Author: Rimjhim Maurya, NMIMS
Abstract
State-sponsored cyber operations as a mode of inter-state geopolitical contestation have revealed fundamental deficiencies in the existing framework of public international law. The paper inquires into the applicability of norms established for kinetic warfare to increasingly complex cyber warfare. Relying on the study of treaty and customary international law, and leading authoritative scholarly statements on the topic, the paper analyses three regimes, i.e. jus ad bellum (UN Charter); international humanitarian law (Geneva Conventions, Additional Protocols); and treaty-based regimes including the Budapest Convention on Cybercrime (2001). It identifies three structural normative deficiencies with reference to the armed attack threshold, state attribution, and protection of critical civilian infrastructure in light of the Tallinn Manual 2.0 (2017) and landmark UN Group of Governmental Experts reports of 2013, 2015, and 2021. The paper makes suggestions as to legal reform, including the conclusion of a treaty-based legally binding instrument governing inter-state cyber conflict.
Keywords: Cyber Warfare, International Humanitarian Law, Jus Ad Bellum, Tallinn Manual, State Responsibility, UN GGE
Introduction
When computer scientists first identified the Stuxnet worm in June 2010, they encountered something without precedent in the history of armed conflict: a weapon composed entirely of code, yet capable of inflicting physical destruction thousands of miles from its operators. The worm, subsequently revealed to be the product of a covert joint operation between the United States and Israel codenamed Operation Olympic Games, had found its way inside the industrial control systems running uranium enrichment centrifuges at Iran's Natanz nuclear complex, triggering the disintegration from within of about 1,000 centrifuges while the operators of the machines looked at their screens and saw nothing unusual. No missile had been fired. No border had been breached. But serious and lasting physical damage had been delivered to a foreign government's infrastructure.
The Stuxnet episode crystallized a set of legal questions that had been building throughout the preceding decade but which the international community had conspicuously failed to resolve. Does the prohibition on the threat or use of force enshrined in Article 2(4) of the United Nations Charter reach such operations? When can a cyber-attack against another state's infrastructure be defined as an 'armed attack' under Article 51 that justifies self-defence, either individual or collective? How is cyber warfare to be conducted after the commencement of an armed conflict? These are not abstract questions. Since States are expending huge resources on cyber offense, and critical infrastructures rely more and more on the network, the answer is of crucial relevance to the peace and security of all the world.
The paper makes three related arguments about international law as applied to cyberspace: existing international law applies, in principle, to cyber warfare, but is not suited to dealing with its specific characteristics. It analyses each in turn: the problematic threshold for what amounts to an armed attack; the practical difficulty of meeting the legal requirement of attribution; and the challenges of applying international humanitarian law to cyber warfare. The paper concludes with specific recommendations for law reform: a legally binding instrument, a multilateral treaty to govern inter-state cyber conflict, is necessary. The primary legal instruments examined include the UN Charter, the Geneva Conventions and their Additional Protocols, the Budapest Convention on Cybercrime, and the authoritative scholarly restatements in the Tallinn Manual series.
Literature Review
The most methodical and scholarly attempt to transpose current international law to cyberspace is the Tallinn Manual, prepared under the direction of the NATO Cooperative Cyber Defence Centre of Excellence. The original edition, published in 2013, identified ninety-five rules restating the applicable jus ad bellum and international humanitarian law as applied to the most severe cyber operations. Its successor, the Tallinn Manual 2.0 of 2017, subsequently expanded this to the context of common cyber operations below the use of force, discussing sovereignty, due diligence, State responsibility and other specialized areas of law applicable to cyber. Together the two Manuals are a fundamental scholarly source on issues of cyber law for practitioners and policy makers.
The academic debate on the jus ad bellum dimension has been shaped significantly by the ICJ's 1986 judgment in Nicaragua v. United States, which established the primary separation between the prohibited use of force and the more serious armed attack that triggers self-defence rights. Much scholarship has focused on what these divisions mean in the context of cyber operations. Professor Matthew C. Waxman traced the evolution of US executive and scholarly thinking about the reach of the Article 2(4) prohibition and showed a clear trajectory toward an effects-based approach which could cover the kinetic equivalent of cyber-attack harm. Professor Eric Talbot Jensen has provided the most detailed exegesis of the Tallinn Manual 2.0, illuminating in particular the Schmitt Criteria, a multi-factor analytical framework for situating a given cyber operation on the spectrum between lawful espionage and unlawful force.
On the treaty front, the Budapest Convention on Cybercrime (2001) established the first binding multilateral framework for harmonising domestic cybercrime laws and facilitating international law enforcement cooperation. However, as already noted, its criminal justice orientation and its deliberate exclusion of military actions by the drafters, combined with the non-ratification by the key state actors engaged in cyber conflict, mean that it is of limited use in governing aggressive inter-state cyber action. The normative void is being progressively filled through the UN GGE process, which has published a series of agreed reports (in 2013, 2015, 2021) confirming the application of international law in cyberspace and setting out principles of voluntary responsible state behaviour. Moreover, the ICRC has published a well-received study on principles of IHL applicable to cyber-attacks in the context of armed conflict. In response, recent academic works have discussed actual cases, specifically the 2020 SolarWinds intrusion and the cyber offensive by the Russian Federation in Ukraine beginning in 2022, which test the usability of current legal categories in the heat of an ongoing context. In the literature surveyed there is near-universal agreement about one conclusion alone: that the existing body of law is both applicable and inadequate, and that the most significant omission is the lack of a treaty obliging States to regulate inter-state cyber warfare. This point warrants particular attention because, although the Tallinn Manual provides a thoroughly comprehensive analysis, its authors explicitly do not claim that their work has legally binding authority (which, indeed, their individual positions can hardly be construed to have). It simply represents "the personal opinions of the experts composing the team of authors", and this persuasive authority is no substitute for a treaty regime.
There is also a consistent methodological tension apparent in the literature. Those that adopt a positivist position, such as the Tallinn Manual's identification of existing rules, naturally lean toward the conclusion that the law is sufficient and only needs some interpretative clarification (as opposed to new treaties). The critical literature strongly contests this conclusion, arguing that this methodology gives technology-savvy states far too much power to decide the legality of their own actions, thereby effectively crafting a set of rules that benefits those powers disproportionately. Professor Heather Harrison Dinniss is a key proponent of the idea that, without clear, agreed definitions of fundamental terms such as 'cyber weapon' and 'cyber-attack', existing IHL is woefully deficient in terms of civilian protection. The GGE has been criticized on the ground that its efforts to establish norms were limited to voluntary and non-binding principles that could not be enforced and which states readily assented to in principle (while engaging in conduct contradictory to their spirit). Such disagreements prove that this is not merely a debate over interpretation, but one over the fundamental suitability of the existing regime itself.
Research Methodology
This paper adopts a doctrinal method; it requires that "the primary source of law be subjected to rigorous interpretive analysis, to the end of establishing what the law is and whether it is sufficient". Primary sources in this case include both treaty text, particularly the UN Charter, the Geneva Conventions and their Additional Protocols, and the Budapest Convention on Cybercrime, and international judicial decisions and advisory opinions, in addition to the ILC Articles on State Responsibility (ARSIWA), and official UN documents such as GGE and OEWG reports. Secondary sources like monographs, articles, and governmental position papers presented to UN cyber processes are used to clarify debated interpretive issues and to illustrate the extent of state practice.
The analysis is structured chronologically around the three relevant regimes: jus ad bellum, International Humanitarian Law (IHL), and the treaty-based regime. The reasoning is simple; this is the logical order of the operation of international law. It is, first and foremost, law concerning the legitimacy of the resort to force, and thereafter, law relating to how war should be fought. The Tallinn Manual 2.0 is considered the main scholarly restatement of applicable international law; however, the non-binding nature of the Manual is kept in view throughout. State practice is examined through the positions expressed by important States in their national legal reports to the UN GGE and OEWG proceedings as evidence of evolving custom. It is argued that the doctrinal method is particularly suitable for this topic, given that the central issue, whether existing international law covers cyber warfare, raises questions of legal interpretation and of identifying and analysing gaps. By systematic identification of applicable law, analysis of its scope and consideration of its application to cyber operations, the law's extent and limitations are mapped more precisely than with policy-oriented approaches. The comparative dimension also plays an additional role; different state positions and different opinions are significant as evidence of disputed or emerging customary law. Unanimity implies an existing rule; divergence of positions suggests that the area requires treaty clarification. This method has a further obvious weakness: because most state cyber operations are not public and attribution findings are not public, a substantial portion of state practice is not observable, so the analysis possibly underestimates the frequency with which norms are broken in practice.
Legal Analysis
A. Jus Ad Bellum and the Problem of the Use-of-Force Threshold
Article 2(4) of the UN Charter lays down the core prohibition against the threat or use of force in international relations, a norm that has achieved the status of jus cogens, which permits no derogation. That this prohibition applies in cyberspace is no longer seriously disputed: France, Germany, Estonia, the Netherlands and the UK have all explicitly stated that the Charter applies in cyberspace in whole and in part and that actions producing effects equivalent to those of conventional armed forces fall within the scope of Article 2(4). It is application, rather than principle, that presents problems. Where precisely, on the operational spectrum, do cyber operations transition from acceptable espionage or economic competition into the proscribed area of the use of force? The law offers no immediate, easy answer.
In the Tallinn Manual 2.0, this problem is addressed by what has come to be referred to as the Schmitt Criteria, a complex, multi-factor, context-dependent analytical model which analyzes the magnitude and recoverability of the consequences of the operation, the temporal and spatial proximity of the effects, the nature and extent of state involvement in the planning and execution of the operation, and the extent to which the operation is an armed forces function. Although this framework is of great analytical use, its fundamentally discretionary nature means that different, reasonable judges can apply it to the same facts and still arrive at different answers. Take the Stuxnet case: the targeting of physical infrastructure with the intent to destroy it and the state sponsorship both suggest that it was a 'use of force', but not an attack sufficiently aggressive to be considered an 'armed attack' within the meaning of Article 51 (at least in the absence of an international adjudicative instance deciding the case).
The difference between the two thresholds, use of force and armed attack, is therefore of great practical importance. It will be recalled from the ICJ's judgment in Nicaragua that the two categories are not interchangeable, so that something may be an impermissible use of force without necessarily constituting an armed attack. Only the latter may justify a response under Article 51. Within the cyber domain, this discrepancy allows for the emergence of an operationally meaningful space of licit aggression. A state that launches a harmful cyber operation that has significant effect, potentially damaging infrastructure, but does not amount to a traditional armed attack does not establish its victim's right to kinetic force, since the victim's own measures are constrained by similarly difficult legal standards. This space is vulnerable to abuse and presents one of the most significant unanswered questions of cyber operations and jus ad bellum.
B. State Responsibility and the Attribution Deficit
Under international law, only state actions are attributed to states. The ILC's ARSIWA establishes that a cyber operation is attributable to a state if it is carried out by the organs of the state or by a person who acts on behalf of, or under the instruction and control of, the state. In reality this requirement is exceptionally difficult to fulfil. Sophisticated state cyber capabilities are designed for deniability through their use of intermediary servers, criminal proxies, and techniques that resist forensic analysis. As a result, even where a cyber operation is thought, within intelligence circles, to be state-directed, and a significant destructive effect has resulted, it will seldom be possible to meet the threshold required to attribute the action legally and to trigger the subsequent legal implications.
Tallinn Manual 2.0 complements this by adding due diligence, the notion that States cannot 'knowingly allow their territory or infrastructures to be used as a base from which the cyber operations of a third State or non-State Actor with significant negative effects may be conducted'. While this rule may impose certain obligations on a territorial state even where it does not directly manage an illegal cyber operation, its effectiveness is limited by the same problem of evidence: information proving that a territorial state knew of and condoned subversive actions from within its borders is usually kept secret, or is almost never admissible as international evidence.
This problem was diplomatically hinted at in the 2015 GGE Report, which stated that 'attribution necessarily required careful consideration of all relevant information, including the context of the incident'. The bargain struck here is that the leading cyber states, who are most capable of executing (and most vulnerable to accusations of executing) offensive cyber operations, have a structural incentive to maintain attribution standards that are impossible to satisfy in practice. The result is a regime where the perpetrator of state-sponsored cyber aggression is virtually immune to legal accountability, and the deterrent effect of international law in the cyber realm is minimal. Even when the U.S. Government identified the Russian SVR as the perpetrator of the SolarWinds compromise in 2021, the attribution was based on classified intelligence that would be inadmissible in a tribunal, further highlighting that the problem is the lack of legally sufficient attribution, not a lack of intelligence.
C. International Humanitarian Law and the Conduct of Cyber Hostilities
International humanitarian law, the rules to be observed by belligerents after the initiation of an armed conflict, may be applied to cyber operations carried out in armed conflict. This reasoning is based on both treaty law (states which have ratified the Geneva Conventions and AP I are bound to respect their rules irrespective of the means employed) and on the Advisory Opinion on Nuclear Weapons, by which the ICJ established that customary IHL applies 'to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future'. Critically, the 2021 GGE Report gave this proposition multilateral intergovernmental endorsement for the first time, confirming by consensus that IHL applies in situations of armed conflict involving cyber operations.
The principle of distinction, described by the ICJ as one of the 'intransgressible' norms which constitute the basis of IHL, requires belligerents to attack only military objectives, and never to direct their attacks against civilians or civilian objects. This principle has a new, immediate relevance in cyber conflict given the ubiquitous nature of shared civilian and military networks and infrastructure. A cyber operation against a military command network may easily disrupt emergency services, and malicious software may spread across networks to hospital systems. Article 52(2) of AP I defines military objectives as any objects that may in actual fact constitute a contribution to military action and the destruction of which would at the same time constitute an advantage of a similar order to that obtained; this definition is helpful, but is necessarily imprecise when the object is a dual-use digital system.
The principle of proportionality states that attacks cannot be made if they cause unintended civilian loss which is excessive when compared to the military benefit gained. As has been noted by the ICRC, applying proportionality to cyber-attacks requires commanders to consider the direct and indirect consequences of the action, including cascades in interconnected civilian systems, which may be unforeseeable. The related obligation of precaution, codified in Article 57 of AP I, further requires parties to take all feasible steps to minimise civilian harm, including cancelling or suspending an attack when its collateral consequences become apparent.
A second, hotly debated doctrinal question is how to interpret "attack" in the context of IHL. Article 49 of AP I defines "attack" as "acts of violence against the enemy," a broad formulation that has seen two very different state positions in the cyber context. France has adopted a more expansive interpretation, whereby a cyber operation that disables a system from functioning as it was intended to function qualifies as an attack even if no physical damage occurs and no human life is harmed; this position has been most authoritatively laid out in the French Ministry of the Armed Forces' 2019 paper on the application of IHL to cyberspace operations. The United States, on the other hand, has stuck closer to concrete, kinetic-equivalent effects; it considers such effects to be the lower bound for an IHL attack, an approach outlined in the U.S. Department of Defense Law of War Manual (2015, rev. 2023) and broadly accepted by the group of experts on the Tallinn Manual. This dispute has immediate and urgent practical implications: if cyber operations that only disable systems are not "attacks," then huge swaths of inherently destructive cyber operations (like incapacitating hospital systems or air traffic control systems) do not benefit from IHL's protective framework at all. Russia's combined kinetic and cyber operations in Ukraine since February 2022 provide a vivid case of the issue at hand.
D. The Treaty Regime and the UN GGE Process
The Budapest Convention on Cybercrime occupies a structurally anomalous position in the governance landscape of cyberspace. The only widely accepted binding multilateral treaty governing the use of the Internet, it has proved an effective tool for domestic criminal law harmonization and cross-border law enforcement cooperation. Its design, focusing on the criminalisation of illegal access, data interference and system interference, and providing for mutual legal assistance, is appropriate for governing cybercriminal activity. However, its structure is poorly suited to governing the actions of states using cyber capacity as a tool of foreign policy and warfare; major actors in state-sponsored cyber operations such as Russia, China, Brazil and India are reluctant to become parties to the Convention.
The UN GGE process has been the main vehicle for creating norms applicable to states' conduct in cyberspace. Four sessions of the experts, concluding in 2010, 2013, 2015 and 2021, have developed consensus reports gradually moving forward the normative regime. The 2013 Report was the first to affirm multilateral consensus that international law applies to cyberspace. The 2015 Report went further, articulating eleven voluntary norms of responsible state behaviour (including prohibitions on operations targeting critical infrastructure and on the use of proxies for internationally wrongful acts), and was subsequently endorsed by the UN General Assembly through Resolution 70/237. The 2021 Report reaffirmed that the whole UN Charter applies to state activities in cyberspace and confirmed, for the first time at the intergovernmental level, the application of IHL to cyber operations in armed conflict.
Discussion: Gaps and Recommendations
From the foregoing analysis, it becomes clear that although the law is both relevant and applicable to cyber warfare, three structural deficiencies prevent it from being an adequate regime: it provides no sufficient barriers in the environment, within the system and among its actors. As will be explained hereafter, these deficiencies make it possible to conduct extremely damaging cyber operations without facing effective consequences and render civilians quite defenseless.
The first, and perhaps most elementary, gap is the lack of clarity on what defines the threshold for an armed attack. As long as doctrinal ambiguity exists as to whether cyber-attacks causing widespread economic or functional harm (without causing a destruction of property comparable to conventional warfare) constitute armed attacks, there will remain no reliable deterrent framework for malicious state activity on a wide range of issues in the international system. Ukraine itself represents an instance of this gap; Russia's pre-conflict cyber-attacks against Ukraine's infrastructure were widely characterized as preliminary aggression, but their classification as armed attacks under Article 51 was legally contested throughout the crisis. An answer requires moving beyond a non-binding, voluntary guidance document like the Tallinn Manual to established, treaty-based standards that clearly set out what constitutes the armed attack threshold. Sufficient diplomatic momentum has been achieved through GGE and OEWG processes for such a step; only political will remains the problematic constraint.
The attribution deficit is the second important gap. The SolarWinds compromise (2020) and the U.S. Government's attribution in April 2021 to Russia's SVR exemplify the deficit: the United States may make formal government attribution to another state in cyberspace, but no proceedings under international law will commence if attribution rests on classified material. For Russia's cyber campaign against Ukraine, beginning with NotPetya (2017), but also involving attacks against the Ukrainian power grid in 2015-2016, as well as attacks since February 2022, official government attribution by the United Kingdom, the European Union, and the United States has been forthright throughout, and yet has failed to produce international legal consequences. The establishment of an international independent technical attribution mechanism, perhaps on par with the investigatory functions of the OPCW to determine state responsibility for the use of chemical weapons, would provide the forensically sound and politically legitimate basis for official attribution. It would not necessarily negate the need for classified intelligence, but would provide a forum in which the evidence for attributing particular actions to states could be assessed in relation to predetermined evidentiary standards.
The third gap is that no treaty on inter-state cyber war exists. A framework comprising a mixture of general international law, non-binding expert compilations and political soft-law will not suffice for this new threat of weapons in cyberspace. Any specific international instrument will need to tackle: classifications of forbidden cyber weapons and attacks; protection of civilian infrastructure; rules of attribution and liability for breaches; dispute resolution mechanisms; and verification mechanisms. Whilst the initiation of the Tallinn Manual 3.0 process in 2011 is a valuable academic effort to close this gap, treaty negotiation requires states, a role no academic effort can replace.
Conclusion
In this paper, we have investigated the international legal regime for cyber warfare under three primary legal paradigms (jus ad bellum, international humanitarian law, and the treaty-based regime) and found where the law's actual normative force begins and where its structural weaknesses start. Existing international law is hardly irrelevant in cyberspace, yet its application is hampered by precisely the traits which make cyber-attacks so tempting: they are scalable and deniable, and can cause damage cheaply and unpredictably across interconnected systems through cascading effects. International law, particularly UN Charter Article 2(4), is capable of governing the use of force in cyberspace; the principles of distinction, proportionality and precaution bind belligerents who use cyber means when conducting armed conflict; and the law of state responsibility offers a framework for legal liability, at least in principle. However, the threshold for an armed attack continues to be frighteningly ambiguous; attribution for purposes of a legally justifiable standard under ARSIWA remains impossibly difficult except in rare circumstances (as evinced in the controversy over the legal ramifications of both the SolarWinds breach and Russia's continued cyber-attacks on Ukraine); and the international community lacks a binding treaty which specifically sets out particular, enforceable obligations that take the special attributes of cyber warfare into account. Closing these gaps will require continued academic endeavor (such as that carried out in the ongoing Tallinn Manual 3.0 process) and a determined effort by states, who will need to find the political will to agree to and adhere to binding obligations to curtail their cyber capabilities in exchange for a more humane and predictable global environment.
References
Herbert Lin & Amy Zegart (eds.), Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations (Brookings Institution Press 2019).
UN General Assembly, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc. A/68/98 (June 24, 2013) [hereinafter 2013 GGE Report].
UN General Assembly Res. 70/237, UN Doc. A/RES/70/237 (Dec. 23, 2015).
Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J. Rep. 226, para. 78 (July 8) [hereinafter Nuclear Weapons Advisory Opinion].
UN General Assembly, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc. A/70/174 (July 22, 2015) [hereinafter 2015 GGE Report].
International Law Commission, Draft Articles on Responsibility of States for Internationally Wrongful Acts, UN Doc. A/56/10 (2001) [hereinafter ARSIWA], arts. 4, 8.
John Richard, Stuxnet as Cyberwarfare: Applying the Law of War to the Virtual Battlefield, 29 J. Marshall J. Computer & Info. L. 1 (2011).













