The Right of Self-Defence after a Cyber-Attack

(1)

Name: Isabelle Vogel

E-mail: isabellevogel@outlook.com

Student number: 12830151

Master track: Public International Law

Name of supervisor: Mr. dr. N. Nedeski

Date of submission: 22 July 2020

Words: 12359 (incl. annotations, excl. abstract,

index, bibliography, and appendices)

The Right of

Self-Defence

after a

Cyber-Attack

“Under which circumstances is the use of self-defence

against a cyber-attack justified?”

(2)

1

Abstract

The last few years, cyber-attacks can have more impact. It is important to analyse if States can defend themselves after a cyber-attack. This thesis aims to investigate under which circumstances the use of self-defence against a cyber-attack is justified. The requirements of self-defence are described and explained in light of a cyber-attack, mostly focussing on the threshold of an armed attack. Besides, it is analysed in which cases it can or cannot be used against a State or non-State actor after a cyber-attack. In this thesis the scope of cyber-attacks is limited to cyber-attacks against State initiated by both State or non-State actors.

If a State is the victim of a attack, it is possible the State wants to react on the cyber-attack by using force against the cyber-attacking State. Self-defence is a far-going measure because a State uses force against another State while the use of force is in principle forbidden. It therefore has strict requirements. First of all, the cyber-attack must meet the threshold of an armed attack. An armed attack is described as grave forms of the use of force, while the use of force can also entail less grave forms of force. Cyber warfare is a rapidly changing area but based on different examples, it seems that cyber-attacks as they occur now do not meet the threshold of an armed attack. However, there are hypothetical cases which do meet the threshold such as a cyber-attack on the computers regulating the waterworks or dams. There is still unclarity about the indirect effects of a cyber-attack. The difficulty of other requirements as necessity, proportionality and immediacy are not helping either to use self-defence.

In the hypothetical case a State can use self-defence, it is important to investigate against whom a State can use self-defence. The State should identify the source of the cyber-attack, which seems problematic. It is possible to attribute the cyber-attack to a State on the basis of ARSIWA, but it seems difficult to attribute cyber-attacks of non-State actors to a State. Even more difficult is the debate on self-defence against non-State actors. In other jurisdictions, the unwilling and unable doctrine is cautiously applied. States should control their cyber infrastructure whilst also providing some room for privacy and toleration. There are initiatives taken on how to change attribution related to cyber warfare, but it is still a fragile terrain.

Cyber-attacks as they occur these days do not meet the requirements of self-defence. If the attacker can be identified, it is uncertain if it can be used against the attacking State or non-State actor. The future will show if cyber-attacks are becoming worse which will lead to the use of self-defence or if the law will adapt to cyber-attacks so a State can defend itself in a certain way.

(3)

2

1.2 Methodology ... 6 1.3 Structure ... 6 2 Cyber-attacks ... 8 2.1 Definition of cyber-attacks ... 8 2.2 Examples of cyber-attacks ... 9 2.2.1 Estonia 2007 ... 9 2.2.2 Georgia 2008 ... 10 2.2.3 Iran 2010 (Stuxnet) ... 10 2.2.4 Netherlands 2018 ... 11 2.2.5 Georgia 2019 ... 11 3 Self-defence ... 12

3.1 Cyber-attack as an armed attack ... 12

3.1.1 Use of force ≠ armed attack ... 13

3.1.2 Armed attack ... 15

3.2 Necessity, proportionality and immediacy ... 19

3.3 Conclusion ... 20

4 Self-defence against who? ... 21

4.1 States ... 21

4.1.1 Organs of the State ... 21

4.1.2 Governmental authority ... 23

4.1.3 Direction and control ... 24

(4)

3 4.3 Problem of attribution ... 28 4.4 Conclusion ... 30 5 Conclusion ... 31 6 Bibliography ... 33 6.1 Articles ... 33 6.2 Books ... 34 6.3 Cases ... 35

6.4 Documents of different institutions ... 36

6.5 Documents of the UN & NATO ... 36

6.6 Governmental documents or websites ... 37

6.7 Newspapers ... 39

6.8 Treaties ... 39

(5)

4

List of Abbreviations

ACSC Australian Cyber Security Centre

ARSIWA ILC Draft Articles on the Responsibility of States for

Internationally Wrongful Acts

ASD Australian Signals Directorate

CNA Computer network attack

CND Computer network defence

CNO Computer network operation

CSOC Cyber Security Operations Centre

DDoS Distributed Denial of Service

ICJ International Court of Justice

ICJ Statute Statute of the International Court of Justice

ICTY International Criminal Tribunal for the former Yugoslavia

NATO North Atlantic Treaty Organization

UK United Kingdom

UN United Nations

UN Charter Charter of the United Nations

UNGA United Nations General Assembly

UNSC United Nations Security Council

USA United States of America

(6)

5

1 Introduction

1.1 Aim of the Thesis

Cyber-attacks are an important topic these days. It is even argued by the World Economic Forum that cyber threats must be regarded as one of the most important global risks these days.1 Cyber-attacks are dangerous for both private entities and (non-)governmental organizations, making cybersecurity more important. The possible threats of cyber-attacks on sensitive information are becoming a real fear because it can jeopardize national security. For example, think about a cyber-attack on the Ministry of Defence2 or cyber-attacks on companies for basic needs, such as Energy companies or water suppliers. Different attacks already took place, for example in Estonia (2007), Georgia (2008) and Iran (2010).3 Iran was recently attacked by the USA (2019).4

The use of force is prohibited in article 2(4) UN Charter.5 Self-defence implies that a State uses force against a State to defend itself.6 Although it seems impossible to use force against a State that uses cyber-attacks, self-defence is an exception on the use of force in article 51 UN Charter. Self-defence is possible in case of an armed attack, and the other legal requirements of self-defence.7_{There is unclarity on the use of defence and cyber-attacks. Can a State use}

self-defence after a cyber-attack, and against whom can it be justified? In this thesis these problems will be discussed and hopefully answer some of the questions which raise when thinking about cyber-attacks.

It must be investigated if a cyber-attack amounts to an armed attack. A cyber-attack which is unlawful under article 2(4) UN Charter alone cannot fulfil the requirements of self-defence. Besides, there is a question of the possibility to use self-defence against a State or non-State actors. The first option will be investigated via the rules of attribution in ARSIWA, and the 1_{World Economic Forum, ‘Global Future Council on Cybersecurity’ (WE Forum, Communities: Global Future}

Councils on Cybersecurity, date unknown) < https://www.weforum.org/communities/the-future-of-cybersecurity> accessed 28 June 2020

2_{T. Johnson, Cybersecurity: Protecting Critical Infrastructures from Cyber Attack and Cyber Warfare (Boca}

Raton: CRC Press/Taylor & Francis Group 2015), p ix

3_{M. Hadji-Janev and S. Aleksoski, ‘Use of Force in Self-Defense Against Cyber-Attacks and the Shockwaves in}

the Legal Community: One more Reason for Holistic Legal Approach to Cyberspace’ (2013) 4.14 Mediterranean Journal of Social Sciences 115, p 115

4_{J. Barnes, ‘U.S. Cyberattack Hurt Iran’s Ability to Target Oil Tankers, Officials Say’ The New York Times}

(City of publication unknown, 28 August 2019) < https://www.nytimes.com/2019/08/28/us/politics/us-iran-cyber-attack.html> accessed 30 March 2020

5_{Charter of the United Nations (entered into force 24 October 1945) 1 UNTS XVI (UN Charter), Article 2(4)} 6_{G. Hernandez, International law (OUP 2019), p 352}

7_{UN Charter (n 5), Article 51; G. Nolte and A. Randelzhofer, ‘Action with Respect to Threats to the Peace,}

Breaches of the Peace and Acts of Aggression’ in B. Simma (ed), The Charter of the United Nations: A

(7)

6

second one by scholars and State practice. Eventually, it is the aim of the thesis to answer if self-defence can be justified after a cyber-attack. Therefore, the question which will be answered in this thesis is:

“Under which circumstances is the use of self-defence against a cyber-attack justified?”

1.2 Methodology

This thesis is written from an internal perspective because it is focussed on legal research. It is a practical-based research by way of describing and explaining self-defence in light of cyber-attacks. It also analyses in which cases it can or cannot be used against a State or non-State actor after a cyber-attack.

To answer the research question, both primary and secondary sources are applied. Looking at article 38 ICJ Statute, this thesis uses international conventions as the UN Charter and VCLT and decisions of courts. The articles of the use of force and self-defence can also be seen as international custom.8 Lastly, the Tallinn Manual 2.0 examined legal norms and how they apply to cyber warfare. It does not have legal authority, but it is an attempt to rewrite the law for cyber warfare.9 Therefore, it is included in the examination of this thesis. Secondary sources are also applied because it is a changing area. For the interpretation of examples and the law, the secondary sources will give a greater overview of the topic. These secondary sources are mostly written by Americans from an American perspective; however, this thesis aims to give a broader focus than just the USA.

1.3 Structure

To answer the research question, this thesis includes 5 Chapters. To answer the question, different aspects of the law will be discussed.

Chapter 2 will give a short introduction on cyber-attacks. It wants to give the thesis a scope before legally analysing the further questions. It describes what a cyber-attack is and how they can take place by introducing 5 examples. There are also other hypothetical cases discussed in this thesis, but they do not need any further introduction.

Chapter 3 focusses on self-defence. Self-defence in article 51 UN Charter is an exception of the use of force in article 2(4) UN Charter. The concept of self-defence will be defined, and the different requirements are discussed. One of the requirements is an ‘armed attack’. The use of 8_{G. Hernandez (n 6), p 348, 352}

9_{M. Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2}nd_Edition,

(8)

7

cyber force must be defined as an ‘armed attack’ before a State is allowed to invoke the right of self-defence.10 The requirements will be discussed considering examples, to find out if the exception of the prohibition of the use of force can be accepted. Besides, there is a normative analysis if the threshold of an armed attack should be changed.

Chapter 4 examines the possibilities of self-defence against a State and non-State actor. It will be discussed if a cyber-attack can be attributed to a State if it is executed by an organ, entity or a person of the State. Besides that, it will look at the possibility of self-defence against a non-State actor. Lastly, there is an evaluation of the way of attribution.

Chapter 5 will summarize the foregoing information to eventually answer the research question as defined under Chapter 1.1.

(9)

8

2 Cyber-attacks

As mentioned before, cyber-attacks are jeopardizing national security.11 Different countries and institutions stressed there is a need to make rules against cyber-attacks. For example, in 2009, the NATO recognised that cyber-attacks are becoming a real risk. Their opinion was that policies were necessary, so they developed the NATO Policy on Cyber Defence.12_However,

national legal frameworks were mostly outdated or did not even exist, and international legal frameworks on cyber-attack did not exist either. Therefore, it was unclear how to react on the attack, or how to punish the attack. Besides, it was not possible to monitor, record or co-operate between different countries.13 President Donald Trump published the National Cyber Strategy of the USA in September 2018. In the strategy, the USA stressed the need of creating rules against countries or other actors who used cyber-attacks against the USA, and if necessary, include the possibility of using military force.14 Clearly, there is a need of rules on cyber warfare.

2.1 Definition of cyber-attacks

Cyber-attacks must be defined to further understand the scope of the thesis. The Tallinn Manual 2.0 defines a cyber attacks as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”15 This definition applies to both international and non-international armed conflicts, and it excludes non-violent operations. A cyber-attack can be specified based on its effects and consequences. It is thereby also looking at the foreseeable effect rather than just the direct effect of the cyber-attack. The Experts mention that the cyber-attack does not necessarily need to have a destructive effect. Besides, in the case a cyber-attack is intercepted, it can still be defined as a cyber-attack.16

There are also other documents defining a cyber-attack. For example, the 2006 United States National Military Strategy for Cyberspace Operations described cyber-attacks as “computer network operations (CNO)”, which among others includes a “computer network attack (CNA)”

11_{T. Johnson (n 2), p ix}

12_{Rapporteur S. Myrli, ‘NATO and Cyber Defence’ (Sub-Committee on Future Security and Defence}

Capabilities: Defence and Security, 173 DSCFC 09 E bis, NATO Parliamentary Assembly 2009), para 1-3

13_{Ibid, para 17}

14_{The White House, ‘National Cyber Strategy of the United States of America’ (Washington DC, The White}

House 2018) <https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf> accessed 30 March 2020, p 2, 21

15_{M. Schmitt (n 9), Rule 92 and p 415} 16_{Ibid, p 415-420}

(10)

9

and a “computer network defence (CND)”. CNA is described as an attack whereby computer network is disrupted, denied, degraded or destroyed, and CND sees on a State defending itself against cyber-attacks.17 The UK National Cyber Security Centre defines cyber-attacks as “attempts to damage, disrupt or gain unauthorised access to computer systems, networks or devices”.18_{They are sub-defined as targeted and untargeted cyber-attacks, and there are}

different stages of attacks.19 Another definition is given by Cisco, an international network company, which describes cyber-attacks as a breach of information systems.20 The Cambridge Dictionary defines it as “an illegal attempt to harm someone's computer system or the information on it, using the internet.”21_{Despite all the different definitions, it is clear that}

cyber-attacks take place on local, national, international and national security level. Cyber-cyber-attacks are using software, openness of networks, the Internet itself and the weak cybersecurity, and they can use, for example, trojans, viruses, e-mail attacks and phishing.22

For the purpose of this thesis, cyber-attacks (or cyber warfare) must be defined as the illegal form of cyber, whereby information systems or computers are being harmed. It only sees on a cyber-attack against a State, and it is thereby excluding attacks against individuals, entities or groups. It can be initiated by both States and non-State actors.

2.2 Examples of cyber-attacks

The thesis makes use of examples of State cyber-attacks. The first three examples are old because defining and investigating a cyber-attack takes time. These examples are fully investigated and therefore useful examples. The other two examples are more recent, but that does mean that it is not fully investigated yet.

2.2.1 Estonia 2007

After the removal of a Soviet-era WWII statute of a Russian soldier, political riots had broken out. A large Russian population living in Tallinn disagreed with the decision to remove the

17_{Chairman of the Joint Chiefs of Staff, ‘The National Military Strategy for Cyberspace Operations (U)’}

(Washington DC, United States Department of Defense 2006) <https://www.hsdl.org/?view&did=35693> accessed 11 June 2020, p GL-1

18_{National Cyber Security Centre, ‘Search Results: term cyber attack’ (NCSC, Search results: term, date}

unknown)

<https://www.ncsc.gov.uk/search?q=cyber+attack&start=0&rows=20&articleType=information&topics=Cyber+ attack> accessed 11 June 2020

19_{National Cyber Security Centre, ‘How cyber attack work’ (NSCS, Information, date unknown)}

<https://www.ncsc.gov.uk/information/how-cyber-attacks-work> accessed 11 June 2020

20_{CISCO, ‘What are the Most Common Cyber Attacks?’ (CISCO, Security, date unknown)}

<https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html> accessed 11 June 2020

21_{Cambridge Dictionary, ‘Meaning of cyberattack in English’ (Cambridge, Dictionary, date unknown)}

<https://dictionary.cambridge.org/dictionary/english/cyberattack> accessed 11 June 2020

(11)

10

statute. It eventually turned into rioting by cyber-means when the web pages of the Estonian government, news portals and private companies were attacked. The cyber-attack lasted more than three weeks. The cyber-attacks were done by Distributed Denial of Service attacks (DDoS), whereby the legitimate users could not use the webpage anymore resulting from the overload of the server. Eventually, strong DDoS attacks caused 85.000 computers to crash. The origin of the attack is still unknown; however, it was suspected that Russia was the attacker even though they denied any involvement.23

2.2.2 Georgia 2008

South Ossetia was an autonomous region in Georgia on the border with Russia. It became de

facto independent from Georgia, but it was mostly recognized as a region of Georgia. After the

decision of its de facto independency, tensions between Russia and Georgia about the region remained. Although multiple States tried to help solving the dispute, it did not help. Georgia eventually launched an unexpected military intervention, and Russia responded with military operations on Georgia’s territory to protect their citizens within the de facto region. Shortly before the invasion of Russia, cyber-attacks against Georgia occurred. Websites of the president, government, Ministries, news portals and banks were attacked by a DDoS attack. Again, there is no proof of the involvement of Russia; the evidence is circumstantial and does not provide any proof or official support.24 However, there seems consensus on their involvement by the Project Grey Goose, who investigated the attack in Georgia.25

2.2.3 Iran 2010 (Stuxnet)

Iran found a computer malware in their systems, which is known as Stuxnet. It was found in their system of the nuclear plant which regulates uranium. Stuxnet wanted to regulate the enrichment of uranium, without being detected by Iran. There is unclarity on what the effect of the attack was; Iran did not want to give information on the effects. However, based on calculations, the effect must have been significant now the nuclear plant was not able to produce nuclear products.26

23_{E. Tikk, K. Kaska and L. Vihul, International Cyber Incidents: Legal considerations (Cooperative Cyber}

Defence Centre of Excellence (CCD COE) 2010)

<https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf> accessed 16 June 2020, p 15, 16, 18-21, 23

24_{Ibid, accessed 16 June 2020, p 67-71, 74, 75}

25_{Project Grey Goose, ‘Project Grey Goose Phase I Report’ (Georgian Research and Educational Networking}

Association and Georgia CERT 2008) < https://www.scribd.com/doc/6967393/Project-Grey-Goose-Phase-I-Report> accessed 24 June 2020

26_{R. Buchan, ‘Cyber Attacks: Unlawful Uses of Force or Prohibited Interventions?’ (2012) 17.2 Journal of}

(12)

11

2.2.4 Netherlands 2018

In 2018, the Netherlands General Intelligence and Security Service, the UK and the Netherlands Defence Intelligence and Security Service (DISS) traced a cyber-attack exercised by the Russian military intelligence (GRU). Four officers of the GRU travelled on diplomatic passports and set up equipment to hack and infiltrate in the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. One of the agents was also linked to an investigation in Malaysia for the MH17 crash. The Intelligence Services in the Netherlands deflected the threat.27

2.2.5 Georgia 2019

In the end of 2019, Georgia was attacked again whereby different governmental agencies, courts assemblies and private website and organizations were shut down and significantly damaged.28_{In the beginning of 2020, the UK}29_{and multiple other States claimed that it was}

planned and carried out by the GRU.30

27_{Ministry of Defence, ‘Netherlands Defence Intelligence and Security Service disrupts Russian cyber operation}

targeting OPCW’ (Government of the Netherlands, News, 4 October 2018)

< https://www.government.nl/latest/news/2018/10/04/netherlands-defence-intelligence-and-security-service-disrupts-russian-cyber-operation-targeting-opcw> accessed 28 June 2020

28_{G. Nakashidze, ‘Cyberattack against Georgia and International Response: emerging normative paradigm of}

‘responsible state behavior in cyberspace’?’ (EJIL:Talk!, 28 February 2020)

< https://www.ejiltalk.org/cyberattack-against-georgia-and-international-response-emerging-normative-paradigm-of-responsible-state-behavior-in-cyberspace/> accessed 28 June 2020

29_{Foreign & Commonwealth Office, National Cyber Security Centre and The Rt Hon Dominic Raab MP, ‘UK}

condemns Russia's GRU over Georgia cyber-attacks’ (GOV.UK, Government: Cyber Security, 20 February 2020) <https://www.gov.uk/government/news/uk-condemns-russias-gru-over-georgia-cyber-attacks> accessed 28 June 2020

30_{For example, see the Netherlands: Ministry of Foreign Affairs, ‘The Netherlands considers Russia’s GRU}

responsible for cyber attacks against Georgia’ (Government, Documents, 20 February 2020)

< https://www.government.nl/documents/diplomatic-statements/2020/02/20/the-netherlands-considers-russia%E2%80%99s-gru-responsible-for-cyber-attacks-against-georgia> accessed 28 June 2020

(13)

12

3 Self-defence

Article 51 UN Charter mentions the possibility of self-defence:

“[N]othing in the present Charter shall impair the inherent right of … self-defence if an armed

attack occurs ….”31

Self-defence is binding upon all States because it can also be seen as customary international law.32_{Self-defence must be seen as the last response available to an injured State. It is not used}

to justify the use of force, but rather as a political pressure to stop the use of force by the other State.33_{It gives the right to an injured State to react with force on the armed attack by another}

State.34 Therefore, the requirement of an armed attack should be further analysed. Besides that, there are three other requirements, namely necessity, proportionality35 and immediacy36. The requirements will be discussed in light of examples because self-defence depends on the circumstances of the case. Self-defence is an old concept, which was first explained in the

Caroline Case in 1813. The Court argued there must be “necessity of self-defence, instant,

overwhelming, leaving no choice of means, and no moment for deliberation”.37_{As seen above,}

most requirements are still used for the examination of self-defence.

In this thesis, only the individual form of self-defence is important. Individual self-defence means that an individual State, which can be seen as the injured State, reacts on the armed attack by the other State.38 The injured State must report their intention of self-defence to the UNSC. It will determine if self-defence is necessary to restore the peace and security as described in article 39 UN Charter. After it decides it is necessary to use self-defence in order to stop the armed attack, the State can use self-defence. However, in practice it does not always happen.39 3.1 Cyber-attack as an armed attack

The first requirement is that of an armed attack. In the ICJ Nicaragua v USA, the Court decided that the right to self-defence is one of customary international law and it is depending on the

31_{UN Charter (n 5), Article 51}

32_{O. Corten and B. Simma, The Law Against War: The Prohibition on the Use of Force in Contemporary}

International Law (French Studies in International Law Volume 4, Hart Publishing 2010), p 401

33_{F. Berman, ‘The UN Charter and the Use of Force’ (2006) 10.3 Singapore Year Book of International Law and}

Contributors 9 <http://www.commonlii.org/sg/journals/SGYrBkIntLaw/2006/3.pdf> accessed 5 June 2020, p 12

34_{A. Orakhelashvili, Collective Security (OUP 2011), p 277} 35_{G. Nolte (n 7), p 1425}

36_{G. Hernandez (n 6), p 359}

37_{All documents are reproduced in R. Jennings, ‘The Caroline and McLeod Cases’ (1938) 32 American Journal}

of International Law 82

38_{A. Orakhelashvili (n 34), p 277} 39_{Ibid, p 280}

(14)

13

criteria of necessity and proportionality. The injured State is only allowed to use self-defence as a justification for the use of force when there is an armed attack.40 This was confirmed in both the ICJ 1996 Advisory Opinion on the Threat or Use of Nuclear Weapons41 and ICJ Oil

Platforms42. Important for a cyber-attack is that the ICJ Oil Platforms stated that an attack does not need to be the invasion of the territory to be considered as an armed attack.43

Self-defence thus requires an armed attack. The concept of an armed attack must be compared to the use of force in article 2(4) UN Charter. The gap between both definitions should be analysed. Both concepts will be discussed, starting with the use of force. It will be examined if a cyber-attack can be defined as the use of force. If we can establish it is the use of force, it will be examined if it can meet the requirement of an armed attack.

3.1.1 Use of force ≠ armed attack

Article 2(4) UN Charter prohibits two forms of the use of force. The first one is the threat of the use of force. Relating to cyber-attacks, it would mean there is a threat of cyber-attacks.44

The ICJ defined the threat of the use of force in the ICJ 1996 Advisory Opinion on the Legality

of the Threat or Use of Nuclear Weapons.45 The Court argued that the legality of the threat relates to the legality of the use of force.46 It means that the threat of the use of force must be regarded as the actual use of force, which is unlawful. Article 2(4) UN Charter does not specify the means of how the threat is carried out, meaning that a threat through the internet could be the same as a threat which is normally used.47 The other possibility of the use of force would be the actual use of force, meaning there is an actual attack.48 The Tallinn Manual 2.0 also prohibits both the threat or actual use of force.49

To interpret ‘force’ in article 2(4) UN Charter, it is helpful to look at the interpretation methods as explained in the VCLT. Following article 31 VCLT, a treaty must be interpreted in good faith within the context and the object and purpose of the treaty. Besides, it should consider the

40_{Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America)}

(Merits) [1986] ICJ Rep 14, para 193-195, 211

41_{Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep 226, para 40, 41} 42_{Case concerning Oil Platforms (Islamic Republic of Iran v United States of America) (Merits) [2003] ICJ Rep}

161, para 43

43_{Ibid, para 161, 183}

44_{M. Roscini, ‘World Wide Warfare – Jus ad bellum and the Use of Cyber Force’ (2010) 14.1 Max Planck}

Yearbook of United Nations Law 85, p 104

45_{Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) (n 41)} 46_{Ibid, para 47}

47_{R. Aldrich, ‘How do you know you are at War in the Information Age?’ (1999) 22.2 Houston Journal of}

International Law 223, p 237

48_{M. Roscini (n 44), p 103, 104} 49_{M. Schmitt (n 9), Rule 68, 69 and 70}

(15)

14

preamble and annexes, any agreements between the parties, practice in the application and the relevant rules.50 Therefore, one should consider ‘force’ as mentioned in dictionaries, but it should also refer to articles in treaties, such as the UN Charter itself. Looking at article 41 and 46 UN Charter, the use of force is described as armed force. It is possible to argue that article 2(4) UN Charter therefore calls for an interpretation of the use of armed force.51 However, it could also be said that the drafters could have added armed force if they wanted to, as done in article 41 and 46 UN Charter.52 On the other hand, the Friendly Relations Declaration argues that the threat or the actual use of force must refrain against the territorial integrity and political independence, and urges for the interpretation of the use of force as military or armed force.53 Based on the UN Charter and the Friendly Relations Declaration, it can be concluded that article 2(4) UN Charter should be interpreted as armed force.

If article 2(4) UN Charter is interpreted as armed force, it should be examined if a cyber-attack can be regarded as armed force. Based on the ICJ Advisory Opinion mentioned above, it is irrelevant that cyber-attacks takes place through cyber means.54_{The Tallinn Manual 2.0 also}

bases its examination on the scale and effects of the cyber-attack, and it uses different factors to determine whether it can be seen as the use of force.55_{This seems a similar reasoning as seen}

in the ICJ Armed Activities, where it bases its examination on whether it is the use of force or not on the magnitude and duration of the attack.56 Others also argue that the effect of the attack is more important, for example, attacking the life and property of people with a cyber-attack can be seen as the use of force.57

Another option to interpret the use of force in article 2(4) UN Charter is to look at State practice by investigating if States adopted cyber-attacks within their armed forces.58 State practice is important for the formation and identification of rules of customary international law and it helps with the interpretation of a treaty.59 Different States adopted cyber-attacks within their 50_{Vienna Convention on the Law of Treaties (adopted 23 May 1969, entered into force 27 January 1980) 1155}

UNTS 331 (VCLT), Article 31

51_{G. Hernandez (n 6), p 349} 52_{M. Roscini (n 44), p 105}

53_{Declaration on Principles of International Law concerning Friendly Relations and Cooperation among States}

in accordance with the Charter of the United Nations, UNGA Res 26625 (XXV) (24 Oct 1970)

54_{Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) (n 41), para 39} 55_{M. Schmitt (n 9), Rule 69 and p 333-337}

56_{Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v. Uganda) (Merits) [2005]}

ICJ Rep 168, para 164 and 165

57_{I. Brownlie, International Law and the Use of Force by States (OUP 1963), p 362}

58_{D. Silver, ‘Computer Network Attack as a Use of Force under article 2(4) of the United Nations Charter’}

(2001) 76 International Law Studies 73, p 84

59_{M. Wood and O. Sender, State Practice (Max Planck Encyclopaedia of Public International Law, OUP 2017),}

(16)

15

strategies to fight against cyber-attacks. For example, think about Israel60 and the USA61. This means that States identify a cyber-attack as the use of force as explained in article 2(4) UN Charter.

The general opinions of States might also help to interpret the prohibition of the use of force by State practice.62 Multiple States claimed that cyber-attacks can be regarded as armed force. For example, the USA defines cyber-attacks as cyber weapons and in their opinion it is critical for the economy, democracy and intellectual property.63 The UK Chief of the Defence Staff said that the UK is in war every day because of the different cyber-attacks. He argues cyber warfare is a new kind of war, with new power competition and cyber-threats every day.64 Germany’s intelligence service was attacked in the beginning of 2020 and it called the cyber-attack a “strategy of hybrid warfare”.65_{These statements show that cyber-attacks are seen as a form of}

the use of armed force by States. 3.1.2 Armed attack

If a cyber-attack is interpreted as the use of (armed) force, it does not mean that a cyber-attack entitles the injured State the right of self-defence. The cyber-attack must be interpreted as an armed attack before a State can invoke self-defence.66 The differences will be discussed below but one of the differences between both definitions is that the use of force does not imply the loss of life while an armed attack requires the loss of life or an attack on property. Only the latter entitles the injured State to the right of self-defence.67

A cyber-attack must be considered as an armed attack and not as the use of force. An armed attack is the use of force, but the use of force is not an armed attack. This is also confirmed in

60_{J. Reed, ‘Unit 8200: Israel’s cyber spy agency’ Financial Times (Jerusalem, 10 July 2015)}

<https://www.ft.com/content/69f150da-25b8-11e5-bd83-71cb60e8f08c> accessed 28 May 2020; J. O’Malley,

‘Israeli ex-agent’s thriller reflects hi-tech spy world where enemies never meet’ The Times of Israel (Israel, 25 May 2019) < https://www.timesofisrael.com/israeli-ex-agents-thriller-reflects-hi-tech-spy-world-where-enemies-never-meet/> accessed 28 May 2020

61_{U.S. Cyber Command, ‘About us’ (Cybercom, About, date unknown) <}_{https://www.cybercom.mil/About/}_>

accessed 28 May 2020

62_{M. Wood (n 59), p 4}

63_{The White House (n 14), accessed 15 May 2020, p 2, 3}

64_{D. Nicholls, ‘Britain is ‘at war every day’ due to constant cyber attacks, Chief of the Defence Staff says’ The}

Telegraph (City of publication unknown, 29 September 2019)

< https://www.telegraph.co.uk/news/2019/09/29/britain-war-every-day-due-constant-cyber-attacks-chief-defence/?WT.mc_id=tmg_share_tw> accessed 19 May 2020

65_{K. Bennhold, ‘Merkel is ‘Outraged’ by Russian Hack but struggling to respond’ The New York Times (Berlin,}

13 May 2020) <https://www.nytimes.com/2020/05/13/world/europe/merkel-russia-cyberattack.html> accessed 19 May 2020

66_{UN Charter (n 5), Article 51}

67_{Y. Dinstein, ‘Cyber War and International Law: Concluding Remarks at the 2012 Naval War College}

(17)

16

the ICJ Nicaragua v USA, where the Court argued there are most grave forms of the use of force and less grave forms of the use of force. This is based on the scale and effects of the attack.68 Less grave forms do not give rise to the right of self-defence. This was also confirmed in the ICJ Oil Platforms, where the ICJ concluded that a missile attack could not meet the threshold of an armed attack because there was no series of attack.69 The ICJ also mentioned that the choice of weapon is not decisive, but it rather sees on the effect of the attack.70 The Tallinn Manual 2.0 Rule 71 has a similar reasoning. Besides, the Experts concluded that cyber-attacks could meet the threshold of an armed attack based on the scale of effects. Self-defence is only possible when it reaches the threshold of an armed attack. On top of that, it must have a trans-border element, which is the case when the cyber-attack is executed by a State towards another State.71 If it is executed by a non-State actor against a State this might also be the case, but the concept of a cyber-attack by a non-State actor is further analysed in Chapter 4.2. Lastly, the UN Charter Commentary on self-defence also emphasised that cyber-attacks can be regarded as an armed attack if you look at the effects and the ability of a State to act and the destructive effect of the attack.72_{Concluding from this examination, the scale and effects of a}

cyber-attack are important factors.

It still must be examined if cyber-attacks are indeed an armed attack and in which cases it is not. There are three approaches. The first one is the instrument-based approach and examines if a cyber-attack has a similar effect as an actual attack, however, it is less adaptive so it will not be used in this examination. The second approach is the consequence-based approach and focusses on the effects of the attack. This approach is helpful in the discussion on whether a cyber-attack can be an armed attack. A third approach is the target-based approach; however, this is not supported by a majority of States so it will not be discussed.73

Cyber-attacks can cause human losses or injuries or destruction of property, and such an attack would classify as an armed attack. Cyber-attacks can be seen as a new type of warfare. It is important to look at the consequences of the cyber-attack. Dinstein gives multiple examples of attacks which cause damage to property and human lives, for example, aircraft crashes, the

68_{Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America) (n 40),}

para 191, 195

69_{Case concerning Oil Platforms (Islamic Republic of Iran v United States of America) (n 42) para 50, 62-64} 70_{Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) (n 41), para 39}

71_{M. Schmitt (n 9), p 339, 340} 72_{G. Nolte (n 7), p 1419, 1420}

73_{I. Couizigou, ‘The Challenges Posed by Cyber Attacks to the Law on Self-Defence’ (2014) 4.16 European}

(18)

17

shutdown of essential systems in society and the hacking of military forces. One could also think about the hacking of systems which regulate nuclear weapons.74 He also mentions other (hypothetical) examples in an earlier book, such as a cyber-attack on computers regulating waterworks or dams which is leading to floods, a attack on the electricity or a cyber-attack on the reactor of a nuclear power plant.75 Other scholars are sharing this view.76 However, Roscini argues that a DDoS attack only causing disruptions of the system is significant but cannot be seen as an armed attack based on its effects.77 This is causing a debate on whether cyber-attacks which do not lead to the loss of life or an attack on property can be considered an armed attack, especially when they do have far-reaching negative effects.78 There are scholars arguing for lowering the threshold for an armed-attack relating to a cyber-attack. The views on how to lower this threshold are divided. There are scholars arguing that a cyber-attack against the critical infrastructure of a State must be considered an armed attack and others argue that cyber-attacks which are leading to effects as caused by ‘real’ attacks constitute an armed attack. However, there cannot be reached a consensus.79_{Lahmann gives two examples of the latter}

situation. If a DDoS attack against a hospital system leads to deaths, it can be considered an armed attack. On the other hand, if the stock market crashes because of a cyber-attack, it is not clear if this would entail an armed attack.80 The Experts of the Tallinn Manual 2.0 discussed a similar attack on a stock market and they could not agree on whether it was an armed attack. One side argued that defining the cyber-attack on a stock market as an armed attack was too far-reaching, and others argued it was not because a cyber-attack on a stock market would have catastrophic effects.81

The opinions of scholars are divided; therefore, State practice is helpful to interpret the law.82 State practice confirms that cyber-attacks can be seen as an armed attack. For example, the UK announced to consider cyber-attacks as an armed attack if it has serious consequences83 and the NATO declared in their Wales Summit Declaration that cyber-attacks can reach the threshold

74_{Y. Dinstein (n 67), p 280, 281}

75_{Y. Dinstein, ‘Computer Network Attacks and Self-Defense’ (2001) 76 International Law Studies 99, p 105} 76_{M. Schmitt (n 9), p 341; I. Couizigou (n 73), p 9}

77_{M. Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014), p 73} 78_{M. Schmitt (n 9), p 342, 343}

79_{H. Lahmann, Unilateral Remedies to Cyber Operations: Self-defence, Countermeasures, Necessity, and the}

Question of Attribution (Cambridge University Press 2020), p 57, 58

80_{Ibid, p 58}

81_{M. Schmitt (n 9), p 343}

82_{H. Lahmann (n 79), p 58; M. Wood (n 59), p 1}

83_{Attorney General's Office and The Rt Hon Jeremy Wright QC MP, ‘Cyber and International Law in the 21st}

Century’ (GOV.UK, Speech, 23 May 2018) < https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century> accessed 8 July 2020

(19)

18

of an armed attack if it has the same effects as an actual attack.84 Unfortunately, it remains unclear when this situation actually occurs.

On top of that, there is a debate if indirect effects of a cyber-attack can meet the threshold of an armed attack. It is possible that the direct effects of a cyber-attack do not lead to an armed attack based on the scale and effects, but the indirect effect do. Again, the opinions are divided. There are scholars arguing that an armed attack only sees on the direct effects of the attack, meaning that the intention and the outcome of the cyber-attack must be in line with each other.85 It thereby excludes indirect effects of the cyber-attack. However, the Experts from the Tallinn Manual 2.0 did not agree on this point. They argued that all foreseeable consequences qualify to consider the examination of an armed attack, but they did not reach consensus on whether the effects needed to be intended. However, most Experts agreed that only the scale and effects matter, also taking account the requirements of necessity and proportionality.86 It seems that scholars do not agree on this point, and it remains uncertain if indirect effects can be taken into account.

If we apply the examples from Chapter 2 on the requirement of an armed attack, it seems that the requirement of an armed attack as it is known thus far is not applicable in cyber warfare. Take for example the Stuxnet cyber-attack in Iran, where a malware was installed within the nuclear plant of Iran.87 The Experts from the Tallinn Manual 2.0 did not agree whether this would amount to an armed attack. However, they all agreed that it was the use of force.88 Another scholar argued there was a destruction of property because the cyber-attack led to the replacement of thousands of centrifuges for the nuclear plant. However, the effect on the nuclear programme seemed not that effective.89 Therefore, the scale and effects will not amount to an armed attack. The other two examples of Estonia in 2007 and Georgia in 2008 could also not meet the threshold of an armed attack. There was no loss of life or the destruction of property90, as described in Chapter 2.2. It was indeed a major cyber-attack because the State was hacked, and essential systems were shutdown. Not only governmental sites were offline but also

84_{NATO, ‘Wales Summit Declaration of the North Atlantic Council’ (Issued on 5 September 2014 by the Heads}

of State and Government participating in the meeting of the North Atlantic Council in Wales, NATO 2014) <https://www.nato.int/cps/en/natohq/official_texts_112964.htm> accessed 8 July 2020, para 72

85_{D. Silver (n 58), p 90; H. Lahmann (n 79), p 60} 86_{M. Schmitt (n 9), p 343, 344}

87_{See Chapter 2.2} 88_{M. Schmitt (n 9), p 342}

89_{H. Harrison Dinniss, Cyber Warfare and the Laws of War (Cambridge University Press 2012), p 81, 82} 90_{Ibid, p 81}

(20)

19

websites of banks.91 However, relating to their scale and effects it did not constitute an armed attack. There is a similar reasoning for the attack in Georgia in 2019. Again, the cyber-attack could not be seen as an armed cyber-attack based on its scale and effects because there were no casualties or the destruction of property. If the cyber-attack in the Netherlands was not interrupted by the Netherlands and the UK, it would probably not have met the requirement of an armed attack because it would not lead to casualties or destructive property. However, it would have been a heavy breach of integrity because the OPCW is an organisation against chemical weapons.92

It is hard to apply the definition of an armed attack on a cyber-attack. The question is if the threshold of an armed attack relating to cyber-attacks must be replaced. However, self-defence is a far-reaching measure. It is a remedy for an injured State which justifies the use of force against unlawful force.93 It gives the injured State the opportunity to protect their sovereignty and political independence.94_{However, the purpose of self-defence is not the punishment of the}

attacking State or non-State actor, but it wants to stop the cyber-attack from happening.95_Given

the fact that the threshold of an armed attack for cyber-attacks does not fit (yet), it seems that States must turn to other remedies than self-defence. As already seen in the Netherlands, States are looking for appropriate ways to react on cyber-attacks. The Netherlands exposed an operation of the GRU so the agents cannot operate internationally anymore.96

3.2 Necessity, proportionality and immediacy

As mentioned before, there are three requirements besides an armed attack for invoking self-defence. In the ICJ Nicaragua v USA, the Court affirmed the importance of necessity and proportionality, both coming from customary international law.97_{Necessity means there is no}

other option and proportionality means that it must be necessary to stop the armed attack in the proposed way.98_{The last criteria, the one of immediacy, means that the act of self-defence takes}

91_{See Chapter 2.2}

92_{Ministry of Defence (n 27), accessed 11 July 2020}

93_{Y. Dinstein, War, Aggression and Self-Defence (3}rd_{Edition, Cambridge University Press 2001), p 159, 161} 94_{R. Khdir, ‘The right to self-defence in international law as a justification for crossing borders: The}

Turkey-PKK case within the borders of Iraq’ (2016) 4.4 Russian Law Journal 62, p 63; See also UN Charter (n 5), Article 2(4)

95_{M. Roscini (n 44), p 120}

96_{Ministry of Defence (n 27), accessed 14 July 2020}

97_{Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America) (n 40),}

para 193-195, 211; C. Gray (n 77), p 254

(21)

20

place right after the armed attack triggering the right to self-defence. However, there is some flexibility.99 All three requirements can also be found in the Tallinn Manual 2.0.100

Looking at the requirement of necessity, there can be other appropriate ways to defend itself. For example, if firewalls are good enough to protect itself, the use of force would not be necessary. Besides, if cyber-attacks cannot be seen as an armed attack because it does not meet the threshold, self-defence by using force is again not necessary.101 Therefore, many scholars argue that the requirement of necessity cannot be met. Most of the time, less grave forms of force can be used against a cyber-attack.102 Proportionality can entail that the act of self-defence is by electronic means, and not by weapons causing physical damage. However, this must also be based on a case-by-case basis and is depending on the State who wants to use self-defence.103 It can depend on the scale, scope, duration, and intensity.104 There are scholars arguing that a cyber-attack back is a sufficient measure, meaning that self-defence is not proportional.105 Looking at the criteria of immediacy, it takes time to identify the location of the attacker and it can be hard to establish if the attack is still ongoing, which makes it hard to use self-defence.106

Although the criteria of immediacy is flexible, it will probably not fulfil the criteria.107

3.3 Conclusion

Self-defence is used as pressure to stop the use of force by the cyber-attacking State. The injured State can react with the use of force on the attack of the attacking State, as long as it fulfils the requirements of self-defence. An armed attack is different from the use of force because it requires the loss of life or the attack on property. An armed attack is the use of force, but the use of force is not an armed attack. There are examples of cyber-attacks which can, hypothetically, fulfil the requirement of an armed attack. However, it has not happened in the real world yet based on its scale and effect. The requirements of necessity, proportionality and immediacy are not promising either. States probably have to think about other measures after a cyber-attack.

99_{Y. Dinstein (n 93), p 194 and 212; M. Schmitt (n 9), Rule 73} 100_{M. Schmitt (n 9), Rule 72, 73} 101_{Ibid, p 349} 102_{H. Lahmann (n 79), p 63} 103_{Ibid, p 1420} 104_{M. Schmitt (n 9), p 349} 105_{H. Lahmann (n 79), p 64} 106_{G. Nolte (n 7), p 1420} 107_{M. Roscini (n 44), p 96, 97}

(22)

21

4 Self-defence against who?

It can be hard to identify the offender of the cyber-attack. In fact, the advantage of cyber-attacks is mostly the anonymity of the offender. However, it can sometimes be traced back to a State because, for example, the technology has developed over time to identify the source of the cyber-attack.108_{Take the example of the Netherlands, where the Netherlands Defence}

Intelligence and Security Service (DISS), General Intelligence and Security Service and the UK disrupted a cyber-attack by the Russian intelligence service (GRU).109_{However, it is still seen}

that it can be hard to attribute cyber-attacks to a State. Identifying the attacker can be hard but it is not impossible. If the source is identified, it is possible to use self-defence against a State or non-State actor. The possibilities of acts by States are examined in light of ARSIWA. The possibility of non-State actors is examined in light of scholars and an example of Syria. Due to the complexity of the situation in Syria, this will be shortened to the relevant facts for the purpose of this thesis. Lastly, attribution seems problematic, therefore it is analysed how this could be changed.

4.1 States

Whenever the source of the cyber-attack is identified, it must be investigated if the cyber-attack can be attributed to a State by one of the articles in ARSIWA.110 The Tallinn Manual 2.0 attributes any cyber operation exercised by organs of a State or persons or entities empowered by the law to exercise governmental authority to a State.111 Not every article will be discussed because of the applicability of attribution of the cyber-attacks. The articles which are being discussed are provided with examples to show how it relates to a State.

4.1.1 Organs of the State

Article 4 ARSIWA deals with the attribution of a conduct of organs of a State. It does not matter which level or function the organ has. It must exercise functions of the government and it is not depending on a level of hierarchy.112 There are two types of organs, de jure, and de facto organs.

De jure organs are determined by internal law, as described in article 4(2) ARSIWA. De facto

organs are determined by international law, meaning it does not have a status under the internal

108_{Ibid, p 96, 97}

109_{Ministry of Defence (n 27), accessed 18 June 2020}

110_{ILC Draft Articles on the Responsibility of States for Internationally Wrongful Acts, United Nations}

International Law Commission, Report on the Work of its Fifty-Third Session (2001), UN Doc A/56/10

111_{M. Schmitt (n 9), Rule 15}

112_{ILC Draft Articles on the Responsibility of States for Internationally Wrongful Acts (n 110), Commentary p}

(23)

22

law, but it can still be considered as an organ of the State under international law.113 Whether it can be recognized as an organ of the State is determined by the ‘strict control test’ as specified in the ICJ Nicaragua v USA, which relies on the relationship between the dependence and control. The control must be analysed and proven on the potential and actual control.114 The threshold for the evidence is high, and therefore it is hard to prove the potential for control and the actual exercise of control, and to establish the complete dependence.115 The test was also used in the ICJ Genocide Convention Case, but in both cases, the persons and/or entities were not established as organs of the State.116

Cyber-attacks occur in many ways. It would be conceivable to have a cyber-attack which is executed by an organ of a State, which can therefore be attributed to the State. The Tallinn Manual 2.0 also stressed that cyber-attacks by intelligence, military or any other State agency is binding upon the State.117 One could think of organs developed and created by Ministries or the Government. For example, military cyber organs can be established by the Ministry of Defence. Different countries already established such cyber departments or -units.118_However,

these documents on the development or creation are most of the time classified. It is known that Israel has one of the best high-tech agency, including intelligence analysts with hacking skills (Unit 8200).119 Besides, the USA also has a cybersecurity unit called the USCYBERCOM which has the mission to “direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests”.120_{In the case of Estonia in 2007 there was}

a suspicion of the involvement of Russian State organs, even though Russia denied any involvement in the cyber-attack.121 One could also think about the example of the cyber-attack by the GRU in the Netherlands. The agents travelled on diplomatic passports and the agents

113_{D. Momtaz, ‘Attribution of Conduct to the State: State Organs and Entities Empowered to Exercise Elements}

of Governmental Authority’ in J. Crawford, A. Pellet and S. Olleson (eds), The Law of International

Responsibility (OUP 2010), p 239

114_{Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America) (n}

40), para 109; S. Talmon, ‘The Responsibility of Outside Powers for Acts of Secessionist Entities’ (2009) 58.3 International and Comparative Law Quarterly 493, p 497, 498

115_{E. Ortega, ‘The attribution of international responsibility to a State for conduct of private individuals within}

the territory of another State’ (2015) 1 Indret: Revista para el Análisis del Derecho < https://indret.com/wp-content/themes/indret/pdf/1116_es.pdf> accessed 26 May 2020, p 10

116_{Application of the Convention on the Prevention and Punishment of the Crime of Genocide}

(Bosnia-Herzegovina v Serbia and Montenegro) (Merits) [2007] ICJ Rep 43, para 391-394; Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America) (n 40), para 110

117_{M. Schmitt (n 9), p 87} 118_{M. Roscini (n 44), p 97}

119_{J. Reed (n 60), accessed 28 May 2020; J. O’Malley (n 60), accessed 28 May 2020} 120_{U.S. Cyber Command (n 61), accessed 28 May 2020}

(24)

23

were located in front of the OPCW in The Hague, where they tried to hack into the network.122 The UK Minister for Europe stated after the attack that the attack can be traced back to a specific Unit of the Russian Military, therefore the cyber-attack can be attributed to the Russian State.123 In the Georgia 2019 cyber-attack, the UK was for more than 95% certain that the GRU was behind the attack, meaning that it would lead to the responsibility of the Russian State.124 Another example is the cyber-attack by the USA against Iran in 2010, run by intelligence agencies which also made use of computer controllers used in military programs.125 These organs are de jure organs of the State, now their roles and acts are determined by internal law. However, there could also be de facto organs. If such organs are executing a cyber-attack, this can be attributed to the State. There are no examples of de facto organs yet.

4.1.2 Governmental authority

Article 5 ARSIWA deals with the conduct of persons or entities which are not organs of the State, but they are authorized to exercise governmental authority. It sees on the parastatal entities and the privatized companies with public functions.126_{It is empowered by the internal}

law of the State to exercise that specific governmental authority. It can therefore be limited to a certain or specific act; however, it is not the purpose of article 5 ARSIWA to identify governmental authority.127

There are examples relating to article 5 ARSIWA, such as the Cyber Unit of the Estonian Defence League. It is a “voluntary national defence organisation operating in the area of government of the Estonian Ministry of Defence”.128_{It wants to protect Estonia and it supports}

the objectives of national defence.129 The organization is part of the Estonian Defence League,

122_{Ministry of Defence (n 27), accessed 18 June 2020}

123_{Foreign & Commonwealth Office and Peter Wilson CMG, ‘Minister for Europe statement: attempted hacking}

of the OPCW by Russian military intelligence’ (GOV.UK, Cyber Security, 4 October 2018)

< https://www.gov.uk/government/speeches/minister-for-europe-statement-attempted-hacking-of-the-opcw-by-russian-military-intelligence> accessed 28 June 2020

124_{Foreign & Commonwealth Office, National Cyber Security Centre and The Rt Hon Dominic Raab MP (n 29),}

accessed 28 June 2020

125_{D. Sanger, ‘U.S. Blames China’s Military Directly for Cyberattacks’ The New York Times (New York, 6 May}

2013) <https://www.nytimes.com/2013/05/07/world/asia/us-accuses-chinas-military-in-cyberattacks.html> accessed 28 June 2020

42

127_{Ibid, Commentary p 43}

128_{Kaitseliit, ‘Estonian Defence League’ (Kaitseliit, EDL: Estonian Defence League, date unknown)}

<https://www.kaitseliit.ee/en/edl> accessed 28 June 2020

129_{Kaitseliit, ‘Estonian Defence League’s Cyber Unit’ (Kaitseliit, District: Cyber Unit, date unknown)}

(25)

24

which is empowered by the law of the Republic of Estonia.130 Therefore, it fulfils the requirements of article 5 ARSIWA, because it is empowered by the internal law of Estonia to exercise governmental support on the terrain of cyber security. It means that cyber-attacks of the Cyber Unit of the Estonian Defence League can be attributed to Estonia. Another example was Australia, which had its own Australian Cyber Security Centre (ACSC).131 It now falls under the Australian Signals Directorate (ASD). Before that, the ASD supported the government and defence force, defended Australia and it helped in its national interest.132 The ASD is part of the Ministry of Defence.133 Before it became part of the ASD, the ACSC was falling under the requirements of article 5 ARSIWA. It was exercising governmental authority as an independent organization, defending Australia and improving cyber security.134 Similar to the Cyber Unit in Estonia, cyber-attacks by the ASCS could be attributed to Australia. However, in the case of ASCS it is not possible anymore under article 5 ARSIWA because it is now part of the Government.

So, the Cyber Unit in Estonia and the ASCS in Australia are examples of cyber companies which are parastatal or privatized exercising public functions It means that if they execute a cyber-attack on another State, the State where they are located can be responsible.

4.1.3 Direction and control

Article 8 ARSIWA looks at the conduct acting on instructions or under the direction of control by the State.135 The Tallinn Manual 2.0 has a similar rule in Rule 17(a).136

Normally, acts by non-State actors are not attributable to the State, but there is an exception if there is a factual relationship between the person or entity and the State. This can be established through the instructions of the State or the direction of control of a State over a specific act.137 The specific act which resulted in the wrongful act has to relate to the instruction, direction or

130_{Kaitseliit, ‘Frequently Asked Questions’ (Kaitseliit, EDL: District, Cyber Unit Frequently Asked Questions,}

date unknown) <https://www.kaitseliit.ee/en/frequently-asked-questions> accessed 28 June 2020

131_{Australian Government: Australian Signals Directorate, ‘Cyber Security’ (Australian Government, Cyber,}

date unknown) <https://www.asd.gov.au/cyber> accessed 28 May 2020

132_{Australian Government: Australian Signals Directorate, ‘About ASD’ (Australian Government, About, date}

unknown) <https://www.asd.gov.au/about> accessed 28 May 2020

133_{Australian Government: Australian Signals Directorate, ‘About the ACSC’ (Australian Government, Cyber:}

About the ACSC, date unknown) <https://www.cyber.gov.au/acsc> accessed 28 June 2020

134_{Ibid, accessed 28 June 2020}

47

136_{M. Schmitt (n 9), p 94}

(26)

25

control.138 To establish the degree of control, one should look at the ‘effective control test’ as decided in the ICJ Nicaragua v USA. It needed to be proved that the USA had effective control over the military operations. However, the USA was not responsible because there was no effective control over the specific act.139 In the ICJ Genocide Convention Case the ICJ underlined the difference between the ‘effective control test’ and the ‘strict control test’. For the ‘effective control test’ it is not necessary to identify complete dependence over the whole act or general operation, but there must only be effective control relating to a specific act.140 The ICTY Appeals Chamber developed their own test in the ICTY Tadic Case, the ‘overall control test’.141_{However, this test was rejected by the ICJ Genocide Convention Case because}

the ICJ argues it is too far reaching.142 Therefore, the ‘effective control test’ is still the leading test. Relating to cyber-attacks, the effective control test is preferable because the ‘strict control test’ is applied in organised and structured groups, which is not necessarily the case in cyber-attack actors.143_{This was also confirmed by for example Azerbaijan in a letter to the UN after}

they had been attacked.144

The Tallinn Manual 2.0 gives an example whereby attribution is possible in their opinion. If a State does not have a cyber defence organisation, and the State makes use of private persons or groups, the State is responsible for the acts of these persons or groups.145

Another example is the cyber-attacks in Georgia. The cyber-attack in Georgia in 2008 was a DDoS against public and private targets.146 Similar to the attack of Estonia in 2007, it was not known what the origin of the attack was. In the case of Georgia, Russia was suspected of directing or controlling the attack, namely via the organization RBN (Russian Business Network). However, it was not enough to confirm the involvement of the RBN.147 Still, it is consented by multiple sources that Russia coordinated and instructed the attack, and it was also confirmed by multiple investigations. The coordination and support can be traced back to 138_{Ibid, Commentary p 48}

40), para 109, 114, 115

(Bosnia-Herzegovina v Serbia and Montenegro) (n 116), para 400

141_{Tadic Case (Judgment) ICTY-94-1 (26 January 2000)}

(Bosnia-Herzegovina v Serbia and Montenegro) (n 116), para 406

143_{M. Roscini (n 77), p 38; Tadic Case (n 141), para 120}

144_{UNGA and UNSC, ‘Letter dated 6 September 2012 from the Chargé d’affaires a.i. of the Permanent Mission}

of Azerbaijan to the United Nations addressed to the Secretary-General’ (2012) UN Doc A/66/897 and UN Doc S/2012/687

145_{M. Schmitt (n 9), p 95}

146_{E. Tikk (n 22), accessed 28 May 2020, p 71} 147_{Ibid, accessed 28 June 2020, p 75}

(27)

26

Russia and it could be tied back to Russian forums. However, the evidence is circumstantial, and it was too far reaching to held Russia responsible.148

It needed to be proven that Russia or Russian organs were involved and if they had direction or control over the attack on Georgia to establish attribution under the ‘effective control test’. Unfortunately, attribution for a cyber-attack under article 8 ARSIWA is hard. Therefore, it is unlikely this situation will occur.

4.2 Non-State actors

Most of the cyber-attacks are committed by non-State actors. Unfortunately, the UN Charter does not clarify whether self-defence against a non-State actor is allowed. As seen in Chapter 4.1.3 self-defence against a non-State actor is possible if the conduct can be attributed to a State. The statement that self-defence against a non-State actor is impossible came under pressure.149 The ICJ always argued that it was impossible to use self-defence against a non-State actor. For example in the case of ICJ Nicaragua v USA, where the USA used self-defence to help El Salvador against non-State actors in Nicaragua.150 In the ICJ Armed Activities the ICJ argued that the acts of the non-State actors in the Congo against Uganda cannot be attributed to the Congo and therefore, Uganda cannot use self-defence.151

However, there are also indicators that self-defence against non-State actors is possible in the territory of a State. After the 9/11 attacks in the USA, the UNSC adopted two Resolutions that gave the right to the USA to use self-defence against the non-State actors.152 The USA started their self-defence attacks shortly after, and it was accepted by the majority of States.153_The

international practice after the 9/11 attacks show that States do make a link between the territorial State and the non-State actor to invoke their right to self-defence.154_{Take for example}

the situations in Israel against Hezbollah (2006), Turkey against Kurdish Workers’ Party in Iraq (2008) and Kenya against Al-Shabaab in Somalia (2011).155 The Tallinn Manual 2.0 states that

148_{Ibid, accessed 28 May 2020, p 74, 75} 149_{H. Lahmann (n 79), p 51, 52}

40), para 105, 113, 154-156

151_{Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v. Uganda) (n 56), para}

146 and 147

152_{G. Hernandez (n 6), p 355; UNSC Res 1363 (12 September 2001) UN Doc S/RES/1363; UNSC Res 1373 (28}

September 2001) UN Doc S/RES/1373

153_{C. Greenwood, Self-Defence (Max Planck Encyclopaedia of Public International Law, OUP 2012), para 17} 154_{C. Tams, ‘The use of force against terrorists’ (2009) 20.2 The European Journal of International Law 359, p}

385