War in Ukraine: Do Cyber-Operations Amount to Use of Force?

In 2015, following the Russian invasion of Crimea, the Ukrainian power grid experienced spontaneous power outages, which affected large areas of Ukraine. More than 200,000 customers suffered a blackout for several hours. These outages were later judged as well-organized and coordinated cyber-operations, attributed to Russian hackers, as part of an ongoing conflict between the two states. According to press reports, additional cyber-operations have been targeted at Ukraine in the past decade. As of today, the most notorious is NotPetya, which started in Ukraine and eventually had worldwide effects.

Although not as massive, in February 2022, not long before the Russian invasion of Ukraine, several cyber-operations (unattributed, yet), directed against Ukraine, were detected and disrupted in a collaboration with Microsoft and other anti-malware companies. The concern is that a successful cyber-operation on the financial, health care or energy sectors, especially these days, has potential catastrophic consequences. While the legal ramifications of the horrific destruction and humanitarian crisis in Ukraine are undisputed, the question arises as to whether cyber-operations, which have become more integrated into kinetic operations, amount to use of force under international law.

The prohibition of the use of force, stipulated in Article 2(4) of the United Nations Charter, is a solid legal pillar in International Law. Over the years, Article 2(4) of the United Nations Charter has endured as a dynamic legal norm which can be adjusted and amended through (and according to) the change of times, mainly through geo-political changes in our world, such as decolonization, the diplomatic struggle of the Cold War, introduction of nuclear weapons, and international terrorism, which challenged the application and relevance of the prohibition of the use of force.[1] In recent years, it faces another challenge – application to cyberspace, which is a man-made space, and unlike other dimensions, i.e. land, sea, air and space, is not a part of our natural surroundings.[2] In addition, cyberspace has unique characteristics (e.g. accessibility and anonymity), which derive from being a virtual sphere. These features have turned cyberspace to an appealing domain of activities, both for individuals and States,[3] and generated great dependency on it. The growing dependency on cyberspace has resulted in cyber-users having become exposed and vulnerable to any disruption in its regular activities.

Despite that cyber-operations are more frequent than ever, current legal interpretation does not consider these as use-of-force, since do not entail any physical consequences. The prevailing legal approach,[4] called the "effects-based approach", was introduced in the Tallinn Manual,[5] which was drafted by a group of international experts, who had embarked on academic cooperation, due to the failed efforts of the international community to form an agreement to regulate international law in cyberspace.[6] Such an influential attempt to describe the current state of international law applicable to cyber-operations, has turned[7] the Tallinn Manual widely accepted by Western States,[8] both in academic and governmental fields. 

Rule 69 of the Tallinn Manual stipulates that article 2(4) of the United Nations Charter applies to a cyber-operation which resembles in its effects a kinetic attack.[9] Thus, the Rule compares between the consequences of a cyber-operation to those of a kinetic one, and determines that any cyber-operation which results in casualties or physical damages can constitute a use of force. Other cyber-operations, which do not result in any physical element thereto, but nonetheless create considerable harm and havoc, may fall short of being considered a use of force.

Indeed, on the surface of things, it seems that cyber-operations cannot amount to the use-of-force threshold since are not violent by nature, or in other words – do not entail physical consequences. Therefore, the obvious conclusion would be that since certain (if not most) cyber-operations do not always inflict violent results, thus these do not entail the main characteristic of force. Nevertheless, by applying the use-of-force threshold solely to cyber-operations which entail physical consequences, states may use cyber means to conduct wrongful acts without being detected and could thereby evade attribution of responsibility to use of force (of course, other international norms, such as non-intervention, might be applicable to cyber-operations undertaken below the use-of-force threshold).

In my opinion, this may eventually undermine the long-lasting international stability of the prohibition of the use of force: As technology continues to advance rapidly, the legal interpretation fails to adapt itself, and therefore, might gradually turn Article 2(4) of the United Nations Charter irrelevant (or, inapplicable) in cyberspace. Subsequently, due to this inadequate legal framework, states may avoid the shaming and accountability related to their actions according to the United Nations Charter and Customary International Law,[10] and resort instead to a clandestine counter-action outside the international legal framework.

I believe that accepting cyberspace as a new (fifth) dimension[11] of military operations would allow for a more flexible interpretation in cyber terminology: since kinetic and cyber-operations exist in parallel dimensions, they should not be directly compared to one another, but rather analyzed separately according to the unique characteristics of each dimension. Cyber-operations (much like many other legal aspects) are not just a legal challenge, but also a political one. Thus, since the objectives of cyber-operations are generally different than those of kinetic-ones, then the magnitude of the operation should be considered according to the relevant domain. To better understand it, and to better protect states from its hazards – we should face it with a 'virtual state-of-mind', and consequently eliminate the physical legal requirements usually associated with the use of force doctrine.

Arguably, any other legal approach shall preserve obsolete legal perceptions (which may no longer be suitable for the various challenges of 21st Century), and thus preclude the future relevance of Article 2(4) of the United Nations Charter to threats imposed, among others, in cyberspace, by preventing its continuance interpretative development.

[1] Mary Ellen O’Connell, The Prohibition of the Use of Force, in Research Handbook on International Conflict and Security Law (Nigel D. White & Christian Henderson, eds.), Edward Elgar (2013), 90

[2] Lior Tabansky, Basic Concepts in Cyber Warfare, 3(1) Military and Strategic Affairs 75 (2011), 77

[3] Ido Kilovaty, Cyber Warfare and the Jus Ad Bellum Challenges: Evaluation in the Light of the Tallinn Manual on the International Law Applicable to Cyber Warfare, 5 (1) National Security Law Brief (2014), 94-95

[4] Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 Columbia Journal of Transnational Law (1998-1999), 910-915, available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1603800

[5] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, (Michael N. Schmitt ed.), Cambridge University Press (2nd edition - 2017). This project was initiated and conducted upon the request of NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE). First edition was published in 2013, Tallinn Manual on the International Law Applicable to Cyber Warfare, (M. Schmitt, ed.), Cambridge University Press (1st edition - 2013). The 2017 second edition was re-edited, revised and includes new rules. The most significant change is set in the Manual’s title, where the term ‘cyber-operations’ was replaced by ‘cyber warfare’

[7] The Tallinn Manual “has served as an invaluable resource for government legal advisors and scholars since its publication”, ibid, FN 5 (Tallinn Manual), 1

[8] For instance, the official position of the Russian government rejects the Manual all together (i.e. both editions), its context and essence since it “legitimize[s] cyberwar”, see “Russia warns against NATO document legitimizing cyberwars”, by Elena Chernenko, Russia Beyond, May 29, 2013, available at https://www.rbth.com/international/2013/05/29/russia_warns_against_nato_document_legitimizing_cyberwars_26483.html

[9] Ibid, FN 5 (Tallinn Manual), 330: "A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force"

[10]Michael N. Schmitt, Grey Zones in the International Law of Cyberspace, The Yale Journal of International Law Online, Vol. 42:2 (2017), available at https://cpb-us-w2.wpmucdn.com/campuspress.yale.edu/dist/8/1581/files/2017/08/Schmitt_Grey-Areas-in-the-International-Law-of-Cyberspace-1cab8kj.pdf, 2; Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, (Michael N. Schmitt ed.), Cambridge University Press (2nd edition - 2017),  337

[11] The notion of a new operational dimension is based on the 2011, and later the 2015 US DoD report, recognizing cyberspace as an additional “operational domain”, The Department of Defense Strategy for Operating in Cyberspace, July 2011, p. 5, available at https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf. This was further addressed in The Department of Defense Cyber strategy, April 2015, p. 4, available at http://archive.defense.gov/home/features/2015/0415_cyber-strategy/final_2015_dod_cyber_strategy_for_web.pdf. Also see, the interpretation of the Polish Ministry of National Defense, which stated that “[a]part from traditional geo- spaces, such as land, sea, air (including outer space), spheres unprovided with geographical parameters, immeasurable and unlimited, such as virtual cyberspace or information sphere, will be used as a battleground”, Ministry of National Defence, Department of Transformation, Vision of the Polish Armed Forces 2030, May 2008, p. 13, available at http://archiwalny.mon.gov.pl/pliki/File/vision_of_paf_2030.pdf; The Netherlands Ministry of Defence, Defence Cyber Strategy, 2012, p. 4, available at https://www.ccdcoe.org/strategies/Defence_Cyber_Strategy_NDL.pdf; NATO 2016 Warsaw Summit Communique, 9 July 2016, para. 70, available at https://www.nato.int/cps/en/natohq/official_texts_133169.htm. The joint Chief of Staff have recently considered cyberspace to be "part of the information environment, [though] is still dependent on the physical domains of air, land, maritime and space". Therefore, by creating such dependency, the Joint Chief of Staff has actually referred to cyberspace as a separate domain (from the other four domains, of air, sea, land and space), and part of an additional (fifth) domain (called "environment"), Joint Chief of Staff, Cyber Operations, Joint Publication 3-12, June 2018, 7, available at https://fas.org/irp/doddir/dod/jp3_12.pdf