily amounts to an armed attack under article 51 of the Charter.

Denmark takes the view that a cyber attack may qualify as an armed attack under article 51 of the UN Charter if the effects generated are comparable to effects resulting from an action, which would otherwise qualify as an armed attack. Thus, Denmark considers that a cyber operation, which e.g. leads to serious injury or death, or which causes significant physical damage, may qualify as an armed attack. This could be the case if a cyber attack leads to the disabling of an air traffic control system which causes planes to crash or an interference with the operating system of a power station, which causes serious physical damage.

Certain States take the view that an armed attack can only be undertaken by State actors or entities acting under the control or instruction of States, and thus no right to self-defense exists against an armed attack by a non-State actor. Denmark does not share this view, but contends that State practice supports that a State might in some instances and under certain conditions be permitted to exercise self-defence against an armed attack by a non-State actor."[9]

Estonia (2019)[edit | edit source]

"[...] states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the inherent right of self-defence. Cyber should no longer look like an easy choice of weapons and therefore we must be ready to use deterrence tools. First and foremost, states must refrain from the threat of or use of force against the territorial integrity and political independence of other states. However, we already know that cyber operations, which cause injury or death to persons or damage or destruction of objects, could amount to use of force or armed attack under the UN Charter. We here in Estonia are very much dependent on a stable and secure cyberspace. Such harmful effects could be caused by a cyber operation, which for example, targets digital infrastructure or services necessary for the functioning of society. And let’s not forget – growing digitalization of our societies and services can also lower the threshold for harmful effects. In order to prevent such effects, states maintain all rights, in accordance with international law, to respond to harmful cyber operations either individually or in a collective manner."[10]

Estonia (2021)[edit | edit source]

"In order to enforce state responsibility, states maintain all rights to respond to malicious cyber operations in accordance with international law. If a cyber operation is unfriendly or violates international law obligations, injured states have the right to take measures such as retorsions, countermeasures or, in case of an armed attack, the right to self-defence. These measures can be either individual or collective. The main aim of reactive measures in response to a malicious cyber operation is to ensure responsible state behaviour in cyberspace and the peaceful use of ICTs."[11]

In accordance with Article 51 of the UN Charter, states have the right for self-defence in the case of an armed attack.

"In order to assess if a cyber operation reaches the threshold of the use of force or an armed attack based on Article 2(4) or 51 of the UN Charter, we must consider the scale and effects of the operation. If the effects of a cyber operation are comparable to a kinetic attack, it could constitute an armed attack.

In such a situation, the injured state has the right to self-defence considering all applicable restrictions of the UN Charter and customary international law, such as proportionality and necessity.

In its response to an armed attack by cyber means, the injured state is not necessarily limited to taking measures by cyber means – all means remain reserved to states in order to respond to an armed attack in a manner that is proportionate and in accordance with other provisions of international law.

Estonia believes that cyber operations that cause injury or death to persons, damage or destruction could amount to an armed attack under the UN Charter."[12]

Finland (2020)[edit | edit source]

"While there is currently no established definition of a cyberattack that would pass the threshold of “use of force” in the sense of article 2(4) of the UN Charter, or “armed attack” in the sense of article 51, it is widely recognized that such a qualification depends on the consequences of a cyberattack. For a cyberattack to be comparable to use of force, it must be sufficiently serious and have impacts in the territory of the target State, or in areas within its jurisdiction, that are similar to those of the use of force. A threat of such a cyberattack could also violate Article 2(4) of the Charter, if the threat is sufficiently precise and directed against another State. Similarly, most commentators agree that when the scale and effects of a cyberattack correspond to those of an armed attack responding to the cyberattack is justifiable as self-defence. It is obvious that the attack must have caused death, injury or substantial material damage, but it is impossible to set a precise quantitative threshold for the effects, and other circumstantial factors must be taken into account in the analysis, as well."

"A question has also been raised, whether a cyberattack producing significant economic effects such as the collapse of a State’s financial system or parts of its economy should be equated to an armed attack. This question merits further consideration. Any interpretation of the use of force in cyberspace should respect the UN Charter and not just the letter of the Charter but also its object and purpose, which is to prevent the escalation of armed activities. This would mean, for instance, that the distinction between armed attack as a particularly serious violation of the Charter, on the one hand, and any lesser uses of force, on the other, is preserved. Similarly, the conditions for the exercise of the right of self-defence apply in cyberspace as they do with regard to the use of armed force. The right of self-defence arises if a cyberattack comparable to an armed attack occurs and can be attributed to a particular State. It is reasonable to think that a State victim to such an attack can respond with either cyber means or armed action. At the same time, the use of force must not be disproportionate or excessive."[13]

France (2019)[edit | edit source]

"Some cyberoperations may violate the prohibition of the threat or use of force. The most serious violations of sovereignty, especially those that infringe France’s territorial integrity or political independence, may violate the prohibition of the threat or use of force, which applies to any use of force, regardless of the weapons employed. In digital space, crossing the threshold of the use of force depends not on the digital means employed but on the effects of the cyberoperation. A cyberoperation carried out by one State against another State violates the prohibition of the use of force if its effects are similar to those that result from the use of conventional weapons. However, France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force. In the absence of physical damage, a cyberoperation may be deemed a use of force against the yardstick of several criteria, including the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target. This is of course not an exhaustive list. For example, penetrating military systems in order to compromise French defence capabilities, or financing or even training individuals to carry out cyberattacks against France, could also be deemed uses of force.

However, not every use of force is an armed attack within the meaning of Article 51 of the United Nations Charter, especially if its effects are limited or reversible or do not attain a certain level of gravity.

The prohibition of the use of force enshrined in the United Nations Charter applies to cyberspace. Certain cyberoperations may constitute a use of armed force within the meaning of Article 2, para. 4 of the United Nations Charter."[14]

"In accordance with the case law of the International Court of Justice (ICJ), France distinguishes the gravest forms of the use of force, which constitute an armed attack to which the victim State may respond by individual or collective self-defence, from other less grave forms. Cyberattacks may constitute a grave form of the use of force to which France could respond by self-defence."[15]

"France reaffirms that a cyberattack may constitute an armed attack within the meaning of Article 51 of the United Nations Charter, if it is of a scale and severity comparable to those resulting from the use of physical force. In the light of these criteria, the question of whether a cyberattack constitutes armed aggression will be examined on a case-by-case basis having regard to the specific circumstances. A cyberattack could be categorised as an armed attack if it caused substantial loss of life or considerable physical or economic damage. That would be the case of an operation in cyberspace that caused a failure of critical infrastructure with significant consequences or consequences liable to paralyse whole swathes of the country’s activity, trigger technological or ecological disasters and claim numerous victims. In such an event, the effects of the operation would be similar to those that would result from the use of conventional weapons.

To be categorised as an armed attack, a cyberattack must also have been perpetrated, directly or indirectly, by a State. Leaving aside acts perpetrated by persons belonging to State organs or exercising elements of governmental authority, a State is responsible for acts perpetrated by non-state actors only if they act de facto on its instructions or orders or under its control in accordance with the rules on State responsibility for internationally wrongful acts and ICJ case law. To date, no State has categorised a cyberattack against it as an armed attack.

In accordance with ICJ case law, France does not recognise the extension of the right to self-defence to acts perpetrated by non-state actors whose actions are not attributable, directly or indirectly, to a State. France has, in exceptional cases, invoked self-defence against an armed attack perpetrated by an actor having the characteristics of a “quasi-State”, as with its intervention in Syria against the terrorist group Daesh (ISIS/ISIL). However, this exceptional case cannot constitute the definitive expression of recognition of the extension of the concept of self-defence to acts perpetrated by non-state actors acting without the direct or indirect support of a State.

Nonetheless, it cannot be ruled out that general practice may shift towards an interpretation of the law of self-defence as being authorised in response to an armed attack by non-state actors whose acts are not attributable to a State. However, any such development will have to be made bearing in mind the Rome Statute of the International Criminal Court (ICC) as amended in 2010 to add the crime of aggression, and the case law of the ICC that may emerge in this sphere."[16]

"Under Article 51 of the United Nations Charter, a State that suffers an armed attack is entitled to use individual or collective self-defence. Self-defence in response to an armed attack carried out in cyberspace may involve digital or conventional means in compliance with the principles of necessity and proportionality. On a decision by the President of the Republic to commit the French armed forces, the Armed Forces Ministry may carry out cyberoperations for military purposes in cyberspace.

Cyberattacks which do not reach the threshold of an armed attack when taken in isolation could be categorised as such if the accumulation of their effects reaches a sufficient threshold of gravity, or if they are carried out concurrently with operations in the physical sphere which constitute an armed attack, where such attacks are coordinated and stem from the same entity or from different entities acting in concert. In exceptional circumstances, France allows itself to use pre-emptive self-defence in response to a cyberattack that “has not yet been triggered but is about to be, in an imminent and certain manner, provided that the potential impact of such an attack is sufficiently serious”. However, it does not recognise the legality of the use of force on the grounds of preventive self-defence.

States which, in the conduct of a cyberoperation or in their response to a cyberattack, decide to use non-state actors, such as companies providing offensive cyber services or groups of hackers, are responsible for those actors’ actions. In view of the risk of systemic instability arising from the private-sector use of offensive capabilities, France, following on from the Paris Call, is in favour of regulating them strictly and prohibiting such non-state actors from carrying out offensive activities in cyberspace for themselves or on behalf of other non-state actors.

Lastly, any response on the grounds of self-defence remains provisional and subordinate. It must be promptly reported to the UNSC and suspended as soon as the Security Council takes the matter in hand, replacing unilateral action with collective measures or, failing that, as soon as it has achieved its purpose, namely to repel or end the armed attack. Other measures, such as counter-measures or referral to the UNSC, may be preferred if they are deemed more appropriate."[17]

Germany (2021)[edit | edit source]

"The right to self-defence according to art. 51 UN Charter is triggered if an armed attack occurs. Malicious cyber operations can constitute an armed attack whenever they are comparable to traditional kinetic armed attack in scale and effect. Germany concurs with the view expressed in rule 71 of the Tallinn Manual 2.0.

Furthermore, Germany acknowledges the view expressed in the ICJ’s Nicaragua judgment, namely that an armed attack constitutes the gravest form of use of force. Assessing whether the scale and effects of the cyber operation are grave enough to consider it an armed attack is a political decision taken in the framework of international law. Physical destruction of property, injury and death (including as an indirect effect) and serious territorial incursions are relevant factors. The decision is not made based only on technical information, but also after assessing the strategic context and the effect of the cyber operation beyond cyberspace. This decision is not left to the discretion of the State victim of such a malicious cyber operation, but needs to be comprehensibly reported to the international community, i.e. the UN Security Council, according to art. 51 UN Charter.

The response to malicious cyber operations constituting an armed attack is not limited to cyber counter-operations. Once the right to self-defence is triggered, the State under attack can resort to all necessary and proportionate means in order to end the attack. Self-defence does not require using the same means as the attack which provided the trigger for its exercise.

Acts of non-State actors can also constitute armed attacks. Germany has expressed this view both with regard to the attacks by Al Qaeda and the attacks of ISIS.

In Germany’s view, art. 51 UN Charter requires the attack against which a State can resort to self-defence to be ‘imminent’. The same applies with regard to self-defence against malicious cyber operations. Strikes against a prospective attacker who has not yet initiated an attack do not qualify as lawful self-defence."

Ireland (2023)[edit | edit source]

"27. The customary international law right to self-defence is acknowledged in Article 51 of the UN Charter, which states: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.” States can invoke the right to self-defence in response to an “armed attack”. Not every threat or use of force within the meaning of Article 2(4) of the Charter will amount to an armed attack and it is necessary to consider scale and effects.[20]

28. A cyber-operation that by virtue of its scale and effects reaches the threshold of an armed attack would permit the exercise of self-defence in accordance with Article 51 and customary international law. Due to the nature of a cyber-operation, it seems that only in exceptional circumstances could it reach the threshold of “armed attack”. To reach this threshold, the scale and effects of a cyber-operation must correspond to an armed attack involving a physical use of force. It is conceivable that this need not necessitate physical damage, where for example loss or impairment of functionality to ICT infrastructure is inflicted on such a scale and with such effects that it is comparable to a conventional armed attack."[18]

Iran (2020)[edit | edit source]

"Article IV: Use of Force and Cyber Attack from the View-point of the Armed Forces of the Islamic Republic of Iran

1. Armed forces of the Islamic Republic of Iran believe that certainly, those cyber operations resulting in material damage to property and/or persons in the widespread and grave manner and or it logically is probable to result in such implications constitutes use of force. Should such operations affect the vital national infrastructures, including defensive infrastructures- whether owned by the public or private sector- they shall violate the principle of the non-use of force.

2. Armed forces of the Islamic Republic of Iran, also, believe that their right to self-defense shall be reserved if the gravity of the cyber operation against the vital infrastructure of the state is reached in the threshold of the conventionally armed attack."[19]

Israel (2020)[edit | edit source]

"First — and this has already been acknowledged by many others— the customary prohibition set out in Article 2(4) of the Charter of the United Nations, on “the threat or use of force” in international relations, is clearly applicable in the cyber domain.

We share the support among States for the view that a cyber operation can amount to use of force if it is expected to cause physical damage, injury, or death, which would establish the use of force if caused by kinetic means. For example, hacking into the computers of the railroad network of another State and programming the controls in a manner that is expected to cause a collision between trains can amount to use of force. As with any legal assessment relating to the cyber domain, as practice in this field continues to evolve, there may be room to further examine whether operations not causing physical damage could also amount to use of force.

Second, when the use of force in the cyber domain, by either a State or non-State actor, can be considered as an actual or imminent armed attack, the State under attack may act in accordance with its inherent right to self-defense, as enshrined in Article 51 of the U.N. Charter. Of course, the exercise of this right is subject to the customary principles of necessity and proportionality.

Finally, the use of force in accordance with the right of self-defense, against an armed attack conducted through cyber means, may be carried out by either cyber or kinetic means; just as use of force in self-defense against a kinetic armed attack may be conducted by kinetic or cyber means."[20]

Italy (2021)[edit | edit source]

"In line with the conclusions reached by the ICJ in the Nicaragua v. United States case, Italy considers that the gravest form of use of force constitutes an armed attack. There is no established definition or threshold of hostile cyber operations falling within ‘armed attack’ in the sense of article 51 of the UN Charter. Such assessment will be determined on a case-by-case basis depending on the consequences of any given cyber operation.

Italy deems that wrongful cyber operations conducted by State or non-State actors may constitute an armed attack when their scale and effects are comparable to those resulting from conventional armed attacks, resulting in significant physical damage of property, human injury and loss of life, or disruption in the functioning of critical infrastructure.

The occurrence of an armed attack triggers the right to self-defence, and the victim-State may resort to all necessary and proportionate means to end the aggression. The decision as to when a cyber operation amounting to armed attack would lead to collective self-defence will be taken on a case-by-case basis."[21]

Japan (2021)[edit | edit source]

"When a cyber operation constitutes an armed attack under Article 51 of the UN Charter, States may exercise the inherent right of individual or collective self-defence recognized under Article 51 of the UN Charter."[22]

Netherlands (2019)[edit | edit source]

"A state targeted by a cyber operation that can be qualified as an armed attack may invoke its inherent right of self-defence and use force to defend itself.20 This right is laid down in article 51 of the UN Charter. This therefore amounts to a justification for the use of force that would normally be prohibited under article 2(4) of the UN Charter. For this reason strict conditions are attached to the exercise of the right of self-defence.

An armed attack is not the same as the use of force within the meaning of article 2(4) of the UN Charter (see above). In the Nicaragua case, the International Court of Justice defined an armed attack as the most serious form of the use of force. This implies that not every use of force constitutes an armed attack.

To determine whether an operation constitutes an armed attack, the scale and effects of the operation must be considered. International law is ambiguous on the precise scale and effects an operation must have in order to qualify as an armed attack. It is clear, however, that an armed attack does not necessarily have to be carried out by kinetic means. This view is in line with the Nuclear Weapons Advisory Opinion of the International Court of Justice, in which the Court concluded that the means by which an attack is carried out is not the decisive factor in determining whether it constitutes an armed attack. The government therefore endorses the finding of the CAVV and the AIV that ‘a cyber attack that has comparable consequences to an armed attack (fatalities, damage and destruction) can justify a response with cyber weapons or conventional weapons (...)’. There is therefore no reason not to qualify a cyberattack against a computer or information system as an armed attack if the consequences are comparable to those of an attack with conventional or non-conventional weapons.

At present there is no international consensus on qualifying a cyberattack as an armed attack if it does not cause fatalities, physical damage or destruction yet nevertheless has very serious non-material consequences. The government endorses the position of the International Court of Justice, which has observed that an armed attack must have a cross-border character. It should be noted that not all border incidents involving weapons constitute armed attacks within the meaning of article 51 of the UN Charter. This depends on the scale and effects of the incident in question.

The burden of proof for justifiable self-defence against an armed attack is a heavy one. The government shares the conclusion of the CAVV and the AIV that ‘No form of self-defence whatever may be exercised without adequate proof of the origin or source of the attack and without convincing proof that a particular state or states or organised group is responsible for conducting or controlling the attack.’ States may therefore use force in self-defence only if the origin of the attack and the identity of those responsible are sufficiently certain. This applies to both state and non-state actors.

When exercising their right of self-defence, states must also meet the conditions of necessity and proportionality. In this regard the government shares the view of the CAVV and the AIV that invoking the right of self-defence is justifiable only ‘provided the intention is to end the attack, the measures do not exceed that objective and there are no viable alternatives. The proportionality requirement rules out measures that harbour the risk of escalation and that are not strictly necessary to end the attack or prevent attacks in the near future.’"[23]

New Zealand (2020)[edit | edit source]

"The United Nations Charter and customary international law rules concerning the use of force apply to state activity in cyberspace. Relevant obligations include:

a. the requirement to settle disputes by peaceful means;

b. the prohibition on the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations; and

c. the right of self-defence against an imminent or ongoing armed attack.

State cyber activity can amount to a use of force for the purposes of international law. Whether it does in any given context depends on an assessment of the scale and effects of the activity. State cyber activity will amount to a use of force if it results in effects of a scale and nature equivalent to those caused by kinetic activity which constitutes a use of force at international law. Such effects may include death, serious injury to persons, or significant damage to the victim state’s objects and/or state functioning. In assessing the scale and effects of malicious state cyber activity, states may take into account both the immediate impacts and the intended or reasonably expected consequential impacts.

Cyber activity that amounts to a use of force will also constitute an armed attack for the purposes of Article 51 of the UN Charter if it results in effects of a scale and nature equivalent to those caused by a kinetic armed attack. As an example, cyber activity that disables the cooling process in a nuclear reactor, resulting in serious damage and loss of life, would constitute an armed attack."[24]

"Where malicious cyber activity gives rise to a situation leading to international friction or a dispute endangering the maintenance of peace and security, any UN Member State may bring the situation or dispute to the attention of the UN Security Council and/or General Assembly.

A state subjected to malicious cyber activity amounting to an armed attack has further recourse to the inherent right of individual and/or collective self-defence in accordance with Article 51 of the UN Charter. The right to self-defence also arises when an armed attack is imminent, including by cyber means. Any exercise of that right:

a. may include, but is not limited to, cyber activities; and

b. must be consistent with relevant UN Charter and customary international law obligations, including notification to the United Nations, necessity, and proportionality."[25]

Norway (2021)[edit | edit source]

Key message
A cyber operation may, depending on its scale and effects, violate the prohibition on the threat or use of force in Article 2(4) of the UN Charter.

A cyber operation that is in violation of the prohibition on the threat or use of force may, depending on its scale and effects, constitute an armed attack under international law. An armed attack is the gravest form of the use of force.

Article 2(4) of the UN Charter prohibits the threat or use of force by a State against the territorial integrity or political independence of another State, or in any other manner inconsistent with the purposes of the UN. The prohibition is a norm of customary international law. It applies to any use of force, regardless of the weapons or means employed.

There are only three exceptions to the prohibition on the use of force in the sense that using force would not be in violation of international law: if the state on whose territory the use of force takes place consents; if it is authorised by the Security Council under Chapter VII of the UN Charter; or in the case of self-defence, in response to an armed attack as recognised in Article 51 of the UN Charter.

Whether a cyber operation violates the prohibition on the threat or use of force in Article 2(4) of the UN Charter depends on its scale and effects, physical or otherwise. Depending on its gravity, a cyber operation may also constitute an armed attack under international law. In accordance with the case law of the International Court of Justice (ICJ), an armed attack is the gravest form of the use of force.

A cyber operation may constitute use of force or even an armed attack if its scale and effects are comparable to those of the use of force or an armed attack by conventional means. This must be determined based on a case-by-case assessment having regard to the specific circumstances. A number of factors may be taken into consideration, such as the severity of the consequences (the level of harm inflicted), immediacy, directness, invasiveness, measurability, military character, State involvement, the nature of the target (such as critical infrastructure) and whether this category of action has generally been characterised as the use of force. This list is not exhaustive.

Cyber operations that cause death or injury to persons or physical damage to or the destruction of objects could clearly amount to the use of force. Likewise, a cyber operation causing severe disruption to the functioning of the State such as the use of crypto viruses or other forms of digital sabotage against governmental or private power grid- or telecommunications infrastructure, or cyber operations leading to the destruction of stockpiles of Covid-19 vaccines, could amount to the use of force in violation of Article 2(4). Similarly, the use of crypto viruses or other forms of digital sabotage against a State’s financial and banking system, or other operations that cause widespread economic effects and destabilisation, may amount to the use of force in violation of Article 2(4).

A cyber operation that severely damages or disables a State’s critical infrastructure or functions may furthermore be considered as amounting to an armed attack under international law. Depending on its scale and effect, this may include a cyber operation that causes an aircraft crash.[26]

"A State that is the victim of a cyber operation that qualifies as an armed attack under international law, may exercise its inherent right of individual or collective self-defence under Article 51 of the UN Charter The right of self-defence as reflected in Article 51 is a norm of customary international law. It must be exercised subject to the requirements of necessity and proportionality, and may involve both digital and conventional means.[27]

Poland (2022)[edit | edit source]

5. A cyberattack may be qualified as an armed attack. The right to self-defence applies to cyberspace

"Pursuant to Article 51 of the Charter of the United Nations and customary international law, a state has the right of self-defence in the event of an armed attack. In the context of cyberspace, a cyberattack that results in death or injury of people or damage or destruction of property of significant value may be considered an armed attack. In such circumstances, according to international law, a state enjoys the right of self-defence, however, this right should be exercised in line with the principles arising from customary international law, namely the principle of necessity and proportionality.

Self-defence does not need to involve the same means through which the armed attack was inflicted. In response to a cyberattack that reaches the threshold of an armed attack, it is possible to respond both in cyberspace exclusively or with the use of traditional armed forces. Deprivation of the right to respond to such a cyberattack with kinetic means could render the self defence right illusory when the perpetrator of an armed attack is little dependent on its functioning in cyberspace.

According to international law, the right of self-defence may also apply to cyberattacks reaching the threshold of an armed attack inflicted by non-state actors. The right of collective self-defence applies to cyberspace as well. This is supported by a declaration adopted by the representatives of states attending the meeting of the North Atlantic Council during the summit of the North Atlantic Treaty Organization in Wales in 2014. The declaration stipulates among others that a cyberattack can reach a threshold that threatens national and EuroAtlantic prosperity, security, and stability. Its impact could be as harmful to modern societies as a conventional attack. It was, therefore, affirmed that cyber defence is part of NATO‘s core task of collective defence."[28]

Singapore (2021)[edit | edit source]

"[..]the obligation of all States to refrain from the threat or use of force against the territorial integrity or political independence of any State. A cyber operation can cause severe consequences and effects. In determining whether a cyber operation amounts to the use of force, factors that may be taken into account include, but are not limited to, the prevailing circumstances at the time of the cyber operation, the origin of the cyber operation, the effects caused or sought by the cyber operation, the degree of intrusion of the cyber operation, and the nature of the target.

While Singapore considers the above principles to be essential ones underpinning the international legal order, Singapore’s position is that it bears noting that ultimately, none of these impair a State’s inherent right of self-defence, as provided under the UN Charter. This right of self-defence also applies in the cyber domain. In other words, a State has the inherent right of self-defence if malicious cyber activity amounting to an armed attack, or an imminent threat thereof, occurs against that State.

Malicious cyber activity attributable to a State that causes death, injury, physical damage or destruction equivalent to a traditional non-cyber armed attack, or presenting an imminent threat thereof, would constitute an armed attack. Singapore notes the increasing prevalence of this view amongst States.

In Singapore’s view, it is also possible that, in certain limited circumstances, malicious cyber activity may amount to an armed attack even if it does not necessarily cause death, injury, physical damage or destruction, taking into account the scale and effects of the cyber activity. An example might be a targeted cyber operation causing sustained and long-term outage of Singapore’s critical infrastructure.

A series or combination of cyber-attacks, whether or not it is in combination with kinetic attacks, may amount to an armed attack, even if the individual attacks do not reach the threshold equivalent to an armed attack, as long as the attacks are launched by the same actor or by different attackers acting in concert."[29]

Sweden (2022)[edit | edit source]

"Under Article 51 of the UN Charter, States have a right of self-defence if an armed attack occurs. It is not a requirement under the right of self-defence that the armed attack use kinetic means, nor that the use of force in self-defence is limited to such means. An attack by cyber means may have the potential to constitute an armed attack if its scale and effects are comparable to an armed attack by kinetic means. The exercise of the right of self-defence needs to be reported to the Security Council. Any use of force in the exercise of self-defence, including through cyber means, needs to adhere to principles of necessity and proportionality."[30]

Switzerland (2021)[edit | edit source]

"One of the key founding principles of the UN Charter is the prohibition on the use of force (Art. 2 para. 4). There are only two exceptions: if the use of force is authorised by the UN Security Council (Art. 42) or if the strict conditions under which the right of self-defence may be exercised are fulfilled (Art. 51).

The prohibition on the use of force and the right of self-defence are also applicable to cyberspace. The right of self-defence may only be exercised if an armed attack occurs first. In accordance with ICJ case law, not every violation of the prohibition on the use of force constitutes an armed attack, but only its gravest form. In order to qualify, the scale and effect of the attack must reach a certain threshold of gravity. The ICJ has also determined that an armed attack does not necessarily have to involve kinetic military action or the use of weapons because the means by which an attack is perpetrated is not the decisive factor. A state is permitted to exercise its right of self-defence in response to a cyber incident if the incident amounts in scale and effect to that of a kinetic operation in terms of inflicting death or serious injury to persons, or extensive material damage to objects. There are no binding quantitative or qualitative guidelines as to when the threshold of an armed attack in terms of scale and effect has been reached. Current discussions on how to define an armed attack in cyberspace are focusing on attacks on critical infrastructure (e.g. nuclear power plants, power grids) which reach the required threshold in terms of scale and effect i.e. serious injury to persons and/or extensive damage to objects.

The purpose of the UN Charter must guide the interpretation of the prohibition on the use of force and the right to exercise self-defence in the face of an armed attack. The Charter's objective is to maintain and, where necessary, restore international peace and security. Consequently, even if an armed attack occurs, a state is only permitted to undertake countermeasures that are necessary and proportionate in order to repel the attack. The right of self-defence only applies if the UN Security Council has not taken the necessary measures to maintain international peace and security (Art. 51 UN Charter). If the actions taken in self-defence exceed this framework, the state itself is in breach of the prohibition on the use of force."[31]

United Kingdom (2018)[edit | edit source]

First, there is the rule prohibiting interventions in the domestic affairs of states both under Article 2(7) of the Charter and in customary international law. This prohibition means that any activity in cyber space which reaches the level of such an intervention is unlawful. Any activity of this nature by a state could only become permissible in response to some prior illegality by another state.

The next relevant provision of the UN Charter is in Article 2(4) which prohibits the threat or use of force against the territorial independence or political integrity of any state. Any activity above this threshold would only be lawful under the usual exceptions – when taken in response to an armed attack in self-defence or as a Chapter VII action authorised by the Security Council. In addition, the UK remains of the view that it is permitted under international law, in exceptional circumstances, to use force on the grounds of humanitarian intervention to avert an overwhelming humanitarian catastrophe.

Thirdly, the UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self- defence, as recognised in Article 51 of the UN Charter.

If a hostile state interferes with the operation of one of our nuclear reactors, resulting in widespread loss of life, the fact that the act is carried out by way of a cyber operation does not prevent it from being viewed as an unlawful use of force or an armed attack against us. If it would be a breach of international law to bomb an air traffic control tower with the effect of downing civilian aircraft, then it will be a breach of international law to use a hostile cyber operation to disable air traffic control systems which results in the same, ultimately lethal, effects.

Acts like the targeting of essential medical services are no less prohibited interventions, or even armed attacks, when they are committed by cyber means."[32]

United Kingdom (2021)[edit | edit source]

"An operation carried out by cyber means may constitute an armed attack giving rise to the inherent right of individual or collective self-defence, as recognised in Article 51 of the UN Charter where the scale and effects of the operation are equivalent to those of an armed attack using kinetic means. Factors in considering the scale and effects of an attack may include the (actual or anticipated) physical destruction of property, injury and death. The exercise of the inherent right of self-defence against an imminent or on-going armed attack whether by kinetic or cyber means, may itself be by cyber or kinetic means and must always fulfil the requirements of necessity and proportionality. Whether or not to have recourse to the exercise of the inherent right of self-defence will always be carefully considered having regard to all the circumstances."[33]

United States (2012)[edit | edit source]

"A state’s national right of self-defense, recognized in Article 51 of the UN Charter, may be triggered by computer network activities that amount to an armed attack or imminent threat thereof. As the United States affirmed in its 2011 International Strategy for Cyberspace, “[w]hen warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.”[34]

"[...]the United States has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an “armed attack” that may warrant a forcible response. But that is not to say that any illegal use of force triggers the right to use any and all force in response—such responses must still be necessary and of course proportionate. We recognize, on the other hand, that some other countries and commentators have drawn a distinction between the “use of force” and an “armed attack,” and view “armed attack”—triggering the right to self-defense—as a subset of uses of force, which passes a higher threshold of gravity."[35]

United States (2020)[edit | edit source]

"[..] in the exercise of its inherent right of self-defense a State may use force that is necessary and proportionate to respond to an actual or imminent armed attack. This is true in the cyber context just as in any other context."[36]

United States of America (2021)[edit | edit source]

"A State’s inherent right of self-defense, recognized in Article 51 of the UN Charter, may in certain circumstances be triggered by cyber activities that amount to an actual or imminent armed attack. This inherent right of self-defense against an actual or imminent armed attack in or through cyberspace applies whether the attacker is a State actor or a non-State actor. There is no requirement that a State defend itself using the same capabilities with which it is being attacked. States may employ cyber capabilities that rise to the level of a use of force as a means of self-defense against a kinetic armed attack (i.e., one that was not launched in or through cyberspace). Additionally, States may in certain circumstances use kinetic military force in self-defense against an armed attack in or through cyberspace.

The use of force in self-defense must be limited to what is necessary and proportionate to address the imminent or actual armed attack in or through cyberspace. Before resorting to forcible measures in self-defense against an actual or imminent armed attack in or through cyberspace, States should consider whether passive cyber defenses or active defenses below the threshold of the use of force would be sufficient to neutralize the armed attack or imminent threat thereof."[37]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14, para 95.
  2. US Department of Defense, Office of the General Counsel, Law of War Manual (June 2015), paras. 1.11.5.2, 16.3.3.1.
  3. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14, para 191.
  4. Tallinn Manual 2.0, commentary to rule 71, para 8.
  5. Australian Government, Australia's position on how international law applies to State conduct in cyberspace
  6. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 20.
  7. Government of Canada, International Law applicable in cyberspace, April 2022, See Footnote [29], UN Charter, supra note 7, Art. 51.
  8. Government of Canada, International Law applicable in cyberspace, April 2022
  9. Government of Denmark, "Denmark’s Position Paper on the Application of International Law in Cyberspace"(4 July 2023) 6-7. See footnote [6]: Nicaragua v. United States of America case, supra note 1, para. 191.
  10. President of Estonia: international law applies also in cyber space, 29 May 2019
  11. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 28.
  12. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 30.
  13. International law and cyberspace - Finland's national position
  14. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 7.
  15. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 8.
  16. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 8.
  17. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 9.
  18. Irish Department of Foreign Affairs, Position Paper on the Application of International Law in Cyberspace (6 July 2023) 7. See Footnote [20]: Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) Merits Judgment, ICJ Reports 1986.
  19. Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace, August 2020
  20. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  21. Italian position paper on "International law and cyberspace", Italian Ministry for Foreign Affairs and International Cooperation.,9.
  22. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 6
  23. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 8-9.
  24. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 1-2.
  25. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 4.
  26. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 69-70.
  27. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 73-74.
  28. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 5-6.
  29. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 83-84.
  30. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace, July 2022,4
  31. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 4.
  32. Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018
  33. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  34. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 4
  35. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 7-8
  36. Hon. Paul C. Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March, 2020
  37. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 137.

Bibliography and further reading[edit | edit source]