result in a significant loss of life, injury, destruction of critical infrastructure, or serious economic impact should be closely assessed as to whether or not they would be considered an unlawful attack or an act of war.”11 His statement affirms the reality that an assessment of what amounts to an act of war is “more a political judgement than a military or legal one.”12 Professor Michael Schmitt and Liis Vihul, the chief executive officer of Cyber Law International, state that war is a “historical term that no longer enjoys the normative meaning associated with it for centuries, when the fact that states were ‘at war’ or had engaged in ‘an act of war’ meant that certain bodies of law, such as the law of war and neutrality law, applied.”13 Instead, “the traditional understanding of war has fallen into desuetude, replaced by a complex admixture of legal concepts.”14
After World War II, a normative scheme in the form of the Charter of the United Nations (UN) was crafted by the international community. The charter, combined with customary international law norms, dictates how and when states may employ force.15 The rules applicable during warfare were also reexamined by the international community, which abandoned the need for a declaration of war as the threshold for the application of the law of war.16 Instead, this body of law was relabeled the “law of armed conflict,” commonly referred to as “international humanitarian law,” which applies whenever armed conflict occurs. The United States has interpreted “armed conflict” according to Common Article 2 of the 1949 Geneva Convention to include “any situation in which there is hostile action between the armed forces of two parties, regardless of the duration, intensity or scope of the fighting.”17 Therefore, by these standards, “the concept of armed conflict implies forceful acts at whatever level.”18 For cyber operations to satisfy the armed criteria of armed conflict, they would have to result in injury or death of persons or damage or destruction of property. A host of legal regimes provide the basis for the further interpretation of how international law is applicable to cyber operations.
Legal Regimes
Article 2(4) of the UN Charter prohibits the use of force “against the territorial integrity or political independence of any state.”19 Unlike the charter, no similar international convention exists today for cyber operations. The closest consensus treatise is the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (hereafter Tallinn Manual 2.0), written by lawyers, practitioners, and researchers, albeit primarily through Western perceptions, who called themselves the International Group of Experts. The aim of the Tallinn Manual 2.0 is to place existing international law, known as lex lata (the law as it exists), pertinent to cyber operations into statutory form.20 Rule 68 of the Tallinn Manual 2.0 decrees that “a cyber operation that constitutes a threat or the use of force . . . is unlawful.”21 The Cyber Act of War Act of 2016 introduced to Congress mirrors the US administration’s evaluation of a cyber operation “in terms of the use of force rather than acts of war.”22 It specifically asks the president to determine when an action in cyberspace constitutes an act of war by considering which effects may be equivalent to “an attack using conventional weapons, including with respect to physical destruction or casualties.”23 Harold Koh, a legal adviser at the Department of State, made this same correlation in 2012 by stating, “In analyzing whether a cyber operation would constitute a use of force, most commentators focus on whether the direct physical injury and property damage resulting from the cyber event looks like that which would be considered a use of force if produced by kinetic weapons.”24
Koh explained that if a cyberattack created the same physical consequences caused by dropping a bomb or firing a missile, that cyberattack should equally be considered a use of force.25 Likewise, the US Department of Defense (DOD) Law of War Manual delineates that cyber operations may constitute a use of force within the meaning of Article 2(4) if they “cause effects that, if caused by traditional physical means, would be regarded as a use of force under jus ad bellum,” the law of war governing the resort to force.26 Such cyber operations include those that “(1) trigger a nuclear plant meltdown; (2) open a dam above a populated area, causing destruction; or (3) disable air traffic control services, resulting in airplane crashes.”27 In addition, cyber operations that “cripple a military’s logistics systems” would qualify as a use of force,28 although “not every use of force rises to the level of an armed attack” according to the International Court of Justice.29
Michael Schmitt, who served as the general editor of the Tallinn Manual 2.0, says that while “it is clear that every an armed attack must at least amount to a use of force,” consistent with the approach of the International Court of Justice, “only the gravest uses of force are armed attacks.”30 Therefore, the qualification of a cyber operation as an armed attack “requires the resulting harm, or the harm that is intended to result, to reach a certain threshold of severity.”31 That threshold is measured in the scale and effects of the cyber operation. The International Group of Experts agreed that “a cyber operation that seriously injures or kills a number of persons or that causes significant damage to, or destruction of, property would satisfy the scale and effects requirement.”32 In contrast, they also concluded that cyber operations for intelligence gathering or theft, as well as cyber operations that “involve brief or periodic interruption of non-essential cyber services, do not qualify as armed attacks,”33 although Schmitt argues that states will treat cyber operations “with very severe consequences, such as the targeting of the state’s economic well-being or its critical infrastructure as armed attacks to which they are entitled to respond in self-defense.”34
Article 51 of the UN Charter demarcates “the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations.”35 The charter also recognizes the inherent right of states to use force in self-defense—which is a just cause for military action,36 though many constraints on self-defense exist. Rule 72 of the Tallinn Manual 2.0 declares, “A use of force involving cyber operations undertaken by a State in exercise of its right of self-defense must be necessary and proportionate.”37 Necessary implies that a use of force is needed to repel an imminent or ongoing attack. Proportionate limits the “scale, scope, duration and intensity” of the response.38 Once an armed attack is over, the right of self-defense ceases. However, if the victim state concludes that “its attacker intends to conduct further cyber operations at the armed attack level,” it may treat the operations as “an ongoing campaign against which it may take defensive action at any point.”39
Cyber operations that qualify as an armed attack certainly constitute an “internationally wrongful act.” However, numerous cyber operations that fall below the threshold of armed attack in this category of acts are unlawful. Rule 14 of the Tallinn Manual 2.0 defines an internationally wrongful act as “an action or omission that both (1) constitutes a breach of an international legal obligation applicable to that State; and (2) is attributable to the State under international law.”40 The first condition for a breach of an international legal obligation “may consist of a violation of a State’s treaty obligations, customary international law, or general principles of law.”41 Prominent examples of relevant customary norms that constitute internationally wrongful acts “are respect for sovereignty (Rule 4), the prohibition of intervention (Rule 66), and the prohibition of the use of force (Rule 68).”42 Rule 4 delineates that whether sovereignty has been violated by remote cyber operations depends on “two different bases: (1) the degree of infringement upon the target State’s territorial integrity; and (2) whether there has been an interference with or usurpation of inherently governmental functions.”43 Rule 4 explains that the first is based “on the premise that a State controls access to its sovereign territory . . . and the second on the sovereign right of a State to exercise within its territory ‘to the exclusion of any other State, the functions of a State.’”44
In regard to what
