AS guaranteed by the UN Charter, a state always has the natural right to defend itself in case of an armed attack. Meaning, if the scale and consequences of the use of force against a state reaches the level of an armed attack, then the victim state may use force to defend itself.
Cyber operations are now a key element of modern warfare and an increasing focus of militaries around the world. The question is: when is a cyber attack an act of warfare? A cyber law pioneer on the subject is Tallin Manual 2.0, a product of NATOs Cooperative Cyber Defense Centre of Excellence (CCDCOF) in Tallin, Estonia, which analyzes how international law as it currently stands applies to cyber operations. According to the manual, for a cyber attack to reach the level of an armed attack, the consequences of the attack need to be comparable to those of a kinetic attack. Thus, if a cyber operation seriously injures or kills a number of people or causes significant damage to or destruction of property, it would, under international law, be considered an armed attack. It does not matter whether it is directed against military or civilian personnel or against public or private properties.
A classic theoretical example is when cyber weapons as tools or viruses are used and accidentally cuts power to a hospital or medical center endangering civilian lives. Another example is a cyberattack on a country’s banking system. If the attack resulted in grave physical damage, then such is an armed attack although, at the moment, consequence as mentioned remains unreported.
The reality of a cyber attack could, perhaps, be illustrated by the reported incident in Iran where a bug wreaked havoc on Iranian uranium centrifuge operations which became widely known because the bug proliferated broadly beyond the Iranian system but did not have an impact on systems outside the country’s nuclear program due to the fact that the effects were specifically targeted. This example demonstrates that cyber weapons are still incredibly new compared to the more conventional warmaking counterparts.
The Tallin Manual 2.0 mentions that cyber operations have become part of modern warfare and are therefore governed by the law of armed conflict. In connection therewith, what comes to mind are the principles of necessity and proportionality in the law of war which asks whether the amount of force required to repel the armed attack outweighs the anticipated collateral damage to civilian objects and non- combatants. Maarja Nagel of NATOs law branch of its CCDCOF believes a cyber attack could be met by ‘countermeasures,’ a form of self-help in international law, allowing a state to respond by taking actions that would, under normal circumstances be contrary to international law. “There are, however, strict limitations placed on countermeasures and they must be aimed at inducing the other state to resume lawful behavior, rather than as a punishment or revenge. They must also be proportionate.” Economic sanctions or expulsion of the responsible state’s diplomats are examples. So, too, is suspension of exchange of information or cooperation between national computer emergency response teams.
There are experts from the military, however, who consider cyberspace as the “fifth domain” of warfare after land, sea, air and space. But others are of the view that the latter are “inherently geographical” while the cyber domain is not. Cyber operations could be used to conduct large-scale espionage or subversion which are hardly new elements in the world of defense. “Weapons systems, decision-making systems are increasingly cyber- and artificial intelligence-enabled and cannot be considered as a fifth domain somehow distinct from others because that is not really how it works.” In other words, the digital frontline is not (yet) a warfare domain.
Besides, there are indeed areas of ambiguity in international law that need clarity in order to do legal adjustments. Cyber operations vis-à-vis the law of armed conflict is one of them. Much depend on practice or the process through which international law is interpreted and further developed via actual behavior of states.
As cyber warfare matures and types of attacks evolve and become a threat with increasingly local ramifications, the often quoted Martens Clause in international la—which provides that where the law of war does not address a particular case, reference should be to the “rule of the principles of the law of nations, as they result from usages established among civilized people from the laws of humanity and the dictates of public conscience”—still expects equal application among states in the 21st century.