In the era of cyber operations, from influence campaigns to the destruction of critical civilian infrastructure, are the international laws governing self-defence and armed conflict sufficient?
With the growth of cyber interconnectedness between industries, cyber operations have become an increasingly attractive method for state-sponsored or state-based cyber threat actors to undermine the national resilience of their adversaries. Indeed, all industries are at risk. Whether it's a nation's defence force or defence industry, right through to critical civilian infrastructure like energy and water, the cyber space has provided an exploitable vector for threat actors to attack their adversaries with little risk of physical response.
One needs to look no further than the 2007 attacks on Estonia to understand the broad threat surfaces in which cyber wars can be waged. Throughout the allegedly Russian operation, the malicious actors targeted Estonia’s parliament, financial services industries and media outlets. A similar cyber campaign was observed in the lead-up to the Russian invasion of Georgia in 2008.
As a result of this broad threat surface, cyber-enabled information warfare has become a mainstay of international grey zone operations, where countries engage one another in a contest that falls below the legally defined threshold of an armed attack.
If Carl von Clausewitz’s notion that “everything in war is very simple”, ongoing cyber operations such as those leveraged in Estonia to undermine a nation’s national resilience and ability to defend itself is the most simple. Few can legally be held to account for the attacks, with the victim holding little legal recourse for compensation or indeed the right to self-defence.
In light of this notion, it is not unreasonable to suggest that cyber operations can become so destructive that nations ignore international law to undertake extra-judicial law enforcement against cyber threat actors. To avoid this, international law must reconcile cyber attacks and the threat of use of an armed attack - extending from the lessons of the Tallinn Manual.
When is a cyber incursion as deleterious as armed conflict?
International law provides distinct thresholds that enable a country to legally apply violence. Article 2(4) of the United Nations Charter provides comprehensive prohibition on the “threat of use of force” against other nations, typically read in tandem with Article 51 outlining the legal recourses to armed conflict and the right of self defence.
“All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations,” Article 2(4) of the United Nations Charter.
“Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security,” Article 51 of the United Nations Charter.
Subscribe to the Defence Connect daily newsletter.
Be the first to hear the latest developments in the defence industry.
Despite Article 51 providing recourse for self defence in the event of an armed attack, the International Court of Justice’s determination in Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America) provide yet higher thresholds for the definition of “an armed attack” and thus a nation’s legal ability to retaliate. In such determinations, the ICJ required that state attribution be present in the event of an armed attack and even classified cross border raids in Nicaragua as just border incidents. Self defence is not easy to claim.
Despite some acceptance for the “unable or unwilling” doctrine, which allowed the US and its allies to overcome the difficulties presented by these legal documents, it remains remarkably unlikely that a nation would have recourse to self defence or extrajudicial law enforcement in the event of cyber war.
The cyber continuum
Like armed attacks, cyber-enabled operations have largescale impacts on the physical world – many of them as bad if not worse than the border incidents noted in the US v Nicaraguan ICJ determination. Simply, cyber operations leverage the entire digitally enabled continuum to exert competitive control over a nation’s adversaries. From hacking, influence campaigns, and using malware to physically destroy a nation’s infrastructure – the cyber world can cause widescale damage to a nation’s adversaries and thus require reconciliation with the UN’s nation’s definition of an armed attack to allow armed recourse.
Quest for competitive control over a nation’s polity
Already, the French Minister for the Armed Forces declared that “cyber warfare has begun”, observing that France already had to compete across “intelligence operations, influence operations [to] resilience”. Unsurprisingly, foreign interference has been detected in French, German and Spanish elections demonstrating that foreign governments and intelligence agencies are in the midst of competing for competitive control over Western polity.
In this manner, the US Navy Commander (Ret'd) Mike Dahm succinctly argued that “violent action is one way to accomplish a mission; it is not the objective” with cyber enabled information operations critical to control “foreign hearts and minds”. Nicholas Shallcross in the Journal of Information Warfare continued, arguing that “most decisive battles are fought in the multi-dimensional realm of cyber space”. He cites Russia’s information operations in Ukraine that supported the development of Ukrainian terrorist organisations to destroy national infrastructure as well as Hezbollah’s hacking of US-based media outlets that saw a rise in “moral, physical and financial support” to the terror organisation to demonstrate the impact of information at Phase 0 of kinetic conflict.
A threat to physical infrastructure
Unsurprisingly, over the last year, exploitable loopholes in the cyber continuum have resulted in widescale physical shutdowns of critical civilian infrastructure. To evidence this, one need look no further that the Colonial Pipeline hack in which 45 per cent of the United States’ east coast gas supply was shutdown in a ransomware incident.
Further, over recent months there has also been an increased blurring between cyber and SOF-intelligence led campaigns. This was evidenced with the Natanz nuclear reactor, when the Stuxnet worm was able to impact the operation of Iran’s Natanz-based nuclear centrifuges, with some analysts suggesting that up-to 1,000 centrifuges were forced offline. It is believed that the Stuxnet was uploaded by clandestine teams due to the “air gap” between the nuclear reactor and the internet.
Therefore, cyber capabilities are weapons that can swiftly and easily dismantle a nation’s war readiness.
Reclassifying cyber conflict
Many military theorists and international law experts have been hesitant to reclassify cyber warfare as armed conflict. Simply, it remains unlikely that a cyber campaign could cause the same loss of life as an armed invasion of a littoral urban landscape, and certainly doesn’t appear to be in violation of a nation’s territorial sovereignty. Such diminutive beliefs of cyber warfare appear to have high profile advocates, including Finnish Lieutenant Colonel Jyri Raitasalo, who argued in the Global Security Review that cyber operations are “at most a nuisance”.
Though it remains to be seen how destructive such targeted campaigns can be. Only hindsight will tell whether tolerance toward cyber operations will breed bad behaviour from rogue state actors who seek to get away with more and more. Such a light touch was evidenced by associate professor Joshua Rover’s article 'Why restraint in the real world encourages digital espionage' in War on the Rocks this week.
“Experimental studies find that victims of cyber attacks are less likely to demand retaliation, even when the damage is the same as in a physical strike. Early evidence from real-world incidents supports this insight. States, firms, and individuals have proven surprisingly tolerant of cyberspace operations, and eager to get back online,” Rovener argued.
Is the current definition of armed conflict in line with the United Nation’s concept of self-defence sufficient or should it be extended in line with modern grey zone activities?
Editor – Defence and Security, Momentum Media