Oxford University Press's
Academic Insights for the Thinking World

Cyber War and International Law

By Dr. Russell Buchan and Nicholas Tsagourias


It seems both timely and necessary to question whether public international law adequately protects states from the threat of cyber attacks. This is because states have become increasingly dependent upon computer networks and the information that they hold in order to effectively regulate their societies. It is therefore unsurprising that hostile states, individuals and non state actors have sought to attack computer networks of target states with greater frequency and ferocity. This is exemplified by the much-discussed cyber attacks against Estonia (2007), Georgia (2008) and Iran (2010). Indeed, a day barely seems to pass without the media reporting that a state has been a victim of a cyber attack.

Cyber attacks can of course take many different forms. On the one hand, a cyber attack can cause physical damage comparable to that caused by conventional weapons. A cyber attack can corrupt the operating system of a power plant and cause a nuclear meltdown, for example, or shut down civil aviation systems thus causing civilian aircraft to crash.  On the other hand, a cyber attack may not cause any physical damage. Consider, for example, a cyber attack that appropriates sensitive data or causes key websites to cease functioning. However, this does not mean that cyber attacks causing non-physical damage does not affect adversely the security of a state. Indeed, the damage they can produce can be extremely serious. A good illustration would be a cyber attack that cripples a state’s financial sector or disables military defence systems.

The question then becomes whether international law is able to protect states against such cyber attacks that impact upon state security. Sure, international law has long sought to construct an international legal framework to protect states from hostile attacks from abroad: the jus ad bellum, as it is known. However, the jus ad bellum was created in the aftermath of the Second World War when the overwhelming threat to state security was represented by conventional weapons such as guns and bombs. An international legal framework, broadly represented by the United Nations (UN) Charter, was therefore constructed to address this type of threat: the threat of kinetic force. For example Article 2(4) UN Charter, which prohibits the threat or use of force among states, is generally regarded as encompassing only those acts that produce physical damage; namely, damage to physical property or death or injury to people. Similarly Article 51, which confirms a state’s inherent right to self-defence where an armed attack occurs, can only be engaged in those situations where there has been a grave use of force i.e. only where serious kinetic damage has been caused.

The conclusion, then, is that a cyber attack producing non-physical damage would seem to fall outside of the legal regime established by the UN Charter. The ability of the jus ad bellum to protect states from cyber attacks is therefore called into question. International lawyers must therefore dedicate attention to the application of the jus ad bellum to cyber attacks, seeking to reveal the deficiencies of the current legal framework and suggesting proposals for reform.

It is also important to consider the application of international humanitarian law (IHL) to cyber war. Crucially, IHL applies when there is an armed conflict. According to IHL, an armed conflict exists when there is exchange of hostilities between one or more parties. However, the question that arises is whether cyber hostilities that do not involve the use of kinetic force can give rise to an ‘armed conflict’ and, if they do, whether they need to reach a certain threshold. Even if cyber hostilities give rise to an armed conflict, the next question is whether the armed conflict is international or a non-international in character. This is because IHL maintains a firm distinction between these types of armed conflict and, more importantly, applies different legal regimes. The status of non-state entities or organisations and their links with states is also of paramount importance in this regard.

Cyber hostilities challenge many other established principles of IHL such as the principles of distinction and proportionality. These principles hold that civilians and civilian objectives should be distinguished from combatants and military objectives and that the action should be proportional to the military objective sought. However, in interconnected computer systems, adherence to these principles may prove difficult. For example, a cyber attack on a military computer system may incidentally but inevitably cause disproportionate damage to connected civilian systems and, consequently, may cause death or injury to civilians. A more intricate question is the status of those civilians who are involved in the design, installation or operation of cyber weapons. If it is concluded that they directly participate in hostilities they can be directly targeted. However, IHL’s definition of when an individual directly participates in hostilities was crafted in order to address situations such as when civilians chose to ‘farm by day, fight by night’ or provided ad hoc medical assistance to combatants. The point is that the application of this test to a qualitatively different scenario, such as those installing or operating computer systems, is very difficult.

These questions represent some of the most serious challenges that cyber war poses to IHL. As with the jus ad bellum, the role of the international lawyer is to question the adequacy of the application of IHL to cyber war and, where deficiencies are found, to postulate proposals for reform.

Dr. Russell Buchan is a lecturer in international law at the University of Sheffield and is an expert in the field of cyber war. Nicholas Tsagourias is Professor of International Law and Security at the University of Glasgow and has published widely in the area of international peace and security. Together they have worked on a special issue for the Journal of Conflict and Security Law. You can access the special issue, Cyber War and International Law, via Oxford Journals.

Subscribe to the OUPblog via email or RSS.
Subscribe to only politics and law articles on the OUPblog via email or RSS.

Image: information weapon, keyboard grenade. Photo by -antonio-, iStockphoto.

Recent Comments

  1. […] recent Oxford University Press blog titled Cyber War and International Law highlighted problems in applying two particular legal frameworks to cyber war: the law on use of […]

  2. […] law is able to protect states. Non-physical damage may be beyond the reach of the UN Charter . . . read more — summarized by JLCW. Please go to […]

  3. Ash Hunt

    Whilst this article raises the difficulties on dealing with the legal parameters of the ‘fifth domain’, it precedes an essential debate on forming an agreed consensus on cyber terminology. Currently, governments and institutions define their cyber policies using colloquial terminology or inchoate classifications. It is necessary for the international community to engage in transnational collaborative discussion to devise an explicit set of terminology for all sinister movements in the fifth domain. How can we engage in a meaningful debate on the legal aspects of the cyber domain when there is a great deal of disparity and ambiguity surrounding the terminology we are using? This article deals with this essential discussion that must first take place: http://www.cyberdefensemagazine.com/newsletters/november-2013/#p=24.

Comments are closed.