Right to Self-Defense in Cyber Warfare
With the sudden proliferation of cyber-attacks at the global level, the absence
of a specific legal structure to curb the menace of cyberspace leaves netizens
in a digital gulag. Moreover, international organizations have so far failed to
formulate a robust legal structure for analyzing cyberspace. Many scholars,
however, have construed the current international framework in terms of modern
cyber conflicts. In particular, Article 2(4) and Article 51 of the United Nations
Charter of Rights and Freedoms (UN Charter), which regulate the prohibition on
the use of force and the right to self-defense respectively, are the central
point of debate.
This article will examine the position of cyber-attacks within the ambit of jus
ad bellum. The first part attempts to classify whether a cyber-attack qualifies
as force. The second part analyses the relationship between an armed attack and
a cyber-attack, focusing on the right to self-defense. Lastly, the article
examines the possible application of the Caroline doctrine in international
cyber conflicts. The solution lies in the drafting of a new international treaty
based on the principles of the manual drafted by NATO members.
Generally, cyber-attacks between two states are known as cyber warfare. Cyber-war
refers to an attack by a state through a computer system in order to drastically
destroy another state's computer systems and/or information networks. This
definition of cyber warfare should not be seen as conclusive, as it is an
amalgamation of various definitions made primarily for use in this article.
Moreover, the expressions cyberwar and cyber operation are used interchangeably
to denote cyber warfare in the article.
Use of force in cyberwarfare
In terms of Article 2(4), the member states shall refrain from the 'use of
force' in international conflict. But is the expression 'force' readable in the
context of a cyber-attack? In this regard, Sir Ian Brownlie, a British barrister,
propounded a consequentiality or result-oriented approach and argued that the
use of chemical and biological weapons falls under the definition of force,
since they are 'modes of warfare' causing destruction of life and property.
By way of analogy, computer systems are also used to launch egregious
cyber-attacks which beget astronomical physical as well as virtual (information
stored in computers) destruction; therefore, they are one of the modes of
warfare in cyberspace. For instance, in 2015 Russian intelligence hackers
attacked Ukraine's regional energy utilities, which resulted in a long power
outage of six hours that affected about 225,000 civilians; this gross
destruction was the first full-blown real cyber operation the world had
encountered.
Per contra, Wingfield, a defense researcher, emphasizes an effect-based approach
and said:
It should be immaterial whether a power
transmission substation is destroyed by a 2000-lb bomb or by a line of malicious
code inserted into the substation's master control program because the amount of
damage is equivalent.
This approach appears to be erroneous, though, as not every cyber-attack causes
physical destruction: in the 2016 Presidential election in the US, the Russian
government was accused of tampering with the voter databases via cyber-attack,
causing no physical destruction. Notably, the International Court of Justice
(ICJ) also held that the prohibition on the use of force "applies to any use of
force, regardless of the weapons employed." Apparently, the force used shall
cause some physical destruction. All cyber-attacks, however, do not necessarily
cause physical destruction, as the majority of cyber-attacks are merely used for
espionage; therefore, it cannot be patently argued that they comply with
Article 2(4). However, those cyber-attacks which cause physical deterioration
should be consistent with Article 2(4) and thus will potentially qualify as
force.
Contrasting armed attack and cyber attack
Article 2(4) prohibits the use of force in conflict; on the contrary, Article 51
of the UN Charter preserves the right of self-defense in such conflicts. It
provides:
[N]othing in the present Charter shall impair the inherent right of
individual or collective self-defense if an armed attack occurs against a Member
of the United Nations, until the Security Council has taken measures necessary
to maintain international peace and security.
The expression 'if an armed attack occurs' suggests that the right to
self-defense can be exercised only if an armed attack takes place. An armed
attack, however, is nowhere defined under the jus ad bellum; therefore, it is at
the discretion of the courts to interpret it accordingly.
The ICJ, in the Nicaragua v. USA case, ruled that:
A definition of the "armed attack" which, if found to exist, authorizes the
exercise of the inherent right of self-defense, is not provided in the Charter,
and is not part of treaty law.
Additionally, the ICJ distinguished armed attack from armed force and succinctly
held that the former requires a minimum level of gravity to constitute a use of
force, such as a mere frontier incident, on the basis of the scale and effects
involved in force. Thus, in the cyber context, it implies that state-sponsored
cyber-attacks may be considered equivalent to an armed attack if they cause
death, injury, or physical destruction which impinges on the sovereignty of the
victim-state. Consequently, the liberal interpretation of an armed attack
potentially encompasses the state-sponsored cyber-attack, thus triggering
Article 51 and giving rise to the right of self-defense.
The notion of self-defense empowers the defending state to take countermeasures
or protect itself with justified use of force against the attacking state. Under
international law, self-defense has been used in order to balance the rights of
the assailant state against the defending state. Interestingly, the anonymous
feature of cyber-attacks rules out the existing self-defense doctrine and
hardens the fault lines.
The Caroline doctrine, confirmed as customary law, provides a framework to
govern the right to self-defense. The doctrine comprises the principles of
necessity, proportionality, and immediacy. The principle of necessity aims to
repel or avert the armed attack by use of force when it is overwhelmingly
imperative and other alternative remedies have been exhausted. The principle of
proportionality determines the balanced response of the defending state against
the attacking state: the harm caused by the defending state in self-defense must
be proportional to the harm caused by the attacking state. Lastly, the principle
of immediacy implies that the victim-state can only defend itself when an
imminent or ongoing attack persists.
Applying the said doctrine to cyberwar, it is blisteringly difficult for the
victim-state to detect the assailant and, in turn, take countermeasures against
the ongoing attack, since such attacks could be designed and timed to show their
harmful effects only months after the attacker's intrusion. Thus, necessity and
immediacy become untenable in cyber conflicts.
As regards proportionality, owing to the gigantic interconnectivity of
information networks, the effect of a cyber-attack is imponderable: the
disproportionate collateral damage and 'reverberating effects' indiscriminately
enmesh anyone. In effect, the Caroline doctrine is lackadaisical and inapt in
terms of cyber warfare due to the unambiguous and eccentric nature of
cyberspace.
Furthermore, Article 51bis provides for anticipatory self-defense in warfare; it
implies that a victim-state may attack another state allegedly planning to
attack. The thorny issue is the application of anticipatory self-defense
criteria to cyber operations. As cyber-attacks are virtual attacks, prior
intuition of an attack is arduous to predetermine. So, what prompts the
victim-state to intrude into another state's computer system? Eventually, it
ends up as pre-emptive self-defense rather than anticipatory, which is violative
of international law.
Hence, the Caroline doctrine and Article 51 are outdated and incompatible with
emerging cyber warfare, and the issue still persists whether a victim-state, in
self-defense, can attack back and intrude into foreign computers legitimately to
deter cyber-attacks.
A Way Forward
The above analysis shows that the existing international legal framework has
become redundant and inept. Self-defense in cyber warfare seems to beget
harrowing consequences because of the anonymous and untoward behavior of
cyberspace. However, the NATO Cooperative Cyber Defense Centre of Excellence, an
international group, has formulated the Tallinn Manual, a non-binding
international work applicable to cyber conflicts.
The Tallinn Manual is a shining development that accurately examines the lacunae
in lex lata and astutely envisages a lex ferenda for cyber policy. Of late, it
has been updated to version 2.0. Rules 71 to 75 of the Tallinn Manual 2.0 deal
with self-defense in cyber conflicts and also cover the abovementioned
principles. It is merely a blueprint for legislating an international treaty.
Moreover, it can also be used to update the 2001 Council of Europe Convention on
Cybercrime, which implicates minuscule cybercrimes such as child pornography,
fraud etc. and is thus ineffective in dealing with large-scale cyber warfare
operations.
Cyber warfare has evolved as an emerging global threat. Therefore, only a robust
international framework formulated on global consensus could water down the
cyberspace menace and decide the rights and liability of the state.
Written By:
- Divyanshi Dwivedi, 4th year pursuing B.A. LL.B. (Hons.) from University of Allahabad and National Law University, Lucknow and
- Aviral Chandraa, 4th year pursuing B.A. LL.B. (Hons.) from University of Allahabad and National Law University, Lucknow.