Classically, states and non-state actors were differentiated not only by disparities in legal status, but also by significant imbalances in resources and capabilities. Not surprisingly, international law developed a state-centric bias to account for these imbalances. Cyberspace and cyber operations, however, have closed a number of formerly significant gaps between states’ and non-state actors’ abilities to compromise international peace and security. In fact, some non-state actors now match, if not exceed, the cyber capabilities of many states in this respect. Where public international law had long proved chiefly relevant to states’ interactions with other states, cyber operations by non-state actors increase the frequency with which public international law provides relevant and binding legal rules. This article surveys existing public international law for norms relevant to the cyber interactions of cyber-empowered states and non-state actors. Specifically, the article illustrates how the principles of sovereignty, state responsibility and the jus ad bellum are particularly relevant to States engaged in struggles with non-state actors for security and supremacy in cyberspace.
Cyber operations challenge not only the physical and spatial assumptions that guided the formation of much of the public international law inherited from previous generations, they test fundamental premises respecting the identity and status of actors governed by that body of law. Classically, individuals and non-state actors proved relevant to international law only as the agents, proxies or chattel of states. Significant gaps in resources and capacity between states on the one hand and non-state actors on the other prevented their interactions from demanding significant attention from international law. And in those rare historical instances in which non-state actors could mount serious challenges to state hegemony, like cases of civil war, international law responded with significantly curtailed normative frameworks, such as that found applicable to armed conflicts not of an international character.1
Cyber operations, however, appear to present greatly increased opportunities for non-state actors to match, and in some cases even to surpass, state supremacy. Non-state actors capable of mounting cyber operations that profoundly affect states’ security, and circumstances in which non-state actors demand as much or more attention than other states, are no longer futuristic or far-fetched—they are the prevailing reality of cyberspace. In addition to constituting a new domain of warfare between states, cyberspace also appears to represent a significantly contested domain between states and non-state actors. As an example, a recent report reveals the USA has resorted to offensive cyber operation in its efforts against Islamic State forces operating in Syria and Iraq.2
Still, at present, public international law primarily governs the relationship between states. This is no less true when considering its application to cyber activities involving non-state actors, such as individuals, private companies, hacker groups, criminal groups or terrorists. Nevertheless, it would be inaccurate to suggest that the international law of cyber operations has no bearing on these activities. This article briefly surveys the intersection of public international law with cyber activities conducted by or against non-state actors. Drawing on the work of the International Group of Experts that prepared ‘The Tallinn Manual on the International Law Applicable to Cyber Warfare’,3 it addresses three topics of particular relevance in this regard that lie outside the normative framework of armed conflict: sovereignty, state responsibility and the jus ad bellum. The first two are presently being examined in much greater depth as part of the NATO Cooperative Cyber Defence Centre of Excellence’s Tallinn Manual 2.0 Project’s consideration of the peacetime law of cyber operations.4 These important international norms and their emerging cyber-minded applications constitute critical legal considerations for states engaged in contentious cyber operations with non-state actors.
The 1928 Island of Palmas arbitral award set forth the classic articulation of the principle of sovereignty: ‘Sovereignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State’.5 Pursuant to the principle, a state enjoys sovereign authority with respect all property, persons and activities, whether public or private, on its territory.
The Tallinn Manual expresses the principle of sovereignty in the cyber context: ‘A State may exercise control over cyber infrastructure and activities within its sovereign territory.’6 Today, this premise is relatively well accepted by the international community. For instance, in its 2013 Report, the United Nations Group of Governmental Experts (GGE) concluded ‘State sovereignty and international norms and principles that flow from sovereignty apply to State conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure within their territory.’7 Members of the GGE include Russia and China, both of whom were initially sceptical as to application of international law to cyberspace.8
Non-state actors are fully subject to states’ exercises of sovereignty. For instance, a state may regulate Internet activities by setting the technical criteria according to which Internet service providers must operate; limit content posted on the Internet from its territory, as in the cases of child pornography or terrorist recruiting; and regulate access to the Internet by individuals, groups or private entities on its territory. A state’s sovereignty seldom extends beyond its territory, but the exercise of sovereignty thereon can affect non-state actors located abroad. In the exercise of its sovereign authority, a state may, for example, block or limit access to cyber infrastructure by individuals, groups or private entities located beyond its borders. A state would also be within its rights to regulate e-commerce on its territory, even if an affected private entity operates from another country.
The fact that cyber infrastructure is linked to a global communications network does not constitute a waiver of states’ sovereign rights over their cyber infrastructure. This is not to say that sovereignty may be exercised against non-state actors free from international legal limitations. The exercise of sovereignty is subject to other aspects of public international law. In particular, international human rights law regulates states’ cyber activities with respect to individuals.9
Sovereignty is also the source of states’ authority to protect private and public activities and infrastructure on their territory from harm, whether cyber or non-cyber in nature. This is so, irrespective of whether the source of a harmful cyber operation is a state or a non-state actor, and regardless of whether the entity conducting the operation is located in the state's territory or abroad. To illustrate, if a private company is the target of harmful cyber operations by either another state or private malicious hackers abroad, the state that hosts the affected company may take cyber or non-cyber measures to protect it. As will be discussed, in certain cases, the measures may involve cyber responses that would otherwise be unlawful, even, in extreme cases, a violation of the prohibition on the use of force.
Because states enjoy sovereignty over their territory to the exclusion of other states,10 a state’s cyber operations against private cyber infrastructure can amount to a violation of another state’s sovereignty. The Permanent Court of International Justice observed in the Lotus case, ‘the first and foremost restriction imposed by international law upon a State is that … it may not exercise its power in any form in the territory of another State’.11 Thus, in some cases the mere conduct of a cyber operation against non-state actors might violate the sovereignty of a state. These situations clearly include those involving cyber operations that usurp the governmental authority of the territorial state, as in law enforcement cyber operations by another state that target private companies without that state’s consent,12 and those directed at private cyber infrastructure that is located aboard a sovereign platform, such as a warship.13 However, beyond these exceptional cases, the law as to when an operation against a non-state actor violates the sovereignty of the state where that actor is located is unclear. Wherever the threshold of violation lies, it is the same for both private and public infrastructure.
Uncertainty attendant to the issue was well illustrated in the deliberations of the International Group of Experts that prepared the Tallinn Manual. The Group could only agree that a violation of sovereignty occurs when another state’s cyber operation ‘causes damage’. It achieved no consensus on the international legal significance of ‘placement of malware that causes no physical damage (as with malware used to monitor activities)’.14
The key issue is the characterization of remote operations directed against non-state actors that do not reach the physical damage threshold. In the view of the authors, the Tallinn Manual’s functionality test, developed to determine when a cyber operation qualifies as an ‘attack’ during armed conflict, can be applied by analogy.15 By this test, damage to cyber infrastructure includes losses of functionality of cyber infrastructure, or of items that rely on it, such that repair is required to restore functionality. In discussing this approach, the International Group of Experts disagreed over precisely what it means to require repair. However, in the authors’ view, the concept means that the cyber infrastructure, such as a SCADA system, requires physical repair, as in replacement of components, or the reinstallation of either the operating system or of data upon which a purpose-built system relies to perform its intended function.
Beyond loss of functionality, the authors concur that if a State gains unauthorized access to a system and manipulates, alters or destroys data, sovereignty is violated. This is an especially supportable position with respect to significantly deleterious cyber operations that are adverse to the interests of the state, compromise the state’s right to independence and exclusivity of control, and are unconsented to and carried out on the state’s territory, as in the case of cyber operations that appreciably disrupt commercial activities.16 Admittedly, this is a broad view of sovereignty, but surely the grant of sovereign authority over activities on a state’s territory includes those that manifest there. Some cases, however, remain subject to uncertainty, as with the mere placement of malware that has not been activated by a state into the cyber infrastructure of a private company overseas, extraction of the company’s data or a temporary distributed denial of service attacks against the company.
While cyber operations by a state may violate the sovereignty of the state where the non-state actors are located, cyber operations by non-state actors that are not attributable to a state as described below do not constitute a violation of sovereignty, no matter how destructive or injurious. Of course, cyber operations by non-state actors may well be in violation of the domestic law of numerous states, such as the state of nationality of the non-state actors and the states from which the operations were launched and where they culminated or otherwise had negative effects. But only states violate sovereignty as a matter of international law.17
The prohibition of intervention by a state into the internal or external affairs of other states derives directly from the principle of sovereignty. The prohibition consists of two elements. First, the activities in question must be coercive in the sense of compelling the target state to engage in an activity (including taking a decision) it would not otherwise engage in or refrain from activities that it would, but for the coercion, undertake. The International Court of Justice has characterized the element of coercion as ‘the very essence of prohibited intervention’.18 Thus, for instance, cyber espionage does not constitute intervention unless it clearly involves coercion. Second, acts in violation of the prohibition of intervention must be directed at the domaine réservé of the target state. The domaine réservé comprises matters that a state is permitted, as a matter of sovereignty, to decide upon freely, particularly its political, economic, social and cultural system.19 Examples include elections, legislative activities and providing for the social welfare of the population.
Generally, cyber operations directed at non-state actors such as companies, as in the case of the recent Sony hack,20 do not qualify as intervention because they are neither intended to coerce the state nor do they reach into the domaine réservé. If, however, another state conducts cyber operations against, for example, a state’s residents or companies to force their host state to take a particular decision on a matter falling within its domaine réservé the cyber operations will qualify as prohibited intervention. Similarly, intervention could involve cyber operations against private infrastructure that relates to the domaine réservé, as in the case of cyber operations used to block or alter the advertisements of a particular candidate during an election in another state.
In its Nicaragua judgment, the International Court of Justice concluded that indirect support for insurgents or terrorists in another state plainly qualifies as prohibited intervention.21 The Court specifically characterized as acts of intervention the arming and training of guerrilla forces, which, as discussed below, also constitute uses of force. The Court further cited the financing of guerrilla operations as prohibited interventions, although such activities do not rise to the level of the use of force.22 In the cyber context, therefore, a state that provides an insurgent group with malware and the training necessary to employ it against another state violates the prohibition on intervention. Financing the group’s cyber activities would likewise violate the prohibition. Any cyber operations the state itself conducts in support of the group, such as interfering with the other state’s command-and-control or collecting militarily useful information by cyber means and providing it to the group, are clearly encompassed in the prohibition.
Sovereignty is likewise the basis of the right of states to exercise jurisdiction with respect to certain cyber activities and cyber infrastructure. In this regard, the Tallinn Manual observes, ‘… a State may exercise its jurisdiction: (a) over persons engaged in cyber activities on its territory; (b) over cyber infrastructure located on its territory; and (c) extraterritorially, in accordance with international law.’23 Jurisdiction is the authority to prescribe laws and regulations, enforce them and adjudicate alleged breaches thereof.24 It is uncontested, as noted in lit. (a) and (b) of the Tallinn Manual’s rule, that states enjoy all three forms of jurisdiction over cyber activities by non-state actors located on their territory and over cyber infrastructure located there that is used or owned by non-state actors.
Lit. (c) of the Rule addresses jurisdiction over persons, cyber infrastructure and activities located or occurring beyond a state’s territorial jurisdictional reach. Numerous grounds of varying degrees of acceptance exist upon which a state may exercise its various jurisdictional prerogatives extraterritorially. States enjoy, for example, prescriptive authority over their nationals, including ‘legal persons’ such as companies, wherever they may be with respect to the cyber activities in which they engage.25 Additionally, a state may exercise jurisdiction pursuant to the passive personality principle when cyber activities harm its nationals, again including legal persons, whether those nationals are on its territory or abroad.26 By the principle, the state may, for example, adopt legislation proscribing cyber operations against its overseas companies and exercise enforcement and adjudicative jurisdiction when those responsible for operations are either present on the state's territory or the state has secured the consent of the state where the individuals are located to exercise its enforcement jurisdiction on the latter’s territory.
Pursuant to the protective principle, a state may also exercise jurisdiction with respect to cyber activities that threaten state security, solvency, or other key state interests.27 As an example, a state may criminalize the forgery of its currency or official documents by cyber means. Finally, the universality principal extends the jurisdiction of all states to certain international crimes, such as genocide and certain war crimes.28 Pursuant to universal jurisdiction, all states enjoy authority over cyber attacks that violate key international humanitarian law prohibitions, like those outlawing attacks against the civilian population and civilian objects during armed conflicts or with respect to the use of cyber means to launch or otherwise facilitate a genocide.29 This is so whether or not the enumerated crimes are engaged in by the organs of a state or non-state actors and irrespective of the nationality or location of the offences’ victims.
In international law, the rights of states as sovereigns are often accompanied by corresponding obligations. Many of these state obligations operate with respect to controlling the activities of non-state actors. The most significant obligation in the cyber context emanating from the principle of sovereignty is that of due diligence. Pursuant to the principle, restated in cyber terms by the Tallinn Manual, ‘a State shall not knowingly allow the cyber infrastructure located in its territory or under its exclusive governmental control to be used for acts that adversely and unlawfully affect other States’.30 This Tallinn Manual rule has since been affirmed by states participating in the UN Group of Governmental Experts process.31 The obligation applies to the use of both public and private cyber infrastructure on the territory.
Due diligence obligations arise in a number of circumstances. For instance, if non-state actors are conducting hostile cyber operations from a state's territory into another state, the former is obliged to terminate the operations.32 Similarly, if non-state actors in one state take control of cyber infrastructure in a second state and use it to mount cyber operations against a third state, the second state shoulders the same obligation. Due diligence obligations also attach in situations in which a state takes control, or otherwise uses, cyber infrastructure in another state to conduct cyber operations against non-state actors in a third state or in which a state’s agents operate from another state’s territory to mount the attacks. Finally, due diligence obligations can apply even to cyber operations by non-state actors against other non-state actors abroad.
Disagreement exists as to whether the obligation of due diligence imposes a requirement to prevent cyber infrastructure on a state’s territory from being used for purposes that violate obligations owed other states. The better position is that states are only obliged to terminate on-going or imminent cyber operations. In doing so, they need only take those measures that are reasonable in the circumstances. For instance, take the case of an activist group operating from State A that conducts destructive cyber operations against a company in State B using cyber infrastructure in State C. Suppose that to effectively stop the on-going operations, State C would have to shut down significant segments of its national cyber network. That state is entitled to take the severity of those effects into consideration when determining whether to put an end to the non-state actor’s use the cyber infrastructure.
2. State Responsibility
Addressing state responsibility in a cyber context, the Tallinn Manual observes, ‘A State bears international legal responsibility for a cyber operation attributable to it and which constitutes a breach of an international obligation.’33 The international obligation underlying responsibility may be based in either treaty or customary international law, while attribution refers to legal, as distinct from factual, attribution. When these two criteria are met, the state concerned is responsible for an ‘internationally wrongful act’.34 Internationally wrongful acts may consist of affirmative actions, such as damaging cyber operations against private infrastructure located on another state’s territory, or failure to comply with a duty like exercising reasonable due diligence to terminate harmful non-state cyber operations being conducted from the state’s territory against another state.
While it is self-evident that states are responsible for the cyber activities of their organs,35 especially the armed forces or security services, there are four situations in which a state bears responsibility for the cyber operations of non-state actors. First, a non-state actor is equated to a state organ when it has been empowered by the state’s domestic law to exercise elements of governmental authority,36 that is, engaging in an activity for the state that states typically perform. As an example, if a state's military contracts with a private company to conduct offensive cyber operations during an armed conflict, the state will be responsible for any of the company’s cyber activities that violate international law, such as breaches of neutrality by impermissible use of neutral cyber infrastructure.37 In these cases, the state will be responsible even for ultra vires acts so long as the private person or entity concerned was operating in its empowered capacity.38 To illustrate, the state would bear responsibility for the violation of neutrality in the previous example even if it had instructed the company not to conduct operations involving neutral cyber infrastructure.
Second, cyber activities of non-state actors are attributable to a state when the non-state actor operates on the instructions of the state.39 This basis for attribution differs from the previous bases in the sense that the non-state actors serve as an auxiliary to the state rather than take on a governmental function. Moreover, the activities may, but need not be, authorized by the law of the state concerned. For instance, if a state instructs a hacker group or a private company to probe for vulnerabilities in another state’s cyber infrastructure in the hope of subsequently exploiting any that are discovered, the company’s cyber operations are attributable to the state. In the event, they breach an obligation owed the target state by the instructing state, the latter will be responsible for any ensuing internationally wrongful act.
Third, non-state actor cyber operations conducted pursuant to the direction and control of a state are attributable to that state.40 Although the terms ‘direction’ and ‘control’ differ, they have been encompassed by the International Law Commission in its commentary to the Articles of State Responsibility in the expression ‘effective control’, which was coined by the International Court of Justice in its Nicaragua judgment.41 Broadly speaking, effective control means the state determines the specific cyber operations the non-state group will conduct and has the power and authority to approve or disapprove them. As noted by the Court in the non-cyber context, a state's assistance in the form of merely ‘financing, organizing, training, supplying, and equipping’ the non-state group in a manner that enables its operations does not rise to the level of effective control.42 Thus, for instance, providing malware to a non-state group for general use against another state does not result in attribution of the group’s cyber operations. Indeed, even the ‘planning of the whole of its operation’ does not suffice.43
Although a state’s involvement in a non-state group’s cyber operations against another state may not reach the effective control threshold, that involvement may nevertheless constitute an internationally wrongful act on its own accord. As noted above, financing a group’s cyber operations against another state or providing the training necessary to conduct them qualify as a prohibited intervention into the internal affairs of that state. The state will shoulder responsibility for the intervention, even though it is not responsible for the acts of the group.
Unlike cyber activities of non-state actors that are undertaken pursuant to a state's law and amount to the exercise of governmental authority, attribution on the basis of instructions or effective control does not extend to ultra vires acts.44 As an example, a non-state hacker group may be operating under the effective control of a state in conducting cyber operations targeting another state. If the group has been instructed by the state to refrain from particular types of operations or from targeting particular cyber infrastructure, and the group disregards those instructions, the state will not bear responsibility for the operations.
Finally, the cyber operations of non-state actors are attributable to a state when it acknowledges and adopts those operations.45 Attribution on this basis involves more than merely expressing support or encouragement for the non-state actor. Rather, the state must embrace the conduct as its own, especially by engaging in activities that perpetuate the actions.46 In the cyber context, a likely scenario would involve the state publicly approving of the cyber operations of a hacker group and then facilitating their continuance by, for example, providing further cyber capabilities to the group.
In addition to affixing responsibility, international law offers remedial measures to states that fall victim to internationally wrongful acts. States targeted by cyber operations that qualify as internationally wrongful acts are entitled to take, within strict parameters, ‘countermeasures’ in response.47 Countermeasures are cyber or non-cyber actions that would amount to an internationally wrongful act by the ‘injured’ state but for the fact that they are a response directed at the state conducting the initial wrongful act (the ‘responsible’ State).48 It is their qualification as a countermeasure that precludes their wrongfulness. Such measures must be designed solely to compel the latter to desist in its unlawful course of conduct,49 may not be punitive in purpose,50 must be proportionate,51 and may not breach and obligation a third state.52 Although it is a matter of some dispute, the most defensible view is that countermeasures may not involved cyber operations at the use of force level.53
Non-state actors may not take countermeasures; such measures are a response reserved to states. Recall, however, that internationally wrongful acts by states may involve cyber operations directed at non-state actors, as with a state’s cyber operations against a company in another state that breach the latter’s sovereignty. In such cases, the company must look to a state authorized to conduct countermeasures under the law of state responsibility. There is, however, no bar to the state in turn authorizing the company concerned, or another non-state actor, to conduct the countermeasure on its behalf.
Analogously, countermeasures may not be taken against a non-state actor unless that actor’s cyber operations are attributable to a state. This is because only states commit, as a matter of law, internationally wrongful acts. However, in such situations, the principle of due diligence may come into play. A State that fails to exercise due diligence with respect to non-state actor cyber operations from territory that are directed at cyber infrastructure in another state is in breach of its due diligence obligation to the target state. As such, it has committed an internationally wrongful act to which the target state is entitled to respond with countermeasures.
There is no requirement that the injured state react to another state’s internationally wrongful act with a countermeasure that involves the same obligation that the responsible state breached. This opens the door to the injured state responding to the breach of the due diligence obligation it was owed with a cyber countermeasure involving, inter alia, the principle of sovereignty. The paradigmatic example is a hack‐back against the non-state actor, for recall that a breach of sovereignty may involve cyber operations directed against private cyber infrastructure located on the state's territory. In that the hack-back qualifies as a countermeasure, its wrongfulness is precluded under the law of state responsibility. It must be cautioned in this regard that any such response must be proportionate to the responsible state’s due diligence obligation, rather than to the cyber operation of the non-state actor, since it is the former, not the latter, that gives rise to the right to engage in a countermeasure.54
In exceptional situations, states may resort to the plea of necessity to respond to cyber operations conducted by non-state actors. actions pursuant to the plea are available when cyber operations directed against the state constitute a ‘grave and imminent peril’ to the state’s ‘essential interest’.55 If the severity of the cyber operations faced by the state reach this threshold, the target state may take measures that would otherwise constitute an internationally wrongful act vis-à-vis other states.
Although the threshold for engaging in cyber operations pursuant to the plea of necessity is high, and while the plea is unavailable when the response would present an analogous threat to the essential interest of other states, the plea of necessity affords targeted states a great deal of flexibility. As an example, a state facing such a situation may respond by hacking back against the non-state actors themselves, or the cyber infrastructure being used by them, irrespective of any attribution of their conduct to a state. This is so, even if the state into which the targeted state is responding, or which is affected by the response, has not breached a due diligence (or any other) obligation owed the state invoking the plea.
A. The jus ad bellum
Article 2, paragraph (4) of the United Nations Charter, which is reflective of customary international law, prohibits the use of force by one state against another, except in situations of self-defence or when authorized by the UN Security Council.56 The Tallinn Manual articulates the prohibition in cyber terms: ‘A cyber operation that constitutes a threat or use of force against the territorial integrity or political independence of any State, or that is in any other manner inconsistent with the purposes of the United Nations, is unlawful.’57
Although cyber operations of non-state actors do not violate this prohibition unless they are attributable to a state (and in such circumstances responsibility rests with the state rather than the non-state actor in question), those conducted by states against non-state actors may implicate the prohibition. For instance, a state’s cyber operations directed at non-state actors in another state constitute a violation of the prohibition when sufficiently severe to cross the use of force threshold. In this regard, a violation of the use of force prohibition operates in a manner that is consistent with a breach of sovereignty on the basis of cyber operations targeting private cyber infrastructure.
Unfortunately, the threshold at which cyber operations qualify as a use of force is highly uncertain. Yet, clearly, any state cyber operation resulting in physical damage to private cyber infrastructure on another state’s territory would qualify. It is reasonable to extend the notion of damage to those cyber operations that result in a loss of functionality, as discussed above with respect to sovereignty, of cyber infrastructure or equipment or other items that rely on that infrastructure to operate.58
It is also well settled, as the International Court of Justice opined in the Nicaragua judgment, that arming and training guerrilla forces engaged in violence against another state qualifies as a use of force.59 By analogy, it would violate the prohibition of the use of force to provide cyber weapons and the training necessary to use it to insurgents, terrorists, hacker groups or individuals conducting cyber operations against another state at the use of force level, although financing would, as discussed, only qualify as intervention.
Beyond these clear-cut cases, it is unclear where the use of force threshold lies. In particular, the matter of non-destructive cyber operations having severe consequences remains unsettled. In the authors’ view, adoption of a severity of consequences approach by states, as distinct from one that focuses on the nature of the consequences (destructive or not), is inevitable. However, only further state practice and expressions of opinio juris will refine the threshold. Until that occurs, non-exhaustive factors, as explained in the Tallinn Manual, such as severity, immediacy, directness, invasiveness, measurability of effects, military character, state involvement and presumptive legitimacy, offer helpful indicators of when states are likely to characterize a cyber operation against a non-state entity as having crossed the use of force threshold.60
Pursuant to Article 51 of the UN Charter and customary international law, states faced with a use of force at the level of an ‘armed attack’ may respond with their own defensive use of force. The Tallinn Manual expresses the self-defence rule in cyber terms along with a measure of assessment: ‘A State that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defence. Whether a cyber operation constitutes an armed attack depends on its scale and effects.’61
As with uses of forces, the precise point at which a cyber operation qualifies as an ‘armed attack’ is unclear. What is agreed is that all armed attacks are uses of force. In the view of the USA, which does not represent the prevailing interpretation, all uses of force are also armed attacks.62 Thus, in the eyes of the USA, any cyber operation crossing the use of force line authorizes a lawful, forceful response, by either cyber or non-cyber means.
Most other states, as well as a majority of academics, adopt the position of the International Court of Justice in the Nicaragua judgment, which regards an armed attack as an especially ‘grave’ type of use of force; hence, the so-called gap between cyber operations that qualify as uses of force and the smaller subset that rise to the level of a use of force.63 For instance, while the Tallinn Manual's International Group of Experts agreed that the 2010 Stuxnet operation was of sufficient scale and effects to qualify as a use of force, only some of its members regarded Stuxnet as grave enough to qualify as an armed attack.64 As with use of force, the authors are of the opinion that in the future, the international community will move towards an interpretation of armed attack that is focused on the severity of the consequences of a cyber operation.65
A key question in the context of this article is whether a state may respond forcefully to a non-state actor’s cyber operation pursuant to the law of self-defence. It is well settled that a state may do so when the non-state actor’s operations are, as noted by the International Court of Justice in its Nicaragua judgment, conducted ‘by or on behalf of a State’ or the state is substantially involved in them.66 The unsettled issue surrounds non-state actor operations, including cyber operations, at the armed attack level of gravity that are not conducted on behalf of a state.
The issue took centre stage in the aftermath of the 9/11 attacks by al Qaeda in 2001. Although al-Qaeda did not conduct the assaults on behalf of any state, the Security Council, regional organizations and many states treated the situation as one in which the USA, inter alia, could act in self-defence.67 When the International Court of Justice subsequently suggested that non-state actors are incapable of conducting armed attacks in the legal sense required for self-defence,68 its position was correctly criticized as ignoring recent history and as a failure to note that the text of Article 51 contains no limitation of armed attacks to actions by or on behalf of a state.69 Today, states are beginning to openly express the view that non-state actors can launch cyber armed attacks and that qualification of a forceful response as self-defence precludes the wrongfulness of that response.70 This was also the majority view of the authors of the Tallinn Manual.71
Assuming, arguendo, that non-state actors can mount armed attacks as a matter of law, the question becomes how to respond to cyber attacks launched by non-state actors from abroad when the state from which they are operating either cannot or will not terminate those operations. Responding with a cyber or non-cyber operation at the use of force level would violate the sovereignty of the state where such non-state actors are located, thereby bringing that right into conflict with the victim state’s right of self-defence. Some scholars are of the view that respect for the sovereignty of other states is such a foundational principle of international law that it cannot yield even to another state’s right of self-defence in such circumstances.72 Nevertheless, as one of the present authors has explained more fully elsewhere, when international law rights clash, the better approach is to balance those rights in a fashion that most effectively preserves the object and purpose of each.73 In this case, such a balance would allow for cyber or non-cyber operations at the use of force level against into the state from which the non-state actors are operating if that state is unwilling or unable to terminate the armed attack.74 It must be emphasized that the balancing requires the state to proceed cautiously and in a limited fashion. For instance, if feasible, it must first warn the state to take action to terminate the activities and its operation must not exceed what is required to put an end to them.
While the state-centric assumptions and foundations of the formative periods of public international law appear to be eroding in many contexts, and perhaps especially in the context of cyberspace, their legal legacy prevails in the extant law. The public international law principles and rules bequeathed by preceding sovereigns remain intently focused on the interactions of states. International law places states at the centre of its legal regimes, requiring in nearly all cases a state nexus to establish either an internationally wrongful act or an international legal obligation. In many respects, the state-centric legal regime of public international law may seem ill-suited or even inadequate to address the challenges the super-empowered non-state actors of cyberspace present.
Yet, as illustrated by this article, the actions of non-state actors implicate a wide range of long-standing public international law norms. In particular, norms associated with sovereignty, state responsibility, and the jus ad bellum offer critical legal limitations and justifications for cyber operations by states against non-state actors. To be certain, the precise contours of their operation in the context of cyberspace remain uncertain. However, their applicability, relevance and binding nature are subject to little debate. Despite lingering ambiguity and in some cases logical strain, states confronted with cyber operations by non-state actors, as well as states contemplating cyber operations against them, are well advised to carefully analyze and incorporate the existing tenets of public international law into their security planning and cyber operations.