Regulating Military Force Series – Low-Intensity Cyber Operations and Regulation of the Resort to Force


| Feb 21, 2024

Low-intensity cyber

Editors’ note: The author delivered remarks on the subject of this post at the conference “International Law and the Regulation of Resort to Force: Exhaustion, Destruction, Rebirth?” at the Centre for International Humanitarian and Operational Law, Palacký University in Olomouc, Czech Republic.

In three separate statements released on October 26, November 8, and November 12, 2023, the U.S. Secretary of Defense, Lloyd Austin, announced that U.S. military forces had conducted precision self-defense airstrikes on facilities in eastern Syria used by Iran´s Islamic Revolutionary Guard Corps (IRGC) and its affiliated groups. According to the statements, the strikes were in response to “a series of ongoing . . . attacks,” “a series of attacks,” and “continued attacks” carried out by Iran-affiliated militia groups against U.S. personnel in Syria and Iraq.

In two letters to the UN Security Council dated October 30 and November 14, 2023, the U.S. Permanent Representative to the UN argued that the United States was acting in accordance with Article 51 of the UN Charter (UNC) (here and here). These letters supplemented prior correspondence detailing the invocation of the right of self-defense under UNC Article 51 in response to a series of low-intensity attacks conducted by IRGC-affiliated groups. In this regard, the United States noted its response was brought about because “the government of the State where the threat is located is unwilling or unable to prevent the use of its territory by non-State militia groups responsible for such attacks” (here, here, and here).

That the United States is invoking its inherent right of self-defense against acts that fell short of being armed attacks comes as no surprise: according to the U.S. Department of Defense, the attacks were indeed “unsuccessful” due to the absence of significant damage to infrastructure and harm to U.S. personnel (see also here and here). U.S. doctrine on this is quite clear: for the purposes of invoking the right of self-defense, the United States will not distinguish between acts constituting a use of force under UNC Article 2(4) and acts constituting an armed attack under UNC Article 51.

It is noteworthy, however, that in each of the above statements and letters, the United States emphasized the repetitive nature of the attacks rather than the extent of the damage and/or harm caused by them. This argument is typical of those States that rely on the so-called accumulation of events theory (AoET) to justify the use of forcible defensive measures as a response to low-intensity hostile activities, such as relatively minor but repeated border incidents or skirmishes.

The rationale behind this argument is being re-evaluated in recent years to address the issue of low-intensity cyber operations (LICOs). Such cyber operations are disruptive rather than destructive in nature, have temporary rather than permanent effects, and fall short of qualifying as an armed attack (see here, here, and here). For the time being, the question remains: is the United States’ adoption of AoET-typical terminology in fact an adaptation to a future change in the character of warfare, or simply a more comprehensive justification before the international community in this particular case?

I argue in this post that, for the purposes of the right of self-defense in conflicts predominantly characterized by kinetic activities, States rely on the AoET to reconcile the gap in the threshold between acts constituting a use of force under Article 2(4) UNC and acts constituting an armed attack under Article 51 UNC. Conversely, in cyberspace, reliance on the AoET for the purposes of Article 51 appears to encompass cyber activities that traditionally would not have fallen under Article 2(4) and/or Article 51. For reasons of space, this post focuses only on the substantive requirements of the right of self-defense, leaving aside issues related to the timing of the attack or the persons responsible for it.

The Accumulation of Events Theory

The AoET refers to the practice of certain States to justify the use of force under UNC Article 51 against a series of related hostile activities. These may occur over a protracted period and each activity, considered alone, may fall short of the armed attack threshold.

In accordance with the International Court of Justice’s (ICJ) 1986 Paramilitary Activities judgment, States are allowed to resort to the use of force in self-defense only against “the most grave forms of the use of force” and not against low-intensity hostile activities such as border incidents or skirmishes. It is doubtful that this judgment marks a break from the international community’s pre-1986 understanding of UNC Article 51, at least when it comes to the gravity threshold of an armed attack.

Although the Court has been criticized for not qualifying “mere frontier incidents” as an armed attack triggering a State’s individual right of self-defense, earlier practice and opinio juris on the classification of low-intensity hostile activities is quite ambiguous. Furthermore, States that invoked the right of self-defense by relying on the AoET prior to 1986 (see Portugal here; Israel here or here), or were willing to do so (see Zambia, here and here), also claimed a situation of prolonged distress existed as they had in fact tolerated a number of low-intensity hostile activities for a considerable period.

As the recent U.S. airstrikes on Iran-affiliated militia groups have shown, the AoET finds fertile ground for application in conflict situations between a State and one or more non-State actors (NSA), particularly when NSAs use a third unwilling or unable State as a base or “safe haven” (see UNSC Res 1624/2005 and UNSC Res 1373/2001) to conduct hostile activities to the detriment of the victim State. Another common scenario is when NSAs act on the instructions of, or under the direction or control of another State (ARSIWA, Article 8 ). As a result of the politico-military strategies of the parties involved, these conflict situations are generally characterized by low-level intensities of violence which can escalate over time into a full-scale armed conflict (see, for example, 1956 Suez Crisis; 1961-1974 Liberation War; 1981 First Lebanon War).

Whether States relying on the AoET have become mainstream, as Tom Ruys argues, or whether the international community is still treading carefully with a strategy that has been used to justify retaliation and/or rationalize disproportionate defensive measures, a significant turning point appears close with regard to LICOs.

Low-Intensity Cyber Operations

Although the UNC does not define the concept of force, it is broadly accepted that Article 2(4) refers to armed force (thus implying the use of weapons) and excludes coercion based solely on psychological, economic, or political pressure. Nevertheless, the ICJ’s Nuclear Weapons advisory opinion clearly states that “any use of force, regardless of the weapons employed” (e.g., nuclear, chemical, biological, and cyber weapons) falls under the umbrella of UNC Article 2(4). Such language assigns importance to the effects caused by the weapons employed, such as the loss of life and destruction of property, rather than the physical peculiarities of the weapons themselves. It also makes redundant the question whether international law applies to cyberspace, just as it is redundant to ask whether the prohibition on the use of force and the right of self-defense extends to cyber operations that cause the loss of life and/or destruction of property.

The pivotal question here, rather, is how rules created and developed to regulate the use of physical, coercive action by military means can be used to regulate LICOs that fall below the thresholds established under UNC Articles 2(4) and/or 51. The equation here is simple: if a cyber operation has neither the scale nor consequences of resulting in the loss of life and/or destruction of property, it is not equivalent to a traditional use of force and certainly not to a traditional armed attack. If a cyber operation is not equivalent to a traditional armed attack, States may not be able to invoke Article 51 UNC in response to cyber operations.

Because LICOs are among the most common threats to date (see here and here) it seems that States’ inherent right of self-defense may have no concrete or little applicability in cyberspace, at least not as a response to LICOs. Even if one focuses on the scale and effects of the consequences of LICOs, these are disruptive and temporary rather than destructive and permanent. Therefore, any response by kinetic and/or cyber armed force would appear either disproportionate and/or unnecessary from the outset.

Prospective Solutions

To fill this legal vacuum, the Tallinn Manual 2.0 experts suggested that a series of smaller cyber operations conducted by the same originator, or originators acting in concert, may, if there is “convincing evidence,” constitute an armed attack when aggregated. The same view has been shared by Singapore in the Official Compendium of the 2021 UN Group of Governmental Experts. Yet while the Tallinn Manual 2.0 refers to cyber operations not involving the loss of life or destruction of property as an unresolved issue, Singapore stated that “in certain limited circumstances” and “taking into account the scale and impact of the cyber activity,” malicious activities not involving the loss of life and destruction of property may still be considered an armed attack, triggering the right of self-defense.

According to France, a series of cyber-attacks that does not individually reach the threshold of an armed attack (“agression armée“), may be classified as such if the accumulation of these attacks is of sufficient gravity. The 2019 and 2022 Manuel de Droit des Operations Militaires reiterated this position. France further specified that “accumulation” refers to either the effects of the attacks or the coordination and concert of the same originator or originators.

Similarly, the heads of State and government participating in the 2021 NATO Summit in Brussels, recognized in a Communiqué that, for the purpose of invoking Article 5 of the North Atlantic Treaty (and thus Article 51 UNC), “the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.”

The reluctance of States to meticulously define the gravity threshold of acts constituting a use of force and/or armed attack is not peculiar to modern warfare. What is unique, however, is the willingness to lower the gravity threshold of acts constituting a use of cyber force and/or a cyber armed attack below what would traditionally be covered by UNC Articles 2(4) and/or 51. Several States are inclined towards a holistic approach to establish the scale and effects of a given cyber operation, considering the overall context and the quantitative and qualitative effects produced. In this sense, relying on the AoET may be doubly helpful as it allows the quantitative and qualitative effects of a series of LICOs to be cumulated to draw a more faithful overall context.


As warfare evolves with developments in technology, States’ defense capabilities must similarly evolve, which entails both changing strategies and ensuring such changes are legal. While changing strategies is a creative matter for national politics, the second process follows a reverse course: once a new military strategy has been adopted, it has to fit into old traditional categories of international law.

Attempts to interpret Articles 2(4) and 51 UNC in a “connotative” way, and thus to widen the range of situations in which States are justified in using force, are as old as the UNC itself. Despite the banality of this statement, one would like to believe that these attempts confirm rather than weaken the rule. Moreover, by reviving the applicability of the AoET in cyberspace to address the problem of LICOs, one would like to believe that the international regulation of the use of force is being reborn rather than exhausted, destroyed (or killed).


Angela Morello is a Ph.D. candidate and research assistant at the Department of Legal Studies, International and European Law at the Paris Lodron University of Salzburg, Austria.




Photo credit: Lewis Carlyle