
Online Warfare: The Applicability of International Law in Cyberspace

  • Merita Pergega
  • May 25

 

In 2016, NATO recognised cyberspace as the fourth operational domain of warfare after air, land and sea.[1] Cyberspace is being used increasingly by states for both defensive and offensive purposes. Therefore, it is necessary to establish how international law governs this domain, especially considering the particular complexity of cyberspace for issues of attribution, use of force and lawful responses.

 

What is cyberspace?


One of the main complexities with cyberspace as the fourth operational domain is defining its parameters. While land, sea and air all have clearly established borders, this is not the case for cyberspace. Additionally, there is currently no binding legal definition of cyberspace. However, some soft law instruments provide relatively authoritative legal definitions. The Tallinn Manual, which is a guide on the applicability of international law in cyberspace drafted by experts from the NATO Cooperative Cyber Defence Centre of Excellence, defines cyberspace as: “The environment formed by physical and non-physical components to store, modify, and exchange data using computer networks.”[2] Similar to the definition of an armed attack in the Geneva Conventions’ Additional Protocol,[3] a cyber attack is defined as: “A cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” These definitions imply that cyber attacks do not encompass all cyber operations. For instance, cyber espionage or jamming would not fall under the definition unless conducted in a particularly harmful way.[4]

 

Three main types of cyber operations can generally be distinguished. First, there are denial-of-service attacks. Such an attack makes a computer system unavailable to users by sending data that causes the network to crash. Second, there are control system attacks. These are not meant to destroy the computer’s operating system, but rather to change the data by using ‘worms’ or ‘viruses’ so that the illusion that the network is functional is maintained. Finally, there are information gathering attacks. As the name implies, these attacks essentially steal information and gather data.[5] In order to combat cyber operations pre-emptively, states may use passive cyber defences such as firewalls, anti-virus software, and intrusion detection or prevention systems. These generally do not qualify as cyberattacks.[6]

 

International law in cyberspace


Currently, the only treaties in cyberspace are the Budapest Convention on Cybercrime[7] and the EU Cybersecurity Act.[8] Additionally, the United Nations General Assembly (UNGA) adopted the United Nations Convention against Cybercrime in 2024, which aims to strengthen international cooperation in combatting cyber threats.[9] These conventions, however, are not aimed at governing interstate behaviour, but rather individual action in cyberspace. They include, for example, articles on the national measures to be taken against cyber offences. Therefore, these treaties represent a harmonisation of different national criminal laws, rather than rules on cyberattacks between states.

 

So, while there is no treaty specifically governing state action in cyberspace, there are some influential soft law instruments governing the area. Firstly, there is the previously mentioned Tallinn Manual drafted by NATO experts.[10] Secondly, the UNGA has adopted the UN Group of Governmental Experts’ (UNGGE) report on cybersecurity.[11] This report asserts that the UN Charter is fully applicable to cyberspace and also emphasises the relevance in cyberspace of key principles outlined in Article 2 of the UN Charter, such as sovereign equality, the applicability of human rights and the prohibition on the use of force. Although UNGA resolutions are non-binding recommendations, they still reflect the general opinion of the international community and may influence the creation of future treaties.


 

The lack of specific international law and jurisprudence in the area of cyberspace raises several important questions on how the United Nations Charter practically applies in cyberspace, especially regarding the attribution of cyberattacks, the equivalence of cyberattacks to the use of force and, finally, the responses to a cyberattack that are lawful under international law.[12]

 

Attribution in cyberspace


Considering the prevalence of non-state actors and the possibility of attacks from a distance, it becomes difficult to determine when an attack is attributable to a state in cyberspace. With cyberattacks, a state not only needs to prove that an attack has occurred and that damage has been caused, but also that the attack, even when performed by an individual, is attributable to a state.

 

The UNGGE report establishes two main guidelines in this regard.[13] Firstly, states must honour their existing legal obligations regarding attribution. This means that Article 8 of the Draft Articles on Responsibility of States for Internationally Wrongful Acts[14] applies equally in cyberspace. Therefore, an act is attributable to a state if it is carried out by the state or a state organ, or if a person or group of people is acting under the state's direction or control. If an individual hacker is acting independently, they will generally be tried under national criminal laws. Secondly, states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs. This means that if a state is aware its territory is being used to commit a wrongful act using ICTs, it must take all appropriate and reasonable measures to address the situation.[15]

 

While these two guidelines clarify the rules of attribution in cyberspace, they raise important questions about their practical applicability. Firstly, even with the physical use of force, it is difficult to determine when a state has effective control over a group of people; this is even more challenging in cyberspace since people are more easily anonymised. Secondly, it is difficult to determine what constitutes appropriate and reasonable measures and how a state may be sanctioned when it does not take these measures.[16]

 

Equivalence to the use of force


The second main issue in applying the UN Charter to the area of cyberspace concerns the applicability of Article 2(4), that is, the prohibition on the threat and use of force against the territorial integrity of a state.[17] Firstly, it is unclear how the principle of territorial integrity applies in cyberspace, due to its lack of physical characteristics. The UNGGE report clarifies that sovereignty and territorial integrity in cyberspace are closely tied to the physical ICT infrastructure within a state's borders.[18] In other words, states retain sovereignty over physical elements of cyberspace on their territory, but it remains unclear how state sovereignty relates to the non-physical parts of cyberspace. Secondly, it is unclear if and when a cyberattack can be considered equivalent to the use of force and whether it is therefore prohibited under the UN Charter. The UNGGE report maintains that states must also refrain from the use of force in their use of ICTs. However, the UNGA does not further clarify when the use of ICTs can be considered equivalent to the use of force. So far, there is a general consensus that the equivalence of a cyberattack to the use of force is measured through the effects-based doctrine. In other words, only if the effects of a cyberattack are equivalent to those caused by a physical attack will a cyberattack be considered prohibited under Article 2(4) of the UN Charter.[19] This approach, however, does not consider many other negative effects that a cyberattack may cause, such as the unavailability of important resources or the stealing of data.

 

Lawful responses to cyber attacks


Related to the difficulty of comparing cyberattacks to physical attacks is the question of which lawful responses a state may launch in response to a cyberattack. Under the UN Charter there are four possible responses to state action: self-defence, countermeasures, retorsion and UNSC aid. Firstly, in response to an armed attack, a state may defend itself according to Article 51 of the UN Charter.[20] However, because it is unclear whether a cyberattack can be considered equivalent to the use of force, it is also unclear whether a state can resort to self-defence in cyberspace.[21] Secondly, in response to an illegal act, a state may take countermeasures. An example of such an act would be a breach of the principle of non-intervention, which has been deemed to apply in cyberspace by the UNGGE report.[22] It is clearer how non-intervention could be applied in cyberspace, since intervening in both physical and digital state property would likely qualify as an intervention in a state’s internal affairs. The difficulty here mainly lies in determining whether non-cyber countermeasures, such as tariffs, are also allowed under the UN Charter. Moreover, the practical application of countermeasures would become difficult, considering the difficulties in attributing acts in cyberspace to specific states, especially since countermeasures may only be conducted by an injured State to induce or cause the responsible State to resume compliance with its international legal obligations. Thirdly, states may resort to retorsion, that is, measures that are considered lawful yet unfriendly, such as restricting diplomatic relations or severing economic and commercial cooperation. A state can take these measures at any time, and it is therefore likely that they are also allowed in cyberspace.[23] Finally, a state may request assistance from the UN Security Council (UNSC) under Article 39.[24] If the UNSC deems the situation to be a threat to peace, the state is then allowed to use force and request aid from the other UN states. This UNSC authorisation, however, has not yet been given in response to a cyberattack, so it is unclear how this would apply.

 

The Stuxnet attack of 2010


In order to illustrate these issues tied to cyberspace in practice, the 2010 Stuxnet attack on Iran’s nuclear facilities will be discussed. This attack can be considered a control system attack, since a worm known as Stuxnet damaged nearly 1,000 centrifuges in the facility by causing them to malfunction while maintaining the illusion of normal operations to Iranian engineers. While no state has officially claimed responsibility for this attack, it is often linked to the United States and Israel.[25] After Stuxnet, Iran never officially claimed to have taken any actions in response to the attack. However, several cyberattacks directed at the United States have been considered to be responses to the Stuxnet attack.[26]

This case shows how difficult it is to attribute a cyberattack to a state, given the difficulty of proving state involvement. Even years after the attack occurred, it is not certain who the responsible states were. Moreover, while the attack did not cause direct physical harm to people, it damaged infrastructure central to Iran’s national security. It remains unclear, however, whether this would be considered equivalent to the use of force. Finally, it is unclear which lawful responses Iran would have been allowed to take.

 

Conclusion


As illustrated in this article, the main instrument that governs state action in cyberspace is the UN Charter. While it is clear that the general principles the Charter conveys apply in cyberspace, there are uncertainties regarding their practical applicability. While states have issued individual statements on the applicability of international law in cyberspace,[27] a treaty or another authoritative legal statement is necessary to create more legal certainty in cyberspace by solidifying the necessary definitions and the practical applicability of the principles. Furthermore, future jurisprudence of the International Court of Justice might provide more clarity as regards the applicability of the current norms.

 

 

 


[1] NATO Cooperative Cyber Defence Centre of Excellence. (2016, July 21). NATO recognises cyberspace as a ‘domain of operations’ at Warsaw Summit. https://ccdcoe.org/incyder-articles/nato-recognises-cyberspace-as-a-domain-of-operations-at-warsaw-summit/

[2] Schmitt, M. N. (Ed.). (2017). Tallinn manual 2.0 on the international law applicable to cyber operations (2nd ed.). Cambridge University Press. https://doi.org/10.1017/9781316822524

[3] International Committee of the Red Cross (ICRC). (1977). Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the protection of victims of international armed conflicts (Protocol I), 8 June 1977. https://ihl-databases.icrc.org/en/ihl-treaties/api-1977

[4] Schmitt, M. N. (Ed.). (2017). Tallinn manual 2.0 on the international law applicable to cyber operations (2nd ed.). Cambridge University Press. https://doi.org/10.1017/9781316822524

[5] Stockburger, P. Z. (2016). Known unknowns: State cyber operations, cyber warfare, and the jus ad bellum. American University International Law Review, 31(3), 545–586. https://digitalcommons.wcl.american.edu/auilr/vol31/iss3/4

[6] Schmitt, M. N. (Ed.). (2017). Tallinn manual 2.0 on the international law applicable to cyber operations (2nd ed.). Cambridge University Press. https://doi.org/10.1017/9781316822524

[7] Council of Europe. (2001). Convention on Cybercrime (CETS No. 185). https://www.coe.int/en/web/cybercrime/the-budapest-convention

[8] European Parliament & Council of the European Union. (2019). Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act). Official Journal of the European Union, L 151, 15–69. http://data.europa.eu/eli/reg/2019/881/oj

[9] United Nations Office on Drugs and Crime. (2024, December 24). United Nations Convention against Cybercrime. https://www.unodc.org/unodc/en/cybercrime/convention/home.html

[10] Schmitt, M. N. (Ed.). (2017). Tallinn manual 2.0 on the international law applicable to cyber operations (2nd ed.). Cambridge University Press. https://doi.org/10.1017/9781316822524

[11] United Nations General Assembly. (2021, July 14). Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (A/76/135). https://documents.un.org/doc/undoc/gen/n21/075/86/pdf/n2107586.pdf

[12] Hollis, D. (2021, June). A brief primer on international law and cyberspace. Carnegie Endowment for International Peace. https://carnegieendowment.org/2021/06/14/brief-primer-on-international-law-and-cyberspace-pub-84819

[13] United Nations General Assembly. (2021, July 14). Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (A/76/135). https://documents.un.org/doc/undoc/gen/n21/075/86/pdf/n2107586.pdf

[14] International Law Commission. (2001). Draft articles on responsibility of states for internationally wrongful acts, with commentaries. Yearbook of the International Law Commission, 2001, Vol. II, Part Two. https://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf

[15] United Nations General Assembly. (2021, July 14). Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (A/76/135). https://documents.un.org/doc/undoc/gen/n21/075/86/pdf/n2107586.pdf

[16] Maintaining Peace and Security in Cyberspace: Multilateral Approach of the United Nations on Advancing Responsible State Behaviour in Cyberspace

[17] United Nations. (1945). Charter of the United Nations. https://www.un.org/en/charter-united-nations/

[18] United Nations General Assembly. (2021, July 14). Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (A/76/135). https://documents.un.org/doc/undoc/gen/n21/075/86/pdf/n2107586.pdf

[19] Von Heinegg, W. H. (2012, June). Legal implications of territorial sovereignty in cyberspace. In 2012 4th International Conference on Cyber Conflict (CYCON 2012) (pp. 1–13). IEEE. https://doi.org/10.1109/CYCON.2012.6334192

[20] United Nations. (1945). Charter of the United Nations. https://www.un.org/en/charter-united-nations/

[21] Schmitt, M. N. (Ed.). (2017). Tallinn manual 2.0 on the international law applicable to cyber operations (2nd ed.). Cambridge University Press. https://doi.org/10.1017/9781316822524

[22] United Nations General Assembly. (2021, July 14). Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (A/76/135). https://documents.un.org/doc/undoc/gen/n21/075/86/pdf/n2107586.pdf

[23] Henyka, C. (2022). Maintaining peace and security in cyberspace: Multilateral approach of the United Nations on advancing responsible state behaviour in cyberspace. Cyber Conflict and International Relations: A Comprehensive Analysis of Cyber Deterrence Strategies in Contemporary Geopolitics. https://www.researchgate.net/publication/378334428_Cyber_Conflict_and_International_Relations_A_Comprehensive_Analysis_of_Cyber_Deterrence_Strategies_in_Contemporary_Geopolitics 

[24] United Nations. (1945). Charter of the United Nations. https://www.un.org/en/charter-united-nations/

[25] Farwell, J. P., & Rohozinski, R. (2011). Stuxnet and the future of cyber war. Survival, 53(1), 23–40. https://doi.org/10.1080/00396338.2011.555586

[26] Ameli, S. R., Hosseini, H., & Noori, F. (2019). Militarization of cyberspace, changing aspects of war in the 21st century: The case of Stuxnet against Iran. Iranian Review of Foreign Affairs, 10(29), 99-136.

[27] Foreign, Commonwealth & Development Office. (2021, May 3). Application of international law to states’ conduct in cyberspace: UK statement. UK Government. https://www.gov.uk/government/publications/application-of-international-law-to-states-conduct-in-cyberspace-uk-statement/application-of-international-law-to-states-conduct-in-cyberspace-uk-statement ; Government Offices of Sweden. (2022). Sweden’s position paper on the application of international law in cyberspace. https://www.government.se/contentassets/3c2cb6febd0e4ab0bd542f653283b140/swedens-position-paper-on-the-application-of-international-law-in-cyberspace.pdf ; Global Affairs Canada. (2022, April 28). International law applicable in cyberspace. Government of Canada. https://www.international.gc.ca/world-monde/issues_development-enjeux_developpement/peace_security-paix_securite/cyberspace_law-cyberespace_droit.aspx?lang=eng#a2; Ministry for Europe and Foreign Affairs (France). (2021). France’s position on international law applied to cyberspace. https://documents.unoda.org/wp-content/uploads/2021/12/French-position-on-international-law-applied-to-cyberspace.pdf.

 

 



© 2024 by ASA International Law.
