
December 10, 2021
Use of Force in Cyberspace
Introduction
There are no internationally accepted criteria yet for determining whether a nation state cyberattack is a use of force equivalent to an armed attack, which could trigger a military response. Likewise, no international, legally binding instruments have yet been drafted explicitly to regulate inter-state relations in cyberspace. Self-defense and countermeasures for armed attacks are permitted in international law when a belligerent violates international law during peacetime, or violates the law of armed conflict during wartime. However, the term “armed attack” has no universally accepted definition and is still not well-settled with respect to cyberattacks. In addition to what constitutes an armed attack in cyberspace, questions remain over which provisions of existing international law govern the conduct of war in cyberspace.

Relevant Treaty Provisions
1. North Atlantic Treaty Article 4: “The Parties will consult together whenever, in the opinion of any of them, the territorial integrity, political independence or security of any of the Parties is threatened.”
2. North Atlantic Treaty Article 5: “The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.”
3. United Nations Charter Article 51: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.”

United States Doctrine
In September 2012, the State Department took a public position—still in effect—on whether cyber activities could constitute a use of force under Article 2(4) of the United Nations (U.N.) Charter and customary international law. According to State’s then-legal advisor, Harold Koh, “Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force.” Examples offered in Koh’s remarks included triggering a meltdown at a nuclear plant, opening a dam and causing flood damage, and causing airplanes to crash by interfering with air traffic control. By focusing on the ends achieved rather than the means with which they are carried out, this definition of cyber war arguably fits within existing international legal frameworks. If an actor employs a cyber weapon to produce kinetic effects that might replicate fire power under other circumstances, then the use of that cyber weapon rises to the level of the use of force.

However, the United States recognizes that cyberattacks without kinetic effects are also an element of armed conflict under certain circumstances. Koh explained that cyberattacks on information networks in the course of an ongoing armed conflict would be governed by the same principles of proportionality that apply to other actions under the law of armed conflict. These principles include retaliation in response to a cyberattack with a proportional use of kinetic force. In addition, “computer network activities that amount to an armed attack or imminent threat thereof” may trigger a nation’s right to self-defense under Article 51 of the U.N. Charter. The 2011 International Strategy for Cyberspace affirmed that “when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.” The International Strategy, which has not been updated, goes on to say that the U.S. reserves the right to use all means necessary—diplomatic, informational, military, and economic—as appropriate and consistent with applicable law. One of the defense objectives of the International Strategy is to work internationally “to encourage responsible behavior and oppose those who would seek to disrupt networks and systems, dissuading and deterring malicious actors, and reserving the right to defend national assets.” Chapter XVI of the Department of Defense Law of War Manual notes that the United States strives to work with other states to clarify not whether international law applies to cyberspace, but how.

NATO Doctrine
In 2009, the North Atlantic Treaty Organization (NATO) Cooperative Cyber Defense Center convened an international group of independent experts to draft a manual on the law governing cyber conflict. The first Tallinn Manual, as it is known, was published in 2013 and offers 95 “black letter rules” addressing sovereignty, state responsibility, the law of armed conflict, humanitarian law, and the law of neutrality. The Tallinn Manual is an academic text and as such nonbinding. Published in February 2017, Tallinn Manual 2.0 expands upon the first and offers 154 black letter rules governing cyber operations, including in peacetime. In the provisions of Article 5 of the North Atlantic Treaty, an attack on one member is considered an attack on all, affording military assistance in accordance with Article 51 of the U.N. Charter. However, NATO does not presently define cyberattacks as clear military action. The Tallinn Manual equates a use of force to those cyber operations whose “effects ... were analogous to those that would result from an action otherwise qualifying as a kinetic armed attack.”

Article 4 of the North Atlantic Treaty applies the principles of collective consultation to any member state whose security and territorial integrity has been threatened; however, it is unclear how this article would apply to the various categories of cyberattacks, some of which may not have kinetic equivalents. Also unclear is the concept of jurisdiction and what constitutes territorial integrity for those member states who view cyberspace as a global domain or commons.

International Law
The so-called “Law of War,” also known as the law of armed conflict, embodied in the Geneva and Hague Conventions and the U.N. Charter may, in some circumstances, apply to cyberattacks, but without specific agreement on its applicability, its relevance remains unclear. It is also complicated by difficulties in attribution, the potential use of remote computers, and possible harm to third parties from cyber counterattacks, which may be difficult to contain. In addition, as with NATO doctrine, questions of territorial boundaries and what constitutes an armed attack in cyberspace remain. The law’s application would appear clearest in situations where a cyberattack causes physical damage, such as disruption of an electric grid. As mentioned above, the Tallinn Manual addresses many of these questions. In the absence of a treaty-based definition for what constitutes an armed attack or use of force in cyberspace, Tallinn Manual co-author Michael Schmitt has proposed in his academic publications criteria for analysis under international law.

Schmitt Analysis
Severity: Consequences involving physical harm to individuals or property will alone amount to a use of force while those generating only minor inconvenience or irritation will not. The more consequences impinge on critical national interests, the more they will contribute to the depiction of a cyber operation as a use of force.
Immediacy: The sooner consequences manifest, the less opportunity states have to seek peaceful accommodation of a dispute or to otherwise forestall their harmful effects. Therefore, states harbor a greater concern about immediate consequences than those that are delayed or build slowly over time.
Directness: The greater the attenuation between the initial act and the resulting consequences, the less likely states will be to deem the actor responsible for violating the prohibition on the use of force.
Invasiveness: The more secure a targeted system, the greater the concern as to its penetration. By way of illustration, economic coercion may involve no intrusion at all (trade with the target state is simply cut off), whereas in combat the forces of one state cross into another in violation of its sovereignty. Although highly invasive, espionage does not constitute a use of force (or armed attack) under international law absent a nonconsensual physical penetration of the target state’s territory.
Measurability: The more quantifiable and identifiable a set of consequences, the more a state’s interest will be deemed to have been affected. This is particularly challenging in a cyber event where damage, economic or otherwise, is difficult to quantify. Economic coercion or hardship does not qualify under international law as an armed attack.
Presumptive legitimacy: In international law, acts that are not forbidden are permitted; absent an explicit prohibition, an act is presumptively legitimate. For instance, it is generally accepted that international law governing the use of force does not prohibit propaganda, psychological warfare, or espionage. To the extent such activities are conducted through cyber operations, they are presumptively legitimate.
Responsibility: The law of state responsibility governs when a state will be responsible for cyber operations. However, that responsibility lies along a continuum from operations conducted by a state itself to those in which it is merely involved in some fashion. The closer the nexus between a state and the operations, the more likely other states will be inclined to characterize them as uses of force, for the greater the risk posed to international stability. Attributing the level of state involvement to a cyberattack can be particularly challenging.

The basic principles encompassed in the Hague Conventions regarding the application of Armed Forces are those of military necessity, proportionality, humanity, and chivalry. A nation whose military is conducting cyber operations according to these principles may be said to be engaging in cyber war.

United Nations Norms
A 2004 U.N. General Assembly resolution called for the convening of and a report from an international group of government experts (GGE) from 15 nations, including the United States, to secure cyberspace by agreeing upon “norms, rules and principles of responsible behaviour by States.” Unlike the work done at Tallinn under the auspices of NATO, this U.S.-led process included both China and Russia. The 2015 GGE report achieved consensus on 11 norms for the use of cyberspace, to include, among others, that nations (1) should not intentionally damage each other’s critical infrastructure with cyberattacks, (2) should not target each other’s cyber emergency responders, and (3) should assist other nations investigating cyberattacks launched from their territories. A fourth norm, stating the United States will not use cyber surveillance to steal information about foreign companies to benefit U.S. firms, was articulated by then-Secretary of State John Kerry and adopted as official U.S. government policy. While also nonbinding, U.N. Resolution 70/237 calls upon Member States to be guided by the norms set forth in the 2015 GGE report. The following 2016/2017 GGE failed to achieve consensus, due in part to objections from some member countries on explicitly applying rules on the use of force under Article 51, which they argued would represent the militarization of cyberspace. Yet the recent 2019/2021 GGE affirms the applicability of both international law and the U.N. Charter in its entirety. The GGE 2019/2021 also notes that international humanitarian law applies only in situations of armed conflict.

Catherine A. Theohary, Specialist in National Security Policy, Cyber and Information Operations
IF11995
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11995 · VERSION 1 · NEW