Skip Navigation

Self-Defense and Reprisals in an Era of Cyber Conflict

Self-Defense and Reprisals in an Era of Cyber Conflict

05-01-2018 | Eric A. Heinze

The use of malicious cyber operations by state and non-state actors in international affairs has sparked a vigorous debate over how international law governs the use of so-called “cyber force” by states. A critical contribution to this debate is the 2017 Tallinn Manual 2.0, the follow-up to the original Tallinn Manual in 2013, both authored by the International Group of Experts and commissioned by the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE).1 With a charge to “examine how international law governs the use of cyber-force by States and the employment of cyber-operations during armed conflict,” as well as cyber activities during peacetime, the Tallinn Manual, provides crucial insight into the current status, and possible future trajectory, of international law on the use of force. While the Manual generally offers a conservative interpretation of international law, it appears to leave room for certain uses of force broadly believed to have been outlawed by the UN Charter, which, in light of evolving state practice, may lead states to interpret more latitude concerning when they may resort to force to defend against hostile acts.

The crux of the matter concerns what states who have been the victim of a cyber use of force are lawfully permitted to do in response. Under existing international law, states are prohibited from using force unless they are acting in self-defense of an “armed attack,” under the authority of Article 51 of the UN Charter. It is well understood in international law that not all uses of force rise to the level of an armed attack; “only the most grave uses of force” are grounds for invoking the right to self-defense, whereas lower-level military actions that do not meet the “scale and severity” threshold of an armed attack are not legal grounds for resorting to self-defensive force.2 Where this threshold lies in terms of the scale and severity is subject to some debate, but the important point is that not all uses of force rise to the level that would allow the victim state to invoke its right to self-defense as the basis for resorting to forcible defensive measures.

When it comes to cyber uses of force, the Tallinn Manual indicates in no uncertain terms that it makes no distinction whether a use of force is carried out with a computer or with a traditional weapon in concluding whether the operation amounts to a use of force, as well as an “armed attack” for the purposes of Article 51. What matters is whether the “scale and effects” of a malicious cyber operation are comparable to kinetic operations that would normally be considered a use of force or an armed attack.3 Assuming that a cyber-operation is of a scale and effect that is comparable to that what would normally be considered an armed attack, the victim of such an attack could lawfully resort to the use of force under the right of self-defense. And, importantly, the victim state would be entitled to use kinetic force in self-defense of a cyber armed attack (and vice versa), given the Tallinn Manual deliberately does not distinguish between cyber and kinetic uses of force.

A more contentious issue is what a state may do that is the victim of a cyber use of force that does not reach the scale and effects of an armed attack. The conventional view on this question is that the victim state is not entitled to resort to the use of force, since an “armed attack” did not occur, and since the use of force is therefore understood to be prohibited.4 But assuming that the original use of force entailed a breach of a legal obligation owed by the offending state to the victim state (e.g. to refrain from the use of force), then the victim state would be entitled to impose countermeasures against the offending state by suspending a legal obligation owed to that state until such time as the offending state complies with its legal obligations. But, importantly, the victim state in such a case would be prohibited from responding with even a proportionate use of force, as evidenced by both the International Court of Justice (ICJ) and The International Law Commission’s (ILC) conclusions that states must refrain from the use of force when conducting countermeasures.5 Such “forcible countermeasures,” or what used to be known as “armed reprisals” are thus broadly thought to have been outlawed by the UN Charter when it outlawed the use of force, save for in self-defense of an armed attack.6

The Tallinn Manual does not go as far, as the Experts could not agree whether a state’s cyber countermeasure in response to a wrongful use of force that does not qualify as an armed attack may itself entail the use of force (cyber or otherwise). In fact, several of the Experts agreed that forcible countermeasures are indeed a lawful response in such a situation on the basis that depriving a victim state of the ability to respond with its own forcible operations would be to deprive it of even a proportionate response.7 In light of this disagreement, the Tallinn Manual leaves this question open and does not impose the limitation that countermeasures must always refrain from the use of force—at least when the original wrongful act entailed a use of force.

This omission is significant for a couple reasons. First, while it seems to upend a broad consensus about the illegality of armed reprisals, which seems well-established under UN Charter rules, examined in light of state practice and the evolution of the UN system, such a prohibition makes less sense. Consider that that UN Charter rules have been interpreted by states more loosely due to developments in world affairs since 1945, most notably the fact that the political conditions necessary to allow the Council to consistently and effectively enforce a collective security system never materialized, leading states to rely more on self-help than the framers of this system had intended.8 For instance, the UN Charter originally envisaged the right of self-defense as a temporary measure that was only available to the victim state until the collective security machinery of the UN Security Council could kick into action. Such a rule is broadly ignored by states, and self-defense today remains the exclusive purview of states. Likewise, in situations like those discussed above involving a use of force short of an armed attack, the UN system sought to replace individual judgment and forcible self-help with collective judgment and enforcement, which never developed in any reliable way. As a result, the fact that the Tallinn Manual is leaving open the question of the legality of armed reprisals is consistent with the trend in state practice of interpreting international law in a way that reflects the limitations of the collective enforcement mechanisms of the UN system, and could be welcomed as a more reasonable way to interpret international law in light of global political realities.

On the other hand, such a “relaxed” interpretation of the law on armed reprisals may result in a lowering of the bar for what is considered the lawful use of force in international relations, giving rise to an increased incidence of the use of force, both cyber and kinetic. It is perhaps telling that the context in which some experts on international law concluded that forcible countermeasures may be lawful is in a discussion of the legality of specifically cyber operations. While it is true that the Tallinn Manual is at pains to not distinguish between cyber and kinetic uses of force, instead focusing on the scale and effects of such operations, there is perhaps something intuitively easier about countenancing a cyber use of force versus a kinetic one, since the former does not necessarily entail visible and obvious violations of sovereignty, whereby the physical assets (i.e. militaries, missiles) of one state literally cross a border and cause destruction in another. In short, cyber uses of force generally do not entail the telltale activities of traditional kinetic uses of force that make them so disquieting (air strikes, artillery fire, combat casualties), and thus especially prone to escalation (hence, the attractiveness of operations like Stuxnet). This discussion in the Tallinn Manual itself is framed as a discussion over “whether cyber countermeasures crossing the use of force threshold, but not reaching that of an armed attack, are lawful,”9 suggesting it is primarily cyber uses of force that the Experts had in mind when discussing this rule.

The problem is that while the Experts may have had cyber operations in mind when leaving open the question of the legality of forcible countermeasures, by their own reckoning there is no distinction between cyber and kinetic operations. So whatever they conclude about cyber operations also holds true for kinetic ones, meaning that states may infer the right to resort to force in situations where they were heretofore prohibited from doing so, and may also respond to a cyber use of force against it with kinetic one. This is highly problematic if one takes seriously the argument that kinetic uses of force are more prone to retaliation and escalation, and therefore entail higher risks than cyber-attacks.

In sum, this discussion in the Tallinn Manual indicates that in the cyber-era, the rule prohibiting the use of force when countries engage in countermeasures—that is, armed reprisals—is not as settled as conventionally thought. There indeed seems to be room for states to resort to forcible means—whether cyber or kinetic—in response to a use of force against them, even if that original use of force does not rise to the level of an “armed attack.” Whether this is an overall positive or negative development in an era of cyber conflict remains to be seen, but the more states tolerate such activity and the more it becomes normalized, the more it will affect how states interpret their obligations under international law.

 

____________________________

 

1 Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge: Cambridge University Press 2013). Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge: Cambridge University Press 2017).

2 See especially Military and Paramilitary Activities in Nicaragua (Nicaragua v. USA), 1986 ICJ 14, paras. 191, 195.

3 Tallinn Manual 2.0, 330.

4 See Yoram Dinstein, War, Aggression, and Self-Defence, 4th edition (Cambridge: Cambridge University Press, 2005), 182.

5 See International Law Commission, Draft Articles on Responsibility of States for Internationally Wrongful Acts, GA Res. 56/83 annex, UN Doc. A/RES/56/83, 21 December 2001, art, 50(1)(a). Nicaragua v. USA, para. 249

6 Derek Bowett, “Reprisals Involving Recourse to Armed Force,” American Journal of International Law 66 (1972): 1.

7 Tallinn Manual 2.0, 125, 126.

8 James Larry Taulbee and John Anderson, “Reprisal Redux,” Case Western Reserve Journal of International Law 16 (1984), 316.

9 Tallinn Manual 2.0, 125.

Eric A. Heinze is a Professor in the Department of International and Area Studies at the University of Oklahoma.