https://crsreports.congress.gov
December 10, 2021
Use of Force in Cyberspace
Introduction
There are no internationally accepted criteria yet for
determining whether a nation state cyberattack is a use of
force equivalent to an armed attack, which could trigger a
military response. Likewise, no international, legally
binding instruments have yet been drafted explicitly to
regulate inter-state relations in cyberspace. Self-defense and
countermeasures for armed attacks are permitted in
international law when a belligerent violates international
law during peacetime, or violates the law of armed conflict
during wartime. However, the term “armed attack” has no
universally accepted definition and is still not well-settled
with respect to cyberattacks. In addition to what constitutes
an armed attack in cyberspace, questions remain over which
provisions of existing international law govern the conduct
of war in cyberspace.
Relevant Treaty Provisions
North Atlantic Treaty Article 4: “The Parties will consult
together whenever, in the opinion of any of them, the
territorial integrity, political independence or security of any
of the Parties is threatened.”
North Atlantic Treaty Article 5: “The Parties agree that
an armed attack against one or more of them in Europe or
North America shall be considered an attack against them all
and consequently they agree that, if such an armed attack
occurs, each of them, in exercise of the right of individual or
collective self-defence recognised by Article 51 of the Charter
of the United Nations, will assist the Party or Parties so
attacked by taking forthwith, individually and in concert with
the other Parties, such action as it deems necessary, including
the use of armed force, to restore and maintain the security
of the North Atlantic area.”
United Nations Charter Article 51: “Nothing in the
present Charter shall impair the inherent right of individual or
collective self-defence if an armed attack occurs against a
Member of the United Nations, until the Security Council has
taken measures necessary to maintain international peace and
security.”
United States Doctrine
In September 2012, the State Department took a public
position—still in effect—on whether cyber activities could
constitute a use of force under Article 2(4) of the United
Nations (U.N.) Charter and customary international law.
According to State’s then-legal advisor, Harold Koh,
“Cyber activities that proximately result in death, injury, or
significant destruction would likely be viewed as a use of
force.” Examples offered in Koh’s remarks included
triggering a meltdown at a nuclear plant, opening a dam and
causing flood damage, and causing airplanes to crash by
interfering with air traffic control. By focusing on the ends
achieved rather than the means with which they are carried
out, this definition of cyber war arguably fits within
existing international legal frameworks. If an actor employs
a cyber weapon to produce kinetic effects that might
replicate fire power under other circumstances, then the use
of that cyber weapon rises to the level of the use of force.
However, the United States recognizes that cyberattacks
without kinetic effects are also an element of armed conflict
under certain circumstances. Koh explained that
cyberattacks on information networks in the course of an
ongoing armed conflict would be governed by the same
principles of proportionality that apply to other actions
under the law of armed conflict. These principles include
retaliation in response to a cyberattack with a proportional
use of kinetic force. In addition, “computer network
activities that amount to an armed attack or imminent threat
thereof” may trigger a nation’s right to self-defense under
Article 51 of the U.N. Charter. The 2011 International
Strategy for Cyberspace affirmed that “when warranted, the
United States will respond to hostile acts in cyberspace as
we would to any other threat to our country.” The
International Strategy, which has not been updated, goes on
to say that the U.S. reserves the right to use all means
necessary—diplomatic, informational, military, and
economic—as appropriate and consistent with applicable
law. One of the defense objectives of the International
Strategy is to work internationally “to encourage
responsible behavior and oppose those who would seek to
disrupt networks and systems, dissuading and deterring
malicious actors, and reserving the right to defend national
assets.” Chapter XVI of the Department of Defense Law of
War Manual notes that the United States strives to work
with other states to clarify not whether international law
applies to cyberspace, but how.
NATO Doctrine
In 2009, the North Atlantic Treaty Organization (NATO)
Cooperative Cyber Defense Center convened an
international group of independent experts to draft a manual
on the law governing cyber conflict. The first Tallinn
Manual, as it is known, was published in 2013 and offers
95 “black letter rules” addressing sovereignty, state
responsibility, the law of armed conflict, humanitarian law,
and the law of neutrality. The Tallinn Manual is an
academic text and as such nonbinding. Published in
February 2017, Tallinn Manual 2.0 expands upon the first
and offers 154 black letter rules governing cyber
operations, including in peacetime. In the provisions of
Article 5 of the North Atlantic Treaty, an attack on one
member is considered an attack on all, affording military
assistance in accordance with Article 51 of the U.N.
Charter. However, NATO does not presently define
cyberattacks as clear military action. The Tallinn Manual
equates a use of force to those cyber operations whose
