ICT4Peace is pleased to publish its latest Cyber Policy Brief by Sara Pangrazzi, Senior Advisor, ICT4Peace. Please find the full paper here.
“The question on how international law applies to cyberattacks is one of the most pressing issues the international community of states faces as threats emerging from cyberattacks are growing. Basic governmental, economic, and public services as well as critical infrastructure increasingly depend on digital systems, which makes states vulnerable to such attacks. Moreover, there is a growing complexity of state and non- state actors behind cyberattacks and within hybrid constellations of conflicts. These developments pose a fundamental challenge to regulatory issues in the modern system of collective security.
This article elaborates the question of when a cyberattack constitutes an armed attack according to Article 51 UN-Charter and allows a state to enact kinetic as well as active cyber defence measures.
Ultimately, in any concrete situation of an attack there remains an inherent need for an individual assessment of the respective (cyber and real-world) circumstances at hand. However, a military decision to enact a measure in self-defence should in the authors’ opinion not only be a strategic, but in its core also a legally compliant one.
Hence, – from an international legal point of view – the main focus of military cyber defence strategies should primarily be on de-escalation by protecting cyber infrastructure and networks, building up resilience as well as a focus on damage limitation and termination. This would in other words imply to primarily foster more passive defence measures while reserving digital or kinetic counterattacks only to the cases where there is not only an “instant and overwhelming necessity of self- defence, leaving no choice of means, and no moment for deliberation” but also the certainty as to the attacker behind the attack.
The main conclusions and recommendations of the report include the following:
“III. WHY ONLY RELUCTANTLY, IF AT ALL, OPEN UP THE SCOPE TO DIGITAL AND KINETIC SELF-DEFENCE
The above-mentioned challenges are all reasons to only restrictively make use of forceful self-defence according to Article 51 UN-Charter. This reluctance in doing so is generally not only recommendable for Switzerland as a neutral state, but also for the entire international community of states. All the aspects of an armed attack need to be given, ultimately also the certainty as to the responsible state behind the attack. There is an inherent danger that armed attacks will be affirmed too impulsively – a condition which does not at all align with the time needed to technically trace back a source of a cyberattack, and if tracing back is possible timely, the remaining of uncertainty.
All in all, in the authors’ opinion, the developments regarding the application and extension of Article 51 UN-Charter are not unproblematic in light of international law: On the one hand, they tend to expand the scope of self-defence to non-physical (e.g. economic) damage and on the other hand, by the tendency of opening up self-defence against non-state actors in cyberspace, they increase the circle of possible “war situations” and “war actors” probably too radically. Put simply, the entering into war would “more easily” be legally justified. This could even encompass cases like for example, private hackers launching economically motivated ransomware attacks against a hospital, which traditionally would need to be considered under (international) criminal law rather than being considered as military state conduct according to the UN-Charter.
These issues become especially relevant since cyberattacks with considerable economic consequences are on the rise, which – notwithstanding the importance of taking them seriously – should in the authors’ opinion rigorously not be equated with “acts of war”.
The doctrinal ambiguities in the interpretation of international law and (the thereby possible contribution to) the changing character of war should be taken into account before and while states make their active kinetic and cyber self-defence a military strategy. Ultimately, in any concrete situation of an attack there remains an inherent need for an individual assessment of the respective (cyber and real-world) circumstances at hand. However, a military decision to enact a measure in self-defence should in the authors’ opinion not only be a strategic, but in its core also a legally compliant one.
Hence, – from an international legal point of view – the main focus of military cyber defence strategies should primarily be on de-escalation by protecting cyber infrastructure and networks, building up resilience as well as a focus on damage limitation and termination. This would in other words imply to primarily foster more passive defence measures while reserving digital or kinetic counterattacks only to the cases where there is not only an “instant and overwhelming necessity of self- defence, leaving no choice of means, and no moment for deliberation” but also the certainty as to the attacker behind the attack.
Such a legal assessment would in its result ensure to be in line with the core legal meaning and purpose of Article 51 UN- Charta and still enable a state to exceptionally defend itself against an aggressor by repelling an unlawful armed attack. Additionally, due to the remaining uncertainties and ambiguities as to the attribution of cyberattacks to a state, states should also more intensively engage in clarifying the international standard of proof necessary for acts of self-defence.
In conclusion, expanding the right to war by widening the scope of Article 51 UN-Charter would run against the actual aim of the UN-Charter, which is to promote peace among nations. In fact, these developments could lead to fundamental alterations of the landscape of future conflicts. Therefore, from the perspective of international law, instead of launching forceful military counterattacks, states should rather enhance and engage in a dialogue about international forms and processes of cooperation and dispute settlement in the field of cybersecurity and remember that besides using military means, there are also possibilities of informing the Security Council or of enacting non-forceful countermeasures (sanctions).
Finally, if in a particular case the scope of an armed attack according to Article 51 UN-Charter would still be considered as given, the enacted measure itself needs to meet the essential legal requirement of proportionality. Therefore, whether the concrete digital and/or kinetic defence measure is proportional and hence itself compliant with international law needs an additional (legal) consideration. This however is subject to a further discussion.”
Sara Pangrazzi has also co-authored the following article in NZZ with Amb. Martin Dahinden, member of the ICT4Peace Foundation Board: