Cyber-attacks have increased in frequency, presenting a difficult issue in modern international law. The effects of a cyber-attack have the capacity to cause widespread and significant damage. The relative novelty of these forms of attacks bring several challenges. On a global scale, nations are rapidly becoming more reliant on technology and related information.[1] Experts have struggled to establish an all-encompassing definition of what constitutes a “cyber-attack.” The means by which individuals carry out a cyber-attack may vary. However, to constitute a cyber-attack, it must “aim to undermine or disrupt the function of a computer network.”[2] This establishes an objective framework, focusing on the individual target or targets as opposed to the idealized long-term purpose of the attack.[3] A cyber-attack must also harm the overall function of a computer network.[4] Large, highly dangerous cyber-attacks must be distinguished from general cyber-crimes. Individuals who carry out cyber-attacks have “a political or national security purpose.”[5] In contrast, cyber-crimes are generally significantly less harmful.[6] There is not a requirement regarding the motive of the attached in terms of cyber-crimes; this makes cyber-crimes somewhat simpler for the law to approach.
Previously, cyberwarfare procedures existed as a way to alert people to the potential threat they posed and their ability to create significant turmoil.[7] However, legitimate cyber-attacks have created serious dangers to its victims. In 2008, the United States Department of Defense experienced a serious cyber-attack.[8] A United States military laptop was inserted with a flash drive that introduced dangerous software into the Central Command’s computer systems, endangering both classified and unclassified material.[9] In 2008, an action rendered the country of Georgia unable to connect to the internet while Russia invaded South Ossetia.[10] Given the unique nature of cyber-attacks and the potential harm caused, it would be difficult to immediately determine the ultimate impact of the attack. Both attacks had the potential to cause serious harm that would reasonably warrant a significant response from the respective countries.
Article 2(4) of the United Nations Charter states that “[a]ll Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”[11] To fully establish a proper response, it is imperative to determine whether cyber-attacks rise to the level of “force” as specified in article 2(4).[12] Though cyber-attacks do not constitute the kinetic military force that has historically presented issues of international policy and national security, the Charter was likely drafted to protect the right of nations to remain safe from intervention.[13] Several American experts have argued that the terms “force” or “armed attack” should be “interpreted to cover attacks with features and consequences closely resembling conventional military attacks or kinetic force.”[14] Under this interpretation, cyber-attacks would fall under the definition of force as set forth in the Charter.
Similarly, Article 51 of the United Nations Charter states that “[n]othing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations.”[15] Since it is difficult to immediately determine the overall impacts of a cyber-attack, it is difficult to conclude whether the attack rises to the level of an “armed attack” under the Charter such that self-defense is justified.[16]
The first time a cyber-attack was responded to with physical force occurred when the Israeli Defence Forces bombed a building that was the home of the group responsible for the attack.[17] This response further raises the issue of how the relevant states should respond to cyber-attacks.[18] The law must consider both the proportionality of the response and who should be the responder.[19]
When considering how to respond to a cyber-attack, it is essential to consider the differences between attacks in cyberspace and physical attacks.[20] Cyberspace exists in a comparatively boundaryless platform.[21] This makes it difficult to identify who should have the responsibility to address attacks.[22] The intended target of a cyber-attack may not be the impacted target.[23] This creates issues in terms of who should respond to the attack – the actual or intended target.[24] As a jurisdictional matter, within its sovereign territory, a state has the right to “control access to its territory…the exclusive right to exercise jurisdiction and authority on its territory.”[25] Therefore, it would follow that the state of impact has the right to respond as they see fit under their accepted law.
The adoption of an objective approach to cyber-attacks would enable countries and individuals to seek justice following a dangerous attack. As an area of international law that has yet to be clearly defined, it is imperative that nations work together in a good faith effort to ensure they respond in a way guided by a focus on the pursuit of justice.
- Karagiannopoulos, Vasileios et. al., Cyber Attacks are Rewriting the ‘Rules’ of Modern Warfare – and We aren’t Prepared for the Consequences, The Conversation (May 16, 2019), https://theconversation.com/cyber-attacks-are-rewriting-the-rules-of-modern-warfare-and-we-arent-prepared-for-the-consequences-117043 (last visited Mar. 26, 2020). ↑
- Hathaway, Oona et. al, The Law of Cyber-Attack, 100 Cal. L. Rev. 819, 826 (2012). ↑
- Id. at 827. ↑
- Id. at 828. ↑
- Id. at 830. ↑
- Id. ↑
- The NATO Cooperative Cyber Deference Centre of Excellence, Tallin Manual on the International Law Applicable to Cyber Warfare 45 (Michael Schmitt, ed. 2013). ↑
- Waxman, Matthew, Columbia Law School, Cyber Attacks as “Force” Under UN Charter Article 2(4), 87 Int’l L. Stud. 43, 43 (2011). ↑
- Id. at 44. ↑
- Hathaway supra note 2, at 837. ↑
- U.N. Charter art. 2, ¶ 4. ↑
- Id. ↑
- Waxman supra note 8, at 46. ↑
- Id. at 47. ↑
- U.N. Charter art. 51. ↑
- Karagiannopoulos, supra note 1. ↑
- Id. ↑
- Id. ↑
- Id. ↑
- Melzer, Nils, UNIDIR Resources, Cyberwarfare and International Law, 5 (2011). ↑
- Id. at 22. ↑
- Id. at 11. ↑
- Id. at 20. ↑
- Id. ↑
- The NATO Cooperative supra note 7, at 25. ↑