The Russian invasion of the Ukraine has placed the world into a state of flux. Rarely in modern times has a United Nations member-state blatantly disregarded the sovereignty of another member-state to the extent that Russia has regarding the Ukraine. This conflict has the traditional aspects of warfare; soldiers and tanks fighting on the ground, the conscription of all Ukrainian men, etc. However, it also has an aspect that may not have existed the last time there was a war on European soil, cyber warfare. Cyber warfare includes methods of warfare that consists of cyber operations amounting to, or conducted in the context of, an armed conflict, within the meaning of International Humanitarian Law (“IHL”).[1] In diving deeper on that definition, the key aspect is the “amounting to” provision. An increasing number of States have acknowledged that IHL applies to cyber operations during armed conflict,[2] but could a cyberattack be the catalyst to an armed conflict, therefore triggering self defence by the State? To answer this question, one must review Tallin Manual 2.0 on the International Law Applicable to Cyber Warfare (“Tallin Manual”), the current academic authority on International Cyber Warfare.
Background on the Tallin Manual
It is important to note that the Tallin Manual is not a legally binding document on the rules of international law, but rather an aggregation of rules, guidelines, and procedures built by a group of international law advisors, referred to as the International Group of Experts, to provide guidance to states and scholars in assessing the applicability of modern cyber warfare operations to the traditional rules of war.
Starting with the Tallin Manual Rule 68, the threat or use of force […] is unlawful.[3] In defining when a cyber operation can constitute a use of force, Rule 69 states that a cyber operation constitutes the use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.[4] Further to this, the International Court of Justice in the Nicaragua case has ruled that any cyber operation that rises to the level of an “armed attack” in terms of scale and effect pursuant to Rule 71, and that is conducted by or otherwise attributable to a State, qualifies as a “use of force”.[5] Rule 71, the provision of self-defense against an armed attack, highlights that when a cyber operation rises to the level of an armed attack, the State in which was attacked may exercise its inherent right of self-defense; whether a cyber operation that constitutes a use of force rises to the level of an armed attack depends on it scale and effects.[6]Factors to assess the scale and effects of a cyber operation, originally articulated by Michael Schmitt,[7] was reaffirmed by the International Group of Experts following the Nicaragua case; they are severity, immediacy, directness, invasiveness, measurability of effects, military character, state involvement, and presumptive illegality. This a non-exhaustive list and other factors may be considered. For this article, I will look at severity, state involvement, the nature of the target, and the incidental effects of the operation.
For severity to be satisfied, the operation must either damage property to the extent that a missile or other type of ammunition would, or in other words, cause damage akin to that of kinetic warfare, or cause a chain of events that put human life in danger or caused death itself. Severity is a crucial component of this analysis and therefore whenever the threat of or damage to the life or property of an individual in another state is engaged, a cyber operation makes a strong case to be classified as a use of force. For state involvement to be satisfied, the government in which the attack was purported against must have certainty that the cyber operation was conducted by either state officials of another government or non-State officials who have taken an order from the State to engage in the cyber operation. Mere affiliation or physical location within a State may not be enough to satisfy this factor as “spoofing”, one actor masquerading as another, must always be a consideration. The nature of the target and incidental effects somewhat blend in deciphering where the line is to engage the use of force. This consideration, as well as state involvement, are problematic as they are hard to determine with certainty. When the nature of the target is that of which life-support measures are engaged such as a hospital or medical transportation, there would be a stronger case.
As technological advancements continue to alter the landscape of international warfare, understanding the existing guidelines for whether a physical response to cyberattack will be crucial for international law courts to rule in these areas in the future. The major issue remains identifying exactly who commissioned and directed the cyberattack itself and will continue to be the biggest impediment to determining if a cyberoperation could justifiably trigger a physical response under the guidelines of the Tallin Manual.
[1] Cyberwarfare and international humanitarian law: The ICRC’s position (2013), online (pdf) <https://www.icrc.org/en/doc/assets/files/2013/130621-cyberwarfare-q-and-a-eng.pdf>.
[2] International Committee of the Red Cross: International Humanitarian Law and the Challenges of Contemporary Armed Conflicts (2015) online (pdf): <https://www.icrc.org/en/download/file/15061/32ic-report-on-ihl-and-challenges-of-armed-conflicts.pdf>.
[3] Michael Schmitt and the International Group of Experts, Tallin Manual 2.0 on the International Law Applicable to Cyber Operations, (Cambridge University Press, 2017), DOI: <10.1017/9781316822524>.
[4] ibid at Rule 69.
[5] ibid at Rule 69, commentary 1.
[6] ibid at Rule 71.
[7] Computer Network and the Use of Force in International Law: Thoughts on a Normative Framework, Michael N Schmitt, 885, 914 (1999).
UCalgary Technology and Law Club 