Self-defence
Definition
| Self-defence |
|---|
 The United States, however, takes an outlier position, consistently arguing that any illegal use of force gives rise to the use of force in self-defence.[2] In Nicaragua, the ICJ identified “scale and effects” as criteria upon which to judge whether a use of force constitutes an armed attack. In the Court’s view, only “the most grave” uses of force do so.[3] Thus, only cyber operations that seriously injure or kill a number of persons or cause significant damage to, or destruction of, property would undoubtedly constitute armed attacks.[4] |
National positions
Australia
Estonia
Finland
France
Germany
Iran
Israel
Japan
New Zealand
Norway: 2021
| Key message |
|---|
| A cyber operation may, depending on its scale and effects, violate the prohibition on the threat or use of force in Article 2(4) of the UN Charter.
A cyber operation that is in violation of the prohibition on the threat or use of force may, depending on its scale and effects, constitute an armed attack under international law. An armed attack is the gravest form of the use of force. |
Article 2(4) of the UN Charter prohibits the threat or use of force by a State against the territorial integrity or political independence of another State, or in any other manner inconsistent with the purposes of the UN. The prohibition is a norm of customary international law. It applies to any use of force, regardless of the weapons or means employed.
There are only three exceptions to the prohibition on the use of force in the sense that using force would not be in violation of international law: if the state on whose territory the use of force takes place consents; if it is authorised by the Security Council under Chapter VII of the UN Charter; or in the case of self-defence, in response to an armed attack as recognised in Article 51 of the UN Charter.
Whether a cyber operation violates the prohibition on the threat or use of force in Article 2(4) of the UN Charter depends on its scale and effects, physical or otherwise. Depending on its gravity, a cyber operation may also constitute an armed attack under international law. In accordance with the case law of the International Court of Justice (ICJ), an armed attack is the gravest form of the use of force.
A cyber operation may constitute use of force or even an armed attack if its scale and effects are comparable to those of the use of force or an armed attack by conventional means. This must be determined based on a case-by-case assessment having regard to the specific circumstances. A number of factors may be taken into consideration, such as the severity of the consequences (the level of harm inflicted), immediacy, directness, invasiveness, measurability, military character, State involvement, the nature of the target (such as critical infrastructure) and whether this category of action has generally been characterised as the use of force. This list is not exhaustive.
Cyber operations that cause death or injury to persons or physical damage to or the destruction of objects could clearly amount to the use of force. Likewise, a cyber operation causing severe disruption to the functioning of the State such as the use of crypto viruses or other forms of digital sabotage against governmental or private power grid- or telecommunications infrastructure, or cyber operations leading to the destruction of stockpiles of Covid-19 vaccines, could amount to the use of force in violation of Article 2(4). Similarly, the use of crypto viruses or other forms of digital sabotage against a State’s financial and banking system, or other operations that cause widespread economic effects and destabilisation, may amount to the use of force in violation of Article 2(4).
A cyber operation that severely damages or disables a State’s critical infrastructure or functions may furthermore be considered as amounting to an armed attack under international law. Depending on its scale and effect, this may include a cyber operation that causes an aircraft crash.[5]
"A State that is the victim of a cyber operation that qualifies as an armed attack under international law, may exercise its inherent right of individual or collective self-defence under Article 51 of the UN Charter The right of self-defence as reflected in Article 51 is a norm of customary international law. It must be exercised subject to the requirements of necessity and proportionality, and may involve both digital and conventional means.[6]
Singapore:2021
"[..]the obligation of all States to refrain from the threat or use of force against the territorial integrity or political independence of any State. A cyber operation can cause severe consequences and effects. In determining whether a cyber operation amounts to the use of force, factors that may be taken into account include, but are not limited to, the prevailing circumstances at the time of the cyber operation, the origin of the cyber operation, the effects caused or sought by the cyber operation, the degree of intrusion of the cyber operation, and the nature of the target.
While Singapore considers the above principles to be essential ones underpinning the international legal order, Singapore’s position is that it bears noting that ultimately, none of these impair a State’s inherent right of self-defence, as provided under the UN Charter. This right of self-defence also applies in the cyber domain. In other words, a State has the inherent right of self-defence if malicious cyber activity amounting to an armed attack, or an imminent threat thereof, occurs against that State.
Malicious cyber activity attributable to a State that causes death, injury, physical damage or destruction equivalent to a traditional non-cyber armed attack, or presenting an imminent threat thereof, would constitute an armed attack. Singapore notes the increasing prevalence of this view amongst States.
In Singapore’s view, it is also possible that, in certain limited circumstances, malicious cyber activity may amount to an armed attack even if it does not necessarily cause death, injury, physical damage or destruction, taking into account the scale and effects of the cyber activity. An example might be a targeted cyber operation causing sustained and long-term outage of Singapore’s critical infrastructure.
A series or combination of cyber-attacks, whether or not it is in combination with kinetic attacks, may amount to an armed attack, even if the individual attacks do not reach the threshold equivalent to an armed attack, as long as the attacks are launched by the same actor or by different attackers acting in concert."[7]
Switzerland
The Netherlands
United Kingdom: 2018
First, there is the rule prohibiting interventions in the domestic affairs of states both under Article 2(7) of the Charter and in customary international law. This prohibition means that any activity in cyber space which reaches the level of such an intervention is unlawful. Any activity of this nature by a state could only become permissible in response to some prior illegality by another state.
The next relevant provision of the UN Charter is in Article 2(4) which prohibits the threat or use of force against the territorial independence or political integrity of any state. Any activity above this threshold would only be lawful under the usual exceptions – when taken in response to an armed attack in self-defence or as a Chapter VII action authorised by the Security Council. In addition, the UK remains of the view that it is permitted under international law, in exceptional circumstances, to use force on the grounds of humanitarian intervention to avert an overwhelming humanitarian catastrophe.
Thirdly, the UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self- defence, as recognised in Article 51 of the UN Charter.
If a hostile state interferes with the operation of one of our nuclear reactors, resulting in widespread loss of life, the fact that the act is carried out by way of a cyber operation does not prevent it from being viewed as an unlawful use of force or an armed attack against us. If it would be a breach of international law to bomb an air traffic control tower with the effect of downing civilian aircraft, then it will be a breach of international law to use a hostile cyber operation to disable air traffic control systems which results in the same, ultimately lethal, effects.
Acts like the targeting of essential medical services are no less prohibited interventions, or even armed attacks, when they are committed by cyber means."[8]
United Kingdom: 2021
"An operation carried out by cyber means may constitute an armed attack giving rise to the inherent right of individual or collective self-defence, as recognised in Article 51 of the UN Charter where the scale and effects of the operation are equivalent to those of an armed attack using kinetic means. Factors in considering the scale and effects of an attack may include the (actual or anticipated) physical destruction of property, injury and death. The exercise of the inherent right of self-defence against an imminent or on-going armed attack whether by kinetic or cyber means, may itself be by cyber or kinetic means and must always fulfil the requirements of necessity and proportionality. Whether or not to have recourse to the exercise of the inherent right of self-defence will always be carefully considered having regard to all the circumstances."[9]
United States of America: 2012
"A state’s national right of self-defense, recognized in Article 51 of the UN Charter, may be triggered by computer network activities that amount to an armed attack or imminent threat thereof. As the United States affirmed in its 2011 International Strategy for Cyberspace, “[w]hen warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.”[10]
"[...]the United States has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an “armed attack” that may warrant a forcible response. But that is not to say that any illegal use of force triggers the right to use any and all force in response—such responses must still be necessary and of course proportionate. We recognize, on the other hand, that some other countries and commentators have drawn a distinction between the “use of force” and an “armed attack,” and view “armed attack”—triggering the right to self-defense—as a subset of uses of force, which passes a higher threshold of gravity."[11]
United States of America: 2020
"[..] in the exercise of its inherent right of self-defense a State may use force that is necessary and proportionate to respond to an actual or imminent armed attack. This is true in the cyber context just as in any other context."[12]
Appendixes
See also
Notes and references
- ↑ Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14, para 95.
- ↑ US Department of Defense, Office of the General Counsel, Law of War Manual (June 2015), paras. 1.11.5.2, 16.3.3.1.
- ↑ Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14, para 191.
- ↑ Tallinn Manual 2.0, commentary to rule 71, para 8.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 69-70.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 73-74.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 83-84.
- ↑ Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018
- ↑ United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
- ↑ Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 4
- ↑ Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 7-8
- ↑ Hon. Paul C. Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March, 2020