Updated December 14, 2023
Use of Force in Cyberspace
Introduction
achieved rather than the means with which they are carried
There are no internationally accepted criteria yet for
out, this definition of cyber war arguably fits within
determining whether a nation state cyberattack is a use of
existing international legal frameworks. If an actor employs
force equivalent to an armed attack, which could trigger a
a cyber weapon to produce kinetic effects that might
military response. Likewise, no international, legally
replicate fire power under other circumstances, then the use
binding instruments have yet been drafted explicitly to
of that cyber weapon rises to the level of the use of force.
regulate inter-state relations in cyberspace. Self-defense and
However, the United States recognizes that cyberattacks
countermeasures for armed attacks are permitted in
without kinetic effects are also an element of armed conflict
international law when a belligerent violates international
under certain circumstances. Koh explained that
law during peacetime, or violates the law of armed conflict
cyberattacks on information networks in the course of an
during wartime. However, the term “armed attack” has no
ongoing armed conflict would be governed by the same
universally accepted definition and is still not well-settled
principles of proportionality that apply to other actions
with respect to cyberattacks. In addition to what constitutes
under the law of armed conflict. These principles include
an armed attack in cyberspace, questions remain over which
retaliation in response to a cyberattack with a proportional
provisions of existing international law govern the conduct
use of kinetic force. In addition, “computer network
of war in cyberspace.
activities that amount to an armed attack or imminent threat
thereof” may trigger a nation’s right to self-defense under
Relevant Treaty Provisions
Article 51 of the U.N. Charter. The 2011 International
Strategy for Cyberspace affirmed that “when warranted, the
North Atlantic Treaty Article 4: “The Parties wil consult
United States will respond to hostile acts in cyberspace as
together whenever, in the opinion of any of them, the
we would to any other threat to our country.” The
territorial integrity, political independence or security of any
International Strategy, which has not been updated, goes on
of the Parties is threatened.”
to say that the U.S. reserves the right to use all means
North Atlantic Treaty Article 5: “The Parties agree that
necessary—diplomatic, informational, military, and
an armed attack against one or more of them in Europe or
economic—as appropriate and consistent with applicable
North America shal be considered an attack against them all
law. One of the defense objectives of the International
and consequently they agree that, if such an armed attack
Strategy is to work internationally “to encourage
occurs, each of them, in exercise of the right of individual or
responsible behavior and oppose those who would seek to
col ective self-defence recognised by Article 51 of the Charter
disrupt networks and systems, dissuading and deterring
of the United Nations, wil assist the Party or Parties so
malicious actors, and reserving the right to defend national
attacked by taking forthwith, individually and in concert with
assets.” Chapter XVI of the Department of Defense Law of
the other Parties, such action as it deems necessary, including
War Manual notes that the United States strives to work
the use of armed force, to restore and maintain the security
with other states to clarify not whether international law
of the North Atlantic area.”
applies to cyberspace, but how.
United Nations Charter Article 51: “Nothing in the
NATO Doctrine
present Charter shall impair the inherent right of individual or
col ective self-defence if an armed attack occurs against a
In 2009, the North Atlantic Treaty Organization (NATO)
Member of the United Nations, until the Security Council has
Cooperative Cyber Defense Center convened an
taken measures necessary to maintain international peace and
international group of independent experts to draft a manual
security.”
on the law governing cyber conflict. The first Tallinn
Manual, as it is known, was published in 2013 and offers
95 “black letter rules” addressing sovereignty, state
United States Doctrine
responsibility, the law of armed conflict, humanitarian law,
In September 2012, the State Department took a public
and the law of neutrality. The Tallinn Manual is an
position—still in effect—on whether cyber activities could
academic text and as such nonbinding. Published in
constitute a use of force under Article 2(4) of the United
February 2017, Tallinn Manual 2.0 expands upon the first
Nations (U.N.) Charter and customary international law.
and offers 154 black letter rules governing cyber
According to State’s then-legal advisor, Harold Koh,
operations, including in peacetime. In the provisions of
“Cyber activities that proximately result in death, injury, or
Article 5 of the North Atlantic Treaty, an attack on one
significant destruction would likely be viewed as a use of
member is considered an attack on all, affording military
force.” Examples offered in Koh’s remarks included
assistance in accordance with Article 51 of the U.N.
triggering a meltdown at a nuclear plant, opening a dam and
Charter. However, NATO does not presently define
causing flood damage, and causing airplanes to crash by
cyberattacks as clear military action. The Tallinn Manual
interfering with air traffic control. By focusing on the ends
equates a use of force to those cyber operations whose
https://crsreports.congress.gov
Use of Force in Cyberspace
“effects ... were analogous to those that would result from
an action otherwise qualifying as a kinetic armed attack.”
have been affected. This is particularly challenging in a cyber
event where damage, economic or otherwise, is difficult to
Article 4 of the North Atlantic Treaty applies the principles
quantify. Economic coercion or hardship does not qualify
of collective consultation to any member state whose
under international law as an armed attack.
security and territorial integrity has been threatened;
however, it is unclear how this article would apply to the
Presumptive legitimacy: In international law, acts that are
various categories of cyberattacks, some of which may not
not forbidden are permitted; absent an explicit prohibition, an
have kinetic equivalents. Also unclear is the concept of
act is presumptively legitimate. For instance, it is generally
jurisdiction and what constitutes territorial integrity for
accepted that international law governing the use of force
those member states who view cyberspace as a global
does not prohibit propaganda, psychological warfare, or
domain or commons.
espionage. To the extent such activities are conducted
through cyber operations, they are presumptively legitimate.
International Law
Responsibility: The law of state responsibility governs when
The so-called “Law of War,” also known as the law of
a state wil be responsible for cyber operations. However,
armed conflict, embodied in the Geneva and Hague
that responsibility lies along a continuum from operations
Conventions and the U.N. Charter may, in some
conducted by a state itself to those in which it is merely
circumstances, apply to cyberattacks, but without specific
involved in some fashion. The closer the nexus between a
agreement on its applicability, its relevance remains
state and the operations, the more likely other states wil be
unclear. It is also complicated by difficulties in attribution,
inclined to characterize them as uses of force, for the greater
the potential use of remote computers, and possible harm to
the risk posed to international stability. Attributing the level of
third parties from cyber counterattacks, which may be
state involvement to a cyberattack can be particularly
difficult to contain. In addition, as with NATO doctrine,
challenging.
questions of territorial boundaries and what constitutes an
armed attack in cyberspace remain. The law’s application
The basic principles encompassed in the Hague
would appear clearest in situations where a cyberattack
Conventions regarding the application of Armed Forces are
causes physical damage, such as disruption of an electric
those of military necessity, proportionality, humanity, and
grid. As mentioned above, the Tallinn Manual addresses
chivalry. A nation whose military is conducting cyber
many of these questions. In the absence of a treaty-based
operations according to these principles may be said to be
definition for what constitutes an armed attack or use of
engaging in cyber war.
force in cyberspace, Tallinn Manual co-author Michael
Schmitt has proposed in his academic publications criteria
United Nations Norms
for analysis under international law.
A 2004 U.N. General Assembly resolution called for the
convening of and a report from an international group of
Schmitt Analysis
government experts (GGE) from 15 nations, including the
Severity: Consequences involving physical harm to
United States, to secure cyberspace by agreeing upon
individuals or property wil alone amount to a use of force
“norms, rules and principles of responsible behaviour by
while those generating only minor inconvenience or irritation
States.” Unlike the work done at Tallinn under the auspices
wil not. The more consequences impinge on critical national
of NATO, this U.S.-led process included both China and
interests, the more they wil contribute to the depiction of a
Russia. The 2015 GGE report achieved consensus on 11
cyber operation as a use of force.
norms for the use of cyberspace, to include, among others,
that nations (1) should not intentionally damage each
Immediacy: The sooner consequences manifest, the less
other’s critical infrastructure with cyberattacks, (2) should
opportunity states have to seek peaceful accommodation of a
not target each other’s cyber emergency responders, and (3)
dispute or to otherwise forestall their harmful effects.
should assist other nations investigating cyberattacks
Therefore, states harbor a greater concern about immediate
launched from their territories. A fourth norm, stating the
consequences than those that are delayed or build slowly over
United States will not use cyber surveillance to steal
time.
information about foreign companies to benefit U.S. firms,
Directness: The greater the attenuation between the initial
was articulated by then-Secretary of State John Kerry and
act and the resulting consequences, the less likely states wil
adopted as official U.S. government policy. While also
be to deem the actor responsible for violating the prohibition
nonbinding, U.N. Resolution 70/237 calls upon Member
on the use of force.
States to be guided by the norms set forth in the 2015 GGE
Invasiveness: The more secure a targeted system, the
report. The following 2016/2017 GGE failed to achieve
greater the concern as to its penetration. By way of
consensus, due in part to objections from some member
il ustration, economic coercion may involve no intrusion at all
countries on explicitly applying rules on the use of force
(trade with the target state is simply cut off), whereas in
under Article 51, which they argued would represent the
combat the forces of one state cross into another in violation
militarization of cyberspace. Yet the March 2021 report of
of its sovereignty. Although highly invasive, espionage does
the sixth and last GGE affirms the applicability of both
not constitute a use of force (or armed attack) under
international law and the U.N. Charter in its entirety. The
international law absent a nonconsensual physical penetration
2021 GGE report also notes that international humanitarian
of the target state’s territory.
law applies only in situations of armed conflict.
Measurability: The more quantifiable and identifiable a set of
consequences, the more a state’s interest wil be deemed to
Catherine A. Theohary, Specialist in National Security
Policy, Cyber and Information Operations
https://crsreports.congress.gov
Use of Force in Cyberspace
IF11995
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11995 · VERSION 3 · UPDATED