INTERNATIONAL LAWS APPLICABLE TO CYBER-WARFARE

by
Heather Kingsbury

A Capstone Project Submitted to the Faculty of

Utica College

December 2014

in Partial Fulfillment of the Requirements for the Degree of

Master of Science in
Cybersecurity

UMI Number: 1571360

All rights reserved

INFORMATION TO ALL USERS
The quality of this reproduction is dependent upon the quality of the copy submitted.
In the unlikely event that the author did not send a complete manuscript
and there are missing pages, these will be noted. Also, if material had to be removed,
a note will indicate the deletion.

UMI 1571360
Published by ProQuest LLC (2014). Copyright in the Dissertation held by the Author.
Microform Edition ProQuest LLC.
All rights reserved. This work is protected against
unauthorized copying under Title 17, United States Code

ProQuest LLC.
789 East Eisenhower Parkway
P.O. Box 1346
Ann Arbor, MI 48106 - 1346

 Copyright 2014 by Heather Kingsbury

All Rights Reserved

ii

Abstract
With the creation of a new domain of warfare comes the daunting task of regulating the actions
that are taken within this domain. Cyber-warfare, while still new in its development, has been
undefined and unregulated since it first came about in 2007. Many attempts have been made to
regulate cyber-warfare and create guidelines for nation-states to take while engaging in activities
within this domain however, all have seemingly fallen short. This body of research explores why
it is critical that nation-states work together to construct a universal set of international laws
applicable to cyber-warfare. The research examines attempts of regulating the cyber-domain and
possible cyber-attacks that can occur in the cyber-domain as acts of war. The research culminates
in a recommendation of detailed steps that could be taken in order to provide a basis for a
universal set of laws applicable to cyber-warfare. This body of research will allow others to
examine international laws applicable to cyber-warfare and conduct further research.
Keywords: Cybersecurity, Cynthia Gonnella, International Laws, Cyber-Warfare, CyberDomain, Cyber-Attacks, Legal Framework

iii

Acknowledgements
I would like to thank Professor Cynthia Gonnella, Jesus Lopez, and Harry Cooper for he lping me
during the writing process of this paper. I would also like to thank my family for all of their
support.

iv

Table of Contents
International Laws Applicable to Cyber-Warfare............................................................................... 1
Definition of the Problem ................................................................................................................ 2
Deficiencies in Current Research .................................................................................................... 4
Literature Review ................................................................................................................................. 7
Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4) ..................................... 8
The Tallinn Manual ........................................................................................................................ 12
The use of force.......................................................................................................................... 15
International Humanitarian Law.................................................................................................... 17
IHL and the challenges of contemporary armed conflicts. ...................................................... 18
Revisiting the Estonian Cyber Attacks ......................................................................................... 21
Discussion of the Findings ................................................................................................................. 24
The International Legal Framework.............................................................................................. 24
Measured Responses in the Cyber Domain .................................................................................. 26
The Use of Force ............................................................................................................................ 29
Lessons Learned from Estonia....................................................................................................... 32
Limitations of the Study ..................................................................................................................... 35
Recommendations for Further Research ........................................................................................... 36
Conclusion........................................................................................................................................... 38
References ........................................................................................................................................... 41

International Laws Applicable to Cyber-Warfare

In 2010, United States President Barack Obama declared that war had officially entered a
fifth domain- cyberspace (The Economist, 2010). Unlike the threats that lay within the domains
of land, air, sea, and space, war within cyberspace uses constantly evolving computerized
weapons, and it does not always come with the markings of the enemy. The digital footprints of
the enemy can disintegrate within seconds, leaving the victim of the attack unable to determine
who was responsible and how to respond to the attack at hand. Due to the new and constantly
evolving cyber-domain, the lines between war, terrorism, and espionage are blurred, and
attempts to govern international actions within cyberspace have been few and far between. The
purpose of this research was to examine international laws applicable to cyber-warfare. How
equipped is the international legal framework to handle state sponsored cyber-warfare? What
lessons can be learned from the 2007 Estonia attack? How does the United Nations charter on
use of force govern response to cyber attacks? What is considered a measured response in
cyber as opposed to conventional warfare?
Existing laws, including the law of war, cover only a very small portion of cyber-attacks,
including those that amount to an armed attack, or those that take place in the context of an
ongoing armed conflict (Crootof, Hallaway, Levitz, Nix, Nolan, Perdue, & Spiegel, 2012). Laws
such as this provide a slightly useful legal framework, however other existing domestic and
international laws also try to offer equally fragmented assistance in addressing cyber-attacks.
Even though some basic fragmentary laws exist, there is a lack of clarity on how these fragments
of international law apply to cyber-warfare. The truth is that the majority of the treaties, accords,
and other international agreements that currently govern international politics are out of date and
out of touch with regards to this new transnational arena of cyber-war. It is only after recent

cyber-attacks, such as the crippling attacks on Estonia in 2007, which have nations reconsidering
the idea of cyber-war and the laws that surround these attacks.
Definition of the Problem
A new set of detailed laws applicable to cyber-warfare are needed for a variety of
reasons. According to Scheherazade Rehman, the Director of the European Union Research
Center (EURC) and Professor at George Washington University, cyber-attacks were not elevated
to warfare status until 2007. This took place only after the nation of Estonia let the world know
that they were under a cyber-attack from the Russians. The Russians launched massive
coordinated cyber-attacks on the Estonian public and private sectors, bringing down Estonian
banks, parliament, ministries, newspapers, and television (Rehman, 2013). Due to the origin of
the attacks, the domain in which the attacks surfaced, and the fact that the attacks were state
sponsored, this was newly categorized as being cyber-warfare.
The ability of cyber-weapons and the way in which the cyber-domain can be used as a
war zone is currently unknown. Nam Nguyen, a student at the Australian Defense Force
Academy wrote that, significant debate is required over the scope of cyber capabilities and how
they might be used in future armed conflicts and in international relations (Nguyen, 2013, p. 1,
para. 18). In addition, Anna-Maria Talihrm, a Senior Analyst of the Legal and Policy Branch,
North Atlantic Treaty Organization (NATO) Cooperative Cyber Defense Centre of Excellence,
wrote that, For years, malicious cyber-activities have been affecting individuals, private entities,
and governmental organizations (Talihrm, 2013, p. 1, para. 3). These activities have been the
actions of both individuals acting for a cause, and the actions of nation-states carrying out large
scale incidents such as those that hit Estonia. To date, when these malicious activities occur,

there have been few laws to govern the attacks and the corresponding countermeasures.
Therefore, significant debate is in fact required over cyber capabilities and how they can be used.
While it is unknown how cyber weapons may be used in future conflicts and in war, the
tools of cyber-warfare are easily acquired and used. Due to the relative ease of acquiring such
tools, ruthless nations who, until this point, were considered unthreatening due to their lack of
conventional forces, become threatening in the cyber domain (Chatterjee, 2014). With more and
more nations growing in power due to cyber-weapons and cyber-attack capabilities, it is
important that governments ensure that their critical infrastructure is protected against different
types of cyber-threats, and that their legal and policy frameworks allow effective ways to deter,
defend, and mitigate cyber-attacks (Talihrm, 2013).
When attempting to determine how cyber capabilities may be used and how to govern
their use, the examination of existing laws concludes that a new legal framework is needed to
address cyber-attacks and cyber-warfare. Not only should this framework exist domestically
within each nation, the framework should also be extended into the international arena where it
can become a critical part of an international solution. While examining these laws in relation to
cyber capabilities and future armed conflicts, there may be value in determining how equipped
the international legal framework is to handle state sponsored cyber-warfare. Looking back, what
lessons can be learned from the 2007 Estonia cyber-attacks, and what is considered a measured
response in cyber-warfare as opposed to conventional warfare? Finally, how does the United
Nations charter on the use of force govern response to cyber-attacks?
While determining proper laws and responses to cyber-attacks, nation-states will need to
consider the impact of this new form of warfare on their civilians. According to Yoram Dinstein
(2012), Professor Emeritus at Tel Aviv University and a prominent authority on the laws of war,

many conventional weapons are incapable of distinguishing between civilian and military
targets. When related to cyber-war, cyber-weapons take on similar qualities (Dinstein, 2012).
These weapons and/or attacks cannot distinguish between military and civilian networks, which
may in turn spread and cause loss of innocent civilian life. Even if it were possible to distinguish
between military and civilian networks, the next challenge for regulating the actions of
individuals arises. Unfortunately, while a treaty may regulate the behavior of nation-states so that
they do not harm civilians, they may not necessarily prevent non-state actors from breaching the
principles of the treaty (Dinstein, 2012). Once a cyber-attack leads to a cyber-war, it is extremely
possible that civilians will see the consequences. Since the cyber-war is likely to impact
civilians, it is necessary that nation-states have a legal framework in place to handle not only
state sponsored cyber-warfare, but also the effects that it may have on their innocent civilians.
Deficiencies in Current Research
While the cyber domain is still new, it is rapidly evolving and increasingly being looked
at as a new way to conduct attacks. Because the cyber-domain is newly emerging, there have
been minimal attempts to regulate actions within the domain and the ways in which it is used as
an attack vector. Several reasons exist for the deficiencies in examining cyberspace, cyberwarfare, and any type of governance within this domain. The most critical reason that laws have
not been determined for cyberspace, is that the internationally accepted definitions of cyberattack, cyber-warfare, and cyber-crime are either vague or non-existent (Crootof et al.,
2012). In fact, any type of threat relating to cyber-security is not mentioned as being part of a
weapon of mass destruction. Without proper definitions of these terms, it is impossible to attempt
to regulate them.

To date, there have been two government-led efforts to define the scope of the threat
posed by cyber-attacks, and the definitions of cyber-attack and cyber-warfare (Crootof et al.,
2012). One of these efforts was led by the United States Government, while the other was led by
the Russia- and China-led Shanghai Cooperation Organization. The definitions and the
understanding of the problem were very different between these two efforts. While the United
States National Research Council defined cyber-attacks as, deliberate actions to alter, disrupt,
deceive, degrade, or destroy computer systems or networks or the information and/or programs
resident in or transiting these systems or networks, the Russia- and China-led Shanghai
Cooperation Organization took to defining information war as, mass psychologic[al]
brainwashing to destabilize society and state, as well as to force the state to take decisions in the
interest of an opposing party (Crootof et al., 2012, p. 9, para. 1-2). The lack of uniformity
between these two definitions causes a problem when attempting to combat cyber-warfare and
create a legal document to govern the cyber-domain. While the United States might approach
cyber-warfare in one way, Russia and China may not agree and approach cyber-warfare in a
completely different way. Therefore, defining these terms is crucial to creating and adapting the
proper laws and legal responses.
Cyber-warfare is very subjective at this point. In order to properly govern cyberspace and
cyber-warfare, it is necessary to determine what constitutes as cyber-warfare regardless of the
parties involved. History has shown that conventional weapons of mass destruction bring about
detrimental and widespread effects. This leads governing bodies to imagine the possible impacts
of a real cyber-attack and cyber-warfare. According to Crootof et al (2012):
For well over a decade, analysts have speculated about the potential consequences
of a cyber-attack. The scenariosranging from a virus that scrambles financial

records or incapacitates the stock market, to a false message that causes a nuclear
reactor to shut off or a dam to open, to a blackout of the air traffic control system
that results in airplane crashesanticipate severe and widespread economic or
physical damage. (Crootof et al., 2012, p. 7, para. 1)
Regardless of these speculations, none of these scenarios have transpired. Instead, smaller
incidents such as denial-of-service (DOS) attacks, the Stuxnet worm, etc. have occurred, and
have only been categorized as cyber-nuisances instead of acts of cyber-war. Therefore, without
solid examples of actual cyber-attacks that can be categorized as cyber-warfare, it is impossible
to regulate an undefined body of warfare. Should a cyber-attack be considered a weapon of mass
destruction, or simply one of distraction and inconvenience? Not only is it difficult to define and
regulate, it is also difficult to determine what a measured response would be when a nation is
faced with a cyber-attack.
It is necessary to examine international cyber-warfare laws for more reasons than to
define specific terminology or speculate possible attacks. To begin with, if cyber-warfare is the
undeniable future of war, then nation-states are going to want to know whether or not cyberoffensives will come under the rules of international law (Chatterjee, 2014). These nation-states
will be interested in knowing if there are any limits that are applied to cyber-war, and what
action can be taken in response within the law (Chaterjee, 2014). If and/or when an actual cyberwar has begun, states will also want know the rules that apply to the conduct of cyber-war, if any
rules on neutrality apply, what a measured response to an attack would be, and what cyberweapons and targets are permissible.
When debating upon what targets are permissible within cyber-warfare, any nation-state
with a critical infrastructure is also in a position to be interested in international laws applicable

to cyber-warfare. Because cyber-weapons are so easily obtainable, and because the attack may
spread to networks other than the intended target, anyones critical infrastructures are prone to
being hit. Any attack against a nation-states critical infrastructure, including their energy and
transport networks, financial markets, and hospitals can have immediate and devastating effects
(Chatterjee, 2014). Would international laws applicable to cyber-warfare take on similar qualities
as laws surrounding armed conflict and the strict ban on attacking critical infrastructures?
Finally, one of the most interested parties of any laws applicable to cyber-warfare would
be those who are potential victims of a cyber-attack. For example, a specific subset of machines
within an Iranian nuclear plant fell victim to a cyber-attack when the Stuxnet worm was
deployed into the Natanz power plants computer systems in 2010. This worm infected and
manipulated 1,000 centrifuges being used by the Iranians to enrich uranium, altering the
centrifuges programming with a programmed instruction set. In turn the devices remained in
what looked like a functional state, but were actually rendering the byproduct useless (Kelley,
2013). After being hit with this attack, Iran was stuck in the position of determining their
response. Does a cyber-attack such as this potentially authorize Iran to respond with a physical
attack? When other nations are hit with cyber-attacks, do they hold a legal right to carry out a
physical attack? These questions along with several others are extremely important to take into
consideration when creating an international set of laws applicable to cyber-warfare.
Literature Review
In order to properly examine the international laws applicable to cyber-warfare, it is
important to review relevant pieces of literature that cover the topic in question. This would
include proposed laws, pre-existing laws and articles relating to previous attacks. The below

pieces of literature delve into the topics of international law in relation to cyb er-warfare, the
proper use of force, and lessons learned from previous cyber-attacks.
Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)
The article Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)
(2011) was written by Matt Waxman, Associate Professor at Columbia Law School, Adjunct
Senior Fellow at the Council on Foreign Relations, and member of the Hoover Institution Task
Force on National Security and Law. This article, which appeared in the Yale Journal of
International Law, examines the United Nations Charters Article 2(4) which relates to the use of
force in conflicts, and attempts to apply it to the cyber-domain and cyber-warfare. For the sake of
his argument, Waxman defines cyber-attacks as efforts to alter, disrupt, or destroy computer
systems or networks or the information or programs on them (Waxman, 2011). Waxman also
mentions that throughout his discussion, he is concerned with jus ad bellum issues which
includes whether cyber-attacks constitute an act of aggression or would justify resort to armed
force in response. Therefore, he is not necessarily concerned with jus in bello issues which
relates to how the laws of war would govern the use of cyber-attacks during an ongoing armed
conflict (Waxman, 2011).
In the article, Waxman brought up four scenarios that may be possible attacks. All of
these attacks are said to have the same impact on Irans financial system, and similar effects on
the economy and population of Iran. These scenarios are as follows:
(1) Military air strikes against key Iranian banking facilities to destroy some of
the financial systems physical infrastructure;
(2) A regulatory cut-off of Iranian banks from the U.S. financial system, making it
difficult for Iran to conduct dollarized transactions;

(3) Covert flooding of the Iranian economy with counterfeit currency and other
financial instruments;
(4) Scrambling Iranian banking data by infiltrating and corrupting its financial
sectors computer networks. (Waxman, 2011, p. 421, para. 2)
Upon laying out these scenarios, Waxman asked the question of, Which of these options
constitute uses of force, subject to the United Nations Charters prohibitions and self-defense
provisions (Waxman, 2011, p. 421, para. 2)? Waxman answers this question by examining the
different ways in which force is used, and examining the above scenarios in relation to each type
of force.
As it stands now, the definition of force is not agreed upon. When it comes to defining
the use of force, Waxman wrote that defining the use of force and the modes of conflict have
distributive effects on power. Therefore, these things will most likely be shaped by power
relations. Nation-states with more power will have an influence over what constitutes as force.
Waxman examines the use of force and the ways in which it can be used by nation-states in three
different ways force as armed violence, force as coercion, and force as interference.
Historically speaking, the United States and its major allies have believed that Article
2(4) and Article 51of the United Nations Charter apply only to military attacks or armed
violence. Article 2(4) states that, [a]ll Members shall refrain in their international relations from
the threat or use of force against the territorial integrity or political independence of any state, or
in any other manner inconsistent with the Purposes of the United Nations (Waxman, 2011, p.
426, para. 5). On the other hand, Article 51 reads that, [n]othing in the present Charter shall
impair the inherent right of individual or collective self-defense if an armed attack occurs against

a Member of the United Nations (Waxman, 2011, p. 426, para. 5). Generally speaking, it has
been agreed that Article 51 creates an exception to Article 2(4)s strict prohibition of force.
Force as armed violence has historically prevailed over alternative interpretations such as
coercion or interference (Waxman, 2011). Waxman brings to light the fact that the preamble of
the United Nations Charter sets out the goal that, armed force not be used save in the
common interest (Waxman, 2011, p. 428, para. 1). Furthermore, Articles 41 and 42 of the
Charter specifically authorize the United Nations Security Council to take actions not involving
armed force. However, if the previously attempted actions prove inadequate, the Security
Council can escalate their actions to include armed force (Waxman, 2011).
Article 51 of the United Nations Charter speaks directly to the idea of self-defense
against armed attacks (Waxman, 2011). Waxman suggests that because this Article directly
focuses on counter-arguments to force as armed violence, that those who created the Charter had
the intention of regulating armed force differently and more strictly than other coercive
instruments (Waxman, 2011). In other words, those who drafted the Charter envisioned force
as armed violence. With all of these things taken into consideration, the first scenario that
Waxman listed above regarding the possible attacks on Irans financial network would be said to
violate the United Nations Charters Article 2(4) or could give itself rise to a right of armed selfdefense (Waxman, 2011). This is because the first scenario is the only attack that involves an
attack with military violence.
Article 2(4) of the United Nations Charter also looks at the general effect of an attack,
and prohibits coercion. Armed force is not the only instrument of coercion, however it is the
easiest to identify. Throughout history, some nation-states, especially those of the developing
world, argue that force includes other types of pressure. These types of pressure would include

10

political and economic coercion which threatens a nation-states autonomy (Waxman, 2011).
Because coercion is more than military pressure, debates have been had over the definition of
aggression. The United States and its allies have focused on military attacks defining
aggression, and developing states pushed for a definition that included other forms of coercion
and economic pressure (Waxman, 2011).
If Article 2(4) is interpreted in this way, than Waxman writes that all four of his scenarios
regarding attacks on Irans financial network would constitute as prohibited force. This is due
to the fact that all four of these scenarios are intended to, exert coercive pressure on Iran to
forego its nuclear ambitions by exacting or threatening crippling costs to its financial sector
(Waxman, 2011, p. 429, para. 2). Under the idea of coercion as force, military action is not the
only approach that would justify as coercion. Under Article 2(4), some nations have argued that
economic coercion could be so intense that it could justify armed force in self-defense under
Article 51. This approach is difficult however, and raises more questions, as it is not easy to
distinguish unlawful coercion from lawful pressure (Waxman, 2011).
Finally, force as interference is another way in which Article 2(4) and Article 51 of the
United Nations Charter can be interpreted. This approach focuses on the violation and defense of
rights, including a nation-states right of sovereign dominion (Waxman, 2011). Force as
interference brings together the concept of force and improper interference with the rights of
other nation-states. This approach focuses on the object and character of the actions of a nation
state instead of a narrow set of means or their coercive effect (Waxman, 2011). The idea of
subversive intervention or interference with other nation-states political systems has been a
concern throughout history. Some nation-states have advocated for expansive interpretations of
prohibited force, including subversion. These nation-states want to protect their systems from

11

outside interference while still participating in the broader international political community
(Waxman, 2011). On the other hand, some nation-states want the benefits that stem from
international informational connectivity, while also securing their computer and communication
networks from outside hostile or undermining influences and intrusions (Waxman, 2011).
Taking the above argument into consideration, Waxman states that the first, third, and
fourth scenarios regarding Irans financial network would be considered a use of force. This
would be due to these three scenarios being defined as an intrusion into another sovereigns
domain (Waxman, 2011). The second scenario which is characterized by financial sanctions
would be excluded because a nation state has a right to determine who it wants to conduct
commerce with.
The Tallinn Manual
The Tallinn Manual is the product of a three year effort by twenty renowned international
law scholars and practitioners at the invitation of the NATO Cooperative Cyber Defense Centre
of Excellence. This document follows in the footsteps of previous attemp ts to govern cyberwarfare, including documents such as the International Institute of Humanitarian Laws San
Remo Manual on International Law Applicable to Armed Conflicts at Sea and the Harvard
Program on Humanitarian Policy and Conflict Researchs (HPCRs) Manual on International Law
Applicable to Air and Missile Warfare (Schmitt, 2013). By taking these policies into account, the
Tallinn Manual identifies international law applicable to cyber-war by laying out ninety-five
black letter rules that should be applicable when conducting operations within the newly formed
cyber-domain. While the Tallinn Manual works hard to address international laws applicable to
cyber-warfare, it is not an official document and it does not represent the view of NATO
(Schmitt, 2013).

12

The Tallinn Manual addresses the threshold questions of whether or not existing law
applies to cyber issues at all, and if so, how. This is done by examining international law
governing cyber-warfare, including both, the jus ad bellum, the international law governing the
resort to force by nation-states as an instrument of their national policy, and the jus in bello, the
international law regulating the conduct of armed conflict (Schmitt, 2013, p. 18, para. 3). The
emphasis of the Tallinn Manual is on cyber-to-cyber operations, including the launch of a cyberoperation against a nation-states critical infrastructure, or a cyber-attack targeting enemy
command and control systems (Schmitt, 2013). Therefore, this manual does not take into
consideration anything relating to physical warfare or simple cyber-nuisances such as hacking or
jamming (Schmitt, 2013).
One of the main points that the Tallinn Manual makes, is that under International law,
nation-states may be responsible for the cyber-operations that are conducted by parties within
that nation state. This includes both government entities and non -State actors (Schmitt, 2013).
Regardless of the party that carries out the attack, the Tallinn Manual also laid out guidelines for
proper countermeasures in the event of a cyber-attack, and while an individual may carry out an
attack against a nation-state, countermeasures may not be directed against individuals or violate
peremptory norms or international law (Schmitt, 2013). According to the Tallinn Manual, a
cyber-attack is, an offensive or defensive cyber-operation that is reasonably expected to cause
injury or death to persons or damage or destruction to objects (Schmitt, 2013, p. 106, para. 2).
This definition is important to take into consideration when determining if the Tallinn Manual is
applicable in a situation; both in terms of the original attack and any proposed countermeasure.
Rule nine of the Tallinn Manual specifically states that, A State injured by an
internationally wrongful act may resort to proportionate countermeasures, including cyber

13

countermeasures, against the responsible State (Schmitt, 2013, p.36, para 1). These
countermeasures may only be resorted to by a nation-state after the nation-state under attack has
called on the attacking nation-state to cease their internationally wrongful act (Schmitt, 2013).
The Tallinn Manual states that if the internationally wrongful act in question has ceased, the
victim State is no longer entitled to initiate or to persist in, countermeasures, including cyber
countermeasures (Schmitt, 2013) If the attacking nation-state has been called on to cease their
attack and they fail to do so, the sole purpose of countermeasures that follow is to induce the
responsible state to resume compliance with its international legal obligations or to achieve
compliance directly (Schmitt, 2013).
Under this rule, the countermeasures that a nation-state takes must be proportionate and
necessary, as the actions that a victim nation-state takes would most likely be unlawful and a
violation of international law had it not been for the original attack. Two tests of proportionality
have been created to determine what countermeasures are acceptable. The first states that
countermeasures should be proportionate to the gravity of the original breach, and the second
states that countermeasures must be commensurate with the injury suffered (Schmitt, 2013). A
proportionate attack under this rule lie in the form of State A lawfully responding with cyber
operations against State Bs irrigation control system in response to State B launching a
cyber-operation against an electrical generating facility at a dam in State A in order to coerce
State A into increasing the flow of water into a river running through the two States (Schmitt,
2013).
While the countermeasures that a nation-state chooses to carry out should be
proportionate, they should consist of measures that have temporary or reversible effects.
Countermeasures that involve the permanent disruption of cyber functions should not be engaged

14

in circumstances where it is possible for a nation-state to temporarily disrupt a cyber-function

and achieve the necessary effect (Schmitt, 2013). If the nation-state does engage in
countermeasures that may have an effect on another nation-state, the countermeasures that are
chosen may not seriously impair the essential interests of the nation-states that are affected by
them (Schmitt, 2013). In some cases, a nation-state has to engage in countermeasures that are not
necessarily against another nation-state, but instead taken internally. For instance, a nation-state
may choose to shut off certain cyber infrastructures of their own, even if doing so affects systems
in other nation-states. When doing this, a nation-state must make sure that this is the only way
available to safeguard the systems in question, and their actions must not seriously impair the
essential interests of other States or of the international community (Schmitt, 2013).
When a nation-state is determining the appropriate countermeasures to carry out, the
cyber countermeasures that they choose may not rise to the level of an armed attack. However,
the Tallinn Manual states that proportionate countermeasures could involve a limited degree of
military force in response to circumstances below the Article 51 threshold of armed att ack
(Schmitt, 2013). Furthermore, these countermeasures may also not involve the threat or use of
force (Schmitt, 2013). The Tallinn Manual does however address the use force and when force
can be used when dealing with cyber-warfare.
The use of force. The Tallinn Manual addresses the issue of the use of force by laying
out ten distinct rules. These rules were based off pre-existing laws regarding the use of force,
both relating to cyber-conflicts and non-cyber conflicts. Article 2(4) of the United Nations

15

Charter provided a basis for several of these rules. Article 2(4) of the United Nations Charter
states that:
All members of the United Nations shall refrain in their international relations
from the threat or use of force against eh territorial integrity or political
independence of any State, or in any other manner inconsistent with the purposes
of the United Nations. (Schmitt, 2013, p. 45, para. 4)
This Article applies only to members of the United Nations, and to non -member states by
virtue of customary international law (Schmitt, 2013). On the other hand, Article 2(4)
does not apply to the acts of non-state actors, which includes individuals, organized
groups, and terrorist organizations, unless they are attributable to a state pursuant to the
law of state responsibility (Schmitt, 2013).
While the United Nations Charter does not apply to non-state actors, the Tallinn Manual
specifically states that, A state that is the target of a cyber-operation that rises to the level of an
armed attack may exercise its inherent right of self-defense. Whether a cyber-operation
constitutes an armed attack depends on its scale and effort (Schmitt, 2013, p. 43, para. 1). In
order to address the use of force, the Tallinn Manual references Article 51 of the United Nations
Charter which recognizes the right of self defense. The Tallinn Manual does this by stating that
nothing within the United Nations Charted should impair the inherent right of an individual or
collect self-defense if an armed attack occurs against a member of the United Nations (Schmitt,
2013). In this case, self-defense extends beyond kinetic armed attacks, and includes attacks that
are carried out solely through cyber-operations. Any action that is taken in self-defense by a
nation state that involves cyber-operations pursuant to Article 51 must immediately be reported
to the United Nations Security Council (Schmitt, 2013).

16

Force can only be used if two sets of criteria are met. First, the Tallinn Manual mentions
that force can only be used if the scale and effects of a cyber-operation are comparable to the
scale and effects of a non-cyber operation. Secondly, the force that is used must be necessary and
appropriate (Schmitt, 2013). The force that is used should not simply be economic or political
coercion. The Tallinn Manual specifically states that, non-destructive cyber psychological
operations intended solely to undermine confidence in a government or economy do not qualify
as uses of force (Schmitt, 2013, p. 46, para. 3). Instead, the International Court of Justice held in
the Nicaragua case found that arming and training guerilla forces that engage in hostilities
against another state was a use of force (Schmitt, 2013). In terms of cyber-warfare, force would
include, providing an organized group with malware and the training necessary to use it to carry
out cyber-attacks against another state (Schmitt, 2013, p. 45, para. 4). Furthermore, the
International Court of Justice also found that while the use of malware may constitute as force in
a cyber-operation, an armed attack may be carried out as a use of force if the cyber-operation
rises to that level (Schmitt, 2013). Its important to take into consideration that when determining
the use of force and an appropriate response to a cyber-attack, any cyber-operation that carries
out a threatened unlawful use of force, is itself considered an unlawful use of force (Schmitt,
2013).
International Humanitarian Law
International Humanitarian Law (IHL) is a set of rules which seek to limit the effects of
armed conflict (Red Cross, 2011). This law, otherwise known as the Law of Armed Conflict, is
based around Geneva Law and Hague Law. The Geneva Law resulted from the Geneva
Convention and seeks to protect the wounded and sick on land and at sea, prisoners of war and
civilians (Red Cross, 2011). Hague Law is also known as the Soldiers Law and provides rules

17

which, limit the destructive effects of combat exceeding what is really necessary to achieve the
military aim or mission (Red Cross, 2011, p. 37, para. 2). The IHL takes these two laws into
consideration, and lays down practical rules for the conduct of military operations and the
protection of victims.
IHL is part of international law, which governs relations between States (Red Cross,
2011). This law is contained in treaties, conventions, agreements, and customary rules between
nation-states. Nearly every nation-state in the world has agreed to be bound by them (Red Cross,
2011). Any members of the profession of arms are legally obliged to comply, as these laws are
considered legally binding. While almost every nation-state has agreed to these legally binding
laws, history has shown that there have been countless violations of IHL. Regardless of the
violations and the fact that these laws are not always adhered to, the International Conference of
the Red Cross (ICRC) and Red Crescent has attempted to apply these laws to the cyber-domain.
IHL and the challenges of contemporary armed conflicts. Due to the emergence of
cyber-space and the potential for cyber-warfare, the ICRC and Red Crescent have addressed
these issues with the 2011 publication of International Humanitarian Law and the Challenges of
Contemporary Armed Conflicts. Currently, cyber-warfare has not yet been regulated. However,
the ICRC stated that, The fact that a particular military activity is not specifically regulated does
not mean that it can be used without restrictions (Red Cross, 2011, p. 36, para. 5). This new
publication takes into consideration the possibility of cyber-warfare, and attempted to apply the
IHL and determine if it were possible for this law to govern cyber-warfare.
According to the ICRC, means and methods of warfare that resort to cyber technology
should be subject to IHL (Red Cross, 2011). This would mean that any cyber-warfare tactics
used by nation-states as an act of war must adhere to IHL. This is similar to any other weapon or

18

weapon delivery system that has been used in armed conflict in any of the other domains of war.
For example, the ICRC states that if a cyber-operation such as the manipulation of an air traffic
control system that causes the crash of civilian aircraft, is used in order to caused damage, than it
is a method of warfare and should be subject to prohibitions under IHL (Red Cross, 2011).
Therefore, the ICRC believes that IHL is applicable to warfare that takes place within
cyberspace.
Integrating cyberspace as a new war-fighting domain with the legal framework governing
armed conflict is a challenging task (Red Cross, 2011).When determining if cyber-warfare can
be governed by IHL, it is important to take into consideration all of the possible challenges. The
ICRC worked to determine the challenges to governing cyber-warfare, and how these challenges
would be addressed. Anonymity, cyber-attacks, a lack of cyber based definitions, and the
accuracy of cyber-weapons are just a few of the thing that must be addressed before applying
IHL to cyber-warfare.
Today, cyber-space is built on digitalization, which ensures anonymity and therefore
makes it difficult to identify where an attack is coming from. In order for the IHL to take effect,
the IHL relies on individuals and parties to take responsibility for what their actions. If the attack
comes from an anonymous attacker, the challenge of how to enforce the law arises. More
importantly, if the party who created the attack cannot be identified, it is difficult to determine
whether IHL is applicable to the operation (Red Cross, 2011).
Properly defining attack is important when it comes to applying various rules and the
IHL principle of distinction. Additional Protocol I and IHL contain a definition of attack,
however the definition is not identical to subsequent definition in other branches of law. Article
49(1) of Additional Protocol I to the Geneva Conventions cites that attacks means acts of

19

violence against the adversary whether in offense or defense, and the term acts of violence
denotes physical force (Red Cross, 2011). Taking these interpretations into consideration, the
ICRC states that:
Cyber operations by means of worms, viruses, etc. that result in physical damage
to persons, or damage to objects that goes beyond the computer program or data
attacked could be qualified as acts of violence, i.e. as an attack in the sense of
IHL (Red Cross, 2011, p. 37, para. 5).
The issue with the term attack not properly being defined once again arises with IHL. The
ICRC states that cyber-operations do not fall within the definition of attack, if they do not
result in physical destruction, or if the effects of a cyber-operation are reversible. Attacks against
civilian objects may therefore be considered lawful in some scenarios, and therefore they are
technically not covered by existing law according to the ICRC. IHL states that attacks can only
be directed at military objectives. Anything that does not fall within this definition is civilian and
may not be attacked (Red Cross, 2011).
The ICRC brings to light that when cyber-operations constitute as an attack, they may
affect more than the intended target. These operations may not be accurately aimed, and
therefore a cyber-attack could affect civilian infrastructure. This would be due to military and
civilian computer networks being connected. Additional Protocol I of the Geneva Conventions
touches on this subject by stating that:
i) the obligation to direct attacks only against "military objectives" and not to
attack civilians or civilian objects, ii) the prohibition of indiscriminate attacks, as
well as of attacks that may be expected to cause excessive incidental civilian
casualties or damages, and iii) the requirement to take the necessary precautions

20

to ensure that the previous two rules are respected (in particular the requirement
to minimize incidental civilian damage and the obligation to abstain from attacks
if such damage is likely to be excessive to the value of the military objective to be
attacked). (Red Cross, 2011, p. 38, para. 1)
Whether an attack is carried out using traditional weapons or using cyber means, the rules should
operate in the same way (Red Cross, 2011). Furthermore, ICRC believes that it is the obligation
of the attacker to take any possible precautions, regardless of the means and methods, to attempt
to minimize civilian casualties and damages (Red Cross, 2011). Even though there is no IHL
provision that bans cyber-operations, cyber-operations when used in armed conflict should only
be used to the extent in which they respect existing law. Regardless of new technologies, legal
constraints should apply to all means and methods of warfare which resort to cyber technology.
Revisiting the Estonian Cyber Attacks
Stephen Herzog, a research associate with the Strategic Security Program at the
Federation of American Scientists, researched the cyber-attacks on Estonia in 2007 and the
takeaways from these attacks. His findings were published in an article entitled Revisiting the
Estonian Cyber Attacks: Digital Threats and Multinational Responses. Herzog examines the
cyber-attacks on Estonia and reports on the most important takeaways from these attacks.
In April 2007, the Estonian government moved a memorial commemorating the Soviet
liberation of the country from the Nazis to a less prominent and visible location in Tallinn
(Herzog, 2011). This caused uproar by the Russian-speaking minorities. In addition to violent
rioting, cyber-attacks in the form of distributed denial-of-service (DDoS) attacks took place
against Estonias systems. These attacks targeted the countrys infrastructure, shutting down the
websites of all government ministries, major banks, and major political parties. The DDoS

21

attacks also disabled the parliament email server (Herzog, 2011). As a result of these attacks,
Estonian officials were quick to accuse Russia of the attacks, and for the first time cyber-attacks
were categorized a form of cyber-warfare. These attacks made governments around the world
realize that future cyber-attacks could disrupt a countrys critical infrastructure, including its
water and electricity supplies, telecommunications, and national defenses (Herzog, 2011).
During and after these attacks, Estonia had few cyber-defense preparations outside of its
framework for combating against traditional acts of war. Herzog wrote that a high level of
intelligence sharing took place among western countries during the attacks (Herzog, 2011). The
nation of Estonia was so unprepared that the government Computer Emergency Response Team
(CERT) required assistance from outside nations to help the nation get back to its normal
network operations (Herzog, 2011). Not only did other nations assist, but NATO CERTs and the
European Unions Network and Information Security Agency (ENISA) offered assistance and
technical assessments.
Apart from offering its assistance when the attacks on Estonia occurred, ENISA released
its Internal Security Strategy directly after the attacks. This strategy called for integrated
responses to cyber-security threats, and it called for an expansion of its then current duties
(Herzog, 2011). Herzog reported that both NATO CERT and ENISA came up with a set of longterm plans that were designed to counter cyber-attacks. NATO came up with the Strategic
Concept in Lisbon in November 2011. This stated that the alliance would work to develop
strong, integrated Internet defense capabilities. ENISA released the Digital Agenda for Europe
which revealed its plans to establish CERTS for all European Union members, hold
multinational cyber-dense simulations, and it created a joint European cyber-crime platform
(Herzog, 2011).

22

While European Commission and NATO technical experts were unable to find credible
evidence that the Russians were responsible for these cyber-attacks, several lessons were takealways from this small act of cyber-warfare. After the events of Estonia unfolded, other groups
of hackers may have been tempted to engage in similar cyber-attacks. Due to the severity of the
DDoS cyber-attacks on Estonia, it became clear to the rest of the world that any future attacks by
these hackers could cause possible devastating effects and target and destroy the critical
infrastructures of even the most technically sophisticated nation-states (Herzog, 2011). Not only
could the attacks by unaffiliated hackers be of concern, but nation-states may also begin to
develop and improve their own cyber-warfare capabilities. Countries such as Russia and China
immediately analyzed the situation that Estonia was faced with, and they then assessed the
vulnerabilities of the nation and the western responses (Herzog, 2011). From there, both Russia
and China improved their own cyber-warfare capabilities and strategies.
The Estonian cyber-attacks demonstrated that laws such as NATO Article 5 and the
United States nuclear umbrella guarantees cannot protect a nation-states sovereignty in cyberspace. Therefore, in a time of technology driven attacks, new laws are needed to govern warfare.
As the capabilities of nation-states to participate in cyber-attacks grew, many countries were led
to include cyber-attacks as an area of concern in their national security doctrines (Herzog, 2011).
For instance, the United States listed cyberspace as a threat alongside traditional warfare,
weapons of mass destruction and transnational crime (Herzog, 2011). This then challenges
countries such as the United States and other independent nations to find ways to allow Internet
freedom while also maintaining early warning and monitoring systems (Herzog, 2011). Herzog
notes that these systems will play an important part in detecting suspicious cyber-activities, and
countering cyber-warfare and cyber-terrorism attempts (Herzog, 2011). Future endeavors will

23

most likely focus on cyber-security and multinational strategies and institutions to counter
electronic threats to nation-states.
Discussion of the Findings
The literature review was conducted to examine international laws applicable to cyberwarfare. The review of available literature provided a better understanding of how equipped the
international legal framework is to handle state sponsored cyber-warfare, and what is considered
a measured response in cyber-warfare as opposed to conventional warfare. Furthermore, it was
necessary to conduct a literature review in attempts to determine how the United Nations Charter
on use of force governs response to cyber attacks, and the lessons that were learned from the
2007 Estonia attacks.
The International Legal Framework
When examining the international laws applicable to cyber-warfare, it is important to
determine whether or not the current international legal framework is equipped to handle state
sponsored cyber-warfare. This may be the most important piece of any law that exists, as it is
extremely important to have a proper response in place for if and/or when cyber-warfare occurs.
Unfortunately, there are more problems that exist than there are answers. All of the reviewed
pieces of literature offer their own approach to an international legal framework by offering up a
specific component that is necessary when attempting to deal with cyber-warfare. Several pieces
offered approaches to the use of force, countermeasures when attacked, and how to handle an
attack in general. Each of these things are crucial when creating an international legal
framework.
While documents such as the Tallinn Manual and the IHL attempt to lay out the proper
frameworks for cyber-warfare, it is extremely important to note that these documents hold no

24

legal standing. In fact, the Tallinn Manual was created by twenty subject matter experts, however
it does not reflect the views of NATO, and is therefore not backed by NATO. The IHL related to
warfare in the four other domains, however the article IHL and the Challenges of Contemporary
Armed Conflicts by the Red Cross only attempted to apply it to the cyber-domain. The ICRC
stated that means and methods of warfare that resort to cyber technology should be subject to
IHL, however that does not mean that they actually are. While the IHL itself is legally binding
for most states, it has not been updated to include cyber-warfare. The document specifically
stated that there are challenges to applying this rule set to cyber-warfare. Finally, even the United
Nations Charter is unable to properly govern the cyber-domain and cyber-warfare. The article
Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4) took a look at the use
of force in relation to cyber-warfare, but only attempted to apply Article 2(4) to cyber-warfare.
Again, this document holds no legal standing. There are too many challenges that exist for a
document to be binding.
Upon reviewing the above literature, it seems as though there is a slight framework that
exists, however current and proposed laws lay out slightly different ideas of who should handle
what once an attack occurs, and how things should be dealt with. In the event of an actual cyberattack occurring, this would make it difficult to determine what to do. Take into account the
Tallinn Manual. The Tallinn Manual states that nation-states may be responsible for the cyberoperations that are conducted by parties within that nation state. This includes both government
entities and non-state actors (Schmitt, 2013). On the other hand, the Red Cross IHL deals
specifically with military and state-sponsored attacks. While it may sometimes be difficult to
determine the origin of an attack, who would handle each type of attack? If a devastating attack
was to come at the hands of an unaffiliated hacker, why would the ICRC not step in to help,

25

especially if the attack affected innocent civilians? Furthermore, if an attack was to be carried out
by a military and/or nation-state, how is it decided which rules are followed? Would the ICRC
take precedent or would the Tallinn Manual take affect? While the rules laid out in the Tallinn
Manual and the laws of the IHL address the attacks differently, it is also important to take into
consideration other governing bodies that have laid out rules to follow in the wake of a cyberattack. Which is the correct set of rules to follow?
While the article entitled Revisiting the Estonian Cyber Attacks: Digital Threats and
Multinational Responses by Stephen Herzog was more directed to the 2007 cyber-attacks
against Estonia and not necessarily a legal framework as a whole, this article gave the reader a
good insight into what needs to happen if an attack occurs. More specifically, this article
reinforced the idea that regardless of the attack or the attack vector, it is important for nation states to work together and share information in order to quickly and efficiently handle an attack
and prevent others from occurring. Not only is it crucial to be able to immediately handle an
attack, it is necessary to have organizations, both international and domestic, in place to
specifically deal with cyber-attacks before they happen, and when they happen. This is crucial
when attempting to create an international legal framework, and is discussed in more detail later
in the paper.
Measured Responses in the Cyber Domain
The reviewed pieces of literature take into account previous cyber-attacks and attempt to
provide a basis for measured responses to cyber-attacks. When determining the proper response
for a cyber-attack, it seems as though there is still confusion relating to whether the response
should be a cyber-related attack in the cyber domain, or a physical attack carried out in any of

26

the other four domains of war. For the most part, a response within the cyber-domain is the most
widely agreed upon response. It is also the most logical.
When it comes to determining the proper measured responses in the cyber-domain, the
Tallinn Manual laid out the best course of action. Included in the Tallinn Manual is a section
specifically relating to proper countermeasures, and when/if a nation -state can engage in
countermeasures to an attack. While the Tallinn Manual seems better than the rest of the laws
when it comes to this subject, there are still loopholes in what a measured response is, and when
a nation-state can engage in a response.
Regardless of any law that attempts to regulate measured responses in the cyber domain,
including the Tallinn Manual, the challenge will always remain that it is most often difficult to
determine the origin of cyber-attacks. This is due to proxies and other forms of masking tools
that exist to hide the origins of attacks. Because of this, the originator of the cyber-attack is
difficult to determine, leaving the targeted nation unaware of who is sending attacks. Therefore,
laws that attempt to regulate countermeasures will pose no importance as it is difficult to
determine where to target the counter-attack. This is where all attempts to govern cyber-warfare
have agreed. The IHL stated that the ICRC relies on individuals and parties to take responsibility
for what occurs. If the author of an attack is unknown, the IHL does not apply (Red Cross, 2011).
The Tallinn Manual is to be carried out in a similar manner, and if the originator of an attack
cannot be identified, a counter-attack should technically not take place.
Since it is difficult to determine the origin of the attack, it is also difficult to determine
where to target a counter-attack. In fact, serious issues could occur if an attack is carried out
against an innocent nation-state. A victim nation-state cannot just speculate or guess who the
initial attacker was. For instance, the 2007 cyber-attacks on Estonia were believed to have come

27

from Russia. This was speculated because the initial argument was over the moving of the
memorial commemorating the Soviet liberation of the country from the Nazis to a less prominent
and visible location in Tallinn, which in turn caused uproar by the Russian speaking minorities.
After the attacks, the European Commission and NATO technical experts were unable to find
credible evidence that the Russians were responsible for these cyber-attacks. Had Estonia had the
means and determination to carry out a counter-attack against Russia, and Russia was not in fact
the originator of the attacks, this would have created large scale problems. What would happen if
a counter-attack was carried out against a nation-state that did not carry out the initial attack?
This could cause serious problems, and create a larger cyber-war than what is already occurring.
When the originator of an attack is in fact known, and a counter-attack is carried out, it is
difficult to determine what a proportionate attack is. Take into account the types of
countermeasures that the Tallinn Manual offers. According to the Tallinn Manual a proportionate
attack is as follows; State A lawfully responds with cyber operations against State Bs
irrigation control system in response to State B launching a cyber-operation against an
electrical generating facility at a dam in State A in order to coerce State A into increasing
the flow of water into a river running through the two States (Schmitt, 2013). This
countermeasure is very specific in nature, however there is no specific rules stating what types of
attacks can be countered, and what types of countermeasures can be used. For instance, if a
nation-state attacks another nation-states systems with a virus, does the affected nation-state also
react with a virus? What if the virus targets the nation-states critical infrastructure? Is the
counterattack also supposed to target a critical infrastructure system? Because cyber-attacks
between nation-states as an act of war have been so sparse in history, it seems as though it is
difficult to determine exactly what is allowed when it comes to counterattacks.

28

Even if nation-states are able to determine exact proportionate attacks for every possible
cyber-attack that is carried out, the question still remains as to when it is appropriate for a
counter-measure to occur. The Tallinn Manual stated that countermeasures are possible when
they are proportionate, when the originator of the attack has first been asked to cease the attack,
and only if the counter-attack has temporary or reversible effects (Schmitt, 2013). The issue here
still seems to be that the word cyber-attack has still not been properly defined. In fact, the IHL
defined cyber-attack as a worm or virus that results in, physical damage to persons or damage to
objects that goes beyond the computer program or data attacked could be qualified as , acts of
violence, i.e. as an attack in the sense of IHL (Red Cross, 2011, p. 37, para. 5). On the other
hand, the Tallinn Manual defined a cyber-attack as, an offensive or defensive cyber-operation
that is reasonably expected to cause injury or death to persons or damage or destruction to
objects (Schmitt, 2013, p. 106, para 2). The IHL mentions the specific things that constitutes as
cyber-attacks while the Tallinn Manual was more generalized. With differences in definitions it
is difficult to determine when a counter-attack can take place, if every nation-state can provide
their own definition of cyber-attack and determine any technical mishap to be an act of cyberwar. Until it is internationally determined exactly what constitutes as a cyber-attack and what
an act of cyber-war is, should counter-measures be carried out against all cyber-nuisances,
whether it is a simple virus, or a devastating blow to a nation-states critical infrastructure?
The Use of Force
The debate surrounding the proper use of force seems to be one of the leading topics in
most pieces of literature regarding international laws applicable to cyber-warfare. Regardless of
the attempted laws that are written, most seem to base their idea of the use of force around the
United Nations Charter Article 2(4). This is similar to most laws that surround the other four

29

domains of war as well. The Tallinn Manual and the article entitled Cyber-Attacks and the Use
of Force: Back to the Future of Article 2(4) offered ways to approach the use of force and
defined when the use of force was acceptable. While these approaches are similar, they do
conflict in their strategies making it difficult to understand how force should be used in cyberwarfare.
The Tallinn Manual seemed to offer a better approach to handling the use of force when
it comes to cyber-warfare. This is because it takes into account several different pre-existing
laws and cases that help to shape the ways in which force should be used. For instance, Articles
from the United Nations Charter and the Nicaragua case, tried by the International Court of
Justice, are just a few of the things that shape the Tallinn Manuals approach to force. On the
other hand, the article Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)
focused only on the United Nations Charters Article 2(4) and applied this to the cyber domain
and cyber-warfare. The Tallinn Manual also focused on cyber-warfare and was not a pre-existing
rule shaped to include the cyber-domain like the United Nations Charter Article 2(4).
While the Tallinn Manual takes into account the pre-existing law, Article 2(4), it alters its
approach on the use of force to include a wider range of parties and attacks. For instance, Article
2(4) only applies to the actions of nation-states, and therefore it only allows for the use of force
to be used when retaliating against the actions of nation-states. The Tallinn Manual has
broadened the parties in which it covers, and allows for the use of force in retaliation to both
nation-states and non-state actors. Not only does the Tallinn Manual cover the actions of both
nation-states and non-state actors, it also allows for the use of force in response to attacks carried
out through the use of physical means and through the sole use of cyber means. On the other
hand, Article 2(4) states that the use of force is carried out through military measures, political or

30

economical coercion, or interference. This applies mainly to warfare on land, in sea, in space, or
in air, and offers little assistance to cyber-warfare.
The article Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)
showed that force can be determined to be three different things; force as armed violence, force
as coercion, and force as self-defense. Article 2(4) clearly states that before using force, the
reason must fall into one of the three categories. Under Article 2(4), force can only be used as
force as armed violence, force as coercion, or force as interference. On the other hand, the
Tallinn Manual stated that the use of force can only be used if two sets of criteria are met. First,
the Tallinn Manual mentions that force can only be used if the scale and effects of a cyberoperation are comparable to the scale and effects of a non-cyber operation. Secondly, the force
that is used must be necessary and appropriate (Schmitt, 2013). Unfortunately it seems that while
both laws offer an explanation of the use force, they dont offer similar definitions or scenarios.
Instead, both laws can be interpreted in very different ways.
While the scenarios that are offered in the article Cyber-Attacks and the Use of Force:
Back to the Future of Article 2(4) are not legally binding, they do offer nation-states with a
better of understanding of when force can be used, and how it can b used. For instance, the
author of the article wrote that force as interference can be seen in a scenario where there is a
covert flooding of the Iranian economy with counterfeit currency and other financial instruments
(Waxman, 2011). The Tallinn Manual offers a more generalized definition of force. The best
attempt that lies within the Tallinn Manual to show what constitutes as force states that in terms
of cyber-warfare, force would include providing an organized group with malware and the
training necessary to use it to carry out cyber-attacks against another state. This vague idea of
force is completely different than the more generalized scenarios that the United Nations

31

Charters Article 2(4) covers. Going forward, the use of force will have to be looked into more
and laid out in specific details when creating a set of universal laws.
Regardless of the document that is attempting to address the use of force, the definition of
force and the ways in which it can be used is something that is still under consideration. Without
an actual, agreed upon definition, it is almost impossible to determine what force is and when it
can be used. Although Article 2(4) of the United Nations Charter offers a good basis for the use
of force and when it is appropriate, the Tallinn Manual, regardless of how much standing it
currently has, offers a more specific and detailed approach to the use of force and should
therefore be referenced when attempting to create a universal set of international laws applicable
to cyber-warfare.
Lessons Learned from Estonia
The 2007 cyber-attacks on Estonia may have been the first declaration of cyber-warfare,
but after reviewing the available literature, the question remains as to whether or not this was in
fact an act of war. Estonia declared the cyber-attacks from Russia as being cyber-warfare, instead
of a larger presence such as the United Nations. After reviewing the United Nations take on
cyber-warfare and all of the necessary components that must be reviewed before determining the
status of warfare, it may not have been as catastrophic as an actual act of cyber-warfare. These
attacks simply took down email servers, websites, banking and political servers. The review of
the above literature showed that this could be categorized simply as a cyber-nuisance. An act of
cyber-warfare would seemingly include something more devastating, such as attacks on a
nations most critical infrastructure, including their power supply, food supply, military, etc.
The attacks on Estonia proved to have provided the world with many lessons regarding
the attacks and the proper response. The article entitled Revisiting the Estonian Cyber Attacks

32

by Stephen Herzog gave the reader an overview of the attacks and the responses that were taken
both domestically and internationally. The biggest takeaways from these attacks are what should
be protected and what needs to happen once an attack occurs.
The Estonia cyber-attacks showed the world the types of things that could be affected
through the use of technology. In this case, websites and email servers were the main targets of
the DDoS attacks, however it is important to note that as small as these attacks may be, they
did cause a decent amount of disruption. It is even more important to realize that the attacks on
Estonia could have been much more detrimental. Had the nations critical infrastructure been
impacted, the nation would have been in much worse shape. While the attacks on Estonia did not
necessarily touch the nations' critical infrastructure, it is important to note that t hese attacks made
governments around the world realize that future cyber-attacks could disrupt a countrys critical
infrastructure, including its water and electricity supplies, telecommunications, and national
defenses (Herzog, 2011). This in turn forced government entities, both domestic and
international, to include cyber-attacks and cyber-warfare in their policy and procedure
documents.
The response that took place as a result of the Estonia attacks was not necessarily
unorganized, however it was not as organized as it could have been. This may have been due to
the lack of a legal framework when attempting to react against the attacks. There was not a
specific structure relating to what organization should head the response, or how the response
should have been handled. When the attacks on Estonia occurred, outside nations and
organizations immediately took to sharing information regarding the attacks and the proper
response (Herzog, 2011). This seems to be crucial in the wake of an attack of any type. By
sharing information, nations are able to identify the source of the issue and how to resolve it

33

through means that they may not have had if they work on their own. Going forward, an
information sharing database may be the key to battling future attacks.
Apart from information sharing, global organizations such as ENISA and NATO CERT
worked to help Estonia. The most important thing to understand is not how ENISA and NATO
CERT assisted Estonia during the attacks, but what the organizations did afterwards. Directly
after the attacks ENISA released its Internal Security Strategy. This strategy called for integrated
responses to cyber-security threats and for an expansion of its then current duties. Furthermore,
both NATO CERT and ENISA came up with a set of long-term plans that were designed to
counter cyber-attacks. NATO came up with the Strategic Concept in Lisbon in November 2011.
This stated that the alliance would work to develop strong, integrated Internet defense
capabilities. ENISA released the Digital Agenda for Europe which revealed its plans to establish
CERTS for all European Union members, hold multinational cyber-dense simulations, and it
created a joint European cyber-crime platform (Herzog, 2011). These strategies are crucial to
take into account when similar attacks happen in the future. These strategies finally help to
provide light on cyber-attacks and responses similar to how the above literature pieces do.
At the nation-state level, these attacks showed governments that nations must have a plan
in place for responding to cyber-warfare. This is evident, as Estonia was so unprepared, that they
had to call on outside nations and organizations to help them in their response (Herzog, 2011).
Nation-states should be aware that technology is growing and the possibility for cyber-attacks is
growing more and more. Each of these nation-states should have an idea of what needs to happen
once an attack occurs. This should include identifying the origin of the attack, the organizations
that would help, and the proper response for each attack type.

34

Limitations of the Study

While the cyber-domain may have been declared the fifth domain of war in 2010, little
has been done to govern actions within the new domain. The cyber-domain is still a relatively
new area that is being explored every day. Furthermore, because this domain is based around
technology, the attacks and attack vectors are constantly changing, making it difficult to properly
govern the domain. The relative newness of this domain is one of the largest limitations of this
study.
Attempts to govern the cyber-domain are scattered amongst nations and organizations.
Upon reviewing several of the proposed laws surrounding cyber-warfare, it seems as though each
nation and organization is proposing their own set of rules, and taking their own stance on this
issue. Because of this, the proposed laws and frameworks that exist are conflicting in their
definitions and strategies. This makes it difficult to properly examine the international laws
applicable to cyber-warfare, and even more difficult to determine whether or not these rules will
be sufficient in the face of cyber-warfare.
Apart from conflicting laws, another issue that exists when attempting to study the
international laws applicable to cyber-warfare is that few attacks have occurred in the domain.
The 2007 Estonia attacks caused the first declaration of cyber-warfare, however this is the only
actual instance of cyber-warfare to date. Therefore, it is difficult to create laws off speculations
and things that have yet to happen. Furthermore, the existing laws that attempt to govern cyberwarfare are based off pre-existing laws such as the United Nations Charter that are aimed at
regulating land, air, space, and sea. These laws are sufficient in their use, however they do not
relate to the cyber-domain or technology at all.

35

Recommendations for Further Research

The purpose of this research was to examine international laws applicable to cyberwarfare. Unfortunately this is difficult to do as there are few constants that have been defined in
the cyber-realm. The lack of definitions and factual data has led to inconsistencies within preexisting laws. It has been previously stated that, significant debate is required over the scope of
cyber capabilities and how they might be used in future armed conflicts and in intern ational
relations (Nguyen, 2013, p. 1, para. 18). Further research in several different areas relating to
cyber-warfare should be conducted in order to better produce a universal and standardized set of
international laws applicable to cyber-warfare.
Further research should be conducted to officially define cyber-attack. While there
have been several attempts, there has been no official definition of attack when referring to an
attack on land, in air, in space, or at sea to date. Therefore, the definition of cyber-attack is also
not officially defined. When attempting to create a framework and laws to govern the cyberdomain, it is important that cyber-attack be properly defined in order to properly create a set of
rules around the types of attacks that can take place against a nation-states computerized
systems. If the term remains undefined, nation-states and international governing bodies could
each determine cyber-attack to mean something different, and therefore each law that is
created may be attempting to govern different things. Furthermore, if cyber-attack remains
undefined, laws that contain this term may only apply to certain things, and not others. In other
words, there will always be ways around laws that contain an undefined term.
Upon defining cyber-attack, the meaning of cyber-warfare should also be
determined. Without knowing what constitutes a cyber-attack, it is impossible to determine
what cyber-warfare is. When a possible cyber-attack occurs, it will be difficult to determine

36

if that attack is a simple cyber-nuisance or if it is full-blown cyber-warfare. This is important

to determine before creating laws that govern cyber-warfare. Laws and frameworks that are
created would essentially treat cyber-nuisances and cyber-warfare completely differently.
Therefore, there would be different responses in the case of cyber-warfare, than there would be
in the case of a simple cyber-nuisance.
Based on previous research regarding cyber-attacks and the laws surrounding them,
further collaboration is recommended in determining the types of attacks that could occur within
the cyber-domain. This study was limited by the fact that there have been few actual cyberattacks that have occurred in the cyber-domain. Due to the lack of attacks, there is little to base
cyber-warfare laws off of, as it is not known what can actually take place through the use of
computerized weapons. Therefore, it is recommended that nation-states put forth effort to
determine the types of attacks that could occur within the cyber-domain, and the type of damage
that these attacks could have. These attacks could range from simple cyber-nuisances to full out
cyber-warfare. It is also recommended that future research analyze how attacks could be given
risk ratings to determine which may be the most detrimental, and the types of effects that these
attacks may have. This research would allow international laws applicable to cyber-warfare to be
based around actual attacks that could occur in future conflicts.
Along with determining all of the possible attacks that could occur within the cyberdomain, it is further recommended that nation-states develop policies relating to what types of
countermeasures are appropriate for each type of cyber-attack. As it has been previously
determined, most if not all, cyber-attacks do not rise to the level of an armed attack. The only
time in which an armed attack is a proper response to a cyber-attack, is in self-defense. It is
important to determine the proper responses to each and every type of cyber-attack before

37

attempting to piece together a universal set of international laws applicable to cyber-warfare.

These measured responses would help when the idea of armed conflict arose by strategically
laying out specific grounds for armed warfare. Furthermore, this would help nation-states to
decipher if they should react to a cyber-nuisance such as a DDoS attack, or if they are restricted
to only respond if something larger such as an act of warfare occurs. It would also let nationstates know if they should use physical, technological, or a combination of both types of
responses. By researching different responses and preparing the groundwork for a set of laws,
whenever an act of cyber-warfare was to occur, the proper responses and what is allowed would
be laid out, allowing for no nation-state to diverge from these responses.
Additional research could also be done to determine how effective international laws
have been in the past. These laws may not necessarily relate to technology or the cyber-domain.
Past laws that have tried to regulate international events should be researched to determine how
effective they have been at creating a response framework, regulating conflict, and responding in
a proper way. By researching the way that these laws attempt to regulate conflict, and whether or
not they have been effective, inferences can be drawn about what has worked in the past, and
what needs to be bettered in order to successfully create and apply laws to the international
community. In other words, cyber-laws can be created from the previously existing international
laws, and the ways in which those laws need to be altered.
Conclusion
As the cyber domain gains more attention and becomes more of an option when it comes
to cyber-warfare, the need for international laws applicable to cyber-warfare increases. Ever
since war entered the fifth domain, cyber-space, there have been few successful attempts to
create international laws applicable to cyber-warfare. The attempts that have been made have

38

been few and far between, and have faced nothing but challenge upon challenge when creating
applicable laws. The purpose of this research was to examine international laws applicable to
cyber-warfare. How equipped is the international legal framework to handle state sponsored
cyber-warfare? What lessons can be learned from the 2007 Estonia attack? How does the United
Nations charter on use of force govern response to cyber attacks? What is considered a
measured response in cyber as opposed to conventional warfare?
Existing laws, including the law of war, cover only a very small portion of cyber-attacks,
including those that amount to an armed attack, or those that take place in the context of an
ongoing armed conflict (Crootof, et. al, 2012). Laws such as this do provide a slightly useful
legal framework, however other existing domestic and international laws also try to offer equally
fragmented assistance in addressing cyber-attacks. Even though some basic fragmentary laws
exist, there is a lack of clarity on how these fragments of international law apply to cyberwarfare. The truth is that the majority of the treaties, accords, and other international agreements
that currently govern international politics are out of date and out of touch with regards to this
new transnational arena of cyber-war. It is only after recent cyber-attacks, such as the massive
attacks on Estonia in 2007, which have nations reconsidering cyber-war and the laws that
surround these attacks.
While greater attempts need to be made to create international laws applicable to cyberwarfare, past attacks and attempts at governing the cyber-domain have brought to light the need
for a universal governing law. Not only did the Estonia attacks show the world that cyber-attacks
and cyber-warfare was possible, they showed nation-states that they would need to come up with
a plan for preventing cyber-warfare, and for responding to cyber-warfare if it ever occurred.

39

Furthermore, previous attempts at governing cyber-warfare have opened the door for a universal
plan to be made, as they show what needs to be addressed in the future.

40

References
Chatterjee, B. (2014, August 21). Ready, aim, click: We need new laws to govern cyberwarfare.
Retrieved from http://theconversation.com/ready-aim-click-we-need-new-laws-togovern-cyberwarfare-30734
Crootof, R., Hathaway, O., Levitz, P., Nolan, A., Perdue, W., & Spiegel, J. (2011, November
16). THE LAW OF CYBER-ATTACK. Retrieved from
http://www.law.yale.edu/documents/pdf/cglc/LawOfCyberAttack.pdf
Dinstein, Y., The Principle of Distinction and Cyber War in International Armed
Conflicts, Journal of Conflict & Security Law, Vol. 17, No. 2, 2012, p. 261-277.
Herzog, Stephen. "Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational
Responses." Journal of Strategic Security 4, no. 2 (2011): 49-60.
International Humanitarian Law and the challenges of contemporary armed conflicts. (2011).
Geneva: The International Committee of the Red Cross.
Kelley, M. (2013, November 20). The Stuxnet Attack On Iran's Nuclear Plant Was 'Far More
Dangerous' Than Previously Thought Retrieved from http://www.businessinsider.com/
stuxnet-was-far-more-dangerous-than-previous-thought-2013-11
Nguyen, N. (2014, February 12). The International Humanitarian Law Implications of the
Tallinn Manual. Retrieved from http://www.e-ir.info/2014/02/12/the-internationalhumanitarian-law-implications-of-the-tallinn-manual/
Rehman, S. (2013, January 14). Estonia's Lessons in Cyberwarfare. Retrieved from
http://www.usnews.com/opinion/blogs/world-report/2013/01/14/estonia-shows-how-tobuild-a-defense-against-cyberwarfare
Schmitt, M. (2013). Tallinn Manual on the International Laws Applicable to Cyber Warfare.

41

Cambridge: Cambridge University Press.

Talihrm, A. (2013, August 1). Towards Cyberpeace: Managing Cyberwar Through International
Cooperation. Retrieved from http://unchronicle.un.org/article/towards-cyberpeacemanaging-cyberwar-through-international-cooperation/
War in the fifth domain. (2010, July 1). Retrieved from
http://www.economist.com/node/16478792
Waxman, M. (2011). Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4).The
Yale Journal of International Law, 36, 421-459.

42