Res Communis Blog RSS

Cyber-warfare and the Use of Force

at 17:40 | Cyber Law | Comments Off on Cyber-warfare and the Use of Force


by Aaron Herrington

This post is part of the student blogger project from the summer session of International Telecommunications Law.

Aaron Herrington is a rising 2L at the University of Mississippi. He is currently pursuing a Certificate in Remote Sensing, Air, and Space Law.

Modern warfare creates problems for the Law of International Armed Conflict (LOIAC) if applied in a traditional manner. The LOIAC requires militaries to differentiate between individuals who are fighting and ones who are not. The problem is that traditional principles of the LOIAC do not explain how to do this in light of modern warfare. Modern warfare consists largely of information operations and cyber-space conflict. Types of modern warfare such as these make distinguishing between military and civilian operations practically impossible without a modern application of traditional LOIAC principles.

Article 51 of The United Nations Charter permits states to engage in individual or collective self-defense in the face of an “armed attack.” According to the International Court of Justice in the Nicaragua (para. 228) case there is a distinction between a “use of force” and an “armed attack,” the difference being that an armed attack has a higher threshold, one that requires direct causation of physical damage to property or injury to human life. This standard does not prevent states from responding to information operations that don’t reach the threshold, but simply excludes the use of military force as an appropriate response option.

That being said, it is the targeted state in an information operation which determines the meaning of “armed attack” and therefore something which may not actually cause physical harm, but is of such importance to the state that it still may cross the threshold.

Once and only when a state has deemed a cyber-attack to reach the threshold of an “armed attack” may a state respond with military force. For example, the United States, has concluded that any cyber sabotage originating from another country can in fact constitute an act of war, which permits the U.S. to respond using traditional military force. The question as to what level of sabotage must be present to constitute an act of war has been left unanswered, as well as if it is possible to ever truly distinguish an attack’s origin as cyber tracing can be unreliable.
Distinction is perhaps the most important principle of the LOIAC, distinguishing between those who are fighting and those who are not, and permits direct attacks only on those not fighting. Article 51 of AP1 emphasizes that civilian populations, as well as individuals, shall not be subject of attack.

A recent example of this problem was the development and deployment of the Stuxnet virus. Was it in fact an armed attack? Given the fact that the virus destroyed pieces of a centrifuge, under no reasonable interpretation of international law could Stuxnet not be found to be at the very least a use of force, if not an armed attack. Under international law, the use of weapons whose purpose is to have a destructive kinetic effect is likely to constitute an armed attack.

The question of distinction is problematic in cyber-warfare as well. Stuxnet, for example, was a worm which once it reached the target would sit for days or weeks before sending instructions to speed up or down the centrifuges so suddenly that the fragile parts self destructed. A problem with Stuxnet occurred, while they were still in control of it specifically affecting only the targeted computer, an error in the code resulted in it replicating and spreading to computers all over the world.

As Stuxnet shows there are many unknowns in the area of cyber-warfare and attempting to apply traditional standards of the LOIAC, such as distinguishing the target, are problematic. Either new standards need to be adopted or there must come a way to reliably apply the traditional standards of LOIAC to cyber-warfare.