Updated June 25, 2024
Use of Force in Cyberspace
Introduction
means with which they are carried out, this definition of
There are presently no internationally accepted criteria for
cyber war arguably fits within existing international legal
determining whether a nation state cyberattack is a use of
frameworks. If an actor employs a cyber weapon to produce
force equivalent to an armed attack, which could trigger a
kinetic effects that might replicate fire power under other
military response. Likewise, no international, legally
circumstances, then the use of that cyber weapon rises to
binding instruments have yet been drafted explicitly to
the level of the use of force. However, the United States
regulate inter-state relations in cyberspace. Self-defense and
recognizes that cyberattacks without kinetic effects are also
countermeasures for armed attacks are permitted in
an element of armed conflict under certain circumstances.
international law when a belligerent violates international
Koh explained that cyberattacks on information networks in
law during peacetime, or violates the law of armed conflict
the course of an ongoing armed conflict would be governed
(LOAC) during wartime. However, the term “armed attack”
by the same principles of proportionality that apply to other
has no universally accepted definition with respect to
actions under the LOAC. These principles include
cyberattacks. In addition to what constitutes an armed
retaliation in response to a cyberattack with a proportional
attack in cyberspace, questions remain over which
use of kinetic force. In addition, “computer network
provisions of existing international law govern the conduct
activities that amount to an armed attack or imminent threat
of war in cyberspace.
thereof” may trigger a nation’s right to self-defense under
Article 51 of the U.N. Charter. The 2011 International
Relevant Treaty Provisions
Strategy for Cyberspace affirmed that “when warranted, the
United States will respond to hostile acts in cyberspace as
North Atlantic Treaty Article 4: “The Parties wil consult
we would to any other threat to our country.” The 2024
together whenever, in the opinion of any of them, the
International Cyberspace & Digital Policy Strategy states
territorial integrity, political independence or security of any
that the United States is working to advance responsible
of the Parties is threatened.”
state behavior based on a U.N.-endorsed framework on “the
North Atlantic Treaty Article 5: “The Parties agree that
applicability of existing international law, adherence to
an armed attack against one or more of them in Europe or
globally accepted and voluntary norms of state behavior in
North America shall be considered an attack against them all
peacetime, development and implementation of confidence-
and consequently they agree that, if such an armed attack
building measures to reduce the risk of conflict in
occurs, each of them, in exercise of the right of individual or
cyberspace.” It refers to the 2023 Department of Defense
col ective self-defence recognised by Article 51 of the Charter
(DOD) Cyber Strategy goal “to reinforce responsible state
of the United Nations, wil assist the Party or Parties so
behavior by encouraging adherence to international law and
attacked by taking forthwith, individually and in concert with
internationally recognized cyberspace norms.” Chapter XVI
the other Parties, such action as it deems necessary, including
of the DOD Law of War Manual notes that the United
the use of armed force, to restore and maintain the security
States strives to work with other states to clarify not
of the North Atlantic area.”
whether international law applies to cyberspace, but how.
United Nations Charter Article 51: “Nothing in the
Both the Departments of State and Defense contend that
present Charter shall impair the inherent right of individual or
cyberattacks rising to the level of an armed attack may
col ective self-defence if an armed attack occurs against a
trigger mutual defense treaty obligations, though an armed
Member of the United Nations, until the Security Council has
attack in cyberspace remains undefined.
taken measures necessary to maintain international peace and
NATO Doctrine
security.”
In 2009, the North Atlantic Treaty Organization (NATO)
Cooperative Cyber Defense Center convened an
United States Doctrine
international group of independent experts to draft a manual
In September 2012, the State Department took a public
on the law governing cyber conflict. The first Tallinn
position on whether cyber activities could constitute a use
Manual, as it is known, was published in 2013 and offers
of force under Article 2(4) of the United Nations (U.N.)
95 “black letter rules” addressing sovereignty, state
Charter and customary international law. According to
responsibility, the LOAC, humanitarian law, and the law of
State’s then-legal advisor, Harold Koh, “Cyber activities
neutrality. The Tallinn Manual is an academic text and as
that proximately result in death, injury, or significant
such nonbinding. The February 2017 Tallinn Manual 2.0
destruction would likely be viewed as a use of force.”
expands upon the first and offers 154 black letter rules
Examples included triggering a meltdown at a nuclear
governing cyber operations, including in peacetime. In the
plant, opening a dam and causing flood damage, and
provisions of Article 5 of the North Atlantic Treaty, an
causing airplanes to crash by interfering with air traffic
attack on one member is considered an attack on all,
control. By focusing on the ends achieved rather than the
affording military assistance in accordance with Article 51
https://crsreports.congress.gov
Use of Force in Cyberspace
of the U.N. Charter. However, NATO does not presently
Measurability: The more quantifiable and identifiable a set of
define cyberattacks as clear military action. The Tallinn
consequences, the more a state’s interest wil be deemed to
Manual equates a use of force to those cyber operations
whose “effects ... were analogous
have been affected. This is particularly challenging in a cyber
to those that would result
event where damage, economic or otherwise, is difficult to
from an action otherwise qualifying as a kinetic armed
attack.” Article 4
quantify. Economic coercion or hardship does not qualify
of the North Atlantic Treaty applies the
under international law as an armed attack.
principles of collective consultation to any member state
whose security and territorial integrity has been threatened;
Presumptive legitimacy: In international law, acts that are
however, it is unclear how this article would apply to the
not forbidden are permitted; absent an explicit prohibition, an
various categories of cyberattacks, some of which may not
act is presumptively legitimate. For instance, it is generally
have kinetic equivalents. Also unclear is the concept of
accepted that international law governing the use of force
jurisdiction and what constitutes territorial integrity for
does not prohibit propaganda, psychological warfare, or
those member states who view cyberspace as a global
espionage. To the extent such activities are conducted
domain or commons.
through cyber operations, they are presumptively legitimate.
Responsibility: The law of state responsibility governs when
International Law
a state wil be responsible for cyber operations. However,
The so-called “Law of War,” also known as the LOAC,
that responsibility lies along a continuum from operations
embodied in the Geneva and Hague Conventions and the
conducted by a state itself to those in which it is merely
U.N. Charter may apply to cyberattacks, but lacks specific
involved in some fashion. The closer the nexus between a
agreement on its applicability. Complicating factors include
state and the operations, the more likely other states wil be
difficulties in attribution, the potential use of remote
inclined to characterize them as uses of force, for the greater
computers, and possible harm to third parties from cyber
the risk posed to international stability. Attributing the level of
counterattacks, which may be difficult to contain. In
state involvement to a cyberattack can be particularly
addition, as with NATO doctrine, questions of territorial
challenging.
boundaries and what constitutes an armed attack in
cyberspace remain. The law’s application would appear
The basic principles encompassed in the Hague
clearest in situations where a cyberattack causes physical
Conventions regarding the application of Armed Forces are
damage, such as disruption of an electric grid. As
those of military necessity, proportionality, humanity, and
mentioned above, the Tallinn Manual addresses many of
chivalry. A nation whose military is conducting cyber
these questions. In the absence of a treaty-based definition
operations according to these principles may be said to be
for what constitutes an armed attack or use of force in
engaging in cyber war.
cyberspace, Tallinn Manual co-author Michael Schmitt has
proposed in his academic publications criteria for analysis
United Nations Norms
under international law.
A 2004 U.N. General Assembly resolution called for the
convening of and a report from an international group of
Schmitt Analysis
government experts (GGE) from 15 nations, including the
Severity: Consequences involving physical harm to
United States, to secure cyberspace by agreeing upon
individuals or property wil alone amount to a use of force
“norms, rules and principles of responsible behaviour by
while those generating only minor inconvenience or irritation
States.” Unlike the work done at Tallinn under the auspices
wil not. The more consequences impinge on critical national
of NATO, this U.S.-led process included both China and
interests, the more they wil contribute to the depiction of a
Russia. The 2015 GGE report achieved consensus on 11
cyber operation as a use of force.
norms for the use of cyberspace, to include, among others,
that nations (1) should not intentionally damage each
Immediacy: The sooner consequences manifest, the less
other’s critical infrastructure with cyberattacks, (2) should
opportunity states have to seek peaceful accommodation of a
not target each other’s cyber emergency responders, and (3)
dispute or to otherwise forestall their harmful effects.
should assist other nations investigating cyberattacks
Therefore, states harbor a greater concern about immediate
launched from their territories. A fourth norm, stating the
consequences than those that are delayed or build slowly over
United States will not use cyber surveillance to steal
time.
information about foreign companies to benefit U.S. firms,
Directness: The greater the attenuation between the initial
was articulated by then-Secretary of State John Kerry and
act and the resulting consequences, the less likely states wil
adopted as official U.S. government policy. While also
be to deem the actor responsible for violating the prohibition
nonbinding, U.N. Resolution 70/237 calls upon Member
on the use of force.
States to be guided by the norms set forth in the 2015 GGE
Invasiveness: The more secure a targeted system, the
report. The following 2016/2017 GGE failed to achieve
greater the concern as to its penetration. By way of
consensus, due in part to objections from some member
il ustration, economic coercion may involve no intrusion at all
countries on explicitly applying rules on the use of force
(trade with the target state is simply cut off), whereas in
under Article 51, which they argued would represent the
combat the forces of one state cross into another in violation
militarization of cyberspace. The March 2021 final GGE
of its sovereignty. Although highly invasive, espionage does
report affirms the applicability of both international law and
not constitute a use of force (or armed attack) under
the U.N. Charter in its entirety. The 2021 GGE report also
international law absent a nonconsensual physical penetration
notes that international humanitarian law applies only in
of the target state’s territory.
situations of armed conflict.
https://crsreports.congress.gov
Use of Force in Cyberspace
IF11995
Catherine A. Theohary, Specialist in National Security
Policy, Cyber and Information Operations
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11995 · VERSION 4 · UPDATED