C
YBER
C
OERCION AND THE
G
ENERAL
P
RINCIPLES OF
I
NTERNATIONAL
L
AW
Reinout Stap
Master’s thesis Public International Law
A
MSTERDAML
AWS
CHOOLUnder the supervision of
Prof. Dr. Terry D. Gill
Abstract
Russian cyber operations against Ukraine have shown a variety of possibilities in which cyber can be used to achieve political and military objectives. Cyber can be used as a tool of coercion to compel another State to take action it would otherwise not take. These cyber operations can range from information campaigns to cyber attacks rising to the use of force. General principles of international law regulate State conduct in the realm of cyberspace. On the basis of the principle of sovereignty, the principle of non-intervention and the prohibition of the use of force it can be determined whether an act of cyber coercion is lawful. Generally, the degree of infringement with the sovereign rights of a State will decide whether an act is lawful. Cyber operations, which are not coercive in nature can still violate international law, but when cyber activities become coercive towards another State, they are usually prohibited under international law.
Table of Contents
1. Introduction ... 4 2. Coercion ... 7 2.1 Coercive Strategies ... 7 2.1.1 Deterrence ... 7 2.1.2 Compellence ... 7 2.1.3 Coercive Diplomacy ... 8 2.1.4 Military Coercion ... 8 2.2 Instruments of Coercion ... 9 3. Cyber Coercion ... 10 3.1 Cyberspace ... 10 3.2 Actors in Cyberspace ... 113.3 Cyber Operations Short of Force ... 12
3.4 Cyber Warfare ... 14
3.5 Cyber as a Coercive Tool ... 15
4. Cyber Operations and International law ... 17
4.1 Sovereignty ... 17
4.2 Non-Intervention ... 19
4.2.1 Legal Nature and Scope ... 19
4.2.2 Elements of the Principle of Non-Intervention ... 20
4.2.3 Other Legal Questions Concerning Non-Intervention ... 22
4.3 Prohibition on the Use of Force and Self-Defense ... 23
4.3.1 Use of Force ... 23
4.3.2 Self-Defense ... 23
4.4 Application of International Law to Cyber Operations ... 24
5. Synthesis: Cyber Coercion used in Ukraine ... 27
5.1 Introduction ... 27
5.2 Russia’s Information Campaign ... 28
5.3 The 2014 Presidential Elections ... 29
5.4 December 2015 Power Grid Cyber Attack ... 30
5.5 NotPetya ... 31
5.6 Summary ... 32
6. Legal Consequences of Cyber Coercion ... 33
6.1 Attribution ... 33
6.2 Legal Remedies ... 34
7. Conclusion ... 36
1.
Introduction
Since 2014, Russia has consistently been attacking Ukraine in the realm of cyberspace as part of its new strategy of conducting hybrid warfare. This strategy blends conventional warfare with diverse non-military tactics, such as espionage, information and disinformation operations via mainstream and social media, psychological warfare and cyber attacks.1 Over time, cyber
attacks have become more important as it serves both military and strategic objectives.
Deficiencies in the performance of Russia’s armed forces during the Georgian War in 2008, made the Kremlin decide to revise its strategy.2 General Gerasimov became the face of
this new ‘hybrid war’ approach, which heavily relies on information warfare.3 Information
warfare consists of a deliberate disinformation campaign designed to confuse the enemy and achieve strategic advantage at minimal cost. Cyber is then used to manipulate data, knowledge and opinion in order to achieve political or psychological effects.4 The aim of this strategy is
to diminish the opponent’s will or capacity to resist by means of coercive cyber operations. Besides information warfare, also more destructive cyber operations are being conducted by Russia. Such operations are capable of producing effects similar to kinetic weapons and are for that reason rarer. Examples of more intrusive operations conducted against Ukraine are the use of infecting malware on governmental computers5, cyber operations against
Ukraine’s powerplants6 and the disruption of 2014 Ukrainian presidential election caused by a
series of cyber attacks.7 Cyber operations have the advantage of creating operational space for
coercive action while avoiding many of the political risks of traditional (kinetic) warfare. In particular the characteristic of covertness and legal uncertainty in certain areas of international law makes it an attractive tool.8 So cyber operations can be used for a range of goals, from
manipulating public opinion to physical destruction and disruption.
Developments in cyberspace have posed a challenge for States on how to retain their power monopoly in this new realm. The rise of the internet in the nineties to a global, borderless and to certain extent, lawless network of interconnected networks created an immense power to its
1 B. Renz, ‘Russia and ‘hybrid warfare’’, in Contemporary Politics, Vol. 22, No. 3, 2016, p. 294.
2 M. Smegovaya, ‘Putin’s Information Warfare in Ukraine’ in Institute for the Study of War, Russia Report 1,
2015, p. 10.
3 M. Galeotti, ‘I’m sorry for creating the ‘Gerasimov Doctrine’’, Foreign Policy, 5 March 2018,
<https://foreignpolicy.com/2018/03/05/im-sorry-for-creating-the-gerasimov-doctrine/> (last accessed on 3 December 2018).
4 J. Andrew Lewis, ‘‘Compelling Opponents to Our Will’: The Role of Cyber Warfare in Ukraine’, in K. Geers
(ed.), Cyber War in Perspective: Russian Aggression against Ukraine, Tallinn, NATO CCD COE 2015, p. 40.
5 ‘Cyber Snake plagues Ukraine networks’, Financial Times, 7 March 2014,
<https://www.ft.com/content/615c29ba-a614-11e3-8a2a-00144feab7de> (last accessed on 16 October 2018).
6 ‘U.S. government concludes cyber attack caused Ukraine power outage’, Reuters, 26 February 2016,
<https://www.reuters.com/article/us-ukraine-cybersecurity-idUSKCN0VY30K> (last accessed on 16 October 2018).
7 ‘Ukraine election narrowly avoided 'wanton destruction' from hackers’, The Christian Science Monitor, 17
June 2014, <https://www.csmonitor.com/World/Passcode/2014/0617/Ukraine-election-narrowly-avoided-wanton-destruction-from-hackers> (last accessed on 16 October 2018).
users.9 Cyber attacks could now be launched from every place in the world with devastating
consequences. Geographical distance and international borders had become in some respects irrelevant in the cyber context. Some non-State actors even acquired a level of cyber power that could challenge States in cyberspace.10
At the beginning of the 21th century, States started strengthening their national cyber capabilities for both military and civil purposes. Especially during the 2007 cyber attacks on Estonia the concept and effects of ‘cyber war’ became apparent. The potential for using cyber means as a coercive tool to change behavior in a certain direction was new at the time.11 This
event acted as a catalyst in the development of a legal framework for cyber warfare. In 2009, at the invitation of NATO Cooperative Cyber Defence Centre of Excellence, an International Group of Experts started a non-binding, academic study on international law governing cyber operations. This resulted in the publication of the Tallinn Manual on the International Law
Applicable to Cyber Warfare in 2013 and its revision in 2017, adding rules on peacetime cyber
operations. The International Group of Experts (IGE) unanimously concluded that general principles of international law also apply to cyberspace.12 The Group of Governmental Experts
on Developments in the Field of Information and Telecommunications had drawn the same conclusion in their report and emphasized on the applicability of the UN Charter. Furthermore, they added that “common understandings on how such norms shall apply to State behavior and
the use of ICTs by States requires further study”.13 The question of legality of (coercive) cyber
operations is therefore relevant.
In this thesis I will concentrate on State action towards another State, whereby the main question will be:
When does cyber, used as a tool of coercion, violate principles of international law?
The focus of these principles will predominantly be on non-intervention, but also on sovereignty and the use of force. To answer this main question, I will use the following five sub questions: (1) What does coercion mean and what does it consist of? (2) What does cyber entail and how can it be used as a tool of coercion? (3) What are the general principles of international law applicable to cyberspace are and how do they apply in the cyber context? (4) Are the cyber operations, launched by Russia against Ukraine lawful under the general principles of international law? (5) What are the legal consequences of unlawful cyber coercion? Every chapter of this thesis deals with one of the aforementioned sub questions. This thesis will primarily be a traditional legal study, whereby cyber and the concept of coercion will be analyzed through international legal principles, case law and existing legislation. Because no specific treaty is dealing with this topic of cyber coercion, the work of academics in this field of law will also be used extensively to interpret existing law in different
9 C. Czosseck, “State Actors and their Proxies in Cyberspace”, in K. Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace, International Law, International Relations and Diplomacy, Tallinn: NATO CCD
COE 2013, p. 1-2.
10 Czosseck 2013, p. 2. 11 Andrew Lewis 2015, p. 39.
12 M. Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare, New York: Cambridge
University Press 2013 [hereinafter: Tallinn Manual], p. 24.
13 United Nations General Assembly, Developments in the field of information and telecommunications in the context of international security, A//68/98, 2013, p. 8.
cases. The methodology is thus primarily based on a positivist approach: describing the current legal system and finding a conclusion derived from the law as it is.
This thesis also contains some multidisciplinary elements. For describing the term coercion, which is not defined in international law, political science studies will be used to shape a better understanding of the term. The theory of realism in international relations can best be used to grasp coercion. Realism focuses on States: States use power to secure their core national interests, which is survival.14 States calculate rationally the most appropriate steps that
should be taken in order to survive in a hostile and threatening environment.
In order to understand the characteristics of cyber, military doctrine and literature on cyber technology will be used.
The situation in Ukraine will be used as a case study to outline the different applications of cyber as a coercive tool. Even though in most cases it has been proven that the Russian Federation was behind these operations, it is not always absolutely clear who was behind an attack. For purposes of this thesis, Russia shall be presumed to be the originator, since this thesis is about State actions towards another State.
14 T. Dunne & B. Schmidt, ‘Realism’, in J. Baylis, S. Smith & P. Owens, The Globalization of World Politics,
2.
Coercion
Coercion is an often-used term, but it lacks a broadly shared definition. One can define coercion as the use of threatened force, and at times the limited use of actual force to back up the threat,
to induce an adversary to behave differently than it otherwise would.15 Coercion is about
manipulating an adversary’s policy choices and decision making. In this chapter the different strategies of coercion will be set forth and its different instruments. It will also briefly comment on its meaning in international law.
2.1 Coercive Strategies
The threat of the use of force is a distinctive practice in international politics for over centuries. Traditionally, coercion can be divided in deterrence and compellence. Thomas Schelling argues in his book Arms and Influence that the use of military force usually comes with high military costs, both economic and emotional. States can, therefore, use this fear of suffering as a tool for political persuasion, coercive diplomacy, as opposed to traditional warfare, which he calls brute force.16 Rob de Wijk finds it useful to make a distinction between coercive
diplomacy and military coercion. The latter form of coercion introduces the use of military
force, possibly on a large scale.17 To have a better understanding how cyber action can be used
in a coercive way, it is helpful to set forth briefly different strategies concerning coercion.
2.1.1 Deterrence
The strategy of deterrence became well known during the Cold War, most notably during the nuclear arms race.18 The main idea behind the concept of deterrence is that a State employs the
threat of the use of force, which is intended to dissuade an adversary from doing something. Deterrence seeks to get the opponent not to change its behavior; to continue “not doing what it is not doing”.19 The strategy of deterrence is passive: the initiative lies with the opponent to
take first action, which would trigger a response from the coercer.20
2.1.2 Compellence
During the Cold War, Schelling expanded the concept of coercion beyond deterrence by introducing the term ‘compellence’. The concept of compellence is active: the initiative for the first action lies with the coercer, whereas deterrence is waiting in hope of not seeing a
15 D. Byman & M. Waxman, The Dynamics of Coercion, American Foreign Policy and the Limits of Military Might, Cambridge: Cambridge University Press 2002, p. 30.
16 Schelling 1966, p. 3.
17 R. de Wijk, The Art of Military Coercion, Amsterdam: Amsterdam University Press, 2014, p. 17. 18 M. Sperandei, Bridging Deterrence and Compellence: An Alternative Approach to the Study of Coercive Diplomacy, International Studies Review 2006, p. 253.
19 R. Art & P. Cronin, The United States and Coercive Diplomacy, Washington DC: United States Institute of
Peace 2003, p. 8.
response.21 In other words, with deterrence, the coercer is drawing a line, which would only
result in war if the opponent tries to cross it, while with compellence the coercer is forcing the opponent out of a position that it is currently holding.22 The change in behavior sought by
compellence can be: either the opponent starts doing something it is not doing now, or, the opponent stops doing something that it is doing now. Either way, the opponent changes its behavior.
Coercive strategies used offensively to persuade an opponent to give up something of value without putting up resistance are generally described by the term “blackmail strategy”.23
The concept of compellence includes both offensive and defensive uses of coercive threats.
2.1.3 Coercive Diplomacy
Coercive diplomacy is restricted to defensive use: it aims to persuade an opponent to stop and/or undo an action he is already embarked upon.24 Coercive diplomacy can best be
described as the attempt to get a target to change its behavior through either the threat to use force or the actual use of limited force. This force should demonstrate what an opponent could expect and build up credibility of the coercer’s determination to use more force if necessary. Alexander George describes coercive diplomacy as a strategy that seeks to persuade an opponent to cease his aggression rather than bludgeon him into stopping.25
Coercive diplomacy can be an attractive strategy, because it offers the possibility of achieving a certain objective, with little or no bloodshed, fewer political and psychological costs and often with less risk of unwanted escalation than traditional military strategies. Especially powerful States are tempted to intimidate weaker opponents to give up their gains and objectives, but this might be risky if a weaker State is highly motivated by what is at stake and refuses to back down.26 If a State is calling the bluff, the coercer has to decide whether to
back off, to accept a comprise settlement, or to escalate to the use of military force.
2.1.4 Military Coercion
De Wijk uses the term military coercion, as a form of coercion where the use of force, even on a massive scale, is being used to compel the adversary to change its position.27 The aim of
military coercion is to eliminate the adversary’s options, not to occupy or destroy a country and its people. Schelling calls this strategy coercive warfare and argues that the coercer must not use force against all targets. By keeping some in reserve, the threat of further violence can be used to make the enemy behave.28 While coercion uses suffering as a tool to persuade an
21 Schelling 1966, p. 80.
22 W. Petersen, ‘Deterrence and Compellence: A Critical Assessment of Conventional Wisdom’, in International Studies Quarterly, Vol. 30, No. 3, 1986, p. 282.
23 A. George, Forceful Persuasion: Coercive Diplomacy as an Alternative to War, Washington DC: United
States Institute of Peace 1991, p. 5.
24 Idem.
25 George 1991, p. 5. 26 Idem, p. 6.
27 De Wijk 2014, p. 18. 28 Schelling 1966, p. 170-174.
adversary to adhere to the demands, brute force seeks to overcome the enemies’ strength. Schelling compares this with taking what you want and making someone give it to you.29
So military coercion begins, where coercive diplomacy ends, and military coercion ends where all-out war begins.
2.2 Instruments of Coercion
Generally, three different coercive instruments can be distinguished:30
1. Political measures aim to isolate or punish a regime. This involves forms of political protest such as diplomatic demarches, withdrawal of ambassadors, UN resolutions, cultural and travel boycotts. In legal terms, such measures can generally be qualified as retorsions, which do not interfere with the target State’s rights under international law but are considered unfriendly.
2. Economic measures, such as sanctions, blockades, trade embargoes, freezing of assets. Such measures are usually part of countermeasures, which in principle violates international law, but are justified as a response. However, not every economic measure is coercive since States are in principle free to decide who trade with.
3. Military force to advance and defend one’s interest. Successful application of military force requires recognition of the connection between the interest at stake and the level of force being used. The use of force is generally prohibited under international law, but there are some recognized exceptions.
The successfulness of coercion can be hard to determine. One tends to say that if the adversary concedes to the demands, coercion worked, but it is misleading to just look at the behavioral response and correlate that response to particular events.31 Analysts must also take other
pressures into account, because they can have contributory effects. Engaging as many pressure
points as possible will benefit the intervening State in succeeding.32 These pressure points
differ from State to State and are dependent upon a variety of factors. Successful coercion requires discovering and threatening the opponent’s pressure points, which are not just areas sensitive to the adversary, they are also areas that the adversary cannot impenetrably guard.33
In democracies, such pressure point focus on a large part of the population, since the number of people who influence decision making is vast. For example, a pressure point can be one that is focused on the opinion of the majority or the economic situation. Information campaigns are making use of this concept of pressure points in order to be effective.
With authoritarian regimes different pressure points can be used. Against them successful coercion must be focused on the elite instead of the people. General sanctions, infrastructure strikes or other pressures that affect the entire country might fail because the elite is not (specially) affected. 34
29 Schelling 1966, p. 2. 30 De Wijk 2014, p. 22-23. 31 Idem, p. 31-32.
32 P. Regan, ‘Conditions of Successful Third-Party Intervention in Intrastate Conflicts’, in Journal of Conflict Resolution, Vol. 40, No. 2, 1996, p. 353.
33 Byman & Waxman 2002, p. 30. 34 Idem, p. 44-45.
3. Cyber Coercion
Having distinguished the different strategies of coercion and its instruments, it is now necessary to determine how cyber can be used as a tool of coercion. To do so, it is useful to start with defining ‘cyber’. Subsequently I will discuss what cyber operations are and what it entails. Then I will explain how cyber operations can become part of cyberwarfare and I will conclude this chapter by combining the theory of coercion and its application in cyber.
3.1 Cyberspace
Different terms are being used when one speaks of ‘cyber’. Cyber force, cyber attacks, cyber operations, and cyber warfare are all used in different contexts and have different meanings.35
What they have in common is that all of these actions take place in cyberspace.
Cyberspace lacks an internationally agreed definition, but the International Group of Experts has defined cyberspace in the authoritative Tallinn Manual as: “The environment
formed by physical and non-physical components, characterized by the use of computers and electro-magnetic spectrum, to store, modify and exchange data using computer networks”.36
Although comprehensive, it is useful to acknowledge the personal component when defining cyberspace. After all, it is the human users that interact with the interconnected information systems.37 Nowadays 3.8 billion people have access to internet and can watch clips on
YouTube, have profiles on Social Media, such as Facebook, Twitter and Instagram, send emails, play games, shop online and so on.38
By acknowledging a social layer, cyberspace then consists of three main elements:39
- The physical layer of tangible ICT infrastructure constituted by the network of computer linked via cables and routers, which enables communication and data storage. Servers, satellites, but also facilities that are controlled by those networks are part of the physical layer.
- The logical layer, which focuses on data and software. These elements of the network are based on the logic programming (code) and drive network components. It contains the internet, that virtually connects the nodes and allows us to navigate and communicate. It also includes the operating software of microchips and the memory capacity, such as clouds.
- The social layer, which interacts with the physical and the logical layer. It is here where data gets it meaning. This is the place where humans become part of the cyber space.
35 P. Ducheine, ‘Military Cyber Operations’, in T. Gill & D. Fleck, The Handbook of the International Law of Military Operations, Oxford: Oxford University Press 2015, p. 456.
36 M. Schmitt, Tallinn Manual 2.0 on the international Law Applicable to Cyber Operations, Cambridge:
Cambridge University Press 2017 [hereinafter: Tallinn Manual 2.0], p. 564.
37 R. Ottis & P. Lorents, ‘Cyberspace: Definition and Implications’, in Proceedings of the 5th International
Conference on Information Warfare and Security, Dayton, OH, US, 8-9 April. Academic Publishing Limited 2010, p. 267-270.
38 Broadband Commission for Sustainable Development, The State of Broadband 2018: Broadband catalyzing sustainable development, Geneva: International Telecommunication Union 2018, p. 8-9.
39 F. Osinga, ‘Introducing Cyber Warfare’, in P. Ducheine, F. Osinga, J. Soeters (ed.), Cyberwarfare: Critical Perspectives, The Hague: TMC Asser Press 2012, p. 7-8.
The cyber-persona layer is a sublayer and consists of IT user accounts, driven by humans or automated. A person can have several personas, but single cyber-persona can on the other hand also have multiple users. Attributing responsibility for actions in cyberspace can be very difficult because of the use of these cyber-personas.40
Due to the extensive scope of cyberspace, both physical and virtual, cyber has become a substantive domain, next to the conventional physical domains of air, land, sea and outer space. Just as in the conventional domains, States try to control actions in cyberspace, even though that is much harder to exert, if not impossible.41
3.2 Actors in Cyberspace
Both State and non-State actors conduct operations in cyberspace. The Tallinn Manual defines cyber operations as: “The employment of cyber capabilities with the primary purpose of
achieving objectives in or by the use of cyberspace”.42 A primary aim of most State’s is to
guarantee security to their inhabitants and safeguard their (other vital) national interest, which can be set out in a national security strategy. Most non-State actors, however, usually do not have an explicitly formulated strategy, but merely an implicit (corporate) goal.43 Therefore, the
aim of a cyber operation varies based on the actor that is performing the cyber operation. Both governmental and private entities conduct operations in cyberspace. Especially the number of private corporations that are digitally collecting and providing information is growing steadily.44 These actors use cyber to gather information, including (industrial)
espionage. The enormous amount of data that companies have at their disposal, together with the power flowing from it, makes these companies vulnerable to cybercrime. These malicious cyber operations can include theft, but can also deleting, altering, or corrupting software and data.45 Such operations no longer originate only from young hackers, who break into computer
systems primarily out of curiosity and the thrill of the challenge, but from a variety of more professional actors.46
Organized cybercrime moved into cyberspace at the end of the nineties, due to high profits, a lack of attribution and limited cyber law enforcement. Another group of actors are
hacktivists; instead of hacking for financial reasons this group of people conduct cyber
operations for political reasons. Perhaps the best-known group in this matter is ‘Anonymous’, who is fighting for the freedom of access to information and attacks those who are challenging this right.47 Finally, also terrorists are becoming a more important actor in cyberspace because
cyber technologies and expertise is relatively easy and cheap to acquire. The Internet can then
40 US Department of Defense, Joint Publication 3-12, Cyberspace Operations, 8 June 2018, I-3 &I-4.
<https://fas.org/irp/doddir/dod/jp3_12.pdf>
41 Osinga 2012, p. 9.
42 Tallinn Manual 2.0, p. 564.
43 P. Ducheine, ‘The Notion of Cyber Operations’, in N. Tsagourias & R. Buchan, The Research Handbook on the International Law and Cyberspace, Cheltenham: Edward Elgar Publishing 2015, p. 215.
44 Idem, p. 211.
45 M. Roscini, Cyber Operations and the Use of Force in International Law, Oxford: Oxford University Press
2018, p. 2.
46 Czosseck 2013, p. 4. 47 Idem, p. 8-9.
serve as a powerful, global tool for terrorist, which is hard to control and can be easily exploited.48 As we will see, the ‘NotPetya’ cyber attack was relatively cheap to launch, while
it resulted in billions of dollars in damages.49
As mentioned, cyber operations can take different forms. In extreme scenarios, a cyber operation could potentially go as far as disrupting banking systems, disabling power generators, derailing trains, crashing airplanes, causing nuclear reactors to melt down, causing pipelines to explode or weapons to malfunction. The advent of cloud computing also created huge potential security risks. By breaking the defenses of the remote server, an intruder can get access to an enormous amount of information of users.50
As one can imagine, cyberspace also features and supports warfare. This can include interference, sabotage and taking control of the military command, control and communication systems. Besides this more “traditional” form (directly aimed at military objects) of waging war, cyberspace can also be the scene of information warfare, whereby social media and the internet are used for an information campaign. Strategies of information warfare use strategic narratives, involving disinformation and propaganda to shape perceptions, manipulate cognitions, and direct behavior to achieve a response that furthers the desired object of the propagandist.51
When actual warfare takes place in the realm of cyberspace, the military will normally be involved. The employment by the armed forces of cyber capabilities with the primary purpose of achieving military goals in or by the use of cyberspace is called Military Cyber Operations.52 These operations may vary from information gathering, deception, and
deterrence, to disruption and destruction and can be used both offensively and defensively.53
3.3 Cyber Operations Short of Force
In order to determine when cyber operation is taking place below the use of force, it is useful to first set forth the legal framework of the jus ad bellum, after which one can find what cyber operations fall short of the use of force.
The ICJ concluded that the law on the use of force, including cases of self-defense applies to “any use of force, regardless of the weapons employed”.54 This means that the same legal
framework also governs cyber operations. Cyber can be used as a weapon if they are in ‘scale and effects’ comparable to those of non-cyber operations.55 Yet, it is hard to determine what
the use of force and the threat of the use of force means as there is no authoritative definition. The UN Charter sets the prohibition on the use of force: “All Members shall refrain in their
48 B. Saul & K. Heath, ‘Cyber Terrorism’, in N. Tsagourias & R. Buchan, The Research Handbook on the International Law and Cyberspace, Cheltenham: Edward Elgar Publishing 2015, p. 147.
49 ‘The 'NotPetya' Cyber Attack Was Likely Very Cheap To Deploy’, Foxtrot Alpha, 28 June 2017, <
https://foxtrotalpha.jalopnik.com/the-notpetya-cyber-attack-was-likely-very-cheap-to-depl-1796496099> (last accessed on 13 November 2018)
50 Roscini 2014, p. 14.
51 M. Hellman & C. Wagnsson, ‘How can European states respond to Russian information warfare? An
analytical framework’, in European Security, Vol. 26, No. 2, 2017, p. 153-155.
52 Ducheine 2015, p. 457. 53 Idem, p. 459
54 ICJ, Legality of the Threat or Use of Nuclear Weapons, Advisory opinion of 8 July 1996, para. 39. 55 Tallinn Manual, p. 331.
international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations”.56 Different opinions emerge in determining the meaning of the word
‘force’. Is force merely armed violence, as the US and its major allies view it, or can force be read as coercion, which broadens the definition to other forms of pressure, such as political and economic coercion threatening State autonomy.57 Some even argued that force can be read as
interference; they tied concept of force to improper interference with the rights of other States.58
At the San Francisco Conference in 1945, several rounds of discussion took place on the text of the prohibition of the use of force. Some States wanted to expand the prohibition to types of force other than armed force, such as economic force59, moral or physical force60 and
political force.61 However, none of these proposals were adopted.
So, force is armed force. Non-destructive cyber psychological operations with the aim of undermining confidence in a government are, therefore, not included.62 The Tallinn Manual
provides a non-exhaustive list of indicating factors to assess whether a cyber operation reaches the threshold of the use of force: severity, immediacy, directness, invasiveness, measurability of effects, military character, State involvement and presumptive legality.63 By setting these
factors the IGE acknowledged the fact that decisions, whether an act can be qualified as a use of force, are often political, as well as normative in nature.64 Until there is more State practice,
this remains inevitable.
Now that we have seen what cyber operations can be considered as a use of force, we can also determine which cyber operations are below the level of force as laid down in Article 2(4) of the UN Charter. These operations can interfere with the domestic affairs of other States and even potentially causing an intervention, but do not (in principle) constitute a use of force. The legal consequences of such cyber operations will be discussed in the following chapter, but it is useful to set out what kind of operations one should think of. First of all, a lot of States conduct cyber espionage operations and cyber exploitations operations. These actions are considered to be pure interference and lack a coercive element. But States may also conduct more intrusive cyber operation which may be coercive at a certain level. An indicative list of cyber operations, varying in form and intensity, has been composed which helps to determine the intrusiveness of an operation:
I. misinformation and propaganda aimed at weakening a foreign government’s legitimacy and amounting to promotion and coordinating of subversion, thus boosting civil unrest or regime change;
II. (mis)use of social media, email, and digital (telephone) communications in spurring or supporting opposition to an unfriendly regime (especially in instable States);
56 Article 2, paragraph 4 of the Charter of the United Nations.
57 M. Waxman, ‘Cyber Attacks and the Use of Force’ in The Yale Journal of International Law, Vol. 36, No. 421, 2011, p. 427-428
58 Idem, p. 429.
59 Documents of the United Nations Conference on International Organization San Francisco, 1945, New York:
United Nations Information Organizations Vol. 6, 1945 [hereinafter: UNCIO], p. 559.
60 UNCIO, Vol. 6, p. 561. 61 UNCIO, Vol. 6, p. 563. 62 Tallinn Manual 2.0, p. 331. 63 Tallinn Manual 2.0, p. 334-336.
64 M. Schmitt, ‘The Use of Cyber Force and International Law’, in M. Weller, The Oxford Handbook of the Use of Force in International Law, Oxford: Oxford University Press 2015, p. 1114.
III. manipulating or influencing the outcome of digitally supported elections;
IV. the compromising of confidential governmental and other critical websites with the aim of interfering with governmental communications, manipulating key economic and financial activities; or
V. planting malware designed to degrade or shut down essential governmental and other key services at a moment of the intervening State’s choosing, resulting in the undermining of public and corporate confidence in a State’s ability to secure vital interests (inter alia, the maintenance essential services, economic stability, and public order);
VI. massive and coordinated distributed denial of services (DDoS) operations against governmental and other key economic or financial websites, aimed at hampering or crippling governmental activity for a period of time;
VII. cyber sabotage (or cybotage) resulting in physical damage, of e.g. defence communications, a nuclear research facility, or a particular weapon system, in which case it would approach or cross the threshold of a use of force and, in some cases, could potentially amount to an armed attack65
One can see that these operations range from being intrusive until being completely coercive. Number I, II, III can be considered part of information warfare as they are aimed at directing a behavior. Such operations might even seek to overthrow a government and achieve regime change. Depending on the character of the cyber operation, the legal consequences will differ.
3.4 Cyber Warfare
Although the term ‘cyber war’ is often used in an indiscriminate manner to refer to all sorts of malicious activities in cyberspace, this explanation ignores the meaning of the term ‘war’.66 As
Von Clausewitz wrote it: “War is […] an act of force to compel our enemy to do our will”.67
Although the term war is frequently used in a metaphorical manner, a real act of war is always (potentially) lethal. “Force—that is, physical force, for moral force has no existence save as
expressed in the state and the law—is thus the means of war […]”68 So, a key element in
warfare remains the use of force.69 This also applies to cyber warfare. The International
Tribunal for the Former Yugoslavia (ICTY) found that that “an armed conflict exists whenever
there is a resort to armed force between States”.70 State practice still has to decide what ‘armed
force’ in the cyber context exactly entails, but it is clear that cyber operations resulting in injury or death of persons or damage or destruction of property would cross the threshold of an armed conflict.71 Such cyber operations would then trigger the application of International
Humanitarian Law (IHL), even though States do no often acknowledge it as such.72
65 Ducheine 2015, p. 468-469 66 Czosseck 2013, p. 14.
67 C. Von Clausewitz, On War, Princeton: Princeton University Press 1976, p. 75. 68 Idem.
69 T. Rid, ‘Cyber War will not take place’, in P. Ducheine, F. Osinga, J. Soeters (ed.), Cyberwarfare: Critical Perspectives, The Hague: TMC Asser Press 2012, p. 76-77.
70 ICTY, Prosecutor v. Tadic, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, 2
October 1995, para 70.
71 M. Schmitt, ‘Classification of Cyber Conflict’, in Journal of Conflict and Security Law, Vol. 17, No. 2, 2012,
p. 251-252.
72 L. Arimatsu, ‘Classifying Cyber Warfare’, in N. Tsagourias & R. Buchan, The Research Handbook on the International Law and Cyberspace, Cheltenham: Edward Elgar Publishing 2015, p. 330.
The definition of ‘an armed attack’ in the context of jus ad bellum is different, because these are two distinct parts of International law. In latter context, the meaning serves as a condition precedent to the resort to force in self-defense pursuant to Article 51 of the UN Charter.73 Not every use of force rises to the level of an armed attack and can entitle a State to
respond with force in self-defense. The Tallinn Manual refers to the ‘scale and effects’ of a cyber operation, whether it constituted an armed attack.74 This means that the attack must be
part of “the most grave forms of the use of force”.75 The IGE were divided whether a cyber
operation, that causes no death, damage, or destruction, but that otherwise have extensive negative effects could constitute an armed attack.76
So, when one speaks of cyber warfare, it consists of the most disruptive and destructive cyber operations.77
3.5 Cyber as a Coercive Tool
As has become clear, cyber can be used in numerous ways against an adversary, amongst others to coerce it into doing or abstaining from a particular course of action. As defined in the second chapter, coercion is the use of threatened force, and at times the limited use of actual force to back up the threat, to induce an adversary to behave differently than it otherwise would.
The IGE found that coercion is not limited to the physical force only, but rather an affirmative act designed to deprive the target State of choice.78 It must, furthermore, be
distinguished from persuasion, criticism, public diplomacy or propaganda, because these forms of influencing lack the potential for compelling the State to engage in an action that it would otherwise not take.79 At the same time, it is hard to determine in advance whether a particular
cyber act would qualify as coercive. The coercive character depends on the specific context and consequences of the act, and therefore, in certain occasions a case-by-case analysis is required.
The theory and practice of coercion, especially in the cyber domain, can diverge. The theoretical idea of coercion consists of a clear threat, by an actor who claims responsibility, and who demands an explicit desired behavior. Yet, the observed practice is often different and is not a clear combination of these three elements. In practice, threats can be vague, the actor may be unknown, and the desired outcome is not completely clear.80 It is also possible that the
coercer and the coerced may not perceive the messages in the same way, which will damage the success of a cyber operation and might cause unintended responses.
When a cyber operation against another State amounts to use of force, it is clear that such action is coercive.81 But cyber operations can also be launched to deter (passive) an opponent to not
73 M. Schmitt, ‘“Attack” as a Term of Art in International Law: The Cyber Operations Context’, in C. Czosseck,
R. Ottis, K. Ziolkowski (ed.), 2012 4th International Conference on Cyber Conflict, Tallinn: NATO CCD COE Publications 2012, p. 283.
74 Tallinn Manual 2.0, p. 341.
75 ICJ, Military and Paramilitary Activities in and against Nicaragua, Judgment of 27 June 1986, para. 191. 76 Tallinn Manual 2.0, p. 343.
77 Ducheine 2015, p. 461. 78 Tallinn Manual 2.0, p. 317. 79 Tallinn Manual 2.0, p. 319.
80 Q. Hodgson, ‘Understanding Cyber Coercion’, 2018 10th International Conference on Cyber Conflict, Tallinn: NATO CCD COE Publications 2018, p. 76.
change its behavior or to compel (active) an opponent to change its behavior. The object of such an operation either defensive (coercive diplomacy: stop doing what you were doing) or
offensive (military coercion). This outline is more of a continuum, as States often combine
compelling actions with the threat of more devasting consequences to accomplish their ends.82
Interference in a State’s domestic affairs can therefore start with mere intrusion and end with brute force to completely overcome a State’s strength by armed force on a full scale (see figure 1).
Figure 1. Spectrum of interference
Cyber can then be used as a tool in this whole spectrum of coercion. Coercion, in the cyber context, can then best be described as: cyber operations that are designed to compel another State to take action it would otherwise not take, or to refrain from taking action it would otherwise engage in.83 This level of coercion is required to establish a prohibited intervention.
Lower forms of interference, which do not directly meet the definition of coercion, can thus not be viewed as intervention. As mentioned, cyber espionage in itself lacks the coercive element. It can, however, be argued that under certain circumstances, cyber espionage operations can also be seen as a form of coercion. This was the case with the Russian hacks of the Democratic National Committee in the United States, whereby thousands of emails were released. It was coercive in a sense that the cyber operation manipulated the process of elections and therefore caused them to unfold in a way that they otherwise would not have.84
So, cyber can be used as a tool of coercion in a broad sense and even thought the definition stated in this paragraph is comprehensive, a case-by-case assessment must determine whether a cyber operation is coercive or merely a form of interference.
82 Hodgson 2018, p. 75.
83 M. Schmitt, ‘Grey Zones in the International Law of Cyberspace’, in The Yale Journal of International Law,
Vol 42, No. 2, 2017, p. 8.
4.
Cyber Operations and International law
As stated in the introduction and also touched upon in the previous chapter, international law applies in cyberspace. The most relevant fields of law when it comes to cyber operations are: sovereignty, non-intervention, respect for territorial integrity, State responsibility, the use of force, humanitarian law. Other fields of law, such as international (law enforcement) operations, jurisdiction, immunities, international human rights law, international economic law, the law of intellectual property and international telecommunications law are also relevant in the cyber context, but for the purpose of this thesis less so.85
In this chapter I will set out the legal framework in which cyber operations take place when being used to coerce or when it interferes. I will start with the principle of sovereignty and subsequently the principle of non-intervention, and end with the use of force and self-defense. After that I will apply these general principles to the list of seven cyber operations as mentioned in the previous chapter.
4.1 Sovereignty
The current paradigm of sovereign States as the most important actor in the international system, finds its origin in the Peace of Westphalia (1648). 86 The principle of sovereignty flows
directly from the notion that States are highest authority in the international order. This most fundamental principle includes that all States are legally independent and formally equal.87
Sovereign equality is explicitly laid down in Article 2(1) of the UN Charter.88
As seen in the previous chapter, cyberspace consists of different layers (physical, logical and social) which are encompassed in the principle of sovereignty. Although cyberspace has been described as ‘global domain’ or even a ‘global common’ (res communis), cyber activities occur on territory and involve objects and are conducted by persons or entities over which a State has jurisdiction.89
The principle of sovereignty has two distinct but related elements: internal and external sovereignty. The internal aspect of sovereignty means that the State has the power to wield authority over all the individuals living in its territory.90 This aspect of sovereignty also applies
to the cyber infrastructure, persons, and cyber activities within its territory. States can thus exercise jurisdiction over cyber infrastructure and activities that are located in, or take place on, its territory.91
85 Ducheine 2015, p. 461.
86 A. Cassese, International Law, Oxford: Oxford University Press 2005, p. 22-24.
87 A. Nollkaemper, Kern van Internationaal Publiekrecht, Den Haag: Boom Juridisch Uitgevers 2014, p. 59-62. 88 Article 2, paragraph 1 of the Charter of the United Nations.
89 Tallinn Manual 2.0, p. 12. 90 Casesse 2005, p. 49. 91 Ducheine 2015, p. 466.
The external aspect on the other hand, refers to the right of a State to act on the international plane, to engage in international relations and to have the freedom, for example, to opt into specific cyber treaty regimes.92
The ICJ noted in its first case that “respect for territorial sovereignty is an essential
foundation of international relations”.93 Cyber operations must, therefore, not violate the
sovereignty of a State. The IGE concluded that: “cyber operations that prevent or disregard
another State’s exercise of its sovereign prerogatives constitute a violation of such sovereignty and are prohibited by international law”.94 This is of course without prejudice that
international law in certain situations permits or envisages exceptions to this rule.
So, a cyber operation that, without consent, physically cross into the territory of another State violates the sovereignty of that State. One could then think of a violation of territorial sovereignty when a State agent infects malware in the cyber infrastructure of another State, while being physically on the target’s territory.
Remote operations are legally more complex, and their lawfulness depend on two considerations:
(i) the degree of infringement upon the target State’s territory;
(ii) whether there has been interference with inherently governmental functions or the usurpation thereof.95
The rationales of these two considerations are that a State has the authority to decide who can access its territory and secondly its sole right to exercise its functions within its territory. Regarding the first consideration concerning the degree of infringement, the IGE distinguished three different levels, based on the notion that the principle of sovereignty protects territorial integrity against any physical violation:96
1) Physical damage: physical consequences on the territory by remote means constitute a violation.
2) Loss of functionality: this loss might constitute a violation, at least if repair or replacement of physical components is required.
3) Infringement upon territorial integrity falling below the threshold of loss of
functionality: the IGE could not come to a general agreement whether a cyber operation
that does not result in the first two levels, such as deleting or altering data, emplacing malware, installing backdoors or causing a temporary loss of functionality. Those experts in favor of a violation based their argument on the fact that States must have the full control over access to and activities on their territory.97 Although they could
not set precise criteria for a violation, the consequence of regarding operations that are not destructive or not injurious is that they are not a violation.98
92 Tallinn Manual 2.0, p. 17
93 ICJ, Corfu Channel, Judgment of 9 April 1949, p. 35. 94 Tallin Manual 2.0, p. 17.
95 Idem, p. 20.
96 Tallinn Manual 2.0, p. 20. 97 Idem, p. 20.
The second consideration of when a remote cyber operation might violate a State’s sovereignty depends on the interference with the ‘inherently governmental functions’. The Experts agreed that inference with data and services of such functions is prohibited. One might think of changing or deleting data relating to social services, the conduct of elections, the collection of taxes, the effective conduct of diplomacy and the performance of key national defense activities.99 In case of usurpation, such governmental functions may not be taken over and
controlled by another State. The usurpation of an inherently governmental function is different from intervention, but it may overlap.100
As follows from the foregoing, sovereignty can be considered a rule of international law. Some scholars, however, disagree with notion that sovereignty is itself a binding rule of international law. Such a rule precludes virtually any action by one State on the territory of another that would violate the domestic law of that other State, absent of their consent. They argue that sovereignty serves as a principle that guides interaction between States and does not set a rule, that dictates results under international law.101 This approach, however, contradicts extensive
State practice and opinio juris, which treat the prohibition as a rule. The better view is that sovereignty is the basis for a primary rule, which can be violated. This is approach is also followed by judgments of the ICJ.102
4.2 Non-Intervention
4.2.1 Legal Nature and Scope
Derived from the concept of respect for the territorial sovereignty is the principle of non-intervention.103 The principle is part of customary law and is related to the principles of respect
for political independence and territorial integrity and inviolability. The recognition of the principle can, inter alia, be found in the Montevideo Convention,104 in judgments of the ICJ,105
and by the Draft Declaration of the International Law Commission.106 In general, States have
a duty to refrain from intervention in the internal or external affairs of any other State. Especially in the Nicaragua case the ICJ dealt with this principle and confirmed its status: “the
principle of non-intervention involves the right of every sovereign State to conduct its affairs without outside interference though examples of trespass against this principle are not infrequent, the Court considers that it is part and parcel of customary international law”.107
The Court also concluded that despite frequent breaches of the principle in State practice, expressions of opinio juris concerning the existence of the principle as customary law “are
numerous and not difficult to find”.108
99 Tallinn Manual 2.0, p. 22. 100 Idem, p. 24.
101 G. Corn & R. Taylor, ‘Sovereignty in the Age of Cyber’, in American Journal of International Law, Vol.
111, 2017, p. 208-209
102 ICJ, Corfu Channel, Judgment of 9 April 1949, p. 29.
103 M. Shaw, International Law, Cambridge: Cambridge University Press 2017, p. 874. 104 Article 8 of the Montevideo Convention on the Rights and Duties of States 1933.
105 ICJ, Case Concerning Armed Activities on the Territory of the Congo, Judgment of 19 December 2005, para
162.
106 Article 3 of the Draft Declaration on Rights and Duties of States with commentaries 1949.
107 ICJ, Military and Paramilitary Activities in and against Nicaragua, Judgment of 27 June 1986, para. 202. 108 Idem.
As mentioned, this prohibition applies primarily to States, but may also apply to intergovernmental organizations, like the UN, in so far as they have the same obligation. Even though they possess (limited) legal personality and can enjoy immunities and some privileges, intergovernmental organizations do not have a reciprocal right not to be intervened, since they do not have the same notion of ‘internal affairs’ under international law.109 Non-State actors,
such as transnational corporations, armed groups or individuals may also conduct hostile cyber operations in a manner that would otherwise meet the criteria of a prohibited intervention, are not in violation of this rule.110 This would be different if the acts of these actors could be
attributed to a State. A foreign State can also be held international responsible for failure to act to prevent such harmful activities conducted from their territory. The ICJ articulated this principle of due diligence in the Corfu Channel case: “every State’s obligation not to allow
knowingly its territory to be used for acts contrary to the rights of other States”.111 The IGE
also acknowledged this rule for prejudicial cyber operation.112 It is worth noting that this
obligation is one of conduct and not result.113
Although, some cyber operations cannot be considered a violation of the principle of non-intervention, it may very well be a violation of a State’s domestic law. States can, for example, exercise criminal jurisdiction over individuals, terrorists or criminal organizations, who engage in cyber operations that threatens their national security. So, in principle, these actors can be prosecuted, however, exercising jurisdiction can be problematic in practice.
4.2.2 Elements of the Principle of Non-Intervention
The principle of non-intervention consists of two elements. First, an act must relate to matters that involve the internal or external affairs of the target State. Secondly, the act must be coercive in nature.114 The ‘internal affairs’ relate to the notion of domestic jurisdiction, or the
so called domaine réservé, under which States are allowed, within the limits posed by international law, to regulate their own affairs.115 The ICJ stated that “A prohibited intervention
must accordingly be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy.” Cyber operations directed to
frustrate national elections fall within this domaine réservé and could constitute a violation of the principle, while purely commercial activities in cyberspace do not.116 So, an act must be
directed at the State’s sovereign prerogative, or, more importantly, designed to undermine the State’s authority over their domaine réservé. The choice of both the political system and its organization lies at the heart of sovereignty and are considered the most manifest part of the State’s domaine réservé. So, it is prohibited to use coercive cyber operations to alter or suborn modification of foreign State’s governmental or social structure or being.117 Cyber operations
109 Gill 2013, p. 222.
110 Tallinn Manual 2.0, p. 313-314.
111 ICJ, Corfu Channel, Judgment of 9 April 1949, p. 22. 112 Tallinn Manual 2.0, Rule 7, p. 43.
113 Schmitt 2017, p. 12. 114 Tallinn Manual, 2.0, p. 314. 115 Gill 2013, p. 217.
116 Schmitt 2017, p. 7. 117 Tallinn Manual 2.0, p. 315.
should, furthermore, not be directed at the undermining of the State’s authority over their
domaine réservé.
As mentioned, a constituent element of intervention is coercion. As the ICJ noted: “intervention
is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones”.118 The element of coercion forms the very essence of prohibited intervention.
Armed force, for example, is the highest form of coercion, but also lower forms of interference can be coercive as we have seen. The Friendly Relations Declaration also emphasized “the
duty of States to refrain in their international relations from military, political, economic or any other form of coercion aimed against the political independence or territorial integrity of any State”.119 Preventing a State to exercise its sovereign rights would be unlawful. Because
coercion is thus a crucial element when it comes to intervention, Gill defines intervention as ‘coercive interference’.120 Determining the coercive character is, however, difficult and is
sometimes referred to as ‘the grey zones of international law’.121 The majority if the IGE finds
that a coercive act must at least be designed to influence outcomes in, or conduct with respect to, a prerogative of a target State.122 Deploying a cyber operation against a private company in
another State would not qualify as coercion, because it is not intended to change any outcome in the conduct of the target State.
The ICJ concluded that States must ‘decide freely’, but how freely must a State exactly be? The Friendly Relations Declaration states: “no State shall organize, assist, foment, finance,
incite or tolerate subversive, terrorist or armed activities directed towards the violent overthrow of the regime of another State, or interfere in civil strife in another State” and that
“Every State has an inalienable right to choose its political, economic, social and cultural
systems, without interference in any form by another State”. This freedom is, however, not an
unlimited right.123 International law can deviate from this freedom, for example, when there is
a threat to the peace and security. Furthermore, it is completely accepted for States to influence and use some pressure to negotiate a better agreement, such as more favorable trade and economic relations. Verbal criticism of another State’s policy, moral or even political support for opposition movements are likewise not coercive and therefore do not constitute intervention. This changes when such support involves incitements aimed at overthrowing or undermining the authority of a government of foreign State, or when a State is assisting armed revolt, terrorist acts or any other similar acts directed at causing domestic unrest or civil strife.124
The most crucial question in this matter is when does an action become coercive and when is it merely interference. The IGE also acknowledged that the distinction is not always clear.125 The transition area usually starts with the ‘borderline’ activity of espionage, which
under certain circumstances could constitute intervention. This obtaining of information is
118 ICJ, Military and Paramilitary Activities in and against Nicaragua, Judgment of 27 June 1986, para. 204. 119 Declaration on Principles of International Law concerning Friendly Relations and Co-operation among States in accordance with the Charter of the United Nations, A/Res/25/2625 (XXV), adopted on 24 October
1970. 120 Gill 2013, p. 217. 121 Schmitt 2017, p. 8. 122 Tallinn Manual 2.0, p. 318. 123 Gill 2013, p. 221. 124 Idem, p. 222-223. 125 Tallinn Manual 2.0, p. 319.
most of the times prohibited under domestic criminal law, but in principle not under international law. The reason of this is that such action in itself fall short of notion of coercion.126 This might be different when governmental offices or diplomatic premises are
violated, or diplomatically protected communications are intercepted and stored. It then depends on how such data is being used to interfere with the target State’s conduct. Such data could for example be used to blackmail a government to act in a certain manner which it would otherwise not engage in. Publishing such data might also violate the principle of non-intervention if it is intended to manipulate the process of elections and cause it to go in a direction which it otherwise would not have. Such action would then become coercive.127
Subversive interference, such as propaganda and disinformation, intended to influence the situation in another State does not generally violate other rules of international law. These acts used to be conducted through radio or television shows but are now taking place in realm of cyber.128 However, cyber operations used to conduct a propaganda campaign are prohibited
if they are designed to foment revolt or civil strife in another State or are devoted to assisting illegal and violent activities.129
Usually diplomacy, albeit intended to cause a State to act in a certain manner, do not qualify as intervention, because the target state retains the ability to choose. The decisions are meant to be affected but remain voluntary even though they may now be suboptimal.
4.2.3 Other Legal Questions Concerning Non-Intervention
When it comes to the principle of non-intervention regarding cyber operations, the Tallinn Manual lists a few other legal questions which are worth noting.
First of all, the requisite of causality: does there have to be a casual nexus between the act and the infringement on the internal or external affairs of the target state in order to be coercive? The majority of experts view that an act is coercive if a State, albeit indirectly, had the purpose to cause the target State to take a decision that it otherwise would not have taken.130
Then there is the knowledge requirement: should a target State have knowledge of a cyber operations constitution intervention. The majority concluded that such knowledge is not a precondition of the prohibition and that a forceful covert cyber operation does constitute a prohibited intervention even though the target State is unaware. The minority, however, claims that if a target State is unaware of a cyber operation, their will has not been coerced.131
Next is the question of intent: is the intent of a State necessary to constitute intervention. The IGE answered this question affirmatively. Cyber activities having a de facto coercive effect on a State, does not necessarily violate the principle of non-intervention.
Finally, if the outcome of a cyber operation fails to produce a desired outcome, it does not affect the offensive character of the operation. In certain circumstances the threat is already enough to violate the principle.132
126 Gill 2013, p. 225. 127 Schmitt 2017, p. 8.
128 P. Kunig, ‘Intervention, Prohibition of’, in Max Planck Encyclopedia of Public International Law, 2008,
para. 24.
129 Tallinn Manual 2.0, p. 26. 130 Idem, p. 320.
131 Tallinn Manual 2.0, p. 321. 132 Idem, p. 322.
4.3 Prohibition on the Use of Force and Self-Defense
4.3.1 Use of Force
It is clear that most cyber operations do not amount to the use of force as defined in Article 2(4) of the UN Charter. The threshold for the use of force in cyber operations can be equated with amount of force used with traditional weapons. Generally, it is agreed that a cyber operation which causes physical damage or injury is considered a violation of the use of force.133 This is the traditional approach of classical kinetic hostilities. As seen in previous
chapter, the Tallinn Manual provides indicative factors to determine whether the use of force can be established.
Some acts that do not cause physical harm or injury may rise to the use of force. First of all, the ICJ acknowledged that the arming and training of the armed group to fight against another State can certainly amount to the use of force.134 By analogy, training and arming cyber
activist to target another State, could then also be viewed as a prohibited use of force. The nature of a cyber operation’s consequences then becomes highly relevant. 135 In particular, the
severity of consequences will determine whether a cyber operation qualify as a use of force.
This is the only factor that on itself is suffices to qualify as a use of force. Between acts causing physical harm and acts causing inconvenience or irritation is a whole scale of activities. As the Tallinn Manual explains: “the more consequences impinge on critical national interest, the
more they will contribute to the depiction of a cyber operation as a use of force”.136 The scope,
duration and intensity of the consequences will influence the assessment of severity. Besides severity, the immediacy of consequences, directness of consequences, invasiveness of the
operation and other factors together will determine whether a cyber operation is more likely to
be considered a use of force.137
States may very well not use force but threatening to use force is also prohibited under the Charter. Cyber can be used to threaten in two situations: either when cyber is used to communicate a threat to use force, or when the threatened force will be carried out through a cyber operation that will rise to use of force. Threats are lawful if the threatened action is itself lawful.138 Generally, this is not the case with the use of force, which makes the threat also
unlawful. Threats do not necessarily require a demand accompanying the threat, but since a threat is intended to be coercive in effect, it usually has.139
4.3.2 Self-Defense
An armed attack requires a somewhat higher threshold than the use of force, since it gives rise to the right of self-defense. Cyber operations that rises to the level of an armed attack are those whose ‘scale and effects’ in terms of significant death of or injury to persons, or damage to or
133 Schmitt 2017, p. 14.
134 ICJ, Military and Paramilitary Activities in and against Nicaragua, Judgment of 27 June 1986, para. 228. 135 Schmitt 2015, p. 1114.
136 Tallinn Manual 2.0, p. 334. 137 Idem, p. 334-336.
138 ICJ, Legality of the Threat or Use of Nuclear Weapons, Advisory opinion of 8 July 1996, para. 47. 139 Tallinn Manual 2.0, p. 338.
