Introduction
In the digital age, the increasing prevalence of cyber-attacks has challenged the traditional understandings of international law, particularly the principles governing the use of force and self-defence. “A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” Unlike conventional warfare, cyber-attacks present unique legal difficulties because they can be launched anonymously, cross borders instantly, and cause significant harm without the use of physical force. These characteristics make it difficult to apply existing international laws, which were primarily designed for traditional military conflicts.
The ambiguity in applying UN Charter provisions, such as the prohibition on the ‘use of force’ under Article 2(4) and the right to self-defence against an ‘armed attack’ under Article 51, creates a critical gap in the legal framework. This legal uncertainty is significantly widened by the rise of non-state actors, such as ‘individuals, organised groups, and terrorist organisations,’ who have emerged as major threats to global security by disrupting critical infrastructure and threatening state sovereignty (rule 10). These actors directly challenge the traditional doctrine of state responsibility, which holds a state accountable for a non-state group’s actions only if it exercises “effective control” over that group’s operations. Cyber-attacks fundamentally disrupt this standard, as the inherent anonymity of cyberspace makes it exceptionally difficult to attribute an attack to a specific group, let alone prove a state was directly controlling it. This creates a dangerous accountability gap, allowing a host state to tolerate or provide passive support to malicious cyber activities originating from its territory while avoiding direct legal responsibility under this high legal threshold.
Cyber-attacks are going to be one of the most dangerous weapons in the future. They can be used by one state against another state to disrupt its economy or its defence system. The Russia-Ukraine conflict provides a clear case study. For instance, in 2015, a sophisticated cyber-attack on Ukraine’s power grid successfully shut down electricity for hundreds of thousands of civilians in the middle of winter. Under the UN Charter, Ukraine clearly has the right to self-defence against a physical attack on its power grid, but in the case of a cyber-attack that achieves the exact same result, what are the remedies available? The issue becomes even more complex if Ukraine were attacked by a terrorist group operating in Russia; what actions could Ukraine take against it, considering that terrorist groups are not part of the United Nations?
This piece will examine whether cyber-attacks by non-state actors can be classified as a use of force under Article 2(4) of the UN Charter (see here). It does so by first exploring whether a cyber-attack can be classified as a use of force in international law; second, examining the state’s right to self-defence under Article 51 of the UN Charter. A central focus will be on the problem of attribution, which complicates the application of these traditional laws to anonymous, cross-border cyber threats. By addressing these aspects, the piece will explore the evolving discourse on cyber operations, state sovereignty, and international law.
Cyber-Attack – a Use of Force?
The question of whether cyber-attacks can be classified as ‘use of force’ under international law, particularly Article 2(4) of the UN Charter, is an evolving issue. To determine this question, we must first consider what constitutes force. Since the UN Charter does not define the term, interpretation often relies on an ‘effects-based’ approach. This means an action is evaluated based on the severity of its consequences, rather than the specific instrument used, focusing on criteria such as the scale of disruption and whether it causes physical damage or injury. This includes actions that undermine a state’s territorial integrity or political independence, or are otherwise inconsistent with the purposes of the United Nations.
The historical interpretation of this provision focused primarily on armed attack. Nicholas Tsagourias, in his paper, argued that the determination of armed attack depends on the gravity of its effects rather than the means used to carry it out. This effects-based test considers criteria such as the severity of the disruption, its scale and duration, and whether it causes physical damage or injury (see here). This perspective is particularly relevant in the case of cyber-attacks, as they do not necessarily involve physical violence but may incur significant harm, such as the disruption of critical infrastructure, economic damage, or loss of life (see here). Although cyber-attacks can cause significant disruption, they may not always rise to the level of an armed attack as defined in Article 2(4) of the UN Charter.
To illustrate this in practice, consider Estonia, which in 2007 faced a massive distributed denial of service (DDoS) cyberattack that crippled its government, banking, and media systems, causing widespread disruption. In this case, there was no human or material damage, and the disruption was tolerable and manageable (see here). Therefore, the Estonian cyberattacks in 2007 do not meet the criteria of an armed attack as they did not cause enough damage to be classified as a use of force. The absence of physical harm, along with the relatively controllable impact of such disruptions, means these attacks do not meet the gravity threshold necessary to invoke the legal framework for self-defence or justify a military response.
In contrast, other incidents have demonstrated that cyber-attacks possess the potential to cause physical damage, bringing them much closer to the threshold for a use of force. The Stuxnet worm, discovered in 2010, is a prime example; it was specifically designed to cause physical destruction by manipulating industrial control systems at an Iranian nuclear facility, ultimately destroying roughly 1,000 centrifuges (see here). Similarly, the cyber-attacks on Ukraine’s power grid in 2015 used malware to remotely open circuit breakers, causing power outages for approximately 225,000 consumers in the middle of winter (see here).
The above cases demonstrate how the effects-based approach has limited applications, particularly in cases involving cyber-attacks that do not escalate to the level required to meet the gravity threshold under Article 2(4). A significant limitation of this approach is that it fails to address repeated low-intensity cyber-attacks by non-state actors. When such attacks are conducted multiple times with small-scale effects, they may not individually qualify as a “use of force” under Article 2(4) but can cause harm to the state in the long run. This shows that the current legal focus on single, high-damage events is not sufficient for cyber threats. This issue raises concerns regarding the effects-based approach and whether it is adequate in addressing cyber threats under international law.
This raises an important question of whether a cyber-attack can constitute an ‘armed attack’ under international law, particularly Article 51 of the UN Charter. Armed attacks include not only single or discrete incidents but also a series of attacks that cumulatively cause significant harm (see here). An armed attack must have a trans-border element, meaning that its effects or origins extend across national boundaries. Cyber-attacks, as discussed earlier, can satisfy both criteria, as they may involve discrete incidents or a series of low-intensity incidents that collectively cause significant damage. Also, the International Group of Experts clarified that an armed attack does not necessarily require military force (rule 13). Cyber-attacks, despite their non-physical nature, can have effects comparable to conventional armed force and can, therefore, qualify as armed attacks.
Right to Self-Defence
Article 51 of the United Nations Charter explicitly recognizes the inherent right of states to exercise individual or collective self-defence in response to an armed attack. This right is not affected by the provisions of the Charter, ensuring that states retain the ability to protect their sovereignty in the event of an aggression.
Now the question is whether a state that has been the target of a cyber-attack can invoke Article 51 of the UN Charter and exercise its right to self-defence. As discussed earlier, a cyber-attack can be considered an armed attack depending on its effects. However, the problem arises when the attack is carried out by non-state actors. Since non-state actors are not members of the United Nations, the provisions of the UN Charter do not directly apply to them.
To address this issue, international law establishes a core principle that a state must ensure that its territory is not used for activities that harm the rights of other states (see here), and more specifically, that its territory is not used for military acts against another State (see here). This duty of due diligence imposes international responsibility on the state if it tolerates or fails to prevent such harmful acts (see here). In the case of Congo v Uganda, the ICJ held that toleration by a State of non-State actors who go on to mount an attack on another State can give rise to a right of self-defence. Two criteria must be met for self-defence: necessity and proportionality (see here and here).
Applying the same reasoning to cyber-attacks, if a victim state can establish that a state had tolerated or failed to prevent a cyber-attack launched by non-state actors from within its territory, that state violates its international obligations and exposes itself to accountability. This legal standard is the status quo, but its application to cyberspace is profoundly difficult for a specific reason, i.e., the problem of attribution. The anonymity of attackers makes it nearly impossible for a victim state to prove that a host government knowingly tolerated an attack, allowing that government to claim plausible deniability. Under international law, the principle of due diligence obliges a state to undertake reasonable steps to prevent its territory from being used to harm other states.
In the case of cyberattacks, this includes monitoring, regulating, and preventing malicious activities conducted by non-state actors within its jurisdiction. If a state fails in this duty, it bears international responsibility for the harm caused. This is particularly important in cyber operations, where actors exploit the anonymity and global reach of cyberspace to inflict harm on other states. Therefore, the victim state, in its response, may invoke the right to self-defence under Article 51 of the UN Charter, following the principles of necessity and proportionality.
Conclusion
Cyber-attacks can harm states without the use of any physical force. They pose a unique challenge to the conventional framework, i.e., the UN Charter. The evolving nature of cyber threats, particularly when executed by non-state actors, raises significant and complex questions about the applicability of provisions of the UN Charter such as Article 2(4) and Article 51. In the preceding sections, the limitations of the effects-based approach have been discussed. To sum up, the effects-based approach has limited application in addressing repeated low-intensity cyber-attacks by non-state actors. While an individual attack may not meet the threshold for a use of force, the cumulative effect of such a campaign can cause significant harm to a state in the long term.
One possible solution for this issue is a cyber-attack framework or treaty in international law that directly addresses cyber-attacks and their implications under international law. This is necessary because current doctrines struggle to address the unique challenges of attribution and non-physical harm. The framework could include an evaluation pattern for cumulative damages, which would address the current law’s failure to handle repeated, low-intensity cyber-attacks. It would also need to clarify the necessary conditions that may allow the victim state to invoke its right to self-defence, specifying that a major attack on critical infrastructure can meet the required gravity threshold. Most importantly, it must impose stronger obligations on states to prevent malicious cyber activities by moving beyond the high bar of the effective control test. Instead, it should establish a clear due diligence standard, holding a state responsible if it knowingly fails to act against hostile actors on its territory. This framework or treaty would provide victim states a clear legal mechanism to respond to cyber threats while assigning accountability to the state from which the cyber threat has been launched.
Another possible solution is that states could apply the principles of proportionality and necessity in cyber-attacks. This means taking into account not only the immediate impact of each cyber-attack but also assessing cumulative damage in the long term. This approach would enable a more flexible and effective response to cyber threats while temporarily addressing the drawbacks of the effects-based approach.
Nishant Kumar is a third-year B.A. LLB student at National Law School of India University, Bangalore, with a keen interest in public and private international law, criminal justice, and socio-legal studies.
Picture Credit: Mika Baumeister/Unsplash
