This article is authored by Amisha Singla, second year student pursuing B.A.LLB. from Rajiv Gandhi National University of Law, Patiala, Punjab
In 2021, there were several sophisticated and serious cyber-attacks, the most of which were blamed on nation-state espionage groups looking to steal important data. This March, several zero- day vulnerabilities were detected in the Exchange mail server service of Microsoft. A conservative estimate states that the attack began in early January and more than 60,000 private companies and nine government agencies in US alone have fallen victim to it since then. A Chinese cyber espionage team has been blamed for the attack, which took advantage of flaws in Microsoft's email system to acquire data from the victims organization. In late May, even Belgium’s interior ministry announced that an intruder had accessed their entire computer system. Over the past many years, many countries have been the victim of such attacks. Cyber-attacks have increased in complexity and resiliency as a result of advances in information technology.
Use of Force under Cyber Attack
How cyberspace can be used to transfer threat of force? Stuxnet, considered world’s first cyberweapon and malware with the ability to infect Industrial Control Systems (ICS), was reportedly used by United States and Israel to target centrifuges at Iran’s uranium enrichment facilities outside Natanz. Launched in late June, 2009 via infected USB drives, Stuxnet resulted in loss of approximately 1000 centrifuges within five months. Regardless of how the malware is qualified, it is important to analyze the relation of such acts with the International Law Rules. Following the incident, it was discovered that the virus had propagated unintentionally and had infected more machines than had been anticipated. Considering the recent upsurge in cyber-attacks, it becomes a noteworthy point here that if malwares can be capable of causing physical destructions and functionality losses, can their presence be seen as a threat? Can a cyber operation, which does not itself use force, be considered a threat?
Do states have the authority to employ military action in the event of a cyber-attack? The United Nations Charter, Article 2(4), restricts member nations from threatening or using force against one another. However, it is widely assumed that it only restricts the use of armed force and not economic or political compulsion. In addition, the force must be unlawful (The International Court of Justice determined this in its Nuclear Weapons Advisory Opinion), and the threat may be implicit or explicit. In Nicaragua v. United States, the International Court of Justice (ICJ) found that the customary international law principle of non-intervention is coterminous with article 2(4) of the United Nations Charter, if involvement takes the form of "threat" or "use" of armed force. The scope of article 2(4) needs to be reinterpreted, with stronger states demanding expansive reading of the article because of the reason that cyber-attacks may act as a weapon of the weak, as cyber-attack could be much inexpensive and easy to launch than a conventional attack along with the added advantage of heavy reliance on computer networks by developed countries.
There are two exceptions to article 2(4)'s restriction on non-consensual "use" of force. Article 39 of the UN Charter empowers the Security Council to conduct collective security actions to reinstate international peace and security in the event of a "breach of peace" or "act of aggression." Article 51, which guarantees the right to justifiable self-defense against an armed attack, is another exception. A critical component is that the cyber-attack must be equal to an armed attack for a state to respond lawfully.
Cyber Attack as ‘Armed Attack’
The question of when a cyber-strike becomes an armed attack has been a source of debate among academicians. Certain violations of article 2(4) have not been considered ‘Armed Attacks’, and even the International Court of Justice has stated that modest invasions may be regarded as "frontier incidents," without triggering the right to self-defense. Only “most grave forms of use of force” shall be considered armed attacks.
Three points of view have developed from disputes about when a cyber-strike becomes an armed attack, allowing a state to use the principles of jus ad bellum for self-defense. The last technique, among the three techniques of the instrument-based, the target-based and the effects-based approach, is the most popular. This concept suggests that if a cyber-strike causes damage comparable to that of a kinetic attack, it is more likely to qualify the threshold.
One of the most prominent proponents of the effects-based theory is Professor Michael Schmitt (author of Tallin Manual), who proposed a legal framework (The Schmitt Analysis) in 1999 for determining when a state’s involvement in a cyber-attack be considered use of force. The model that he proposed consists of seven criteria representing major distinction between permissible (economic and political) and impermissible (armed) instruments of coercion. Though illuminating, the evaluation of these factors an imprecise and subjective. Such a wide-ranging enquiry is required for them, that they may not provide sufficient guidance to the analysts. Moreover, though these factors are treated as exhaustive, this was never intended by Schmitt.
Problems in Application of Jus Ad Bellum
When responding to a cyber-attack, a state must follow the standards of jus ad bellum. The concept of necessity dictates that force can only be used in self-defense if no diplomatic solution can be achieved via peaceful means, while the principle of proportionality dictates that force cannot be employed if its scope and intensity are greater than the state's immediate danger. Applying these principles in the context of cyber-attack can be challenging as cyber-attacks are often unpredictable in terms of both, the time taken to implement them as well as the damage that they can inflict upon the state. A small proportion of cyber-attacks can indeed be considered as armed attacks, giving rise to Article 51 self-defense. As a result, anticipatory self-defense is either impossible or extremely rare in this situation.
The International Court of Justice has held in Oil Platforms (Islamic Republic of Iran v. United States of America) that for a state to have the right to trigger self-defense, it is important that not only has an armed attack occurred but that the attack was done by another state. In case of a non- state actor, the “effective control test” shall be utilized which states that “if the insurgent group is so reliant on the State that the State has effective control over it, then it can be classified as an actor of the State.” It can be really challenging to establish a link between the state and the non-state actors. Also, there remains a possibility that the states can use such non- state actors to mask their own involvement in such operations.
As we have seen, the current laws are not adequate to meet the growing threat of cyber- attacks and legal reform at both international and domestic level is the need of the hour. A treaty at the international level to provide an exhaustive definition of cyber-attacks as well as the states should be empowered to self-defence in case of anticipation of a cyber-attack. Also, an agreement between states should be built under which they could share access to cyber related information with other member states.
The origin of cyber-attacks can also be difficult to determine and in most of the cases the source of a cyber-attack is impossible to trace. Therefore, it is also important that states should collectively work on developing technical capacities in this field. International Community should work together for the solution of this problem by designing new and more comprehensive laws.