The Evolving Interpretation of the Use of Force in Cyber Operations: Insights from State Practices
Editors’ note: This post is drawn from the author’s article-length work with Professor Michael Schmitt, “Cyberspace and the Jus ad Bellum: The State of Play” appearing in International Law Studies. The post and the article are both based on course work that the author completed in her final year as a cadet at the U.S. Military Academy West Point.
In an era when cyber activities are reshaping global security dynamics, the interpretation and application of international law, especially concerning the prohibition on the use of force under Article 2(4) of the UN Charter, has become increasingly complex. This post delves into how States have addressed the prohibition. It aims to tease loose where there appears to be consensus, as well as potential fault lines. A forthcoming companion post will do the same concerning the right of self-defense in cyberspace. Both posts draw on deeper treatment of the subject in Cyberspace and the Jus ad Bellum: The State of Play, an article I published with Professor Michael Schmitt in International Law Studies. Our paper analyzed the positions of 39 individual States, as well as those of NATO and the African Union (AU), which represent the views of 30 and 55 States, respectively.
The primary aim of the article was to understand how States are responding to the critical question of when a hostile cyber operation rises to the level of a “use of force” under Article 2(4) of the UN Charter, and what this means for the application of international law in cyberspace. Given the rapidly evolving nature of cyber threats and the lack of consensus on applying traditional legal frameworks to cyberspace, this study is crucial for identifying emerging trends in State practice and providing insights into the evolving interpretation of the jus ad bellum, helping to inform legal advisors on these developments.
The Core Issue: Article 2(4) of the UN Charter
Article 2(4) of the UN Charter lies at the heart of legal discourse surrounding the use of force in cyberspace. A cornerstone of international law, it sets forth the fundamental rule that States may not engage in the threat or use of force. Specifically, Article 2(4) states, “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”
Traditionally, this prohibition has been understood in the context of conventional military actions, such as invasions or the exchange of fires. However, the rise of cyber operations introduced a layer of ambiguity that complicates its application.
Cyber operations are inherently different from traditional uses of force in that they may generate serious effects that are not physically destructive or injurious in nature, such as substantial economic damage or the loss of functionality of critical systems. This raises the question of how such cyber operations fit within the Article 2(4) framework and what criteria should be employed to assess whether they constitute a use of force.
The growing recognition of the need to adapt traditional legal standards to the realities of modern conflict has prompted States to adopt various analytical frameworks. In this regard, two related notions have emerged when considering uses of cyber force: the “consequence-based approach”; and the “scale and effects test.” Understanding them is essential for navigating the complexities of cyber warfare.
The Consequence-Based Approach: A Focus on Impact
The consequence-based approach has been adopted by most States that have taken public positions on the qualification of cyber operations as a use of force, and it was notably endorsed and adopted by the Tallinn Manual group of experts during its discussions on the applicability of international law to cyber warfare. It emphasizes that the primary determinant of whether a cyber activity constitutes a use of force is its impact rather than the specific technical methods employed in its execution (see rule 69). This pragmatic view recognizes that the ultimate goal of the prohibition on the use of force is to prevent harm, regardless of how that harm is inflicted.
Of the 142 States endorsing an opinion on the matter, none opposed the applicability of the consequence-based approach to use of force determinations. For example, the Netherlands states that “the effects of the [cyber] operation determine whether the prohibition applies, not the manner in which those effects are achieved.” Germany similarly aligns itself with the consequence-focused framework, stating that “with regard to the definition of ‘use of force,’ emphasis needs to be put on the effects rather than the means used.” The United States, Australia, Finland, Italy, and Poland have also adopted this approach. In fact, many States have already begun to establish the specific circumstances under which this approach applies.
No State has challenged the notion that consequences causing substantial harm to individuals or significant damage to property can be considered uses of force. On the contrary, some States have offered examples of cyber operations that would qualify as uses of force based on the consequences they generate. For instance, Iran points to cyber operations that could lead to “material damage to property and/or persons” in a “widespread and grave manner,” or where such consequences are “logically … probable.” Israel offers “hacking into the computer of the railroad network of another State and programming the controls in a manner that is expected to cause a collision between trains,” as a possible example of a use of force. The United States asserts that if the physical damage of a cyber activity would result in “the kind of damage that dropping a bomb or firing a missile would,” this cyber activity should be considered a use of force. This trend reflects a growing interest in establishing when the consequence-based approach applies to classifying cyber actions as uses of force.
Scale and Effects Test: A Structured Evaluation
Beyond States’ agreement to consider the specific consequences of a cyber operation, an approach to evaluating those consequences is gaining traction. The Tallinn Manual experts agreed that a cyber operation’s “scale and effects” were the central factor in the assessment. This concept draws from the International Court of Justice’s Paramilitary Activities judgment, establishing the scale and effects test for self-defense assessments (para. 195). The Tallinn Manual later adopted the test to determine when a cyber operation constitutes a use of force (see Schmitt/Pakkam, p. 202).
The approach provides a structured methodology for assessing the consequences of cyber operations vis-à-vis the use of force prohibition. “Scale” denotes the extent of the attack, while the “effects” prong focuses on the nature and severity of the resulting consequences. This dual focus allows for a nuanced analysis that recognizes the diverse impacts that cyber operations can produce.
A growing number of States embraces the scale and effects test, with States such as Canada, Denmark, Germany, New Zealand, Italy, Ireland, Sweden, and Norway expressly adopting it. NATO’s incorporation of this approach into its Allied Joint Doctrine for Cyberspace Operations further solidifies its significance (AJP-3.20, para. 3.7). No State has contested the application of the test as a valid framework for assessing the consequences of cyber operations, reflecting broad consensus on its relevance.
The question is what scale and effects. In this regard, the Tallinn Manual experts stated that a cyber operation may be deemed a use of force when “its scale and effects are comparable to non-cyber operations rising to the level of a use of force” (rule 69). Numerous States support this principle, a good example being Australia. That country further underscored that this assessment should consider the intended or reasonably expected consequences of cyber actions, including the potential for significant damage or destruction to life and infrastructure. Other States advocating a comparative analysis with traditional kinetic operations under international law include Canada and Israel.
Importantly, scale and effects assessments are context specific. Indeed, the fifty-five member States of the African Union agree that determining whether a cyber operation qualifies as a use of force “should be undertaken on a case-by-case basis,” a sentiment the United States echoed.
Applying Scale and Effects: The Multi-Factor Approach in Cyber Operations
However, questions remain regarding the specific scale and effects that a cyber operation must have to qualify as a use of force. This leaves some ambiguity in the test’s practical implementation. Several States (e.g., Costa Rica, AU) are of the view that comparing the consequences of cyber operations to consequences generated by non-cyber operations fails to fully resolve the ambiguity inherent in the scale and effects approach, especially for operations that are not directly injurious or destructive.
To address the complexities of this classification, the first Tallinn Manual international group of experts built upon earlier work by one of its authors to identify key factors that States might consider when assessing whether their own or another State’s cyber operations rise to the level of a use of force. Though it is not exhaustive, this multi-factor approach includes such criteria as severity, immediacy, directness, invasiveness, and the nature of the target. The Tallinn Manual experts asserted that the severity of a cyber operation is the most decisive factor, but beyond clear cases, this and other factors should be considered together, with their importance determined by the specific circumstances. Ultimately, this multi-factor approach operationalizes the scale and effects test, providing a nuanced framework for determining when cyber operations cross the threshold into the realm of uses of force.
No State has pushed back against the premise that States will look to a variety of factors when assessing the scale and effects of a hostile cyber operation attributable to a State. Instead, the number of States embracing this multi-factor approach is growing. For example, the French Ministry of the Armies stated in 2019 that “in the absence of physical damage, a cyber operation may be deemed a use of force” based on various criteria, including the circumstances surrounding the operation and the nature of the instigator. Similarly, the African Union has underscored the need for a nuanced evaluation, noting that factors like “the duration of the attack, the nature of the targets attacked, the locations of the targets attacked, and the types of weapons used” should be considered alongside the effects of the attack. The United States offers factors such as “context, the actor perpetrating the action, the target’s location, the effects of the cyber activity, and the intent of the actor, acknowledging the complexities of attribution in cyberspace” (see also Denmark and Sweden).
This pattern merits a cautionary note: States are trending toward picking and choosing from among Tallinn Manual factors, and sometimes adding their own. On the one hand, the States’ acknowledgment that the lists are not exhaustive reduces the likelihood of conflicting approaches developing. However, while there is no internationally agreed-upon framework for evaluating the scale and effects of cyber operations, no State has disagreed with the trend toward applying the multi-factor approach.
Challenges and Unresolved Questions
The growing digitalization of societies, as noted by Estonia, raises significant questions about the applicability of the jus ad bellum to cyber operations that cause severe economic harm without physical effects. Historically, economic actions by States, such as sanctions, were generally not viewed as a use of force, but the rise of cyber operations has prompted a reevaluation of this perspective.
Several States are now addressing these questions directly. The Netherlands asserts that “at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force.” Denmark states that it “generally cannot be ruled out that acts of economic or political coercion can fall within the purview of Article 2(4) of the UN Charter” if they disrupt a State’s financial system. Norway emphasizes that “the use of crypto viruses or other forms of digital sabotage against a State’s financial and banking system … may amount to the use of force in violation of Article 2(4).” France has similarly indicated that a cyber operation targeting a nation’s economy “may, in certain circumstances, qualify as an armed attack,” suggesting that economic impacts can be seen as a use of force.
These positions reflect a growing consensus among certain States about the potential for cyber operations to constitute uses of force, particularly when significant economic consequences are involved. However, the lack of a comprehensive international consensus on these specific issues underscores the ongoing challenges and unresolved questions surrounding the legal implications of cyber activities with economic consequences in the context of the use of force.
Conclusion
The consequence-based approach is gaining traction among States as they seek to clarify the legal implications of cyber operations. The Tallinn Manual experts emphasize that a cyber operation’s “scale and effects” are central to assessing whether it constitutes a use of force. This concept encompasses both quantitative factors, such as the extent of the operation, and qualitative factors, including the nature and severity of the resulting effects.
To operationalize the scale and effects framework, States are increasingly adopting a multi-factor approach. This methodology allows for a nuanced evaluation that considers various criteria—such as severity, context, and the nature of the targeted systems—when assessing the consequences of cyber actions.
There is a growing consensus among States regarding the importance of these assessments. No State has disputed the necessity of evaluating the consequences of cyber operations through the lens of scale and effects. Furthermore, they agree that operations leading to significant impacts—whether economic, infrastructural, or functional—can indeed qualify as uses of force under international law.
In summary, the convergence on the consequence-based approach, with a focus on scale and effects, and its operationalization through a multi-factor assessment indicates that States are increasingly aligned in their interpretations of how to classify cyber operations. This alignment reflects a significant trend toward recognizing that the impacts of cyber operations, particularly those causing substantial economic damage or loss of functionality, can cross the threshold for a use of force, thereby shaping the emerging legal framework governing State behavior in cyberspace and influencing determinations in this evolving area of international law.
***
Second Lieutenant Anusha Pakkam graduated from the United States Military Academy in the Class of 2024 and currently serves as an intelligence officer for the 12th Combat Aviation Brigade in Ansbach, Germany.
Photo credit: Unsplash