‘The new [cyber security] strategy is built on three core pillars: defend, deter and develop, underpinned by £1.9 billion of transformational investment […],’ said British Chancellor of the Exchequer in a speech in October 2016. Since his speech, Britain has launched the National Cyber Security Strategy 2016 to 2021 report, detailing how the British Government seeks to be, ‘one of the most secure places in the world to do business in cyberspace.’ The Presidential Commission on Enhancing National Cyber Security, established by former US President Obama, has similarly urged current US President Trump to elect a ‘Cyber Security Ambassador.’ The Ambassador would be mandated to guard against national and civil cyber attacks in coordination with the Department for Homeland Security.
Should states invest in these defensive strategies to protect themselves from cyber attacks? Or does international law, including the United Nations Charter, provide them with warrants to combat perpetrators with offensive responses? The emerging and evolving nature of the threats posed by cyber attacks means that the answer isn’t so clear-cut.
Article 2(4) of the UN Charter reads:
All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.
The application of these articles to cyber attacks tests the elasticity and endurance of the UN Charter. Do cyber attacks amount to ‘the threat of force’ or ‘the use of force?’ Do they strike against the ‘territorial integrity or political independence’ of states? What can states do in response? How can the proportionality of these responses be measured? These questions will be explored in what follows.
Cyber attacks as involving the “use of force” or “threat of force”
What are cyber attacks? As opposed to conventional attacks, which occur across sovereign territories, skies or open waters, cyber attacks occur in ‘cyberspace.’ This domain can be defined as the, ‘electronic medium of digital networks used to store, modify and communicate information. It includes the Internet but also other information systems that support businesses, infrastructure and services.’ A cyber attack is an attack on this domain, which can include but is not limited to, hacking for the purposes of identity theft, access to classified information, fraud and sabotage.
Do cyber attacks involve the ‘use of force’?
In the absence of a definition of the ‘use of force,’ the Vienna Convention on the Law of Treaties provides guidance on how to interpret terms in treaties. According to Article 31(1), ‘the use of force’ must be interpreted (a) in good faith and in accordance with the ordinary meaning given to it in context, and (b) in light of its object and purpose. There are two approaches one could take from here.
First, while ‘the use of force’ can refer to aggressive but unarmed conduct as well as aggressive and armed conduct, the ‘ordinary’ meaning of the term typically relates to the latter. Second, it is highly unlikely that, when the UN Charter was signed in 1945, signatories intended for it to capture cyber attacks. Thus, at least at first, these attacks may not constitute ‘the use of force’ and may not be subject to the prohibition in Article 2(4).
Second, the status quo is not static, and the Vienna Convention recognises this. Thus, according to Article 31(3), if there are any subsequent agreements on how certain terms in a treaty should be interpreted, the ‘ordinary’ meaning referred to by Article 31(1) can be amended. Thus, there could be space to argue that cyber attacks do amount to ‘the use of force.’
Here, it is important to note two details about Article 2(4). First, Article 2(4) prohibits both ‘the use of force’ and ‘the threat of force.’ There may be a higher threshold that needs to be met before cyber attacks can constitute ‘the use of force,’ but this threshold would certainly be lower if they could constitute ‘the threat of force.’ Second, in accordance with guidance provided in the Vienna Convention, isolating certain terms from a treaty – such as ‘the use of force’ or ‘the threat of force’ – can misconstrue meaning. Thus, it is ‘the use of force’ or ‘threat of force’ that is targeted ‘against the territorial integrity or political independence of any state’ that is in question.
Most states would indeed concur that cyber attacks constitute a real threat in the ways outlined by Article 2(4). The alleged Russian hacking of the US Democratic National Committee during the most recent US elections – a direct infringement of US ‘political independence’ – is a case in point. The Chief Executive of the UK National Cyber Security Centre has also reported 188 high-level cyber attacks in the last three months, many of which ‘threatened national security’ and by implication perhaps even ‘territorial integrity.’ Thus, there would be some grounds to argue that a cyber attack involved at least ‘the threat of force’ and thus violated the prohibition in Article 2(4).
State responses to cyber attacks
While determining whether cyber attacks constitute ‘the use of force’ or ‘the threat of force’ is important for classification, and thus setting further international legal precedents on how to respond to them, making this determination is not necessary to warrant state action in response. That is, the UN Charter makes two provisions for states to respond to threats or attacks, such as cyber attacks, regardless of whether they constitute ‘the use of force’ or ‘the threat of force.’
First, Chapter VII of the UN Charter empowers the Security Council (UNSC) with a licence to make determinations on threats to the peace, breaches of the peace or acts of aggression. If cyber attacks satisfy one of these, then there are two responses states could adopt. These include (1) non-military coercive measures, such as economic sanctions or (2) military coercive measures, such as action by air, sea or land forces. Either of these, however, would need prior authorisation from the UNSC and would be subject to review in relation to their proportionality and principles of jus in bello.
Second, Article 51 of the UN Charter enables states to seek avenues for self-defence alongside any UNSC resolution. It reads:
Nothing in the present Charter shall impair the inherent right of individual or collective self- defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken the measures necessary to maintain international peace and security […].
To appeal to Article 51, however, states would need to demonstrate that ‘armed attack’ can be interpreted to mean ‘cyber attack’ – as per the guidelines of interpretation in the Vienna Convention. Again, this would be difficult unless there was subsequent agreement on expanding the meaning of ‘armed attack.’
While state responses can be targeted (individuals) or non-targeted (state-wide) in magnitude, the nature of cyber attacks and cyber crimes more generally makes it difficult to identify perpetrators. Unless a state’s response was targeted specifically against the perpetrator, any response provided by the UN Charter would mean widespread collateral damage, most likely on innocent civilians. This is in direct conflict with the principle of proportionality and those of jus in bello.
What this has shown is that international law, whether lacking in precedent or substance, cannot support offensive responses to cyber attacks, at least not so neatly. Any offensive and tit-for-tat approach to cyber attacks also perpetuates the problem and facilitates the opportunity to make cyber attacks more resilient. Thus, how should states respond to cyber attacks? Is investing in defensive strategies a long-term solution? This threat is very much a part of the international society, and states and international law will have to adapt to deal with it.