[François Delerue is Ph.D. researcher in International Law at the European University Institute (EUI - Florence, Italy) and visiting scholar at Columbia University (fall term 2014)]
Article 2(4) of the UN Charter was revolutionary in its extension to the explicit prohibition of the threat of force, alongside the prohibition of the use of force. No cyber operation has ever been qualified as a threat or use of force by any States or international organizations; commentators are more nuanced and some consider certain cyber operations as likely to qualify as actual uses of force (see generally:
Tallinn Manual p. 45;
Marco Roscini pp. 53-55;
Duncan Hollis). Most of the literature applying Article 2(4) to cyber operations focuses on the use of force and, therefore, the threat of cyber force remains understudied.
In this blog post I endeavor to fill this gap by analyzing inter-state cyber operations according to the prohibition of threat of force. My main argument is that for most inter-state cyber operations the qualification as the threat of force is arguably more suitable than trying to qualify them as an actual use of force at any cost. I will develop successively the two main forms of threat of force: open threat of prohibited force and demonstration of force.
A Threat of Prohibited Cyber Force As a Prohibited Threat of Force
The International Court of Justice, in its Advisory Opinion on the
Legality of the Threat or Use of Nuclear Weapons, confined the prohibition of the threat of force to the prohibition of the threat of the use of the prohibited force (
para. 47). In other words, an unlawful threat is a conditional promise to resort to force in circumstances in which use of force would itself be unlawful. This form of threat of force is the most obvious one and can be implied directly from the wording of the UN Charter. Formulated by
Ian Brownlie in 1963 (p. 364), this approach is nowadays the prevailing one on the threat of force.
Applied to cyber operations, a threat of cyber force will violate the prohibition of Article 2(4) only if the threatened cyber force amounts to an unlawful use of force in the same circumstances. This is the contemporary leading approach among scholars and is, for instance, the approach followed by
rule 12 of the Tallinn Manual:
A cyber operation, or threatened cyber operation, constitutes an unlawful threat of force when the threatened action, if carried out, would be an unlawful use of force.
Is a general threat to resort to force enough to constitute a violation of the prohibition of Article 2(4)? The answer is unequivocally yes. Most verbal or written threats of force constitute a general threat of force, without specification on which kind of force might be use. It seems most likely that threat of force will remain mainly general, and cyber force will be one of the possible options to be used by the threatening State.
Demonstration of Cyber Force As a Prohibited Threat of Force
Demonstration of cyber force constitutes the second form of threat of force. In contrast to an open threat of force, a demonstration of force is constituted by acts instead of words performed by a State. Force may be demonstrated in many ways: notably in military acts – such as deployment of troops, manoeuvres, nuclear arms build-ups or testing – showing the readiness of a State to resort to force against another. In the literature on the threat of cyber force, demonstration of force is sometimes analyzed but remains for the most part neglected and understudied.
Most cyber operations fail to qualify as an actual use of force; however, could they constitute a demonstration of force amounting to a prohibited threat of force? I will use recent examples of cyber operations to answer this question.
Large-Scale Distributed Denial of Service Attacks As a Demonstration of Force
A
distributed denial of service (DDoS) attack is a cyber attack, which aims to make a machine or network resource unavailable by flooding it with requests from compromised systems. Could such a large-scale DDoS attack amount to a demonstration of force? The answer seems to be positive under certain conditions.
In April 2007,
Estonia faced violent street protests by a minority group of Russian descent objecting to the removal of World War II bronze statue of a
Soviet soldier. Simultaneously, the country experienced
multiple cyber operations, notably large-scale DDoS attacks on the websites and servers of private and public institutions.
The Estonian government accused Russia of the cyber attacks; Russia, however, denied any involvement. As Estonia is highly connected and extremely dependent on its computer infrastructure, these cyber operations were able to paralyze a large part of the Estonian economy, media and government. Could these cyber operations constitute a use of force? Estonia explored initially the possibility to invoke Article 5 of the
North Atlantic Treaty and thus to treat these cyber operations as an ‘armed attack’[1] triggering ‘the right of individual or collective self-defence’; however, this solution was quickly ruled out (see e.g.
Mary E. O’Connell pp. 192-193; see also:
here and
here).
While neither Estonia nor other States considered those cyber operations as a use or threat of force, could these cyber operations constitute a credible threat of force? Their consequences resulted in the partial paralysis of the State, limiting the ability of the country to respond in case of military action. Moreover, they occurred in fractured relations between the targeted State and the presumed threatening State, rendering any threat of force more credible. It seems, as a result, that those cyber operations could be considered as potential preluding measures to a use of force. They could thus be considered as a demonstration of force violating the prohibition of threat of force of Article 2(4).
The Estonian example demonstrates that a large-scale DDoS attack against an Internet-dependent State could constitute a threat of force. However, not all DDoS attacks might be that easy to qualify as a demonstration of force. In the case of similar cyber operations faced by
Georgia before the
2008 Russo-Georgian War, the conclusion might be more nuanced. Unlike Estonia, Georgia is not highly dependent on the Internet; therefore the consequences of cyber operations were limited and resulted mainly in the inability for the Georgian Government to access its
websites and use them to communicate. As a result, the qualification of a threat of force seems difficult and probably excessive for this situation.