LawyersForPeace.Online

The discourse surrounding “cyberwar” is complex, with legal scholars and states often preferring the broader term “cyber operations” to encompass a wide spectrum of activities, from espionage to disruptive attacks. The legal implications of these operations vary significantly depending on their nature, scale, and effects. A fundamental challenge in regulating these activities stems from the inherent dual-use nature of cyber technologies, which makes it difficult to define what precisely constitutes a “cyberweapon” or an act of “cyberwarfare” in a manner consistent with traditional arms control concepts.¹

Despite the definitional complexities, a broad consensus exists among states: existing international law, including the United Nations Charter, applies to state conduct in cyberspace.² This principle, often referred to as “tech-neutrality,” signifies that entirely new legal frameworks are not necessarily required. Instead, the focus is on interpreting and applying established rules to the unique characteristics of the cyber domain.² This agreement, while seemingly straightforward, is profoundly significant. It eliminates the need to “reinvent the wheel of international law” for every new technological advancement, allowing the international community to build upon existing legal foundations.²

However, this broad consensus on applicability does not translate into uniform understanding. A critical aspect of the ongoing international dialogue is that the debate is not about whether international law applies, but how it applies. The interpretation and practical application of these existing laws to specific cyber activities remain highly contentious and represent the primary source of legal ambiguity. This nuanced distinction means that diplomatic efforts are largely concentrated on clarifying the scope and content of established norms and principles, rather than embarking on the arduous task of drafting entirely new treaties from scratch. This approach, while still challenging, is considered a more achievable path towards establishing a predictable legal environment in cyberspace.

The application of established international legal principles to the cyber domain presents both clarity and significant interpretive challenges. Understanding these core principles is essential for comprehending the current legal landscape of cyber operations.

Sovereignty stands as a foundational principle of international law, granting states exclusive control over their territory and internal affairs.⁸ In the context of cyberspace, this principle implies a state's inherent right to control its cyber infrastructure located within its territorial boundaries.³ Consequently, a cyber operation that infringes upon a state's territorial integrity or its exclusive control over its cyber infrastructure can constitute a violation of its sovereignty.¹⁰ This includes hostile cyber operations directed against a state's cyber infrastructure or those that produce effects on its territory.¹¹

While physical damage unequivocally signifies a violation of sovereignty, the threshold for non-physical intrusions or disruptions remains a subject of ongoing debate. For instance, France asserts that a hostile cyber operation violates its sovereignty if launched by another state's organs or proxies and if it causes “effects” on French territory.¹⁰ The gravity of such a sovereignty breach is typically assessed on a case-by-case basis by the affected state.¹⁰

Despite the general acceptance of sovereignty's applicability in cyberspace, its precise meaning and scope are contested. The United Kingdom, for example, maintains a “contested understanding” of sovereignty in cyberspace, which, in its interpretation, allows it to engage in certain cyber operations that it deems do not violate other states' sovereignty.¹² This perspective contrasts sharply with states like France ¹⁰ and Germany ⁶, which advocate for a more traditional and robust application of the principle. This divergence in interpretation creates legal grey zones, where what one state considers permissible, another might view as a violation. Such differing views inherently increase the risk of miscalculation and unintended escalation in the cyber domain. If states adopt interpretations that maximize their operational flexibility, it could lead to a downward spiral in terms of permissible cyber behavior, undermining efforts to establish a stable and predictable international order in cyberspace.

Article 2(4) of the UN Charter prohibits the threat or use of force against the territorial integrity or political independence of any state.⁸ In the cyber context, states generally agree that a cyber operation qualifies as a “use of force” if its effects are comparable to those of a conventional (kinetic) act covered by this prohibition.² This typically implies that the operation must cause “significant death or injury to persons, or substantial material damage or destruction”.¹⁴

However, the precise threshold for what constitutes a “use of force” in cyberspace is a major point of contention among states.² Some states suggest that even the “loss of functionality of cyber infrastructure without causing material damage” could qualify as a use of force, while others argue that “cyber operations causing purely economic harm” might also violate the prohibition.² France, for example, considers operations that penetrate military systems to weaken defensive capabilities or the financing and training of groups to conduct cyber attacks as examples of the use of force.¹¹ This ongoing debate over whether non-kinetic effects, such as functional disruption or economic harm, cross the use-of-force threshold is critical because it directly impacts the legitimacy of a state's response, including the right to self-defense. If a cyber operation causing only functional disruption or economic harm is deemed a “use of force,” it significantly broadens the scope of permissible responses, potentially including kinetic retaliation. This lower threshold could lead to unintended escalation, as states might feel justified in responding more aggressively to incidents that, in a traditional context, would not warrant military action. The absence of a clear, universally agreed-upon threshold creates strategic instability and increases the risk of miscalculation in a crisis.

Article 51 of the UN Charter codifies the inherent right of individual or collective self-defense if an “armed attack” occurs against a UN Member State.⁸ This right is recognized as customary international law.¹⁴ For a cyber operation to constitute an “armed attack” under this provision, its scale and effects must be comparable to those of a kinetic armed attack, resulting in significant death or injury to persons or substantial material damage or destruction.¹⁴ It is important to note that not every use of force, whether kinetic or cyber, automatically constitutes an armed attack that triggers the right to self-defense.¹⁴

Any measure taken in self-defense, whether through cyber means or traditional armed forces, must adhere to the principles of necessity and proportionality.⁸ A response does not necessarily need to involve the same means through which the armed attack was inflicted.¹⁴ The right of collective self-defense also extends to cyberspace.¹⁴ NATO, for instance, affirmed in 2014 that a cyberattack could reach a threshold threatening national and Euro-Atlantic security, potentially triggering collective defense.¹⁴ Furthermore, the right of self-defense may apply to cyberattacks reaching the threshold of an armed attack inflicted by non-state actors.¹⁴

While the right to self-defense is affirmed for cyber operations that meet the “armed attack” threshold, the application of the “necessity and proportionality” principles to cyber responses presents particular challenges. Although states can respond with kinetic means to a cyber armed attack ¹⁴, the inherent ambiguity in attributing cyberattacks ⁸ and the difficulty in assessing the precise impact of a cyber operation complicate the determination of a proportionate response. If a state cannot definitively attribute a cyber armed attack to another state, or if the “damage” is primarily functional rather than physical, it becomes difficult to legally justify a kinetic response as “proportionate.” This situation creates a dilemma for victim states: respond inadequately and appear weak, or respond disproportionately and risk violating international law and escalating the conflict. This legal uncertainty can significantly constrain a victim state's options, especially when facing sophisticated adversaries who exploit these ambiguities.

The obligation of non-intervention is a well-established norm of customary international law, prohibiting states from coercively intervening in the internal or external affairs of other states.⁹ This principle is a natural consequence of state sovereignty.⁹ To constitute a breach of this principle, an intervention must include an element of “coercion” aimed at influencing a state's decisions within its domaine réservé—areas of state activity that remain its exclusive competence.⁹ The use of force is an unambiguous example of a prohibited intervention.⁹

In the cyber domain, operations that adversely affect the functioning and security of a state's political, economic, military, or social system, potentially leading to the state's conduct that would not occur otherwise, may be considered prohibited interventions.⁹ Specific examples include preventing the online filing of tax returns, interfering with the reliable and timely conduct of democratic elections, modifying the outcome of online voting, or wide-scale and targeted disinformation campaigns that result in civil unrest requiring specific state responses.⁹

The “element of coercion” in cyberspace, however, remains a key interpretive challenge.⁹ While some examples, such as direct election interference, are relatively clear, the line between permissible information operations (e.g., public diplomacy) and prohibited coercive intervention (e.g., wide-scale disinformation causing civil unrest) is often blurry. This ambiguity provides states with a “grey zone” for conducting operations that fall below the use-of-force threshold but still possess significant disruptive potential. The difficulty in defining “coercion” in the digital realm allows states to push the boundaries of acceptable behavior. A state might argue its actions are merely “influence” or “information gathering,” while the target state perceives them as “coercive intervention.” This lack of a clear threshold for non-forcible intervention means that many malicious cyber activities, such as sophisticated influence operations, may not trigger clear legal responses, creating a gap in accountability and fostering instability in the international system.

Legal attribution is a fundamental element of an internationally wrongful act, serving to attach a given action or omission to a state.¹⁶ It is a prerequisite for invoking state responsibility.¹⁶ Under the customary international law rules on attribution, as reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA), a state is responsible for the conduct of:

• Its organs, regardless of their function or position within the state organization.¹⁶
• Persons or entities empowered by the state's law to exercise elements of governmental authority, provided they act in that capacity.¹⁶
• Non-state actors acting on the instructions of, or under the direction or control of, that state.¹⁶ This criterion typically requires “effective control” by the state over the specific operation, a threshold that is generally considered high.¹⁶ A less restrictive approach, the “overall control” test, is also debated in legal scholarship.¹⁶
• Conduct that the state acknowledges and adopts as its own.¹⁶

The technical difficulties inherent in tracing cyber operations and determining their authorship significantly complicate legal attribution.¹⁶ While any allegation of a wrongful act by another state should be substantiated, international law does not impose an obligation to publicly provide the evidence upon which an attribution is based.¹⁶ The standard for a state considering a response to an internationally wrongful act is “reasonableness,” meaning states should act as reasonable states would in similar circumstances.¹⁶ Many states, including Australia, Estonia, France, Germany, Italy, Switzerland, the US, and the UK, affirm that publicizing attribution decisions is a national prerogative, not a legal obligation.¹⁶

The high legal threshold for attributing non-state actor conduct to a state, requiring “effective control” over the specific operation ¹⁶, combined with the inherent technical difficulties of tracing cyber operations ¹⁶, creates a significant accountability gap. This situation can incentivize states to use proxies to conduct malicious cyber activities, allowing them to evade direct responsibility and complicate responses by victim states. If states can plausibly deny involvement by operating through non-state actors, and the legal standard for proving state control is exceptionally high, it becomes very difficult for victim states to legally justify countermeasures or self-defense against the sponsoring state. This structural challenge in attribution undermines the deterrent effect of international law and can lead to a proliferation of state-sponsored cyberattacks, as perpetrators face reduced legal consequences. Although the “reasonableness” standard for a responding state attempts to provide some flexibility, it still relies on internal assessments that may not be universally accepted, further contributing to legal uncertainty.

International Humanitarian Law (IHL), also known as jus in bello, applies in situations of armed conflict, whether international or non-international in character.¹⁹ Its primary objective is to limit the effects of armed conflicts and protect those who do not, or no longer, participate in hostilities, particularly civilians.¹⁹ IHL applies to a particular cyber activity if there is a “sufficient nexus” with an armed conflict, meaning the activity is undertaken by one party to the conflict against another and contributes to the former party's military effort.¹⁹ This applies whether cyber activities are carried out as part of ongoing conventional operations or if the cyber activities themselves cross the threshold of violence to be characterized as an armed conflict.¹⁹

Key IHL principles, namely distinction, proportionality, necessity, and precaution, are considered applicable to cyber conflicts:

• Distinction: Requires that cyberattacks must target military objectives and must not be indiscriminate. In cases of doubt, a cyber infrastructure normally dedicated to civilian purposes is presumed not to be used for military action.¹⁹
• Proportionality: Prohibits the launching of an attack expected to cause incidental loss of civilian life, injury to civilians, or damage to civilian objects that would be excessive in relation to the concrete and direct military advantage anticipated.¹⁹ This principle is understood to include “non-kinetic, disruptive cyber-attacks against civilian infrastructure” within the meaning of 'incidental harm'.²⁰
• Necessity: Justifies the use of all measures needed to defeat the enemy as quickly and efficiently as possible, provided they are not prohibited by the law of war.²⁰
• Precaution: Requires parties to take into consideration the particularities of cyberspace, such as the interconnectivity between military and civilian networks, when making assessments related to targeting.¹⁹

Critical civilian infrastructure that enables the delivery of essential services is increasingly dependent on digitized systems. The preservation of such infrastructure and services from cyber operations or incidental damage is vital to protecting the civilian population.¹⁹

While IHL is affirmed as applicable to cyber operations during armed conflict, aiming to protect civilians and civilian objects, the application of its principles, particularly distinction and proportionality, to non-kinetic cyber effects (e.g., data manipulation, functional disruption) presents a significant challenge.²⁰ The prevailing interpretation of IHL in the cyber domain sometimes favors military necessity considerations over the principle of humanity, potentially allowing belligerents to engage in disruptive cyberattacks against civilian infrastructure without being fully limited by traditional targeting rules.²⁰ If non-kinetic effects are not fully accounted for in proportionality assessments, belligerents might exploit this loophole to conduct disruptive cyberattacks on civilian infrastructure (e.g., power grids, hospitals) without causing direct physical damage, thereby arguing they are not violating IHL. This could lead to severe humanitarian consequences, as essential civilian services are disrupted, and undermines the protective purpose of IHL. The inherent interconnectivity of civilian and military networks in cyberspace further complicates the application of distinction and proportionality, making it difficult to avoid incidental harm to civilians and civilian objects.

Table 1: Key International Legal Principles and their Application to Cyber Operations

The regulation of cyber warfare is characterized by a fundamental tension: a broad international consensus on the applicability of existing international law to cyberspace, juxtaposed with deep disagreements on its interpretation and practical application. While states widely agree that the UN Charter and other foundational legal principles apply to cyber operations, the precise thresholds for “use of force,” the definition of “coercion” in non-intervention, and the standards for attribution remain subjects of intense debate.

The Tallinn Manuals serve as pivotal academic efforts, providing comprehensive interpretations that, despite being non-binding, significantly influence national legal doctrines and international discourse. Simultaneously, the United Nations processes, particularly the GGE and OEWG, have established a foundational normative framework through voluntary norms of responsible state behavior. These UN initiatives, while sometimes reflecting geopolitical tensions through their dual-track approach, are crucial for fostering common understandings and promoting cooperation. The recent UN Convention against Cybercrime represents a significant step in addressing specific cybercriminal acts, though its narrow focus on “cyber-dependent” crimes highlights the ongoing challenge of balancing international cooperation with the protection of human rights against potential misuse by authoritarian regimes.

National positions further underscore the fragmentation in interpretation. States like the United States and the United Kingdom adopt more proactive stances, seeking to operate effectively in the “grey zone” below the traditional armed attack threshold, while others, such as Germany and Estonia, emphasize a more conservative, rules-based application of international law. The state-centric, control-oriented approaches of China and Russia, prioritizing national security and information sovereignty, fundamentally clash with Western ideals of a free and open internet, creating deep ideological divides that impede the development of universal norms.

Given the immense practical and definitional challenges, particularly the dual-use nature of cyber technologies and the difficulty in defining and verifying “cyberweapons,” traditional arms control treaties are largely unworkable. Consequently, the international community has shifted its focus from controlling the means of cyber warfare to regulating the conduct of states. In this context, non-binding norms and Confidence-Building Measures (CBMs) have emerged as pragmatic and crucial tools for enhancing stability and reducing the risk of escalation. These measures, which prioritize transparency, communication, and information sharing, aim to build trust and manage incidents even in the absence of comprehensive, legally binding agreements.

Ultimately, the regulation of cyber warfare remains a dynamic and evolving field. It necessitates continuous dialogue, further clarification of state practice, and innovative approaches to address the unique characteristics of the cyber domain. Ensuring international peace and security in the digital realm will depend on the international community's ability to navigate these complexities, bridge interpretive divides, and foster greater cooperation to prevent miscalculation and unintended conflict.

Created with Google Gemini and subject to further review.