International Law Riposte to Growing Cyberattacks
Updated: Oct 10, 2021
About the author: Shubham Gandhi is a IV year law student from National Law University, Jabalpur, India.
"Cyber attacks" by Christaan Colen, available here.
Strides in technology have left states more exposed to the threat of cyberattacks. The digitization of economic, public, trade secret, and nuclear information has rendered all of these systems prone to cyberattacks. Russia’s successful meddling in the 2016 US election exemplifies how insidious and tangible the consequences of a cyberattack can be. As states continue to contend with threats of cyberattacks, the international law that regulates them is largely undeveloped and ignored by the international community.
This article will explore the current state of international cybersecurity law, focusing on cyberattacks as a use of force under Article 2(4) of the UN Charter and on the right of self-defense against cyberattacks under Article 51 of the UN Charter, in the context of the challenge of attribution.
Mounting Cyberattacks and the UN Charter
Over the past decade, the world has witnessed the first instances of state and non-state actors targeting countries’ civil and military services via cyberattack. In 2007, a cyberattack blocked Estonia’s websites, paralyzing the country’s Internet infrastructure, and freezing bank cards and phone networks. In 2010, Google’s password system was targeted by an anonymous cyber group, resulting in theft of user password information and intellectual property, and violating millions of people’s right to privacy.
While the threat to privacy rights and data security is grave, cyberattacks can also target a country's nuclear plants and dams, which could lead to even greater harm and loss of life. The US was subject to another cyberattack by a computer worm named Stuxnet, which infiltrated supervisory control and data acquisition systems related to the US-Iran nuclear program, resulting in damage to its uranium enrichment. South Korea also experienced a cyberattack that targeted the president as well as the military’s defense system. In its Law of War Manual, the US military even describes instances where cyberattacks could trigger a nuclear meltdown.
There is a dearth of jurisprudence governing how states can protect themselves from cyberattacks by state or non-state actors. However, there is a potential international legal framing that would allow states to respond to cyberattacks. Classifying the attacks as uses of force pursuant to Article 2(4) of the UN Charter could lead to a recognition of the right of self-defense against a cyberattack pursuant to Article 51 of the UN Charter.
The Meaning of “Use of Force” under Article 2(4)
The wording of Article 2(4) of the UN Charter does not differentiate between war and non-war settings during which states use force. In other words, acts do not have to take place within the context of a war to be deemed a use of force under this provision. In the Advisory Opinion on the Legality of the Use of Nuclear Weapons, the International Court of Justice (“ICJ”) insisted that Article 2(4), Article 51 and Article 41 “do not refer to specific weapons.” This means that cyber operations are not precluded from being considered as uses of force under Article 2(4) of the Charter.
Customary International Law and the US have both adopted a consequence-based approach to classifying uses of force. This approach stresses the consequences of the attack rather than the means or weapons used. For example, in the Nicaragua Judgment, the United States was involved in military and non-military activities and was supporting Fuerza Democrática Nicaragüense, a militant outfit, against the newly formed government in the state of Nicaragua. The ICJ determined that the United States violated Customary International Law by “organizing or encouraging the organization of irregular forces and armed bands… for incursion into the territory of another state.” In doing so, the ICJ ratified the scale and effect test in order to determine whether the actions constituted uses of force as defined by Article 2(4). The court held that if the magnitude (scale) and the consequence of the attack (effect) are of substantial gravity, then it will constitute an armed attack, thereby triggering the right of self-defense.
Similarly, in his paper “Cyber attacks, self-defence and the problem of attribution,” Nicholas Tsagourias, Professor and Director of Sheffield Centre for International and European Law, summarizes circumstances in which cyber operations should fall under the expression “use of force”:
“An act or the beginning of a series of acts of armed force of considerable magnitude and intensity (i.e. scale) which have as their consequences (i.e. effects) the infliction of substantial destruction upon important elements of the target State namely, upon its people, economic and security infrastructure, destruction of aspects of its governmental authority, i.e. its political independence, as well as damage to, or deprivation of its physical element namely, its territory.”
Thus, pursuant to Customary International Law, cyberattacks can likely be characterized as uses of force, and thus legislated under Article 2(4) as breaches of the UN Charter.
Exceptional Right of Self-Defense under Article 51
Article 51 of the UN Charter grants exceptional rights to its member states to defend themselves against any “armed attack.” Scholars have found that the expression “use of force” under Article 2(4) is broader than the term “armed attack” under Article 51. In differentiating between the articles, the UN sought to limit interstate war, since states would be granted the right to self-defense if the use of force is qualified as an armed attack.
In simple terms, “armed attack” constitutes a use of weapons. However, in the Legality of the Use of Nuclear Weapons (supra), the ICJ states that the use of weapons is irrelevant to defining an act as an armed attack. Professor Karl Zemanek, emeritus Professor of law at the University of Vienna and member of the Institut de droit international, stated in his book ‘Armed Attack’ that, “[I]t is neither the designation of a device, nor its normal use, which make it a weapon, but the intent with which it is used and the effect. The use of any device or number of devices, which results in a considerable loss of life and/or extensive destruction of property must therefore be deemed to fulfill the conditions of an armed attack.”
The Security Council reaffirmed this reasoning by recognizing hijacked planes as weapons in relation to the 9/11 attacks. Similarly, Rule 13 of the Tallinn Manual states that cyberattacks are recognized as armed attacks if they pass the scale and effects tests, granting states on the receiving end the right to self-defense.
Thus, by applying the scale and effects test, cyberattacks can potentially be declared uses of force under Article 2(4) that rise to the level of an armed attack, granting the right of self-defense pursuant to Article 51.
The Problem of Attribution
One critical issue that prevents states from exercising self-defense against cyberattacks is the problem of ascertaining the real perpetrator. When it comes to cyber operations carried out by non-state actors, the law, as recognized by the International Law Commission and tested in Nicaragua v. United States, states that if non-state actors are working directly under the direction or control of the state, the state will be held responsible.
Permitting the state to exercise its right of self-defense indefinitely without attributing the attack to any state or non-state actor will dampen the effects of the UN’s endeavors to reduce the use of force among member states. Such a practice will erode Article 51’s purpose of limiting the frequency and scale of forceful self-defense to those rare times where it becomes extremely necessary.
Cyberattacks can be made by using foreign servers, which makes tracing the original attacker impossible. In his book, Marco Roscini, Professor of International Law at the Westminster Law School, articulated three levels of evidence that are needed to attribute a cyber attack to a specific state: “First, the computer(s), or server(s) from which the operations originate must be located; secondly, it is the individual that is behind the operation that need to be identified; and thirdly, what needs to be proved is that the individual acted on the behalf of a state so that his or her conduct is attributable to it.”
The rising instances of cyberattacks serve as a wake-up call that international institutions must address. The expression “use of force” under Article 2(4) is likely wide enough to encompass cyberattacks, potentially giving states the right to self-defense under Article 51. A unique problem of attribution arises with cyberattacks because it is increasingly difficult to objectively attribute the source of the attack. The UN should explore enforcing limitations on the right to self-defense against a cyberattack before states choose to respond to a cyberattack with physical force.