Skip to main content

Proceedings of a Workshop on Deterring Cyberattacks Informing Strategies and Developing Options for U.S. Policy (2010) / Chapter Skim
Currently Skimming:

Cyber Operations in International Law: The Use of Force, Collective Security, Self-Defense, and Armed Conflicts--Michael N. Schmitt
Pages 151-178

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.


From page 151...
... 1 The incident began with rioting incited by ethnic Russian cyber agitators in response to the government's decision to move a Soviet war memorial from the center of Tallinn to a military cemetery on the outskirts of the capital. Subsequent actions included direct cyber attacks against Estonian targets, including government and commercial Internet infrastructure and information systems such as the those of the President, Prime Minister, Parliament, State Audit Office, ministries, political parties, banks, news agencies, and Internet service providers.
Read the entire page →
From page 152...
... This article explores the contemporary international law governing cyber operations. In particular, it asks four questions, which together have supplanted the previous notion of "war": (1)
Read the entire page →
From page 153...
... Of course, only those threats of a use of force that would otherwise be unlawful qualify.10 For instance, threatening destructive defensive cyber attacks against another State's military infrastructure if that State unlawfully mounts unlawful crossborder operations would not breach the norm. However, threats of destructive cyber operations against another State's critical infrastructure unless that State cedes territory would do so.
Read the entire page →
From page 154...
... Accordingly, cyber operations that directly result (or are likely to result) in physical harm to individuals or tangible objects equate to armed force, and are therefore "uses of force." For instance, those targeting an air traffic control system or a water treatment facility clearly endanger individuals and property.
Read the entire page →
From page 155...
... Therefore, one can only speculate as to future State practice regarding the characterization of cyber operations. Over a decade ago, this author identified a number of factors that would likely influence assess ments by States as to whether particular cyber operations amounted to a use of force.
Read the entire page →
From page 156...
... In other words, acts which are not forbidden are permitted; absent an express prohibition, an act is presumptively legitimate.25 For instance, it is well accepted that the international law governing the use of force does not prohibit propaganda, psychological warfare or espionage. To the extent such activities are conducted through cyber operations, they are presumptively legitimate.
Read the entire page →
From page 157...
... The criteria are admittedly imprecise, thereby permitting States significant latitude in characterizing a cyber operation as a use of force, or not. In light of the increasing frequency and severity of cyber operations, a tendency towards resolving grey areas in favor of finding a use of force can be expected to emerge.
Read the entire page →
From page 158...
... took a different tack in the tadic case, where it held that the authority of the government of the Federal Republic of Yugoslavia over the Bosnia Serb armed groups "required by international law for consid ering the armed conflict to be international was oerall control going beyond the mere financing and equipping of such forces and involving also participation in the planning and supervision of military operations."32 It is essential to note that although the Tribunal expressly rejected the higher nicaragua threshold of effective control, the technical legal issue was not State responsibility, but rather the nature of the armed conflict. Thus, while tadic brings nicaragua into question by proffering a lower threshold, it does not necessarily supplant the effective control test.
Read the entire page →
From page 159...
... In the absence of any specific requirement of a mental element in terms of the primary obligation, it is only the act of a State that matters, independently of any intention. 39 Remedies for violation In the event of State responsibility for an unlawful act, the victim-State is entitled to reparation, which can take the form of restitution, compensation, or satisfaction.40 With regard to cyber operations amounting to a use of force, compensation could be claimed for any reasonably foreseeable physical or financial losses.
Read the entire page →
From page 160...
... The scope of the phrase "threat to the peace, breach of the peace or act of aggression" has been the subject of much attention in international law. Breach of the peace would seemingly require the outbreak of violence; cyber operations harming individuals or property would reasonably qualify, but whether those falling short of this level would do so is uncertain.
Read the entire page →
From page 161...
... Given the qualifier "armed force," opera tions resulting in physical harm to persons or objects could not be authorized pursuant to Article 41. Should the Council determine that Article 41 measures are proving ineffective, or if before autho rizing them it decides that such measures would be fruitless, it may, pursuant to Article 42, "take such action by air, sea, or land forces as may be necessary to maintain or restore international peace and security." The reference to operations by "air, sea, or land forces" plainly contemplates forceful military action, although a Security Council resolution authorizing the use of force will typically be framed in terms of taking "all necessary measures." To the extent that military force can be authorized, it is selfevident that cyber operations may be as well.
Read the entire page →
From page 162...
... Therefore, if the Council were to endorse specific defensive or offensive cyber operations under Article 42, it would be wholly dependent on the willingness of States to provide the necessary cyber assets and forces to execute them. Finally, it must be recalled that the entire UN collective security system depends on the readiness of the five Permanent Members of the Security Council (P5)
Read the entire page →
From page 163...
... In light of the difficulties of identifying the source of a cyber operation, this cautious two-tiered system is especially appropriate in the cyber context. It is important to emphasize, however, that once it is established that an armed attack has occurred, no authorization from the Security Council is necessary before defensive actions, including those involving destructive cyber operations, may be mounted.
Read the entire page →
From page 164...
... Cyber operations that accompany military action otherwise constituting an armed attack have no bearing on the nature of the attack. For instance, cyber attacks would likely be conducted against enemy command and control or air defense systems as an element of a broader military operation.
Read the entire page →
From page 165...
... 65Acceptance of the standard is not universal. For instance, Professor Yoram Dinstein argues against its existence, suggesting instead that such actions are better seen as "interceptive self-defense." He notes that "an interceptive strike counters an armed attack which is in progress, even if it is still incipient: the blow is ‘imminent' and practically ‘unavoidable.' " Dinstein, supra note 62, at 191.
Read the entire page →
From page 166...
... The decision may be evidenced by, for example, prepara tory cyber operations amounting to a demonstration of "hostile intent." 73 Moreover, the circumstances must be such that the pending attack has to be responded to immediately if the victim-State is to have any reasonable hope of fending it off. Consider a State's introduction of cyber vulnerabilities into another State's critical infrastructure.
Read the entire page →
From page 167...
... Similarly, if active cyber operations not rising to the level of force are adequate to deter armed attacks (prospective or ongoing) , forceful alternatives, whether cyber or kinetic, would be barred.
Read the entire page →
From page 168...
... An analogous standard of reasonableness would apply in the case of anticipatory self-defense against an imminent cyber attack. International law does not require either certainty or absolute preci sion in anticipating another State's (or non-State actor's)
Read the entire page →
From page 169...
... 81 Nicaragua, supra note 12, ¶ 199; The Court reiterated this position in the Oil Platforms case of 2003. Oil Platforms, supra note 48, ¶ 55.
Read the entire page →
From page 170...
... However, the issue of State sponsorship in the self-defense context is much more momentous. It asks when may forceful defensive actions, even kinetic ones, be taken against a State which has not engaged in cyber operations, but which has "sponsored" them?
Read the entire page →
From page 171...
... Armed Attacks by Non-State Actors Although most cyber operations are launched by individuals such as the anti-Estonian "hacktivists," concern is mounting about the prospect that transnational terrorist organizations and other non-State groups will turn to cyber operations as a means of attacking States.89 The concern is well-founded. Al Qaeda computers have been seized that contain hacker tools, the membership of such groups is increas ingly computer-literate, and the technology to conduct cyber operations is readily available.
Read the entire page →
From page 172...
... For instance, significant concerns have been raised regarding counterterrorist operations occurring outside an armed conflict mounted in States which do not consent to them. Such concerns are likely to be even more acute in relation to cyber operations, which are conducted not by armed members of groups resembling classic military forces, but rather by cyber experts equipped with computers.
Read the entire page →
From page 173...
... , or direct participation (the loss by civilians of their protections when they take a direct part in hostilities) apply to cyber operations, the threshold question is whether an armed conflict is underway.100 97 Definition of Aggression Resolution, supra note 50, art.
Read the entire page →
From page 174...
... . ., even if said occupation meets with no armed resistance."106 And it is equally accepted that there is an armed conflict if the forces of one State detain individuals protected by IHL, such as combatants.107 It is irrelevant whether the parties to the armed conflict con sider themselves to be "at war." This leads to two alternative conclusions with regard to cyber operations standing alone.
Read the entire page →
From page 175...
... .108 The law defines attacks as "acts of violence,"109 leading one school of thought to argue that only operations resulting in injury, death, damage or destruction are attacks to which the prohibitions apply.110 Advocates would therefore likely accept the aforementioned limitation. A second school argues that the essence of such prohibitions is directing military operations against protected persons and places.111 If this is so, then IHL would apply to certain non-destructive cyber operations against protected persons and objects, and, by extension, an international armed conflict would commence once a State or those under its control launched them.
Read the entire page →
From page 176...
... Whatever the correct characterization, it would apply equally to groups conducting cyber operations of the intensity required to constitute an armed conflict. 113AP II, supra note 99, art.
Read the entire page →
From page 177...
... The greatest obstacle is that those States which are most vulnerable to cyber operations tend to be those which are also most capable of conducting them. Such tension will cause 121 Technology, Policy, Law, and Ethics, supra note 63, at 254-55.
Read the entire page →
From page 178...
... In this regard, the seven criteria proffered above in the use of force context can serve as useful indicators of whether States are likely to characterize particular cyber operations as armed attacks (or as initiating an armed conflict) , and thus suggest the probable vector of the law.
Read the entire page →

Key Terms

  • cyber operations
  • supra note
  • international law
  • armed conflict
  • security council

  • armed attacks
  • cyber operation
  • cyber attacks
  • customary international
  • state responsibility

  • oil platforms
  • international armed
  • armed conflicts
  • security strategy
  • cyber armed

  • armed forces
  • draft articles
  • customary law
  • geneva conventions
  • international criminal

  • military operations
  • state practice
  • computer network
  • armed force
  • cyber attack

  • particular cyber
  • destructive cyber
  • forceful defensive
  • defensive actions
  • common article


    • This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
    More information on Chapter Skim is available.