Right to Self-Defense in Cyber Warfare
With the sudden proliferation of cyber-attacks at global level, the absence of
particular legal structure in order to curb the menace of cyberspace render the
netizens in digital gulag. Moreover, the international organizations, so far,
have failed to formulate a robust legal structure for analyzing cyberspace. Many
scholars, however, construed current international framework in terms of modern
cyber conflicts. Particularly, Article 2(4) and Article 51 of the United Nations
Charter of Rights and Freedoms (UN Charter) regulating the prohibition on the
use of force
and right to self-defense
respectively are central point of
This article will examine the position of cyber-attacks within the ambit of jus
ad bellum. Initially, in attempting to classify that cyber-attack qualifies as a
force. The second part analyses the relationship between an armed attack and a
cyber-attack focusing on the right to self-defense. Lastly, examining the
possible application of the Caroline doctrine in international cyber conflicts.
The solution lies in the drafting of a new international treaty based on the
principles of the manual drafted by NATO members.
Generally, cyber-attacks between two states are known as cyber warfare. Cyber-war
refers to an attack by a state through computer system in order to drastically
destroy another state's computer systems and/or information networks. This
definition of cyber warfare should not be seen as conclusive, as it is made by
the amalgamation of various definitions and primarily for the purpose to use in
this article. Moreover, the expression cyberwar and cyber operation are
interchangeably used to denote cyber warfare in the article.
Use of force in cyberwarfare
In terms of Article 2(4) the member states shall refrain
'to use of force' in
international conflict. But whether the expression 'force' is readable in the
context of cyber-attack? In this regard, Sir Ian Brownlie, a British barrister,
propounded consequentiality or result-oriented approach and argue that the use
of chemical and biological weapons falls under the definition of force, since
they are the 'modes of warfare' causing destruction of life and property
way of analogy, computer systems are also used to launch egregious cyber-attacks
which begets astronomical physical as well as virtual (stored information data
in computer) destruction, therefore, it is one of the modes of warfare in
cyberspace. For instance, in 2015 Russian intelligence hackers
attacked Ukraine's regional energy utilities which resulted in a long power
outage for six hours which affected about 225,000 civilians, this gross
destruction was the first full-blown real cyber operation the world had
Per contra, Wingfield, a defense researcher, emphasizes
on effect-based approach and said:
It should be immaterial whether a power
transmission substation is destroyed by a 2000-lb bomb or by a line of malicious
code inserted into the substation's master control program because the amount of
damage is equivalent.
This approach appears to be erroneous, though, not every cyber-attack causes
physical destruction: 2016 Presidential election in the US, the Russian
government was accused of tampering with the voter databases via cyber-attack
causing no physical destruction. Notably, the International Court of Justice (ICJ) also held that prohibition on the use of force Applies to
any use of force, regardless of the weapons employed
Apparently, the force use
shall cause some physical destruction. All cyber-attacks, however, does not
necessarily cause physical destruction as majority of cyber-attack merely used
for espionage, therefore, it cannot be patently argued that it complies with
article 2(4). Although, those cyber-attacks which causes physical deterioration
should be consistent with article 2(4) and thus it will potentially qualify as a
Contrasting armed attack and cyber attack
Article 2(4) prohibit the use of force in conflict; on the contrary, Article 51
of the UN Charter preserves the right of self-defense in such conflicts. It
[N]othing in the present Charter shall impair the inherent right of
individual or collective self-defense if an armed attack occurs against a Member
of the United Nations, until the Security Council has taken measures necessary
to maintain international peace and security.
The expression if an armed
suggests that the right to self-defense can be exercised only if
an armed attack takes place. An armed attack, however, is nowhere defined under
the jus ad bellum, therefore it's upon the discretion of the courts to interpret
Given that ICJ in Nicaragua v. USA
case ruled that:
A definition of
the "armed attack" which, if found to exist, authorizes the exercise of the
of self-defense, is not provided in the Charter, and is not
part of treaty law.
Additionally, the ICJ distinguished armed attack from armed force and succinctly
held that the former requires a minimum level of gravity to constitute as a use
of force, such as a mere frontier incident
on the basis of the scale and effects
involved in force. Thus, in cyber context it implies
that those state-sponsored cyber-attacks may be considered equivalent to an
armed attack if it causes death, injury, or physical destruction which impinges
on the sovereignty of the victim-state. Consequently, the liberal interpretation
of an armed attack potentially encompasses the state-sponsored cyber-attack,
thus triggering Article 51 and offshoots the right of self-defense.
The notion of self-defense empowers the defending state to take countermeasures
or protect itself with justified use of force against the attacking state. Under
international law, self-defense has been used in order to balance the rights of
the assailant state against the defending state. Interestingly, the anonymous
feature of cyber-attack ruled out the existing self-defense doctrine and
hardened the fault lines.
The Caroline doctrine:
confirmed as a customary law
– provides a framework to govern the right to self-defense. The
doctrine comprises the principle of necessity, proportionality, and immediacy.
The principle of necessity aims to repel or avert the armed attack by use of
force when it is overwhelmingly imperative and other alternative remedies have
The principle of proportionality determines the balanced
response of defending state against the attacking state: the harm caused by
defending state in self-defense must be proportional to the harm caused by the
attacking state. Lastly, the principle of immediacy implies that the
victim-state can only defend itself when there is an imminent or ongoing attack
Applying the said doctrine in cyberwar, it's blisteringly difficult for
the victim-state to detect the assailant and, in turn, take countermeasure on
the ongoing attack since they could be designed and timed to show its harmful
effects only months after the attacker's intrusion. Thus, necessity and
immediacy become untenable in cyber conflicts.
As regards proportionality, for, gigantic interconnectivity of information
networks the effect of cyber-attack is imponderable: the disproportionate,
collateral damage and 'reverberating effects' indiscriminately enmesh anyone. In
effect, the Caroline doctrine is lackadaisical and inapt in terms of cyber
warfare due to the unambiguous and eccentric nature of cyberspace.
Article 51bis provides for anticipatory self-defense
in warfare-it implies that a victim-state may attack
on another state allegedly planning to attack. The thorny issue is the
application of anticipatory self-defense criteria to cyber operations.
cyber-attacks are a virtual attack, therefore, prior intuition of attack is
arduous to predetermine. So, what portends the victim-state to intrude into
another's state computer system. Eventually, it ends up as pre-emptive
self-defense rather than anticipatory which is violative of international law.
Hence, the Caroline doctrine and Article 51 are outdated and incompatible with
regard to emerging cyber warfare and the issue still persists whether a
victim-state, as self-defense, can attack back and intrude into foreign
computers legitimately to deter cyber-attacks.
A Way Forward
The above analysis, after all, shows that the existing international legal
framework becomes redundant and inept. Self-defense in cyber warfare seems to
begets harrowing consequences because of the anonymous and untoward behavior of
cyberspace. However, the NATO Cooperative Cyber Defense Centre of Excellence, an
international group, has formulated a Tallinn Manual - a non-binding
international work applicable to cyber conflicts.
Tallinn Manual is a shining
development that accurately examines the lacune in lex lata and astutely
envisages a lex ferenda for cyber policy. Of late, it has been updated to 2.0
version. Rule 71 to 75 of the Tallinn Manual 2.0 deals with self-defense in
cyber conflicts which also covers the abovementioned principles. It is merely a
blueprint to legislate an international treaty. Moreover, it can also use to
update the 2001 Council of Europe Convention on Cybercrime which implicate
minuscule cybercrimes such as child pornography, fraud etc. thus ineffective in
dealing with large-scale cyber warfare operations.
Cyber warfare has evolved as an emerging global threat. Therefore, a robust
international framework formulated on global consensus could only water down the
cyberspace menace and decide the rights and liability of the state.
- Divyanshi Dwivedi, 4th year pursuing B.A.
LL.B. (Hons.) from University of Allahabad and National Law University, Lucknow and
- Aviral Chandraa, 4th year pursuing B.A.
LL.B. (Hons.) from University of Allahabad and National Law University, Lucknow.