Angela Morello[1]
The existing international legal regime of jus ad bellum and jus in bello, whether treaty-based or customary in nature, was created and developed on the premise that armed conflicts not only involve the use of weapons but that the use of these weapons causes, or is likely to cause, the destruction of life and property. Thus, until the advent of cyberspace, existing State practice and opinio juris, while not always consistent, shared at least one common starting point: use of force equals physical, coercive actions by military means. It would now be redundant to ask whether international law applies to cyberspace, as it would be redundant to ask whether cyber operations that cause, or are likely to cause, the destruction of life and property are covered by the prohibition of the use of force and the right of self-defence. Indeed, both questions must be answered in the affirmative. The pivotal question here is how rules created and developed to regulate the use of physical, coercive actions by military means, can regulate low-intensity cyber operations, namely, such operations below the thresholds established under Articles 2 (4) and/or 51 of the UN Charter, and customary international law. Note that the emphasis on analysing the applicability of these rules in cyberspace is not explained by the absence of other possible responses to low-intensity cyber operations (e.g., countermeasures; the invocation of the plea of necessity; liability for transboundary torts). Instead, the emphasis is due to (1) the existence of a concrete problem, e.g., low-intensity cyber operations are the most common threat in cyberspace; (2) the possibility that the right of self-defence, an inherent right of States, does not find concrete application in cyberspace; and (3) the way certain States and scholars have approached this problem, e.g., by resorting to an unorthodox theory of international law, such as the Accumulation of Events Theory.
Jus ad Cyber Bellum
The international community’s interest in cyberspace dates back to the late 1990s, when the General Assembly adopted Resolution 53/70 on a Russian proposal on developments in cyberspace that were considered potentially incompatible with “the principle of non-use of force, non-interference in internal affairs and respect for human rights and freedoms” [2] to increase exponentially when a series of malicious cyber activities hit Estonia in 2007. Estonia became the seat of the NATO Cooperative Cyber Defence Centre of Excellence, whose first commissioned work resulted in nothing less than the publication of the first and second editions of the “Tallinn Manual on the International Law Applicable to Cyber Operations”,[3] a non-legally binding book edited by Professor of International Law Michael N. Schmittwith the involvement of an international group of legal and technical experts.[4] The Tallinn Manual is a good example of how (part of) the international community is attempting to adapt existing rules of international law, specifically those of jus ad bellum and jus in bello, to new warfare by means of interpretation and analogy. This choice of methodology reflects both the lack of cyber-related State practice and opinio juris and the lack of cyber-related multilateral binding treaties. As of today, the international community has been unable to agree on the creation (or the need) of a new binding treaty to regulate the applicability of the jus ad bellum and jus in bello in cyberspace, torn between those who preach the illogicality of creating new rules without assessing how the old ones might be applied,[5] and those who preach the need for the clarity that only a new treaty would provide.[6] However, applying existing international law to cyberspace through interpretation and analogy in the case of low-intensity cyber operations has revealed certain gaps.[7] Cyber operations do not necessarily involve the use of weapons nor cause the destruction of life and property. Under international law, the destruction of life and property has traditionally been the hallmark of those acts that constitute a use of force in violation of Article 2 (4) of the UN Charter (UNC) and customary international law,[8] whereas an exception to this prohibition is the inherent right of States to use defensive force as a response to an armed attack under Article 51 UNC and customary international law. The equation is simple: if a cyber operation does not result in the destruction of life or property, nor in the scale and effect of its consequences, it is not equivalent to a traditional use of force and, at worst, to a traditional armed attack. If a cyber operation is not equivalent to a traditional armed attack, States may not be able to invoke their inherent right of self-defence in cyberspace. Since low-intensity cyber operations are the most common threat in cyberspace,[9] it seems that the State’s inherent right of self-defence has no concrete applicability in cyberspace, at least not as a response to low-intensity cyber operations.
The Accumulation of Events Theory
To fill this legal vacuum, the Tallinn Manual 2.0, a few States, such as Singapore, France and Austria, and NATO have addressed the applicability of the Accumulation of Events Theory (AoET) in cyberspace. In legal doctrine and international jurisprudence, the AoET, refers to the interpretation of Articles 2 (4) and 51 UNC in a connotative way,[10] thus closing the gap between acts constituting a use of force and acts constituting the most grave use of force, e.g., an armed attack,[11] especially when it comes to assessing the proportionality of the use of defensive measures in relation to the attack suffered.[12] So, for example, in assessing the responsibility of Nicaragua for certain transborder incursions in the territory of Honduras and Costa Rica, the International Court of Justice (ICJ) seemed to recall the AoET when stating that “very little information is however available to the Court as to the circumstances of these incursions or their possible motivations, which renders it difficult to decide whether they may be treated for legal purposes as amounting, singly orcollectively, to an armed attack by Nicaragua […]”.[13] In the Oil Platforms Case (Islamic Republic of Iran v USA) the ICJ reasoned whether the “attack, either in itself or in combination with the rest of the series of attack […] (could) be categorized as an ‘armed attack’ on the United States justifying self-defense”,[14] concluding that “even taken cumulatively” the incidents in question could have not reached the threshold of an armed attack.[15] In Armed Activities on the Territory of Congo (Dem Rep Congo v Uganda) the ICJ concluded stating that “even if (the) series of deplorable attacks could be regarded as cumulative in character, they still remained non-attributable to the DRC”.[16]
When it comes to cyber operations, according to the Tallinn Manual 2.0, a series of smaller cyber operations conducted by the same originator (or originators acting in concert) may, if there is “convincing evidence”,[17] constitute an armed attack when aggregated. The same view is shared by Singapore in the Official Compendium of voluntary national contributions on the applicability of international law in cyberspace of the 2021 UN-based GGE processes. However, while the Tallinn Manual refers to cyber operations not involving the destruction of life and property as an unresolved issue,[18] Singapore stated that “in certain limited circumstances”[19] and “taking into account the scale and impact of the cyber activity”,[20] malicious activities not involving the destruction of life and property may still be considered an armed attack. The French General Secretariat for Defence and National Security stated in 2018 that it cannot be excluded that a series of cyber-attacks, which do not in themselves reach the threshold of an armed attack (“agression armée”),[21] may be classified as such if the aggregation of these attacks is of sufficient gravity to be considered an armed attack. This position was reiterated by the French Ministry of the Army in 2019 and 2022, first in a white paper on the applicability of international law in cyberspace,[22] and second in the most recent Manuel de droit des operations militaires.[23] The Austrian Ministry of Foreign Affairs specified in its recent Position Paper on Cyber Activities and International Law, that “an armed attack can also consist of a series of attacks”.[24] Furthermore, Austria clarified that “while one cyber activity in isolation may not constitute an armed attack, several cyber activities may still constitute such an attack if, taken together, they are sufficiently grave to reach the threshold of an armed attack”.[25] In contrast to the French position, Austria does not take a stance on whether, for the purposes of aggregation, the cyber activities should be conducted by the same originator or by different originators acting in concert. An analysis of the Italian position on international law and cyberspace reveals a certain degree of ambiguity, which does not clarify whether Italy is inclined to accept the AoET for the purposes of self-defence. Nevertheless, it is notable that Italy advocates a case-by-case approach when identifying whether a cyber operation reaches the threshold of a use of force or armed attack. It is also worth noting that Italy has specified that disruptive (and not only destructive) cyber operations can reach the threshold of an armed attack when the scale and effects of their consequences are comparable to those of an armed attack conducted with kinetic means.[26] Finally, NATO has reiterated on at least two occasions that Article 5 of the Washington Treaty can be invoked in the event of a “single or cumulative set of malicious cyber activities (that) reach the level of an armed attack”.[27]
Legal Implications
Assuming, for the sake of brevity, that the AoET is accepted in international law, dealing with its application in cyberspace opens an infinite Pandora’s vase of interconnected issues. First, it has to be determined whether both cyber operations below the threshold of Article 2 (4) UNC, and cyber operations below the threshold of Article 51 UNC, can be aggregated for the purposes of the AoET, or only the latter. It has to be determined whether, due to the evolution of warfare and the needs of the time, Articles 2 (4) and 51 UNC and their customary reflections have to be reinterpreted as including both disruptive and destructive cyber operations, or only the latter. In this sense, there is a tendency of certain States to include under the umbrella of Article 2 (4) UNC also cyber operations that cause economic rather than physical damage (e.g., France,[28] Norway,[29] Singapore,[30] and Italy[31]). Yet, reinterpreting a rule of customary international law in order to adapt its content to cyber operations is at odds with the two-element approach (recently reaffirmed by the International Law Commission)[32] required to identify the existence of a rule of customary international law: State practice on the one hand, and opinio juris on the other. This leaves little room for interpretation, and little room for soft law, where the Tallinn Manual 2.0, State position papers or NATO communiqués have no legal authority per se. Furthermore, most published views on the international law applicable to cyberspace are those of like-minded (Western) States, which limits the likelihood of identifying a generally accepted opinio juris.
Another set of issues relates to whether States can invoke Article 51 UNC against armed attacks conducted by non-State actors. In other words, can a State resort to defensive kinetic and/or cyber force, against an aggregation of cyber operations conducted by non-State actors? Germany, the Netherlands, and the United States shared in the 2021 GGE Official Compendium the view that the right of self-defence can be invoked against non-State actors.[33] A view that has been lately shared in both the Austrian and Italian position papers on International law and Cyberspace.[34] Conversely, Brazil reiterated that, particularly in cyberspace, where abuses regarding the invocation of the right of self-defence are unlikely to be proven, “it is not possible to invoke self-defence in response to acts of non-state actors, unless they are acting on behalf of or under the effective control of a state”.[35] A view that has also been shared by the French Ministry of the Armed Forces, whereas France’s invocation of the right of self-defence in Syria against Daesh was an exceptional measure against a “quasi-state”.[36] Yet, France does not exclude that the general practice of States could evolve to include the right of self-defence against armed aggression by a non-state actor not attributable to a State.[37]
The AoET has always found fertile ground in low-intensity conflicts involving States and non-State actors, the latter acting on behalf of other States or independently but taking advantage of those States that were unwilling or unable to stop them. In light of the fact that an armed attack, as defined by the AoET, is an aggregation of cyber operations, and given that cyber operations are typically launched from different States, and that these States may be unwilling, unable, or merely unaware of their status as cyber sanctuaries, it is necessary to determine against whom the right of self-defence is directed. Are the States that are unwilling, unable, or unaware that they are cyber sanctuaries the intended targets of the right of self-defence? Or should we conclude that, in the absence of a direct or indirect attribution, the right of self-defence simply has no place in cyberspace, regardless of the threshold of gravity issue and regardless of which theory, orthodox or unorthodox, States seek to apply?
Concluding Thoughts
In 1997, John Arquilla and David Ronfeldt, recently labelled cyberwar alarmists, wrote in one of the first academic works on cyber defence, along with the well-known quote “Cyberwar is coming”,[38] that “the world is entering – indeed, it has already entered – a new epoch of conflict (and crime)”.[39]According to the authors, the information age has brought qualitative changes in who, how and where conflicts will be fought in the future. In describing what cyberwar would look like, they listed a number of features that are now considered facts: the predominant role of non-State actors and thus the decentralisation of conflicts; the blurring of the lines between defence and attack; and the disruptive rather than destructive nature of the consequences of cyber operations. Some ten years earlier, in 1986, the US Army Training and Doctrine Command (TRADOC), was asked by the US Department of the Army to come up with solutions to the issue of low-intensity conflicts (LICs). TRADOC defined low-intensity conflicts as “limited politico-military struggle […] confined to a geographical area and […] characterised by limitations in weapons, tactics and levels of violence”.[40] TRADOC admitted that LICs were “the most likely conflict [the US] will face in the foreseeable future [and that] as a nation we don’t understand it and as a government we are not prepared to deal with it”.[41]
Warfare changes to adapt to the needs of times, and every change bring with it two elements: the fear that the changing nature of warfare will be the dominant one in the future, leaving States without adequate responses. Second, the increasing involvement of non-State actors as active rather than passive actors in State-based conflicts. Cyberwarfare and hackers today; guerrilla warfare and guerrilleros yesterday. Warfare is changing to adapt to the needs of the times, for it is profoundly tied to the development of technology; and profoundly tied to the development of technology are States and, by extension, individuals. When the US Department of the Army asked TREDOC to find solutions to the problem of LICs, it was because a familiar warfare was shifting to a less familiar one that favoured the “weakest” over the “strongest”.[42] Note that the first Joint Low-Intensity Conflict Project is to be located within the dynamics of the Cold War, the post-Vietnam period, and the US struggles in Central America (e.g., the US support for the Contras against the Frente Sandinista de Liberacion Nacional did not end as planned).[43] When warfare changes to meet the needs of times, States change to meet the needs of warfare, first by adopting updated strategies of warfare, and second by justifying or excusing them to the international community. The initial process, the implementation of updated strategies, is predominantly a matter of national politics and military strategy. Thus, the demands of the United States to categorise as LICs those arenas of violence characterised by guerrilla and popular warfare, or by terrorism, was driven by the necessity to identify an effective strategy for comprehending and ultimately mastering an innovative and increasingly spreading form of warfare. The second process, however, the justification of new strategies of warfare before the international community, seems to proceed in the opposite direction. Once a new strategy of warfare has been adopted, it must be brought into line with the existing traditional categories of international law. Thus, the prohibition of the threat and use of force in Article 2(4) UNC and in customary international law has mostly been understood to prohibit the use of physical, coercive means that result or are likely to result in the destruction of life and property. Nevertheless, as evidenced by the attempts to legitimate the application of the AoET in cyberspace, as well as the attempts to bring disruptive cyber operations under the umbrella of Article 2(4) and/or Article 51 UNC, it may be argued that this time the law is adapting to warfare rather than warfare adapting to the law. But with what (practical and legal) implications?
[1] Mag.a, Dott.ssa Angela Morello is a doctoral candidate and University Assistant in Public International Law at the University of Salzburg at the chair of Univ. Prof. Dr. Kirsten Schmalenbach. I previously addressed this issue in a post published in Articles of War, commencing with the recent kinetic practice of the United States in Syria. The post is available here: https://lieber.westpoint.edu/low-intensity-cyber-operations-regulation-resort-force/ accessed 11 July 2024.
[2] UNGA, ‘Letter dated 23 September 1998 from the Permanent Representative of the Russian Federation to the United Nations addressed to the Secretary-General’ (UN Doc A/RES/53/70, 1998).
[3] Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2nd edn, Cambridge University Press 2017).
[4] The legal authority of the Tallinn Manual is that of “not official document, but rather the product of two separate endeavors undertaken by groups of independent experts […] it is not a best practices guide, does not represent progressive development of the law, and is policy and politics- neutral”. See Schmitt (n 3) 2-3. Nonetheless a significant portion of recent cyber agendas and official statements (albeit mostly by like-minded) States such as Austria, Germany, the Netherlands, Norway, Japan, as well as Pakistan, explicitly refer to and rely on the Tallinn Manual when outlining how international law applies to cyberspace. The question can therefore be raised as to whether the authority of the Manual will in future be more than that of a subsidiary means of establishing the rule of law within the meaning of Article 38(1)(d) of the ICJ Statute, thus challenging the discrepancy between soft and hard law.
[5] See for example Michael N Schmitt, “The Law of Cyber Conflict: Quo Vadis 2.0” in Waxman and Oakley (eds), The Future of Armed Conflict (OUP 2022). See also UNGA, “Albania, Argentina, Australia, Austria, Belgium, Bulgaria, Chile, Colombia, Croatia, Cyprus, Czechia, Denmark, Dominican Republic, Egypt, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Monaco, Netherlands, Norway, Paraguay, Poland, Portugal, Republic of Korea, Republic of Moldova, Romania, Senegal, Slovakia, Slovenia, Spain, Sweden, Switzerland, Tunisia, Türkiye, Ukraine, United Kingdom of Great Britain and Northern Ireland, United Republic of Tanzania and United States of America: draft resolution. Program of action to advance responsible State behaviour in the use of information and communications technologies in the context of international security” (13 October 2022) UNGA Doc A/C.1/77/L.73.
[6] See for example UNGA, „Azerbaijan, Belarus, Bolivia (Plurinational State of), Cambodia, China, Cuba, Democratic People’s Republic of Korea, Eritrea, Iraq, Lao People’s Democratic Republic, Nicaragua, Russian Federation, Syrian Arab Republic, United Republic of Tanzania, Venezuela (Bolivarian Republic of) and Zimbabwe: revised draft resolution. Developments in the field of information and telecommunications in the context of international security” (20 October 2022) UNGA Doc A/C.1/77/L.23/Rev.1*.
[7] See among others Schmitt (nr 3) 342 ff.
[8] The scope of Article 2 (4) UNC is defined by an “all-inclusive prohibition” of the threat or use of force between States (see Documents of the United Nations Conference on International Organization San Francisco (1945) Vol VI, 335). Force has traditionally been understood as physical, coercive actions by military means, causing the destruction of life and property, and involving the use of weapons. With weapons being interpreted as including both kinetic and non-kinetic weapons, such as bacteriological, biological, and chemical weapons [see for example Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep 226, para 39]. Therefore, the prohibition does not cover psychological, economic, or political pressure [see among others Russel Buchan and Nicholas Tsagourias, Regulating the Use of Force in International Law (EE 2021) 19 ff; Yoram Dinstein, War, Aggression and Self-Defence (4th edn, CUP 2005) 85 ff; Christine Gray, International Law and the Use of Force (3rd edn, OUP 2013) 6 ff]. This interpretation has found support in the wording of the preamble of the UNC; in the fact that international treaty law often associates the term “force” with the adjective “armed”; or in the travaux préparatoires of the UNC, where the Brazilian proposal to include “economic measures” and the Iranian proposal to include the prohibition of intervention in the internal affairs of other States, did not find confirmation in the final text [ see the Documents of the United Nations Conference on International Organization San Francisco (1945) Vol VI, 559; 563]. Another suggestion that force refers to armed force solely, is to be found in the UNGA Friendly Relations Declaration of 1970, under which States that use or encourage the use of economic and political coercion against other States, as well as States that “organize, assist, foment, finance, incite or tolerate subversive, terrorist or armed activities directed towards the violent overthrow of the regime of another State […]”, violate the principle of non-intervention, but not the principle not to use force [see UNGA Res 2625 (XXV) (24 October 1970)].
[9] See EuRepoC, Cyber Incident Dashboard – Cyber Incident Intensity https://eurepoc.eu/de/dashboard accessed 11 July 2024; CFR, Cyber Operations Tracker (2005-2023) https://www.cfr.org/cyber-operations/ accessed 11 July 2024; CPI, Cyber Threats https://cyberconflicts.cyberpeaceinstitute.org/threats accessed 11 July 2024.
[10] Normann M Feder, ‘Reading the UN Charter Connotatively: Toward a New Definition of Armed Attack’ (1987) 19 (2-3) NYU J Int´I L & Pol 395.
[11] Case Concerning Military and Parmilitary Activities in and against Nicaragua (Nicaragua v United States of America) [1986]ICJ Rep 14, para 191.
[12] Tom Ruys, “Armed attack” and Article 51 of the UN Charter: Evolutions in Customary law and practice (CUP 2010) 168 ff.
[13] ibid, para 191, para 232.
[14] Oil Platforms Case (Islamic Republic of Iran v USA) [2003] ICJ Rep 161, para 64.
[15] ibid.
[16] Armed Activities on the Territory of Congo (Dem Rep Congo v Uganda) (Merits) [2005] ICJ Rep 223, para 146.
[17] Schmitt (ed) (n 3) p 342.
[18] Schmitt (ed) (n 3).
[19] UN GGE, Singapore (13 July 2021). Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States submitted by participating governmental experts in the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security established pursuant to General Assembly resolution 73/266, UN Doc A/76/136 p 84.
[20] ibid.
[21] SGDSN, “Revue stratégique de cyberdéfense” (12 February 2018) 82.
[22] Ministère des Armées, “Droit International Appliqué aux Opérations dans le Cyberspace” (2019) 9.
[23] Ministère des Armées, “Manuel de Droit des opérations militaires” (2022) 296.
[24] BMEIA, “Position Paper of the Republic of Austria: Cyber Activities and International Law” (April 2024) 7.
[25] ibid.
[26] MAECI,”Italian Position Paper on International Law and Cyberspace” (2021) 8-9.
[27] NATO, “Vilnius Summit Communiqué – Issued by NATO Heads of State and Government participating in the meeting oft he North Atlantic Council in Vilnius” (11 July 2023) para 66. Available here: https://www.nato.int/cps/en/natohq/official_texts_217320.htm?selectedLocale=en accessed 11 June 2024. See also NATO, “Brussel Summit Communiqué issued by the Heads of State and Government participating in the meeting oft the North Atlantic Council in Brussel” (14 June 2021). Available here: https://www.nato.int/cps/en/natohq/news_185000.htm?selectedLocale=en accessed 11 June 2024.
[28] Droit International Appliqué aux Opérations dans le Cyberspace (n 22) 7.
[29] UN GGE, Norway (n 19) 70.
[30] UN GGE, Singapore (n 19) 84.
[31] Position Paper of the Republic of Austria: Cyber Activities and International Law (n 24) and Italian Position Paper on International Law and Cyberspace (n 26).
[32] See ILC, Draft Conclusions on Identification of Customary International Law, with Commentaries (2018) UN Doc A/73/10.
[33] UN GGE (n 19).
[34] Italian Position Paper on International Law and Cyberspace (n 26).
[35] UN GGE, Brasil (n 19) 20.
[36] Droit International Appliqué aux Opérations dans le Cyberspace (n 22) 9.
[37] ibid.
[38] John Arquilla and David Ronfeldt (eds), In Athena’s Camp: Preparing for Conflict in the Information Age (RAND 1997) p 3.
[39] ibid.
[40] Joint Low-Intensity Conflict Project United States Army Training and Doctrine Command, Joint Low-Intensity Conflict Project Final Report: Volume I Analytical Review of Low-Intensity Conflict (23 October 1987) 1-2.
[41] ibid.
[42] See among others Avi Kober, ‘Low-intensity Conflicts: Why the Gap Between Theory and Practice?’ (2002) 18(1) Defense & Security Analysis 15.
[43] Case Concerning Military and Parmilitary Activities in and against Nicaragua (Nicaragua v United States of America) (n 11).