Emerging Voices: Cyber Operations and the Prohibition of the Threat of Force

[François Delerue is Ph.D. researcher in International Law at the European University Institute (EUI – Florence, Italy) and visiting scholar at Columbia University (fall term 2014)]

Article 2(4) of the UN Charter was revolutionary in its extension to the explicit prohibition of the threat of force, alongside the prohibition of the use of force. No cyber operation has ever been qualified as a threat or use of force by any States or international organizations; commentators are more nuanced and some consider certain cyber operations as likely to qualify as actual uses of force (see generally: Tallinn Manual p. 45; Marco Roscini pp. 53-55; Duncan Hollis). Most of the literature applying Article 2(4) to cyber operations focuses on the use of force and, therefore, the threat of cyber force remains understudied.

In this blog post I endeavor to fill this gap by analyzing inter-state cyber operations according to the prohibition of threat of force. My main argument is that for most inter-state cyber operations the qualification as the threat of force is arguably more suitable than trying to qualify them as an actual use of force at any cost. I will develop successively the two main forms of threat of force: open threat of prohibited force and demonstration of force.

A Threat of Prohibited Cyber Force As a Prohibited Threat of Force

The International Court of Justice, in its Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons, confined the prohibition of the threat of force to the prohibition of the threat of the use of the prohibited force (para. 47). In other words, an unlawful threat is a conditional promise to resort to force in circumstances in which use of force would itself be unlawful. This form of threat of force is the most obvious one and can be implied directly from the wording of the UN Charter. Formulated by Ian Brownlie in 1963 (p. 364), this approach is nowadays the prevailing one on the threat of force.

Applied to cyber operations, a threat of cyber force will violate the prohibition of Article 2(4) only if the threatened cyber force amounts to an unlawful use of force in the same circumstances. This is the contemporary leading approach among scholars and is, for instance, the approach followed by rule 12 of the Tallinn Manual:

A cyber operation, or threatened cyber operation, constitutes an unlawful threat of force when the threatened action, if carried out, would be an unlawful use of force.

Is a general threat to resort to force enough to constitute a violation of the prohibition of Article 2(4)? The answer is unequivocally yes. Most verbal or written threats of force constitute a general threat of force, without specification on which kind of force might be use. It seems most likely that threat of force will remain mainly general, and cyber force will be one of the possible options to be used by the threatening State.

Demonstration of Cyber Force As a Prohibited Threat of Force

Demonstration of cyber force constitutes the second form of threat of force. In contrast to an open threat of force, a demonstration of force is constituted by acts instead of words performed by a State. Force may be demonstrated in many ways: notably in military acts – such as deployment of troops, manoeuvres, nuclear arms build-ups or testing – showing the readiness of a State to resort to force against another. In the literature on the threat of cyber force, demonstration of force is sometimes analyzed but remains for the most part neglected and understudied.

Most cyber operations fail to qualify as an actual use of force; however, could they constitute a demonstration of force amounting to a prohibited threat of force? I will use recent examples of cyber operations to answer this question.

Large-Scale Distributed Denial of Service Attacks As a Demonstration of Force

A distributed denial of service (DDoS) attack is a cyber attack, which aims to make a machine or network resource unavailable by flooding it with requests from compromised systems. Could such a large-scale DDoS attack amount to a demonstration of force? The answer seems to be positive under certain conditions.

In April 2007, Estonia faced violent street protests by a minority group of Russian descent objecting to the removal of World War II bronze statue of a Soviet soldier. Simultaneously, the country experienced multiple cyber operations, notably large-scale DDoS attacks on the websites and servers of private and public institutions. The Estonian government accused Russia of the cyber attacks; Russia, however, denied any involvement. As Estonia is highly connected and extremely dependent on its computer infrastructure, these cyber operations were able to paralyze a large part of the Estonian economy, media and government. Could these cyber operations constitute a use of force? Estonia explored initially the possibility to invoke Article 5 of the North Atlantic Treaty and thus to treat these cyber operations as an ‘armed attack’[1] triggering ‘the right of individual or collective self-defence’; however, this solution was quickly ruled out (see e.g. Mary E. O’Connell pp. 192-193; see also: here and here).

While neither Estonia nor other States considered those cyber operations as a use or threat of force, could these cyber operations constitute a credible threat of force? Their consequences resulted in the partial paralysis of the State, limiting the ability of the country to respond in case of military action. Moreover, they occurred in fractured relations between the targeted State and the presumed threatening State, rendering any threat of force more credible. It seems, as a result, that those cyber operations could be considered as potential preluding measures to a use of force. They could thus be considered as a demonstration of force violating the prohibition of threat of force of Article 2(4).

The Estonian example demonstrates that a large-scale DDoS attack against an Internet-dependent State could constitute a threat of force. However, not all DDoS attacks might be that easy to qualify as a demonstration of force. In the case of similar cyber operations faced by Georgia before the 2008 Russo-Georgian War, the conclusion might be more nuanced. Unlike Estonia, Georgia is not highly dependent on the Internet; therefore the consequences of cyber operations were limited and resulted mainly in the inability for the Georgian Government to access its websites and use them to communicate. As a result, the qualification of a threat of force seems difficult and probably excessive for this situation.

A Computer Worm As a Demonstration of Force

A computer worm may physically affect the targeted system. The question thus becomes: can a cyber operation generating physical damage be considered a prohibited demonstration of force? I believe it can. The only example of a cyber operation having generated damage is Stuxnet; a computer worm that infected several computer systems around the world and produced physical damage on centrifuges in an Iranian nuclear plant. Even though it produced physical damage, Stuxnet has not been definitely identified as a use of force by any State and seems unlikely to be; conversely, the Tallinn Manual (p.45) considers it as amounting to a use of force. Could it be qualified as a threat of force?

Stuxnet produced physical damages to an Iranian nuclear plant, and thus violated the principle of non-intervention and the sovereignty of the targeted State. Nothing prohibits qualifying as a threat of force an action crossing the border of the threatened State. For example, in 1996 a North Korean submarine ran aground on a South Korean beach, and the former denounced it as an act of war (ICB – crisis n°420). This situation can qualify as a threat of force, even if it occurred on the territory of the victim State (See Nikolas Stürchler, pp. 245-9).

Could Stuxnet be considered a demonstration of force showing the readiness of its authors to resort to force against Iran? The answer may be yes in some circumstances that are difficult to characterize in the actual case. Firstly, was Stuxnet created and used by a State? The answer seems to be yes, as the United States and Israel are generally believed to be the creators of Stuxnet. Both shared the same objective: preventing Iran from acquiring nuclear weapons capability; where they differ is in the method: Israel considers that ‘diplomacy has failed’ and expressed its readiness to resort to force against the Iranian nuclear program; while the US seems more cautious on the necessity to act militarily (see e.g. here, here and here).

Secondly, what was the purpose of Stuxnet? It was designed precisely as an attempt to affect and slow down the Iranian nuclear program. This goal was achieved, but a question remains: was it conducted as a demonstration of force or a cyber operation aiming to degrade the Iran nuclear program without promising any further military action? It is impossible to categorically separate the two options, due to the lack evidence available. It seems thus very difficult to conclude whether Stuxnet was a demonstration of force amounting to an unlawful threat of force; even if the circumstantial evidence renders this hypothesis plausible.

To conclude from a theoretical point of view, the Stuxnet case proves that a cyber operation producing physical damage conducted with the attempt to show the readiness of its perpetrator to resort to force is most likely to qualify as an unlawful threat of force.

Conclusion

My argument in this blog post was that the qualification as the threat of force might be more suitable for most inter-state cyber operations rather than the qualification as an actual use of force. The case study developed corroborates this assertion, as several examples presented are likely to qualify as unlawful threat of force. However, it also showed the difficulty to deliver a definitive qualification to these cases due to the lack of evidence and the difficulty of attribution. Lastly, the qualification as demonstration of cyber force amounting to a threat of force appears to be the most suitable regime for several types of inter-state cyber operations.

[1] Article 5 of the North Atlantic Treaty refers expressly to Article 51 of the UN Charter. The notion of ‘armed attack’ used in both articles has been considered as encompassing only the “most grave forms of the use of force” by the International Court of Justice in the Nicaragua Judgment (para. 191); while the Tallinn Manual (p. 47) differs from this approach and considers the notion of ‘armed attack’ and ‘use of force’ as equivalent.