Use of force
Definition
CollapseUse of force |
---|
Article 2(4) of the UN Charter prescribes States to “refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations”.[1] This prohibition is reflective of customary international law[2] and it is frequently described as a peremptory norm of international law.[3]
This rule applies between States; therefore the conduct needs to be attributable to a State and against another State ‘in their international relations’, thus excluding non-State actors unless their conduct is attributable to a State.[4] As stated by the International Court of Justice, the prohibition applies to any use of force, regardless of the means employed.[5] However, the notion of “force” in this context is limited to armed force[6], and to operations whose scale and effects are comparable to the use of armed force.[7] As stressed by several States, each situation has to be analysed on a case-by-case basis.[8] Undoubtedly, one of the purposes of the prohibition of force under international law is to safeguard the national security of the potentially affected States.[9] However, many forms of outside interference including various forms of political and economic coercion may affect the national security of the victim State. And yet, the drafters of the UN Charter had expressly rejected the proposal to extend the prohibition of force beyond the strict confines of military (or armed) force.[10] This is reflected also in the preamble, which explicitly stipulates that the drafters sought “to ensure, by the acceptance of principles and the institution of methods, that armed force shall not be used, save in the common interest”.[11] In principle, it could be argued that the notion of “force”, like other generic terms in treaties of unlimited duration, should be presumed to have an evolving meaning.[12] Regarding its application to cyber operations, an “effects-based approach” has been mostly followed.[13] In this sense, there is emerging consensus that “a cyber attack that causes or is reasonably likely to cause physical damage to property, loss of life or injury to persons would fall under the prohibition contained in Article 2(4) of the UN Charter”,[14] including both direct and indirect consequences. At present, there is a debate as to whether cyber operations with no physical effects may amount to a prohibited use of force. It has been argued that disruptive cyber operations of this kind fall under the scope of Article 2(4) if the resulting disruption is “significant enough to affect state security”.[15] As of 2022, there is limited State practice supporting the claim that the meaning of “force” has evolved to include non-destructive cyber operations against critical national infrastructure[16] and no victim State of an operation of this kind has suggested that the operation would have amounted to a use of force.[17] However, States have begun addressing this question. In particular, France,[18] the Netherlands[19] and Norway[20] allow for the possibility of cyber operations, which do not produce physical effects, to qualify as uses of force, if certain criteria are met. These qualitative and quantitative non-exhaustive criteria include the seriousness and reach of a given cyber operation’s consequences and its military nature,[21] as well as “the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target”.[22] Several of these criteria are also reflected in the Tallinn Manual 2.0.[23] Other States, such as Italy, did not rule out the possibility of considering operations causing the interruption of essential services without physical damage within the scope of the prohibition of the use of force.[24] A use of force is unlawful under international law, unless it is authorized by the UN Security Council under Chapter VII of the UN Charter,[25] conducted in the exercise of the inherent right to self-defence,[26] or consented to by the territorial State.[27] Even if an operation does not meet the threshold of the use of force, it may still be considered a violation of other rules of international law.[28] In this regard, the prohibition of intervention, the obligation to respect the sovereignty of other States, and the possible obligation to refrain from launching cyber operations against other States’ critical infrastructure are all of potential relevance. Publicly available national positions that address this issue include: 2020, 2021, 2022, 2023, 2023, 2020, 2019, 2021, 2023, 2020, 2021, 2021, 2019, 2021, 2023, 2022, 2021, 2022, 2021, 2012, 2020, 2021. |
National positions
Australia 2020
“In determining whether a cyber activity constitutes a use of force, States should consider whether the activity’s scale and effects are comparable to traditional kinetic operations that rise to the level of use of force under international law. This involves a consideration of the intended or reasonably expected direct and indirect consequences of the cyber activity, including for example whether the activity could reasonably be expected to cause serious or extensive (‘scale’) damage or destruction (‘effects’) to life, or injury or death to persons, or result in damage to the victim State’s objects, critical infrastructure and/or functioning.
A use of force will be lawful when the territorial State consents, when it is authorised by the Security Council under Chapter VII of the UN Charter, or when it is taken pursuant to a State’s inherent right of individual or collective self-defence in response to an armed attack, as recognised in Article 51 of the Charter.”[29]
Brazil 2021
“As stated in previous reports of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, international law is applicable to the use of ICTs by States. This includes the legal prohibition of the use of force in international relations, which is enshrined in the UN Charter and is also part of customary international law. It is a peremptory norm, to which only two exceptions are permitted: self-defense and authorization under Chapter VII of the Charter.
The United Nations Charter does not refer to specific weapons or other means of use of force, and therefore the legal prohibition applies to all of them. Cyber operations may amount to an illegal use of force if they are attributable to a State and if their impact is similar to the impact of a kinetic attack. It is generally understood that, to date, no state has claimed that the rule prohibiting the use of force was violated due to the conduction of a cyberattack. The lack of such a precedent only reinforces the need for caution when making analogies between cyber and kinetic actions in assessments related to jus ad bellum.
General Assembly Resolution 3314(XXIX), which contains the definition of aggression, enumerates a series of acts that qualify as such: invasion of territory by armed forces, military occupation, bombardments or the use of any weapons against the territory of another state, blockade of the ports or coasts by the armed forces, among others. Although it is not binding, GA Res 3314(XXIX) has been considered highly authoritative and has guided the ICJ in its caselaw. In many instances, it might prove difficult to establish a direct analogy between the acts listed in GA Res 3314 (XXIX) and cyber operations, due to their unique characteristics. Therefore, it is advisable to update the multilateral understanding of which acts amount to the use of force and aggression, so as to include instances of cyberattacks. While it might be challenging to find consensus on grey areas, such as the characterization of digital attacks with no direct physical effects, there are points of convergence that should be consolidated multilaterally to provide more clarity and legal certainty.”[30]
Canada 2022
“44. Article 2(4) of the UN Charter requires that States refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the UN. This also applies in cyberspace. In general, cyber activities that amount to such a threat or use of force are unlawful, with recognised exceptions under international law.
45. In Canada’s view, cyber activities may amount to such a threat or use of force where the scale and effects are comparable to those from other operations that constitute the use of force at international law. Canada will assess cyber activities that may amount to a threat or use of force on a case-by-case basis.”[31]
Costa Rica 2023
“35. Under Article 2(4) of the UN Charter and its customary counterpart, States ‘shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state’. In Costa Rica’s view, a State uses force against another State if it causes damage to persons or property in the territory of another State. This is true whether or not the military or other armed forces are involved, and regardless of the level of intensity of any hostilities between the States involved.
36. As noted earlier, the prohibition on the use of force applies irrespective of the type of weapon employed by a State. Thus, a cyber operation may amount to a prohibited use of force if it can cause harm or destruction analogous to a conventional weapon. In Costa Rica’s view, this assessment is to be carried out on the basis of a comparison between the effects of a cyber operation and those of an operation carried out by conventional weapons that would constitute a prohibited use of force. Although this assessment can only be carried out on a case-by-case basis, examples of cyber operations likely amounting to a prohibited use of force include those causing physical harm to individuals or significant destruction of property, as well as those permanently disabling operating systems controlling critical infrastructure, such as an electrical grid or a water and sanitation station.
37. A prohibited threat or use of force must be distinguished from an armed attack. In accordance with Article 51 of the UN Charter and customary international law, an armed attack triggers the right of States to exercise individual or collective self-defense. In Costa Rica’s view, to give rise to the right of self-defense, an armed attack must be attributable to a State, in cyberspace as in any other context. As noted by the ICJ, armed attacks are the ‘most grave’ forms of use of force. For Costa Rica, this assessment is to be carried out on the basis of a comparison between the scale and effects of a cyber operation and those of an operation by conventional weapons that would constitute an armed attack. Examples of cyber operations potentially constituting armed attacks are those causing significant loss of life and destruction of critical infrastructure.[32]
Denmark 2023
“Cyber operations may violate the prohibition on the threat or use of force, which primarily depends on the physical scale and effects of the cyber operation in question. It requires an individual assessment of the specific circumstances in each case to determine whether the scale and effects of a cyber operation correspond to what would qualify as use of force had they resulted from conventional weapons.
Article 2(4) of the UN Charter sets out that all Member States shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the United Nations. Numerous other international documents and State practice contribute to the understanding of the principle of the non-use of force. It is, however, fair to assert that there are still significant grey areas and divergent views among States as to the precise content of the law.
Generally, Denmark subscribes to the notion that where a cyber operation results in injury, death, or significant physical damage, this prima facie qualifies as use of force.
With regard to the precise interpretation of the term force and the question as to whether economic or political coercion can qualify as use of force, Denmark considers that it generally cannot be ruled out that acts of economic or political coercion can fall within the purview of Article 2(4) of the UN Charter if, for example, a cyber operation resulting in the malfunctioning of a State’s financial system leads to significant economic damage.
It has been suggested that States should apply the following non-exhaustive factors for determining if a cyber operation reaches the level of use of force: Severity, immediacy, directness, invasiveness, measurability of effects, military character, State involvement, presumptive legality.[5] While few States in their public positions have endorsed these particular factors, Denmark is of the view that these factors are useful reference points for further understanding and discussing the definition of use of force in cyberspace.”[33]
Estonia 2021
States must refrain in their international relations from carrying out cyber operations which, based on their scale and effect, would constitute a threat or use of force against the territorial integrity or a political independence of any state, or in any other manner inconsistent with the purposes of the UN. |
“While taking measures in cyberspace, states must comply with the obligations and constraints enshrined in international law, including the UN Charter and customary international law. The threat or use of force in international relations is prohibited; however, the UN Charter foresees concrete situations where it could be allowed (in response to an armed attack, as self-defence or in accordance with chapter VII of the UN Charter).
The prohibition of the threat or use of force in cyberspace was also acknowledged and highlighted in the 2015 GGE report, endorsed by the UN General Assembly. Notably, the report states that “in considering the application of international law to State use of ICTs, the GGE identified as of central importance the commitments of States to the following principles of the Charter and other international law […] refraining in their international relations from the threat or use of force against the territorial integrity or political independence of any State […].”
A cyber operation that targets critical infrastructure and results in serious damage, injury or death, or a threat of such an operation, would be an example of use of force.”[34]
Finland 2020
“While there is currently no established definition of a cyberattack that would pass the threshold of “use of force” in the sense of article 2(4) of the UN Charter, or “armed attack” in the sense of article 51, it is widely recognized that such a qualification depends on the consequences of a cyberattack. For a cyberattack to be comparable to use of force, it must be sufficiently serious and have impacts in the territory of the target State, or in areas within its jurisdiction, that are similar to those of the use of force. A threat of such a cyberattack could also violate Article 2(4) of the Charter, if the threat is sufficiently precise and directed against another State. Similarly, most commentators agree that when the scale and effects of a cyberattack correspond to those of an armed attack responding to the cyberattack is justifiable as self-defence. It is obvious that the attack must have caused death, injury or substantial material damage, but it is impossible to set a precise quantitative threshold for the effects, and other circumstantial factors must be taken into account in the analysis, as well.”
“A question has also been raised, whether a cyberattack producing significant economic effects such as the collapse of a State’s financial system or parts of its economy should be equated to an armed attack. This question merits further consideration. Any interpretation of the use of force in cyberspace should respect the UN Charter and not just the letter of the Charter but also its object and purpose, which is to prevent the escalation of armed activities. This would mean, for instance, that the distinction between armed attack as a particularly serious violation of the Charter, on the one hand, and any lesser uses of force, on the other, is preserved. Similarly, the conditions for the exercise of the right of self-defence apply in cyberspace as they do with regard to the use of armed force. The right of self-defence arises if a cyberattack comparable to an armed attack occurs and can be attributed to a particular State. It is reasonable to think that a State victim to such an attack can respond with either cyber means or armed action. At the same time, the use of force must not be disproportionate or excessive.”[35]
France 2019
“Some cyberoperations may violate the prohibition of the threat or use of force. The most serious violations of sovereignty, especially those that infringe France’s territorial integrity or political independence, may violate the prohibition of the threat or use of force, which applies to any use of force, regardless of the weapons employed. In digital space, crossing the threshold of the use of force depends not on the digital means employed but on the effects of the cyberoperation. A cyberoperation carried out by one State against another State violates the prohibition of the use of force if its effects are similar to those that result from the use of conventional weapons. However, France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force. In the absence of physical damage, a cyberoperation may be deemed a use of force against the yardstick of several criteria, including the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target. This is of course not an exhaustive list. For example, penetrating military systems in order to compromise French defence capabilities, or financing or even training individuals to carry out cyberattacks against France, could also be deemed uses of force.
However, not every use of force is an armed attack within the meaning of Article 51 of the United Nations Charter, especially if its effects are limited or reversible or do not attain a certain level of gravity.
The prohibition of the use of force enshrined in the United Nations Charter applies to cyberspace. Certain cyberoperations may constitute a use of armed force within the meaning of Article 2, para. 4 of the United Nations Charter.”[36]
Germany 2021
“So far, the vast majority of malicious cyber operations fall outside the scope of ‘force’. However, cyber operations might in extremis fall within the scope of the prohibition of the use of force and thus constitute a breach of art. 2 para. 4 UN Charter.
The ICJ has stated in its Nuclear Weapons opinion that Charter provisions ‘apply to any use of force, regardless of the weapons employed.’ Germany shares the view that with regard to the definition of ‘use of force’, emphasis needs to be put on the effects rather than on the means used.
Cyber operations can cross the threshold into use of force and cause significant damage in two ways. Firstly, they can be part of a wider kinetic attack. In such cases they are one component of a wider operation clearly involving the use of physical force, and can be assessed within the examination of the wider incident. Secondly, outside the wider context of a kinetic military operation, cyber operations can by themselves cause serious harm and may result in massive casualties.
With regard to the latter case, Germany shares the view expressed in the Tallinn Manual 2.0: the threshold of use of force in cyber operations is defined, in analogy to the ICJ’s Nicaragua judgement, by the scale and effects of such a cyber operation. Whenever scale and effects of a cyber operation are comparable to those of a traditional kinetic use of force, it would constitute a breach of art. 2 para. 4 UN Charter.
The determination of a cyber operation as having crossed the threshold of a prohibited use of force is a decision to be taken on a case-by-case basis. Based on the assessment of the scale and effects of the operation, the broader context of the situation and the significance of the malicious cyber operation will have to be taken into account. Qualitative criteria which may play a role in the assessment are, inter alia, the severity of the interference, the immediacy of its effects, the degree of intrusion into a foreign cyber infrastructure and the degree of organization and coordination of the malicious cyber operation.”[37]
Ireland 2023
“16. Article 2(4) of the Charter of the United Nations prohibits the threat or use of force by states against the territorial integrity or political independence of any other state. The Charter sets out two exceptions to this prohibition, namely when force is authorised by the UN Security Council and when it is used in the exercise of individual or collective self-defence. At the OEWG, states reaffirmed that “international law, and in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment”.[11]
17. The prohibition on the use of force applies regardless of the means or weapons employed.[12] In the Nicaragua case, looking at the notion of “force”, the ICJ determined that assistance to rebels in the form of the provision of weapons or logistical or other support may be regarded as a threat or use of force.[13] The Court further determined that “scale and effects” are to be considered when determining whether particular actions amount to an “armed attack”.[14]
18. In Ireland’s view, a cyber-operation attributable to a state will amount to a use of force if its scale and effects correspond to those of a physical use of force. This may include instances where a cyber-operation does not cause physical damage, such as where there is significant impairment of functionality of critical infrastructure. It is recalled that treaties, including the UN Charter, must be interpreted in the light of their object and purpose.[15] Although present day technology and our heavily digitised world may not have been contemplated at the time of the adoption of the Charter, it is appropriate to interpret Article 2(4) as applying to force emanating from cyber operations, notwithstanding the fact that the traditional physical or kinetic element may be lacking in terms of both means and impact.
19. For completeness, it is noted that a cyber-operation that falls below the threshold of use of force might nonetheless constitute an unlawful intervention in the internal affairs of a state or a violation of its sovereignty. Moreover, not every use of force contrary to Article 2(4) will amount to an “armed attack” within the meaning of Article 51 of the UN Charter (this is considered further under the heading of self-defence, below).”[38]
Israel 2020
“First — and this has already been acknowledged by many others— the customary prohibition set out in Article 2(4) of the Charter of the United Nations, on “the threat or use of force” in international relations, is clearly applicable in the cyber domain.
We share the support among States for the view that a cyber operation can amount to use of force if it is expected to cause physical damage, injury, or death, which would establish the use of force if caused by kinetic means. For example, hacking into the computers of the railroad network of another State and programming the controls in a manner that is expected to cause a collision between trains can amount to use of force. As with any legal assessment relating to the cyber domain, as practice in this field continues to evolve, there may be room to further examine whether operations not causing physical damage could also amount to use of force.
Second, when the use of force in the cyber domain, by either a State or non-State actor, can be considered as an actual or imminent armed attack, the State under attack may act in accordance with its inherent right to self-defense, as enshrined in Article 51 of the U.N. Charter. Of course, the exercise of this right is subject to the customary principles of necessity and proportionality.
Finally, the use of force in accordance with the right of self-defense, against an armed attack conducted through cyber means, may be carried out by either cyber or kinetic means; just as use of force in self-defense against a kinetic armed attack may be conducted by kinetic or cyber means.”[39]
Italy 2021
“There is no established definition or threshold of hostile cyber operations falling within the scope of the prohibition of the ‘use of force’ in the sense of article 2(4) of the UN Charter. Such assessment will be determined on a case-by-case basis depending on the consequences of any given cyber operation.
Italy considers a cyber operation conducted by a State against another State as a use of force, when its scale and effects are comparable to those of a conventional use of force, resulting in physical damage of property, human injury or loss of life.
While it is generally accepted that cyber operations resulting in material damage can constitute a use of force, we consider the qualification of cyber operations which merely cause loss of functionality a controversial one. The inclusion of such operations in the scope of the prohibition of the use of force, however, could be justified if one considers that, because of the reliance of modern societies on computers, computer systems and networks, cyber technologies have enabled States to cause the interruption of essential services without the need of physical damage.”[40]
Japan 2021
“Under certain circumstances, a cyber operation may constitute the threat or use of force prohibited by Article 2(4) of the UN Charter. Pursuant to this article, all States shall refrain in their international relations from the threat or use of force. The Government of Japan presumes that as a general rule the threat of force refers to a State’s act of threatening another State by indicating its intention or attitude of using force, without actually using force, unless its arguments or demands are accepted. The obligation to refrain from the threat or use of force in international relations is an important obligation relating to cyber operations.”[41]
Netherlands 2019
“Article 2(4) of the UN Charter lays down a prohibition on the threat or use of force. It reads as follows: ‘All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state.’ This prohibition applies to the use of force in any form, regardless of the weapons or means employed.
The prohibition of the use of force is virtually absolute. There are only three situations in which the threat or use of force does not contravene international law. One is in the case of self-defence against an armed attack (article 51 of the UN Charter). Another concerns certain actions implementing a UN Security Council resolution under Chapter 7 of the Charter.7 The final exception is when the use of force takes place with the agreement of the state in whose territory that force will be used.
When applying this prohibition in the context of cyberspace, the question arises: when can cyber operations be considered ‘use of force’, given that no use is made of ‘weapons’ in the usual (physical) sense of the word? The government believes that cyber operations can fall within the scope of the prohibition of the use of force, particularly when the effects of the operation are comparable to those of a conventional act of violence covered by the prohibition. In other words, the effects of the operation determine whether the prohibition applies, not the manner in which those effects are achieved. This position is supported by the case law of the International Court of Justice, which has ruled that the scale and effects of an operation must be considered when assessing whether an armed attack in the context of the right of self-defence has taken place (see below). There is no reason not to take the same approach when assessing whether an act may be deemed a use of force within the meaning of article 2 (4) of the UN Charter. A cyber operation would therefore in any case be qualified as a use of force if its scale and effects reached the same level as those of the use of force in non-cyber operations.
International law does not provide a clear definition of ‘use of force’. The government endorses the generally accepted position that each case must be examined individually to establish whether the ‘scale and effects’ are such that an operation may be deemed a violation of the prohibition of use of force. In their 2011 advisory report ‘Cyber Warfare’, the Advisory Council on International Affairs (AIV) and the Advisory Committee on Issues of Public International Law (CAVV) noted that, ‘The customary interpretation of this provision is that all forms of armed force are prohibited. Purely economic, diplomatic and political pressure or coercion is not defined as force under article 2, paragraph 4. Suspending trade relations or freezing assets, for example, can be very disadvantageous to the state affected but has not to date been considered a prohibited form of force within the meaning of the Charter. Armed force that has a real or potential physical impact on the target state is prohibited.’ In the view of the government, at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force.
It is necessary, when assessing the scale and effects of a cyber operation, to examine both qualitative and quantitative factors. The Tallinn Manual 2.0 refers to a number of factors that could play a role in this regard, including how serious and far-reaching the cyber operation’s consequences are, whether the operation is military in nature and whether it is carried out by a state. These are not binding legal criteria. They are factors that could provide an indication that a cyber operation may be deemed a use of force, and the government endorses this approach. It should be noted in this regard that a cyber operation that falls below the threshold of use of force may nonetheless be qualified as a prohibited intervention or a violation of sovereignty.”[42]
Norway 2021
Key message |
---|
A cyber operation may, depending on its scale and effects, violate the prohibition on the threat or use of force in Article 2(4) of the UN Charter.
A cyber operation that is in violation of the prohibition on the threat or use of force may, depending on its scale and effects, constitute an armed attack under international law. An armed attack is the gravest form of the use of force. |
Article 2(4) of the UN Charter prohibits the threat or use of force by a State against the territorial integrity or political independence of another State, or in any other manner inconsistent with the purposes of the UN. The prohibition is a norm of customary international law. It applies to any use of force, regardless of the weapons or means employed.
There are only three exceptions to the prohibition on the use of force in the sense that using force would not be in violation of international law: if the state on whose territory the use of force takes place consents; if it is authorised by the Security Council under Chapter VII of the UN Charter; or in the case of self-defence, in response to an armed attack as recognised in Article 51 of the UN Charter.
Whether a cyber operation violates the prohibition on the threat or use of force in Article 2(4) of the UN Charter depends on its scale and effects, physical or otherwise. Depending on its gravity, a cyber operation may also constitute an armed attack under international law. In accordance with the case law of the International Court of Justice (ICJ), an armed attack is the gravest form of the use of force.
A cyber operation may constitute use of force or even an armed attack if its scale and effects are comparable to those of the use of force or an armed attack by conventional means. This must be determined based on a case-by-case assessment having regard to the specific circumstances. A number of factors may be taken into consideration, such as the severity of the consequences (the level of harm inflicted), immediacy, directness, invasiveness, measurability, military character, State involvement, the nature of the target (such as critical infrastructure) and whether this category of action has generally been characterised as the use of force. This list is not exhaustive.
Cyber operations that cause death or injury to persons or physical damage to or the destruction of objects could clearly amount to the use of force. Likewise, a cyber operation causing severe disruption to the functioning of the State such as the use of crypto viruses or other forms of digital sabotage against governmental or private power grid- or telecommunications infrastructure, or cyber operations leading to the destruction of stockpiles of Covid-19 vaccines, could amount to the use of force in violation of Article 2(4). Similarly, the use of crypto viruses or other forms of digital sabotage against a State’s financial and banking system, or other operations that cause widespread economic effects and destabilisation, may amount to the use of force in violation of Article 2(4).
A cyber operation that severely damages or disables a State’s critical infrastructure or functions may furthermore be considered as amounting to an armed attack under international law. Depending on its scale and effect, this may include a cyber operation that causes an aircraft crash.[43]
“A State that is the victim of a cyber operation that qualifies as an armed attack under international law, may exercise its inherent right of individual or collective self-defence under Article 51 of the UN Charter The right of self-defence as reflected in Article 51 is a norm of customary international law. It must be exercised subject to the requirements of necessity and proportionality, and may involve both digital and conventional means.[44]
Pakistan 2023
“6. Pakistan believes that the principles of non-use of force, sovereign equality of all nations, non-interventionism, and peaceful settlement of disputes, as enshrined in the UN Charter, continue to apply in cyberspace as in the physical world.”[45]
Poland 2022
4. In certain circumstances actions in cyberspace may constitute a violation of the prohibition of the use of force |
“The prohibition on the threat or use of force is laid down in Article 2(4) of the Charter of the United Nations and customary international law. According to the Advisory Opinion of the International Court of Justice on the legality of the threat or use of nuclear weapons, an action may be considered the use of force irrespective of the means used. What matters are the effects of the actions taken. As a result, it cannot be ruled out that in some circumstances a cyberattack will reach such a threshold that it will be deemed the use of force. Perceiving a cyberattack as the use of force is supported by the possibility of it causing similar effects to those caused by a classic armed attack executed with the use of conventional weapons. When assessing whether or not a cyber operation reaches the threshold of the use of force, the situation must be analysed individually, taking into consideration the circumstances of actions taken in accordance with the requirements of international law. An action in cyberspace that leads to: a permanent and significant damage of a power plant, a missile defence system deactivation or taking control over an aircraft or a passenger ship and causing an accident with significant effects may be considered the use of force. This list is not exhaustive – the legal qualification will always depend on the circumstances of a specific attack.
A cyberattack that does not reach the threshold of the prohibited use of force may be deemed a prohibited intervention or an action that violates the principle of sovereignty.”[46]
Romania 2021
“The prohibition of the threat or use of force is a well-established principle of international law, being included in art. 2(4) of the UN Charter. There are only three (well determined) exceptions to this prohibition: self-defense in the event of armed aggression, UNSC Chapter VII authorization of the use of force and consent of the State on whose territory the operation takes place.
In order to ascertain whether a cyber operation represents a threat or use of force and whether it even amounts to a cyberattack, a case-by-case analysis must be carried out to determine the circumstance in which the attack occurred, the nature of the operation (military or not) and the scale and the effects of the operation (by comparison against the scale and severity of a conventional (non-cyber) act of violence covered by the prohibition).
The elements of such an analysis, from the “scale and effects” perspective, are well established in the ICJ’s relevant jurisprudence.
It is also worth noting that not all cyber operations reach the threshold of use of force and even less operations reach the threshold of an armed attack; nevertheless such operations could still be in violation of international law (being a prohibited intervention or an otherwise violation of the principle of sovereignty).”[47]
Sweden 2022
“The prohibition of the use of force is a cardinal rule of customary international law, also applicable in relation to cyber operations. In the UN Charter, Article 2(4) stipulates a prohibition of the threat or use of force. The only exceptions in the UN Charter are the inherent right of individual or collective self-defence if an armed attack occurs, or acts taken pursuant to a decision of the UN Security Council authorising the use of force.
Acts that constitute the use of force are not clearly defined in international law. The ICJ has declared that the provisions on the use of force are not dependent on the choice of means, but rather apply to any use of force regardless of the weapons employed. The Court has furthermore distinguished the most grave forms of the use of force (those constituting an armed attack) from other less grave forms based on scale and effects. A similar assessment of scale and effects may be made in relation to whether an act constitutes a breach of the prohibition of the use of force. While most cyber operations would not constitute use of force, such operations would be considered as such if comparable to the scale and effects of kinetic use of force. An assessment needs to made on a case-by-case basis.”[48]
United Kingdom 2021
“Article 2(4) of the UN Charter prohibits the threat or use of force against the territorial integrity or political independence of any State or in any other manner inconsistent with the purposes of the United Nations. Depending on the facts and circumstances in each case, conduct by States carried out in cyberspace is capable of constituting a threat or use of force if the actual or threatened conduct has or would have the same or similar effects of conduct using kinetic means. The circumstances in which the threat or use of force is not unlawful under international law are the same irrespective of whether the conduct is by kinetic or cyber means.”[49]
United States 2012
“Cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law. In analyzing whether a cyber operation would constitute a use of force, most commentators focus on whether the direct physical injury and property damage resulting from the cyber event looks like that which would be considered a use of force if produced by kinetic weapons. For example, cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force. In assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors including the context of the event, the actor perpetrating the action (recognizing challenging issues of attribution in cyberspace), the target and location, effects and intent, among other possible issues. Commonly cited examples of cyber activity that would constitute a use of force include, for example, (1) operations that trigger a nuclear plant meltdown, (2) operations that open a dam above a populated area causing destruction, or (3) operations that disable air traffic control resulting in airplane crashes. Only a moment’s reflection makes you realize that this is common sense: if the physical consequences of a cyber attack work the kind of physical damage that dropping a bomb or firing a missile would, that cyber attack should equally be considered a use of force.”[50]
United States 2020
“Article 2(4) of the Charter of the United Nations provides that “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” At the same time, international law recognizes that there are exceptions to this rule. For example, in the exercise of its inherent right of self-defense a State may use force that is necessary and proportionate to respond to an actual or imminent armed attack. This is true in the cyber context just as in any other context.
Depending on the circumstances, a military cyber operation may constitute a use of force within the meaning of Article 2(4) of the U.N. Charter and customary international law. In assessing whether a particular cyber operation—conducted by or against the United States—constitutes a use of force, DoD lawyers consider whether the operation causes physical injury or damage that would be considered a use of force if caused solely by traditional means like a missile or a mine. Even if a particular cyber operation does not constitute a use of force, it is important to keep in mind that the State or States targeted by the operation may disagree, or at least have a different perception of what the operation entailed.”[51]
United States of America 2021
“Cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law. In determining whether a cyber activity constitutes a use of force prohibited by Article 2(4) of the UN Charter and customary international law or an armed attack sufficient to trigger a State’s inherent right of self defense, States should consider the nature and extent of injury or death to persons and the destruction of, or damage to, property. Although this is necessarily a case-by-case, fact-specific inquiry, cyber activities that proximately result in death, injury, or significant destruction, or represent an imminent threat thereof, would likely be viewed as a use of force / armed attack. If the physical consequences of a cyber activity result in the kind of damage that dropping a bomb or firing a missile would, that cyber activity should equally be considered a use of force / armed attack.
Some of the factors States should evaluate in assessing whether an event constitutes an actual or imminent use of force / armed attack in or through cyberspace include the context of the event, the actor perpetrating the action (recognizing the challenge of attribution in cyberspace, including the ability of an attacker to masquerade as another person/entity or manipulate transmission data to make it appear as if the cyber activity was launched from a different location or by a different person), the target and its location, the effects of the cyber activity, and the intent of the actor (recognizing that intent, like the identity of the attacker, may be difficult to discern, but that hostile intent may be inferred from the particular circumstances of a cyber activity), among other factors.”[52]
Appendixes
See also
- Scenario 03: Cyber operation against the power grid
- Scenario 14: Ransomware campaign
- Scenario 16: Cyber attacks against ships on the high seas
- Scenario 17: Collective responses to cyber operations
- Scenario 20: Cyber operations against medical facilities
- Scenario 23: Vaccine research and testing
Notes and references
- ↑ Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) art. 2(4).
- ↑ Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep 136, para 87; Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14, paras 187–190. See also, the national positions of Brazil, Israel, Sweden, and the United States.
- ↑ See, for example,The International Law Commission, ‘Document A/6309/ Rev.1: Reports of the International Law Commission on the second part of its seventeenth and on its eighteenth session’ Yearbook of the International Law Commission Vol. II (1966) 247 (“The law of the Charter concerning the prohibition of the use of force in itself constitutes a conspicuous example of a rule in international law having the character of jus cogens”); Christine Gray, International Law and the use of force (OUP 2018) 32; Oliver Corten, The Law against War. The Prohibition on the Use of Force in Contemporary International Law (Hart Pub. 2021) 44; Oliver Dörr and Albrecgr Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012), 231, para 67 (“the prohibition of the use of force laid down in Art. 2 (4) is usually acknowledged in State practice and legal doctrine to have a peremptory character, and thus to be part of the international ius cogens”).
- ↑ Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014) 44.
- ↑ Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1. C.J. Reports 1996, 226; see also the national positions of Brazil, Germany, France, the Netherlands and Sweden.
- ↑ Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012) 208 para 16 (“The term [‘force’] does not cover any possible kind of force, but is, according to the correct and prevailing view, limited to armed force.”).
- ↑ Cf. Ian Brownlie, International Law and the Use of Force by States (OUP 1963) 362 (“[Art 2(4)] applies to force other than armed force”); Tallinn Manual 2.0, rule 69 (“A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”). This is also embodied in the national positions of several States, including Australia, Canada, Germany, Italy, the Netherlands, Romania and Sweden.
- ↑ See the national positions of Canada, Germany, Italy, the Netherlands, Romania, Sweden and the United States.
- ↑ Cf. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) art. 2(4) (expressly prohibiting the use of force against the “political independence” of any State).
- ↑ Documents of the United Nations Conference on International Organization (1945), vol VI, 334. See also the national position of the Netherlands.
- ↑ Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) preamble.
- ↑ Cf. Dispute regarding Navigational and Related Rights (Costa Rica v Nicaragua) Judgment, 2009 ICJ Rep 213 [66] (“[W]here the parties have used generic terms in a treaty, the parties necessarily having been aware that the meaning of the terms was likely to evolve over time, and where the treaty has been entered into for a very long period or is ‘of continuing duration’, the parties must be presumed, as a general rule, to have intended those terms to have an evolving meaning”).
- ↑ Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014) 46-47. See the national positions of Australia, Germany, France, the Netherlands, Sweden, the United Kingdom and the United States. As highlighted by Roscini, other analytic approaches include an ‘instrument-based approach’ which focuses on the means used, and the ‘target-based approach’ which ‘argues that cyber operations reach the threshold of the use of armed force when they are conducted against national critical infrastructure’. On the latter, see for example Estonia’s national position, combining the target and the effects-based approaches in its assessment.
- ↑ Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014) 53. See also the national positions of Australia, Brazil, Estonia, Italy, Israel and the United States. Further, it has been argued that there is a minimum threshold of intensity or gravity in the use of force, for it to fall under Article 2(4) of the UN Charter. See Roscini, 53-54. See also in this regard, Tallinn Manual 2.0., commentary to rule 69, para 9(a).
- ↑ Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 55. See also ibid, 48 (noting that ‘the dependency of modern societies on computers, computer systems, and networks has made it possible to achieve analogous prejudicial results through other, non-destructive means’)
- ↑ However, such claims are occasionally made in the scholarship: see, for example, Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 59; Nicholas Tsagourias ‘Cyber Attacks, Self-Defence and the Problem of Attribution’ 2012 17 (2) Journal of Conflict and Security Law 23; Gary Brown and Keira Poellet, ‘The Customary International Law of Cyberspace’ 2012 Strategic Studies Quarterly 137.
- ↑ Dan Efrony and Yuval Shany, ‘A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice’ 2018 112 AJIL 583, 638.
- ↑ French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 7, stating that ‘France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force’.
- ↑ Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 4, stating that ‘in the view of the government, at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force’.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 69-70, stating that ‘Likewise, a cyber operation causing severe disruption to the functioning of the State such as the use of crypto viruses or other forms of digital sabotage against governmental or private power grid- or telecommunications infrastructure, or cyber operations leading to the destruction of stockpiles of Covid-19 vaccines, could amount to the use of force in violation of Article 2(4). Similarly, the use of crypto viruses or other forms of digital sabotage against a State’s financial and banking system, or other operations that cause widespread economic effects and destabilisation, may amount to the use of force in violation of Article 2(4)’.
- ↑ Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) at p. 4.
- ↑ French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 7.
- ↑ Tallinn Manual 2.0, commentary to rule 69, para 9. The indicative factors highlighted by the Manual are: (i) severity; (ii) immediacy; (iii) directness; (iv) invasiveness; (v) measurability of effects; (vi) military character; (vii) State involvement; and (viii) presumptive legality.
- ↑ Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on “International law and cyberspace”’ 2021 8. See also the national position of Israel, stating that ‘As with any legal assessment relating to the cyber domain, as practice in this field continues to evolve, there may be room to further examine whether operations not causing physical damage could also amount to use of force’.
- ↑ See Articles 39–42 of the UN Charter.
- ↑ See Article 51 of the UN Charter.
- ↑ See in this regard the national positions of Australia, the Netherlands and Romania.
- ↑ Cf. US, State Department Legal Advisor Brian Egan, International Law and Stability in Cyberspace, Speech at Berkeley Law School (10 November 2016), 13 (“In certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force.”) (emphasis original); UK, Attorney General Jeremy Wright QC MP, Cyber and International Law in the 21st Century, Speech (23 May 2018) (“In certain circumstances, cyber operations which do not meet the threshold of the use of force but are undertaken by one state against the territory of another state without that state’s consent will be considered a breach of international law.”); Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace (26 September 2019) 4; Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 77.
- ↑ Australian Government, Australia’s position on how international law applies to State conduct in cyberspace
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 19.
- ↑ Government of Canada, International Law applicable in cyberspace, April 2022
- ↑ Ministry of Foreign Affairs of Costa Rica, “Costa Rica’s Position on the Application of International Law in Cyberspace” (21 July 2023) 9-10 (footnotes omitted).
- ↑ Government of Denmark, “Denmark’s Position Paper on the Application of International Law in Cyberspace“(4 July 2023) 5-6. See footnote [5]: M. N. Schmitt (ed.), Tallinn Manual 2.0 on the International Law Applicable To Cyber Operations, (Cambridge University Press, 2017), pp. 334-336.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 25-26.
- ↑ International law and cyberspace – Finland’s national position
- ↑ Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 7.
- ↑ Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 6.
- ↑ Irish Department of Foreign Affairs, Position Paper on the Application of International Law in Cyberspace (6 July 2023) 4-5. See Footnote [11]: A/AC.290/2021/CRP.2, Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security, Final Substantive Report (10 March 2021), [34]; See Footnote [12]: Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, International Court of Justice (ICJ), 8 July 1996, para. 39; See Footnote [13]: Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) Merits Judgment, ICJ Reports 1986, p. 14 [228]; See Footnote [14]: Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) Merits Judgment, ICJ Reports 1986, p. 14, [195]; See Footnote [15]: 1969 Vienna Convention on the Law of Treaties, Article 31.
- ↑ Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
- ↑ Italian position paper on “International law and cyberspace”, Italian Ministry for Foreign Affairs and International Cooperation.,8.
- ↑ Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 6
- ↑ Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 3-4.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 69-70.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 73-74.
- ↑ UNODA, ‘Pakistan’s Position on the Application of International Law in Cyberspace’ (3 March 2023), para. 6.
- ↑ The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 5.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 77.
- ↑ Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace, July 2022,3-4
- ↑ United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
- ↑ Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 3-4
- ↑ Hon. Paul C. Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March, 2020
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 137.
I was looking through some of your blog posts on this site and
I conceive this internet site is really informative! Continue putting
up