Stay networked. Get informed. Broadcast your projects.
A few years ago the Economist recognised cyber space as the 5th domain of international warfare and such recognition indeed seem to open the door to infinite possibilities. Today NATO elaborates the rules for state-sponsored cyber attacks.
Cyber attacks becomes a common practise in international warfare. More than 30 countries have already worked out the policies and announced cyber warfare programs. That does not mean the states have an absolute freedom to launch cyber attacks during the war and respond with armed force against computer network attacks. There is no specific and internationally recognised regulation which would govern the use of cyber in international warfare yet. There is also no certainty about how to apply already existing international law provisions. Many authors call that new legislation is required whereas the others argue that passing new laws is not necessary as the flexible nature of the already existing rules allows them to resolve the case using ilmo. The most extensive document in this area is perhaps aforementioned NATO’s Cyber Security Policy Manual.
Uncertainty in terms, rules and legal regimes poses the number of problems. One of the most prominent ones is whether action in the digital domain constitute a use of force in the sense of Article 2(4) UN Charter and if so, what are the criteria for determining whether an act qualifies as armed force.
"Cyber warfare - maliscious manipulation of cyber systems (smartphones, computers, home intertainment, control/automation systems) supporting or substitution the conventional act of war where the impact that you are achieving or trying to achieve is equivalent to conventional attack." Ralf Langner
In order to assimilate a cyber attack to the use of force, it must be regarded through the lens of an armed attack. The damages and injuries resulted from cyber attack must be of the of the same scale or even higher then damages from armed attack. In this case the cyber attack will be recognised as use of force and consequently constitute a violation of Article 2(4) of the UN Charter.
In my point of view, the most important elements with regards to determination of cyber attack as a use of force is the result-based and instrument-based approach. Result-based test refers to the consequences of the attack occurred.
Result test means determines whether the damage resulted from a cyber attack could have been achieved by physical use of force. The notion of the result test is greatly supported by many writers. M. Schmitt says that cyber attack ‘spans the spectrum of the consequentiality’, Y.Dinstein agrees that determination of the use of force depends on violent consequences. Effects of cyber attack may be worse than economic crisis, riots or kinetic attacks. Although not all cyber attacks constitute violation of Act 2(4). Only those actions, which resulted in property loss and factual injury, and damages/injuries were of the same character as the one caused by the traditional weapons and constituted the part of a military campaign.
From the instrument-based prospective computer, program code, or any other asset used in the performance of the cyber attack is used as a weapon and operates the techniques of physical attacks. Here attention must be drawn to whether cyber was used as a tool of warfare. There are computer programs, which may be used as a weapon of war and programs, which are specifically designed to achieve a military objective. A computer itself is not a weapon, but if employed to achieve military goals, may be considered as a part of military asset. Computer data is not a weapon itself, even though offensive use may cause extensive damage. However if the program was elaborated specifically for the military purposes it becomes a tool of warfare. Famous Stuxnet was developed solely to disrupt industrial control system of power plants. Programs operating military aircrafts or missile launches are originally created for facilitation of operational means.
Due to the lack of specific legislation and case studies the states will determine whether cyber attack constituted the use of force according to the factual circumstances. Consequences and methods of the use of cyber will be primary determinatives to be taken into account.