Author: Janos Ferencz

[Janos Ferencz, LL.M., is a Visiting Research Fellow at The Minerva Center for the Rule of Law under Extreme Conditions at the Faculty of Law and Department of Geography and Environmental Studies, University of Haifa and a legal consultant at Panteia, the Netherlands.]

The rapid proliferation of malicious cyber operations in recent years has underlined a growing concern about the risks presented by cyberspace to international peace and security. The UN General Assembly noted in Resolution 69/28 (2014) the increasing concerns about the use of information technologies “for purposes that are inconsistent with the objectives of maintaining international stability and security” (UN Doc. A/Res/69/28, 2 December 2014, preambular para. 9). The importance of understanding when cyber operations represent a threat to international peace and security lies in the Security Council’s Chapter VII powers. Under Article 39 of the Charter, its powers to adopt non-forceful and forceful measures can only be activated once there is a determination that a cyber operation is a “threat to the peace, breach of the peace, or act of aggression.” Academia has so far paid only limited attention to analysing the conditions under which cyber operations can reach this level. This post aims to fill this gap by assessing whether, and if so under what conditions, cyber operations can trigger the applicability of Article 39 of the Charter.

Cyber operations and the threshold of Article 39

A cyber operation must be understood as a broad concept, incorporating “the employment of cyber capabilities with the primary purpose of achieving objectives in or by the use of cyberspace” (Tallinn Manual, para. 2, p. 15). The Tallinn Manual experts unanimously agreed that the Security Council possesses the authority to determine that a cyber operation constitutes a threat to the peace, breach of the peace, or act of aggression (Tallinn Manual, Rule 18).
The question remains, however, what are the prerequisite circumstances for such an operation to attain the level of gravity required by Article 39? A breach of the peace is generally characterized by armed hostilities between States, while an act of aggression manifests through the direct or indirect use of force. The concept of “threat to the peace” is the broadest and the one most frequently used by the Security Council. From a cyber perspective, the two former scenarios, although theoretically possible, remain less likely to occur in practice since the Security Council has yet to make a determination that an event amounted to an act of aggression, and only a handful of situations were found to have breached the peace (e.g. the invasion of South Korea or Kuwait). For this reason (and taking into account also spatial limitations) this post focuses on the circumstances qualifying cyber operations as a threat to international peace and security.

The Security Council has broad discretion under Article 39 to conclude that any kind of conduct or situation amounts to a threat to international peace. Finding the lowest common denominator across the Council’s past practice falls beyond the scope of this post, but suffice it to say that a “threat to the peace” is deemed a political concept (Tadić Decision on Interlocutory Appeal on Jurisdiction, 2 October 1995, para. 29) that builds on the Council’s interpretation of the concept of “peace”. Although the early practice of the Council has shown a narrow interpretation of this concept, viewing “peace” as the absence of use of force between States (J. Frowein, ‘Article 39’ in B. Simma (ed.) The Charter of the United Nations: A Commentary (2nd edn., OUP, 2002), at p. 720), the recent practice of the Council indicates its willingness to broaden that interpretation. This is best evidenced by the Council’s acknowledgement that the HIV/AIDS pandemic can pose a security threat (SC Res. 1308, 17 July 2000) as well as the determination on the existence of a threat to international peace and security in West Africa due to the outbreak of Ebola (SC Res. 2177, 18 September 2014).

Nonetheless, the Council has always been careful to consider the impact of an internal situation upon regional or international stability. This criterion is common across all Article 39 determinations, and entails that any event or phenomenon that undermines regional or international stability by creating a risk for unrest or hostilities in the short or medium term could fall within the purview of Article 39. Thus, a cyber operation will amount to a threat to peace within the meaning of Article 39 when it creates the threat of jeopardizing regional or international stability. Cyber operations targeting the critical infrastructure of a State will likely fulfill this threshold. Similarly, the US DoD concluded that “computer network attacks that caused widespread damage, economic disruption, and loss of life could well precipitate action by the Security Council” under Article 39 (US DoD, An Assessment of International Legal Issues in Information Operations, May 1999, p. 15).

The cyber operation itself need not be a violation of international law per se for it to fall within the ambit of Article 39. This raises interesting questions about the exploitation of cyberspace for the purposes of espionage, which is, in principle, not prohibited by international law. This question is particularly relevant in the aftermath of Edward Snowden’s revelations regarding the NSA’s surveillance programme in 2013. In my view, there are two main approaches to assessing cyber espionage under Article 39. Firstly, relying on the threshold set out above, cyber espionage could represent a threat to international peace and security when it creates destabilizing effects on regional or international stability to the extent that a potential risk of unrest and hostilities between States will arise.
One example would be recourse to dual-use malware that not only steals information but also produces widespread destructive or disruptive effects. However, it is unlikely that data breaches on their own would fall within the scope of Article 39 unless there is a prospect for hostilities as a result of the breaches. Furthermore, due to the threat of veto by any permanent member of the Security Council, it remains unlikely that in the near future cyber espionage incidents will be formally declared a threat to international security. The alternative approach is to