Cyber Conflict and International Law
This article provides a brief overview of the international principles and standards applicable to cyber conflict. The main assumption is that globalization and technological development have changed the international order. These changes affect the nation states and principles and standards established to regulate their relations. The existing international law has limited applicability to regulate potential cyber conflict. Therefore, the International Community must take further steps to prevent these challenges.
Globalization and technological development have challenged the concept of order that has underpinned the modern era[1]. The interconnectivity and interdependence in cyberspace involve all walks of life from international politics and global economics to individual citizens[2]. As a result, we witness rapid changes in the nature of states; economic disproportion that undermined political structures; and breeds challenges to effective mechanisms for the Great Powers to consult and possibly cooperate on the most consequential issues. The 2018 World Threat Assessment[3] of the US Intelligence community states that:
“The potential for surprise in the cyber realm will increase in the next year and beyond as billions more digital devices are connected—with relatively little built-in security—and both nation states and malign actors become more emboldened and better equipped in the use of increasingly widespread cyber toolkits”.
Both state and non-state actors abusing cyberspace challenge the meaning of national borders and the traditional concepts of military and civilian security.
Many states approach cyberspace only from a technological perspective. In reality, cyberspace activities have already had and will continue to have an ever-greater impact across the spectrum of political, security, economic and social aspects of society. The cyber power has thus become a game changer. Both state and non-state actors abusing cyberspace challenge the meaning of national borders and the traditional concepts of military and civilian security. These asymmetric capabilities provide an opportunity for inferior actors (both state and non-state) to challenge the national security calculus of mightier opponents and to neutralize their advantages. The ability to undermine traditional borders and to blur the line between law enforcement and military responsibilities provide an advantage against the states obligated to abide by international principles and standards that ensure international peace and security. Thus, cyber aspects, among others, should be reflected in both national and international law.
International legal aspects to secure peace and security from cyber threats
In the most general terms, International law is the set of rules generally regarded and accepted as binding in relations between states and international organizations that they have formed[4]. It serves as a framework for the practice of stable and organized international relations[5]. For the purpose of this debate, one of the ways to systematize the principles and standards that ensure international peace and security is to divide it into 4 different categories. These categories are:
- Ius contra bellum (principles and standards that urge nation states to resolve disputes in a peaceful manner)[6]
- Ius ad bellum (principles and standards that define the threshold before nation state(s) or international organization can use force as an instrument to resolve disputes)
- Ius in bello (principles and standards that regulates the conduct of hostilities and protection of the participants in conflict)
- Ius post bellum (principles and standards that regulate the termination of hostilities and transitioning from conflict to peace)
This analogy follows the international politics (diplomatic activities) and efforts in this context. Namely, the so-called preventive diplomacy reflects the ius contra bellum regulations. Consequently, the ius ad bellum reflects conflict management in diplomacy; ius in bello reflects the conflict resolution efforts in diplomacy; and ius post bellum reflects the diplomatic and additional set of activities for the transition from conflict to peace.
The military, as an instrument of national power, follows political decisions and acts in accordance with the rules of law in achieving strategic ends. Consequently, the operational wisdom has developed phases in planning of the military operations that reflects the accomplishment of the political objectives and end-states that reflect this systematization. Therefore, the US for example (and this has been a leading principle for many other nations) has developed phases of the military operations planning process that reflects the above described reality[7].
It is not clear whether existing principles and standards of the international law regarding the use of force are applicable to cyber conflict or not.
Unlike activities in physical space that are more or less framed and regulated by these phases (principles and standards, diplomatic activities and military operations, accordingly) cyberspace activities blend these phases together and challenge appropriate responses. Tied by these principles and standards and obligations to respect basic democratic ideas, states usually face challenges in terms of appropriate risk assessment and response. Hence, operational and legal challenges follow the contemporary military operations in response to cyber threats.
Even though some state and organizations have vocally reaffirmed readiness to use force in response to cyber-attacks, the legal community is not united on this matter. More precisely, it is not clear whether existing principles and standards of the international law regarding the use of force are applicable to cyber conflict or not. Furthermore, among those who have agreed to this applicability, there are disagreements over which cyber-attacks could trigger the applicability of international law of armed conflict (ILOAC) as a legal framework to launch a military response. Regardless of these debates, we will provide a brief overview of the existing principles and standards of international law that could apply to a potential cyber conflict.
Contra bellum and cyber threats
The cornerstone of the law against the use of force is set in article 2(4) of the United Nations Charter. According to this provision: “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations” (The Charter of the United Nations, 1945). According to some views, the International Law Commission considered Article 2 of the UN Charter as expressing fundamental rights and duties of States[8]. Summarising the different treaties, declarations and drafts, Katharina Ziolkowski collated the catalogue of the fundamental rights and duties of States applicable to our context of interest[9]. In the same vein, the Friendly Relations Declaration could be seen at first sight as reflecting fundamental rights and duties of States[10]. Although all of these regulations and principles remain valuable, the practice shows that states also believe that the ius contra bellum legal framework could be built from the bilateral engagement.
Ad bellum aspects of potential cyber conflict
Force in response to cyber-attacks could be used either under the framework of self-defense prescribed under Article 51 or after UN Security Council authorization under the Article 42.
Under the existing international law, states could only use force as an exception to the general prohibition defined under Art 2(4) from the UN Charter. Legally, this could be done either under the framework of self-defense prescribed under Article 51 or after UN Security Council (UNSC) authorization under the Article 42. Accordingly, this means that states could use force in self-defense and in accordance with the UNSC Resolution to protect their civilians and property from cyber conflict.
The ad bellum threshold to use force legally under Article 51 in order to protect civilians and their property require state to prove that:
(1) the cyber-attack(s) meets the standards of an armed attack;
(2) the cyber-attack is attributable to the state where the self-defense is being carried out
(3) the use of force carried in self-defense is “necessary” and “proportional”
Furthermore, the victim state must attribute the illegal cyber-attack(s) directly and conclusively to another state or agents under that state’s direct control.
In bello and cyber conflict
Four Geneva Conventions of 1949, their Additional protocols I (June 8, 1977), II (June 8, 1977) and an Additional protocol III of 2005 and customary principles build the ius in bello.
The ius in bello is a part of the international law that regulates how parties engaged in conflict should behave. It means that once that ius ad bellum threshold is met, the ius in bello starts to apply. Four Geneva Conventions of 1949, their Additional protocols I (June 8, 1977), II (June 8, 1977) and an Additional protocol III of 2005 and customary principles build the ius in bello. These documents distinguish between the two forms of armed conflict, international and non-international.
The recent practice showed that attacks against civilians and their property could be:
(1) state-mounted attacks;
(2) state-sponsored attacks using non-state actors;
(3) state-tolerated attacks using non-state actors;
(4) attacks by non-state actors with no state involvement.
Regardless of whether these attacks will take place independently or as part of the future hybrid conflict, ius in bello will apply in protecting civilians and their property. In this context, confronting parties are entitled to try to win. However, they do not have unlimited liberty to do anything that is, or seems, necessary to achieve a victory, which is important for civilians and their property protection[11]. The limitations start once the conflict begins and are predetermined by the provisions, standards and principles of the ius in bello.
There are four fundamental principles that underlie ius in bello. These principles that protect civilians and their properties (or draw the framework for such protection) are:
- the principle of military necessity (military operations must be intended to assist in the military defeat of the enemy and must serve a concrete military purpose);
- the principle of humanity (prohibits violence to life and person - including cruel treatment and torture, the taking of hostages, humiliating and degrading treatment, and execution without regular trial against non-combatants, including persons hors de combat or outside of combat who are wounded, sick and shipwrecked);
- the principle of distinction (military operations may be conducted only against ‘military objectives’ and not against civilian targets);
- the principle of proportionality (the expected incidental loss of civilian life, injury to civilians or damage to civilian objects must not be disproportionate to the anticipated military advantage).
Post bellum of cyber conflict
The victim state must attribute the illegal cyber-attack(s) directly and conclusively to another state or agents under that state’s direct control.
The very idea of the principles that entrenched the ius post bellum protection of civilians and their property is based on the so0called “Conservation Principle”. This principle prohibits major changes in the legal, political, economic, or social institutions of the occupied territory. If hypothetically, cyber conflict occurs, then all the regulations, principles and standards of the law of occupation will apply.
Conclusion
So far there are no principles and standards developed exclusively to regulate potential cyber conflict. This is why the International Community should take serious efforts to enhance existing regulations with regards to the use of force and protection of the civilian populace.
[1] Henry Kissinger, The World Order, Penguin Books, 2014
[2] Aapo Cederberg, Future Challenges in Cyberspace, GCSP Policy Paper 2015/4 - April 2015, p.1, accessed March 18, 2018 at:
[3] Daniel R. Coats, World threat assessment of the US Intelligence community, Statement for the record, The US National Intelligence, February 15, 2018,
[4] The term was first used by Jeremy Bentham in his "Introduction to the Principles of Morals and Legislation" in 1780. See: Jeremy Bentham, Introduction to the Principles of Morals and Legislation, London: T. Payne, p. 6, accessed 18.03.2018 at: http://gallica.bnf.fr/ark:/12148/bpt6k93974k/f40.image.r=.langEN
[5] William Slomanson, Fundamental Perspectives on International Law, Boston, (2011), USA: Wadsworth. pp. 4–5.
[6] Raphael Van Steenberghe, “The Law against War or Jus contra Bellum: A New Terminology for a Conservative View on the Use of Force?”, Leiden Journal of International Law, 2011, Vol 24 Issue 3, pp.747-788). Retrieved March 18, 2018 from: https://www.cambridge.org/core/journals/leiden-journal-of-international-law/article/law-against-war-or-jus-contra-bellum-a-new-terminology-for-a-conservative-view-on-the-use-of-force/4A208739690A4E283095CB29587EC279
[7] Joint Chiefs of Staff, Joint Operations, Joint publication, 3-0, IV28-IV29
[8] Koskenniemi M., (2006), Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law (Report of the Study Group of the International Law Commission, UN Doc No A/CN.4/L.682, 13 April 2006ILC (n 76), p 140
[9] According to her study these are the principles that could be applicable in protecting civilians and their properties while preventing cyber conflicts: equal sovereignty, independence, jurisdiction, non-intervention, refrain from (threat or) use of force, self-defence (also in the broader term of self-preservation), peaceful settlement of disputes, mutual respect of the rights of all, immunity of ambassadors, pacta sunt servanda, good faith, (respect for human rights and fundamental freedoms). See more in: Katharina Ziolkowski, (ed.), (2013), Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy, NATO CCD COE Publication, pp 153
[10] Carbone M S. and Schiano de P. L., (2008 ), States, Fundamental Rights and Duties, The Max Planck Encyclopedia of Public International Law, Oxford University Press, online edition [www.mpepil.com]
[11] Michael Walzer, (1997), Just and Unjust Wars: A Moral Argument with Historical Illustrations, 2nd Edition. (New York: Basic Books), 4th Edition (2006)