Cyber Symposium – Diplomatic Considerations for Armed Attack

Editor’s note: The following post highlights a subject addressed in the symposium entitled The Evolving Face of Cyber Conflict and International Law: A Futurespective presented by the Lieber Institute for Law and Warfare at the American University, Washington College of Law in June 2022. For a general introduction to this symposium, see Professor Sean Watts’ introductory post.

When cyber policymakers, diplomats or lawyers brief ministers of foreign affairs, defense, and military leaders, they are routinely asked a simple political question – what actually constitutes an armed attack in cyberspace?

The response they get varies depending on their country’s dependency on digital technologies, on its cyber resilience and robustness of key infrastructures, as well as on its cyber defense and offense posture. This means that the thresholds differ. A small digitally dependent State with limited resources might qualify a cyber attack as an armed attack if its vital data and digital governance system are destroyed, whereas a larger country with significant cyber capabilities may draw the line at a cyber attack against a civilian nuclear power station. To date, the world has not witnessed a declaration of war over an offensive cyber operation, nor have States openly qualified a particular cyber attack as an armed attack. However, professional cyber policy and legal experts should be ready for this eventuality.

A number of States have articulated their opinions on the threshold of use of force or armed attack in the compendium attached as an annex to the most recent cyber security UN Group of Governmental Experts (UN GGE) report in 2021. Many countries consider a cyber operation as an armed attack in cyberspace if it is conducted against critical civilian or military infrastructure, it has a scale and impact comparable to a kinetic attack, and it results in loss of life and/or damage to property. Some countries also specify that the cyber attack must be attributed to a State to trigger the self-defense option as laid out in UN Charter Article 51. The United States even goes a step further and specifies how the country plans to respond to a cyber attack that would constitute a basis for self-defense. Possible response options include the intent to use a kinetic response if this is considered proportionate and necessary.

The diversity of views among the UN Member States on the threshold of cyber armed attack, among other questions, is considerable. During the UN GGE negotiations, the issues of attribution, self-defense and jus ad bellum topics triggered heated discussions. This led to many developing nations voicing their concern that, due to their limited cyber capacities, they cannot perform, for example, their due diligence responsibilities and fear consequences if their territory is used to launch malicious cyber operations. Moreover, views on the application of international law in cyberspace still diverge among the NATO Allies as well. Similar to Article 5 decision-making in the kinetic domain, NATO has adopted a policy of “strategic ambiguity” on cyber threshold issues. This allows NATO Allies to remain ambiguous on the exact threshold of an armed attack and reserve the right to use collective self-defense by North Atlantic Council decision, i.e. by political decision of all NATO Allies.

Every politician wants to see hard evidence before declaring a war, which might be difficult to produce efficiently and with full accuracy in case of a cyber operation. Therefore, it would be an equally complicated political decision, even if one considers the current technological capacity of most NATO countries. In addition to defining a cyber operation as an armed attack, a good politician will follow up with a question on how to respond to such operations. To stop ongoing hostilities and deter further use of force, the response by in-kind or kinetic force should be imminent and not delayed by few weeks or months until the necessary attribution data can be verified. In case other territories were used for launching the cyber operation, coordination with partner countries might be warranted. In the end, there will be more questions than answers that political decision-makers will have.

Very serious and damaging cyber operations certainly warrant a robust response, or the culprits will grow more careless when launching future operations. Therefore, the cyber policy community in NATO countries, together with international law experts, should clarify many legal issues and develop better national and international coordination mechanisms concerning jus ad bellum and its application in cyberspace. In addition to defining the threshold questions, there should equally be an understanding, what policy implications States will need to consider when developing response options and who are their national and international coordination partners.

***

Heli Tiirmaa-Klaar is the Director of the Digital Society Institute at the European School of Management and Technology in Berlin. From 2018 to 2021, she served as Ambassador for Cyber Diplomacy and Director General for the Cyber Diplomacy Department at the Estonian Ministry of Foreign Affairs.  

Photo credit: Unsplash