Cyber Symposium – The Evolution of Cyber Jus ad Bellum Thresholds
Editor’s note: The following post highlights a subject addressed in the symposium entitled The Evolving Face of Cyber Conflict and International Law: A Futurespective presented by the Lieber Institute for Law and Warfare at the American University, Washington College of Law in June 2022. For a general introduction to this symposium, see Professor Sean Watts’ introductory post.
The full birth of international cyber law can be pinpointed to 2009 with some degree of accuracy. In the late 1990s, the U.S. military tentatively began to consider how international law applied to “computer network attack” and “computer network exploitation” (the term “cyber” would catch on later). Notable in this regard were a major international conference at the U.S. Naval War College that resulted in the book Computer Network Attack and International Law and the release of An Assessment of International Legal Issues in Information Operations by the Department of Defense’s Office of the General Counsel. However, the attacks of 9/11 in 2001 and the wars in Afghanistan and Iraq that followed diverted the international law community’s attention from the subject.
In 2007, that attention was refocused dramatically back on cyber issues when nationwide hostile cyber operations targeted new NATO member Estonia (2004). Most were launched from Russian territory. Unfortunately, government attorneys throughout the Alliance were unprepared to assess their legal nature or NATO’s possible responses under international law. The elephant in the room was the question of whether the operations qualified as an “armed attack” triggering Article 5 of the North Atlantic Treaty.
The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.
The following year, hostile cyber operations figured prominently during the international armed conflict between Russia and Georgia. But, again, government legal advisers faced an unexplored legal landscape.
As a result, in 2009, the newly established NATO Cooperative Cyber Defense Center of Excellence launched what would become known as the “Tallinn Manual Project,” the first in-depth consideration of whether, and if so, how, international law governed activities in cyberspace. In light of events in Estonia and Georgia, the decision was made to focus on the law governing the use of force (jus ad bellum) and international humanitarian law (jus in bello); I was appointed Director. An International Group of Experts (IGE) convened to delve into the matter completed its work in 2013 by publishing the first Tallinn Manual. A follow-on project by a new IGE, Tallinn Manual 2.0, examined cyber-related peacetime international law and was published in 2017. A third phase, Tallinn Manual 3.0, is now underway.
Lying at the heart of the first Tallinn Manual, included in the second, and central to the Tallinn Manual 3.0 effort is the jus ad bellum. In this post, I examine the evolution in understanding how the prohibition on the use of force found in Article 2(4) of the UN Charter and the right of self-defense in Article 51 of that instrument (and their customary law counterparts) apply to cyber operations. It is a journey that began in isolation with the first Tallinn Manual IGE, but one in which States are increasingly playing a central role, appropriately so.
Consensus on the Rules
During the early years of the cyber age, many questioned whether the law governing the use of force, or even international law more generally, applied in cyberspace. Fortunately, misguided claims that cyberspace is a normative Wild West have faded away over time.
Indeed, both Tallinn Manual IGEs quickly recognized the applicability of the use of force prohibition and the right of self-defense in the cyber context. And in reports that the UN General Assembly has endorsed, the UN Groups of Governmental Experts (GGE) that have been formed to consider cyber issues since 2004 (there have been six) have consistently confirmed that the UN Charter applies to cyber operations (2013, 2015, 2021).
Concerning the obligation in Article 2(4) to refrain from the use of force against other States, the 2021 UN GGE Report noted that “adherence by States to international law, in particular their Charter obligations, is an essential framework for their actions in their use of ICTs” (information and communications technology). Later, the report specifically refers to the use of force prohibition in language drawn verbatim from Article 2(4), as had its 2015 counterpart.
As to defensive action under Article 51 in response to a cyber “armed attack,” the report provides, “recalling that the Charter applies in its entirety, the Group noted again the inherent right of States to take measures consistent with international law and as recognized in the Charter and the need for continued study on this matter.” Although the UN GGE has never used the term “self-defense” in its reports, and despite a strange episode in which proposed inclusion of the term led, in part, to the failure of the 2016-2017 UN GGE to issue a consensus report, it is undeniable that the right of self-defense in the cyber context is universally accepted. After all, the term “inherent right” in the 2021 UN GGE Report (and its earlier counterparts) is drawn directly from Article 51, while the acknowledgment that the entire UN Charter applies can mean nothing else. The fact that the 2021 UN GGE Report was “welcomed” by the General Assembly in December 2021 renders the conclusion incontrovertible.
From the first consideration of the subject, there has been little sincere objection to the application of the prohibition of the use of force and the right of self-defense to cyber operations causing physical damage or injury that, if caused by non-cyber means, would reach those thresholds. The question has always been, and remains, whether the prohibition and the right encompass cyber operations generating other consequences.
The Use of Force Threshold
UN Charter Article 2(4) provides, “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” In assessing whether a non-destructive and non-injurious cyber operation qualifies as a use of force, the inaugural Tallinn Manual IGE adopted an approach that I had proposed in a 1999 Columbia Journal of Transnational Law article.
In the piece, I argued that it was reasonable to interpret the use of force prohibition as extending below the physical damage or injury threshold. My conclusion was partly based on the International Court of Justice’s (ICJ) finding in Paramilitary Activities that the mere arming and training of guerillas amounted to a use of force (¶ 228). The obstacle to application in the cyber context, however, was that no accepted standard for making the determination existed. In its absence, I suggested that States look to various non-exclusive factors when assessing whether a cyber operation has crossed the use of force threshold: severity, immediacy, directness, invasiveness, measurability, and presumptive legitimacy.
The International Group of Experts concurred with the factors but added several others, some at the suggestion of States: military character, degree of State involvement, prevailing political environment, whether the cyber operation portends the future use of military force, the identity of the attacker, any record of cyber operations by the attacker, and the nature of the target (such as critical infrastructure). Tallinn Manual 2.0 maintained the approach of its precursor.
A further modification came with the first IGE’s adoption of the notion of “scale and effects” in the use of force rule (“A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”). The ICJ had used the standard in its 1986 Paramilitary Activities judgment only to assess whether an action qualified as an “armed attack,” the criteria for determining whether a right of self-defense exists in a particular situation (¶ 195). The Experts “found the focus on scale and effects to be an equally useful approach when distinguishing acts that qualify as uses of force from those that do not. In their opinion, ‘scale and effects’ is a shorthand term that captures the quantitative and qualitative factors to be analysed in determining whether a cyber operation qualifies as a use of force.” The second IGE retained the scale and effects standard for use of force determinations.
Only a few States have expressed a position on cyber uses of force that goes beyond noting that the prohibition applies in the cyber context. Nearly all those have articulated some variant of the Tallinn Manual approach – either adoption of the scale and effects test in the use of force context or enumeration of illustrative factors in the appraisal, or both. The following are non-exclusive examples (emphasis added).
Australia (2021): In determining whether a cyber activity constitutes a use of force, States should consider whether the activity’s scale and effects are comparable to traditional kinetic operations that rise to the level of use of force under international law.
Canada (2022): In Canada’s view, cyber activities may amount to such a threat or use of force where the scale and effects are comparable to those of other operations that constitute the use of force in international law. Canada will assess cyber activities that may amount to a threat or use of force on a case-by-case basis.
Estonia (2021): States must refrain in their international relations from carrying out cyber operations which, based on their scale and effect, would constitute a threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the UN.
Germany (2021): Germany shares the view expressed in the Tallinn Manual 2.0: the threshold of use of force in cyber operations is defined, in analogy to the ICJ’s Nicaragua judgment, by the scale and effects of such a cyber operation. Whenever scale and effects of a cyber operation are comparable to those of traditional kinetic uses of force, it would constitute a breach of art. 2 para. 4 UN Charter.
The determination of a cyber operation as having crossed the threshold of prohibited use of force is a decision to be taken on a case-by-case basis. Based on the assessment of the scale and effects of the operation, the broader context of the situation and the significance of the malicious cyber operation will have to be taken into account. Qualitative criteria which may play a role in the assessment are, inter alia, the severity of the interference, the immediacy of its effects, the degree of intrusion into a foreign cyber infrastructure and the degree of organization and coordination of the malicious cyber operation.
France (2019): A cyber operation carried out by one State against another State violates the prohibition of the use of force if its effects are similar to those that result from the use of conventional weapons. However, France does not rule out the possibility that a cyber operation without physical effects may also be characterised as a use of force. In the absence of physical damage, a cyber operation may be deemed a use of force against the yardstick of several criteria, including the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target. This is of course not an exhaustive list. For example, penetrating military systems in order to compromise French defence capabilities, or financing or even training individuals to carry out cyberattacks against France, could also be deemed uses of force.
NATO (2020): For example, if COs [cyberspace operations] cause effects that, if caused by traditional physical means, would be regarded as a use of force under Article 2(4) of the UN Charter or an armed attack under jus ad bellum, then such COs could similarly be regarded as a use of force or armed attack.
Criteria that could be considered in making this assessment include the scale and effects of the attack, which might take into account such factors as interference with critical infrastructure or functionality, severity and reversibility of effects, the immediacy of consequences, the directness between act and consequences, and the invasiveness of effects.
Netherlands (2021): It is necessary, when assessing the scale and effects of a cyber operation, to examine both qualitative and quantitative factors. The Tallinn Manual 2.0 refers to a number of factors that could play a role in this regard, including how serious and far-reaching the cyber operation’s consequences are, whether the operation is military in nature and whether it is carried out by a state. These are not binding legal criteria. They are factors that could provide an indication that a cyber operation may be deemed a use of force, and the government endorses this approach.
Norway (2021): Whether a cyber operation violates the prohibition on the threat or use of force in Article 2(4) of the UN Charter depends on its scale and effects, physical or otherwise.
… A number of factors may be taken into consideration, such as the severity of the consequences (the level of harm inflicted), immediacy, directness, invasiveness, measurability, military character, State involvement, the nature of the target (such as critical infrastructure) and whether this category of action has generally been characterised as the use of force. This list is not exhaustive…. [A] cyber operation causing severe disruption to the functioning of the State such as the use of crypto viruses or other forms of digital sabotage against governmental or private power grid- or telecommunications infrastructure, or cyber operations leading to the destruction of stockpiles of Covid-19 vaccines, could amount to the use of force in violation of Article 2(4). Similarly, the use of crypto viruses or other forms of digital sabotage against a State’s financial and banking system, or other operations that cause widespread economic effects and destabilisation, may amount to the use of force in violation of Article 2(4).
United States (2022, Navy, Marine Corps, Coast Guard): Cyberspace operations may rise to the level of a use of force within the meaning of Article 2(4) if their scale and effects are analogous to other kinetic and nonkinetic operations that are tantamount to the use of force… There is no single formula to determine whether cyberspace operations constitute the use of force, although elements that inform a State’s determination include:
5. Measurability of effects
6. Military character
7. State involvement
8. Presumptive legality of the operations.
Particularly noteworthy are the positions of the Netherlands, Norway, and France concerning cyber operations targeting a nation’s economy or financial system. While the Netherlands raises the prospect that they might qualify as a use of force, Norway adopts that view. France, as discussed below, goes further by suggesting that such operations could even rise to the level of an armed attack triggering the right of self-defense. In this regard, it should be noted that most States, and the ICJ, consider armed attacks to be the “most grave” form of the use of force (Paramilitary Activities, ¶ 191). By contrast, the United States takes the unique, and in my view less supportable, position that all uses of force are armed attacks triggering the right of self-defense.
In summary, most States have not addressed the use of force threshold issue. But among those that have, the “scale and effects” approach first suggested by the Tallinn Manual IGEs appears to be taking hold. And in that group of States, some have shown a willingness to consider non-destructive and non-injurious operations as sometimes qualifying as a use of force by reference to factors like those identified by the Tallinn Manual Experts. Most others have not ruled out such an approach.
The Self-Defense Threshold
The right of self-defense is set forth in Article 51 of the UN Charter: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.” As noted, most States and international law experts view an “armed attack” as a particularly grave “use of force,” the notable exception being the United States. I support the former view.
In light of this “gap” between the two thresholds, the approach described above vis-a-vis the use of force threshold does not map neatly onto the armed attack threshold. Indeed, in my 1999 article, I was of the view that physical damage or injury was necessary to reach the latter. I have since moderated that view and support an approach to armed attack analogous to that used for use of force assessments. But like most States, I would set the armed attack bar higher, as did the ICJ in Paramilitary Activities.
Both Tallinn Manual IGEs split on the issue, although the Experts agreed that armed attack was a higher threshold than use of force. The common thread running through their analysis was that the interpretation of armed attack in the cyber context merited greater caution. As the Netherlands Ministry of Foreign Affairs emphasized in a 2019 letter to the Dutch Parliament, “At present there is no international consensus on qualifying a cyberattack as an armed attack if it does not cause fatalities, physical damage or destruction yet nevertheless has dire non-material consequences.”
Thus, States have been reticent to discuss the armed attack threshold with any granularity. Instead, the tendency is to confirm that if the effects of a cyber operation would rise to the level of an armed attack had they been caused by traditional non-cyber means, the cyber operation qualifies as such too. Several examples illustrate the trend (emphasis added).
Australia (2021): Thus, if a cyber activity – alone or in combination with a physical operation – results in, or presents an imminent threat of, damage equivalent to a traditional armed attack, then the inherent right to self-defence is engaged.
Estonia (2021): In order to assess if a cyber operation reaches the threshold of the use of force or an armed attack based on Article 2(4) or 51 of the UN Charter, we must consider the scale and effects of the operation. If the effects of a cyber operation are comparable to a kinetic attack, it could constitute an armed attack.
Finland (2020): Most commentators agree that a cyberattack which is comparable to an armed attack in terms of its extent and impacts equates to an armed attack, and self-defence is justified as response.
Germany (2021): Malicious cyber operations can constitute an armed attack whenever they are comparable to traditional kinetic armed attack in scale and effect. Germany concurs with the view expressed in rule 71 of the Tallinn Manual 2.0.
Italy (2021): Italy deems that wrongful cyber operations conducted by State or non-State actors may constitute an armed attack when their scale and effects are comparable to those resulting from conventional armed attacks, resulting in significant physical damage of property, human injury and loss of life, or disruption in the functioning of critical infrastructure.
New Zealand (2020): Cyber activity that amounts to a use of force will also constitute an armed attack for the purposes of Article 51 of the UN Charter if it results in effects of a scale and nature equivalent to those caused by a kinetic armed attack.
United Kingdom (2021): An operation carried out by cyber means may constitute an armed attack giving rise to the inherent right of individual or collective self-defence, as recognised in Article 51 of the UN Charter where the scale and effects of the operation are equivalent to those of an armed attack using kinetic means.
As with the use of force threshold, France is a trailblazer in interpreting the norm. In 2019, it announced, “A cyberattack could qualify as an armed attack when it causes substantial loss of life or significant physical or economic damage. This would be the case of an operation in cyberspace affecting critical infrastructure with significant consequences, or likely to paralyze whole sectors of the country’s activity, to trigger administrative or ecological disasters and to cause many victims.” In making the announcement, France was the first state to unequivocally adopt the view that the notion of an armed attack includes cyber operations that do not cause physical damage or injury. This was a possibility that had been raised earlier by the Netherlands’ then Minister of Defense, although it does not explicitly appear in the most recent expression of Dutch views on how international law applies in cyberspace.
In 2021, Singapore also stretched the envelope a bit when it noted, “it is also possible that, in certain limited circumstances, malicious cyber activity may amount to an armed attack even if it does not necessarily cause death, injury, physical damage or destruction, taking into account the scale and effects of the cyber activity. An example might be a targeted cyber operation causing sustained and long-term outage of Singapore’s critical infrastructure.” Anecdotally, I can confirm that government officials in many States are thinking along the same lines – that severity of harm matters more than the nature of harm with respect to the law of self-defense.
As with the use of force threshold, most states have not addressed the self-defense threshold. Those that have done so are cautious in adapting it to the unique characteristics of cyber operations, especially the possibility of causing severe but non-destructive and non-injurious consequences.
Numerous issues beyond the use of force and armed attack thresholds remain unsettled in the jus ad bellum as applied to cyberspace. But they are not cyber-unique. Instead, they tend to mirror ones that already resist State consensus in the non-cyber context. For example, may the effects of multiple cyber operations be aggregated to reach the thresholds? How early can anticipatory self-defense be mounted against future cyber armed attacks? When does a response to a cyber armed attack become mere retaliation? Does the right of self-defense exist in response to non-State actors’ cyber attacks that are not attributable to another State? May a victim State conduct a forcible response into the territory of another State in response to cyber attacks by non-State actors from that State (the unwilling/unable debate)?
But the advent of cyber capabilities has uniquely implicated the threshold at which a cyber operation risks breaching the obligation to refrain from the use of force against other States and that which enables a State to respond to a hostile cyber operation with cyber or non-cyber measures at the use of force level. And these two questions lie at the heart of the jus ad bellum’s application in cyberspace.
Michael N. Schmitt is the G. Norman Lieber Distinguished Scholar at the United States Military Academy at West Point. He is also Professor of Public International Law at the University of Reading; Professor Emeritus and Charles H. Stockton Distinguished Scholar-in-Residence at the United States Naval War College; and Strauss Center Distinguished Scholar and Visiting Professor of Law at the University of Texas.