While most part of the world is under a lockdown trying to deal with the Act of God in the form of a pandemic, it seems like hackers have found an opportunity to expand. The continuance of the lockdown has resulted in unprecedented increase in dependency on digital means by many folds, resulting in many operations that may fall under remote monitoring mode. It laid a heavy reliance over work from home trend and cyber criminals are trying to take leverage of the situation by creating a web of “phishing” scams. The Union Home Ministry of India issued an advisory regarding the cyber vulnerability of the popular video conferencing app Zoom and laid down the safety measures for both the operator and the users.
This article seeks to examine the legitimacy of anticipatory self-defense against cyber-attacks under the international law and what constitutes of an armed attack under the United Nations Charter. The term “armed attack” has not been clearly defined in any of the conventions and hence has given rise to different interpretations by the states. We will try to evaluate if cyber-attacks fall within the pigeonhole of armed attacks where in a state is legally authorized to use force in its defense. It will show different analytical theories that are applied to determine what is an “imminent” act. In providing this analysis the article would also reflect upon the idea whether the prospective cyber-attacks are detectable or not in order to give the decisionmaker the final authority to take adequate actions between war and peace.
The concept of international cyber-attacks has been proliferating and are of particular relevance as it leaves the targeted state with a little window of reaction and speculation- determining when can one use the guard of coercion in anticipation of a cyber-attack under legal mechanisms as per international standards. Article 51 of the United Nations Charter authorizes a state to use force as a legal right if the prospective attack is classified as an armed attack, as expounded in Caroline Doctrine which sanctions the use of anticipatory self-defence against the opponent if the act is “imminent”. There is a need to distinguish between anticipatory self-defence and interceptive self- defence to determine whether the attack is foreseeable or imminent. There has been a divided opinion about the threshold of the attack to be termed as an armed attack but a broad agreement when it comes to the fact that cyber-attacks satisfies the desideratum of Article 51 in most the of the cases.
There have been varied competing school of thoughts about the attack being imminent and giving rise to another important consideration regarding the determination of the fact if “last probable window” to cease the prospective attack has already surpassed- leaving it to be the necessary action to thwart potentially destructive attacks. It is a highly believable fact that the states will often be able to detect a cyber-armed attack against them justifying the use of anticipatory self-defence.
The debate still prevails whether the resultant effect of the attack causing death and physical destruction suffices Article 51 of the UN Charter, justifying the anticipatory use of force or not. The article does not explicitly mention the scope of anticipatory self-defence under international law but is considered to be an inbuilt proposition. Tallinn Manual’s expert group attempts restating two divergent views about the inclusion of cyber-attacks based on the effect rather than the means, both of which are International Court of Justice’s asseveration. A context stressing on the said issue is a cyber operation leading to the crash of New York stock exchange causing no physical damage or casualty but only economic crisis.
WHAT CONSTITUTES OF AN ARMED ATTACK?
In assessing whether a state’s action would constitute a use of force, it is paramount to determine whether the act would insight a response from the victim state that is not in violation of Article 2(4) prohibition. In the case of Nicaragua v United States, the International Court of Justice emphasized clearly that states do not have the right for armed response if the pre-requisites of the provocation do not fall under the ambit of Article 51 of the UN Charter. In situations to determine the severity of cyber-attacks, a consequence-based approach needs to be observed in order to distinguish between a cyber-attack and an attack carried out by traditional military forces. If a cyber-attack does not have the same devasting consequences as that of an armed attack such as damage to life and property, then it would fail the test of self-defense under Article 51 of the UN charter. The Stuxnet Cyber-attack on the Iranian Nuclear Facility in Natanz would fail to constitute an armed attack since the result of the operation caused the malfunctioning of Centrifuges without any harm to property or life. This does give us the notion that cyber-attacks are an evolved categorization under armed attack which requires a modern interpretation for future reference.
Scholars have advanced several analytical models to classify cyber-attacks based on scope, duration and intensity analysis which helps straddle the fine line between criminal activity and armed warfare. The instrument-based approach deals with the damage caused by the cyber-attack while comparing previous kinetic attack. Secondly, the effects-based approach focuses not on the kinetic relevance but on the effects of the cyber-attack on victim state. Thirdly, a strict liability approach which states that cyber-attacks against critical infrastructure are automatically treated as armed attacks due to the severe consequences of the disabling of the system. Of the three approaches, the effects-based approach is the best analytical model when it comes to dealing with cyber-attacks. It covers all the aspects of an instrument-based approach but also provides essential analytical framework for situations that do not involve the traditional kinetic engagement. An effects-based analysis is superior to the strict liability approach as it conforms with internationally accepted legal norms and customs.The most advanced effects-based model is advocated by Michael N. Schmitt. His seminal article “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework,”. In this article, Schmitt talks about six major sub categories:
- Severity: determines the scope and intensity of the act which examines the number of casualties, size of the area attacked, estimation of damage to property. The greater the damage, the stronger the argument towards an armed attack.
- Immediacy: looks at the duration of the Cyber-attack. The longer the duration of the attack and the time until which the effects were felt, the stronger the contention of an armed attack is presumed.
- Directness: if the attack was the proximate cause of the harm, it strengthens the argument that cyber-attack was an armed attack.
- Invasiveness: looks at the locus of the cyber-attack. An invasive attack physically crosses state borders or electronically crosses borders and causes harm within the state of the victim. With the increased invasiveness comes the more reasonable conclusion of an armed attack.
- Measurability: Quantifiable harm is treated with more sternness amongst the international community. A speculative case generally harms the credibility of an armed attack on a particular state.
- Presumptive Legitimacy: Focus on state practice and the accepted norms of behavior in the international community. Certain actions gain legitimacy under the law when the international community accepts certain behavior as legitimate.
Cyber threats are the greatest threats to international peace and securing it is an absolute and indispensable task. The unprotected usage of the digital application can make it vulnerable to cyber-attacks, and can even lead to leakage of sensitive office information to cyber criminals. In the world of Cyberspace, Attacks can be from individuals or neutral states or individuals working in neutral states. The possibilities are endless and the risk is increasing as the world goes into the era of modernization. The UN Charter does not provide complete answers to the extent of retaliation against cyber-attacks or any limitation on the extent of retaliation during defending one’s state. Under anticipatory self-defense, it was essential for the threat of attack to be imminent before the right of self-defense could be availed.
In cyberspace, attacks can happen in milliseconds without time to prevent the attack from taking place nor with the anticipation of future attacks. Cyber-attacks pose a serious threat to transportation industries which involves technologically advanced systems for data integration of passengers. Cyber-attacks are still in its development phase as it is currently active towards the financial and intelligence sectors. As time goes by and man gets more inclined towards artificial intelligence, we can expect more stringent laws on cybersecurity as the dependency of man on a machine will increase exponentially. Thus, rather than constituting a sui generis category of attack that will necessarily take effect without warning, “armed” cyber- attacks will lend themselves toward detection and the ensuing opportunity for decisionmakers to determine if and when it is the right time to act preemptively.
Measures of active defense may develop through state practice which will further strengthen the area of international law concerning self-defense.
Endnotes EVALUATING THE “IMMINENCE” OF A CYBER ATTACK FOR PURPOSES OF ANTICIPATORY SELF-DEFENSE Ryan J. Hayward- Columbia Law Review Vol. 117, No. 2  Cyber Operations: Conflict Under International Law by Catharine Lotrionte. Ibid.  Inside Cyber Warfare, 2nd edition by Jeffery Carr.  Ibid  Ibid  Ibid  Schmitt, supra note 16, 913-15  Ageis Research Corp. 124-127 (examining Schmitts use of force analysis)
Author Details: Arushi Gupta and Rishabh Bhardwaj (O.P. Jindal Global University)
The views of the author are personal only. (if any)