THE JURISDICTIONAL CHALLENGES OF CYBER WARFARE ANDTHE JUS AD BELLUM

Abstract

The advent of cyber warfare has fundamentally challenged traditional international law frameworks governing the use of force. This article examines the jurisdictional complexities arising from cyber operations in the context of jus ad bellum principles. It explores how the borderless nature of cyberspace, attribution difficulties, and the ambiguity surrounding what constitutes an armed attack in the digital realm create significant legal uncertainties. Through analysis of existing international law, state practice, and scholarly discourse, this article argues that current legal frameworks are inadequate to address cyber warfare’s unique characteristics. The article proposes adaptations to traditional jus ad bellum principles while advocating for international consensus on cyber norms and cooperative frameworks to bridge jurisdictional gaps and prevent escalation of cyber conflicts.

Introduction

The twenty-first century has witnessed warfare’s evolution beyond conventional kinetic operations into the digital realm. Cyber warfare, characterized by state-sponsored attacks on computer networks and information systems, presents unprecedented challenges to the international legal order. The 2007 cyber-attacks on Estonia, the 2010 Stuxnet operation against Iranian nuclear facilities, and the 2017 Not Petya ransomware attack attributed to Russian actors demonstrate cyberspace’s transformation into a contested domain where state interests collide without traditional battlefield boundaries.

The legal framework governing resort to force, known as jus ad bellum, emerged from the horrors of World War II and crystallized in the United Nations Charter. Article 2(4) prohibits the threat or use of force against the territorial integrity or political independence of any state, while Article 51 preserves the inherent right of self-defence against armed attacks. [1]However, these provisions were drafted in an era when warfare involved tanks, aircraft, and soldiers crossing physical borders. The framers of the UN Charter could not have anticipated conflicts conducted through fibre-optic cables and server farms, where a state’s critical infrastructure could be paralyzed without a single shot fired.

The jurisdictional challenges of applying jus ad bellum to cyber operations stem from cyberspace’s unique characteristics: its transnational nature, the difficulty of attribution, the speed of attacks, the involvement of non-state actors, and fundamental definitional questions about what constitutes an “armed attack” in the digital context. These challenges create a legal vacuum that threatens international peace and security, as states struggle to determine when cyber operations justify forceful responses and which legal principles govern such situations.

This article examines these jurisdictional challenges by analysing the existing legal framework, exploring attribution difficulties, assessing the threshold question of armed attacks in cyberspace, and investigating the applicability of self-defence principles. It concludes by proposing reforms and cooperative mechanisms to address these gaps in international law.

Legal Framework

The UN Charter and Jus ad Bellum

The foundational principle of modern international law regarding the use of force is enshrined in Article 2(4) of the UN Charter, which prohibits member states from threatening or using force against the territorial integrity or political independence of any state. This prohibition represents a cornerstone of the post-World War II international order, establishing a presumptive ban on unilateral military action.[2]

Two primary exceptions to this prohibition exist. First, the UN Security Council may authorize the use of force under Chapter VII when determining the existence of threats to international peace and security. Second, Article 51 preserves states’ inherent right of individual or collective self-defence if an armed attack occurs. The right of self-defence is subject to requirements of necessity, proportionality, and immediacy, principles developed through customary international law and affirmed by the International Court of Justice in landmark cases such as the Nicaragua case.

Customary International Law and State Practice

Beyond treaty obligations, customary international law governs state conduct regarding the use of force. The International Court of Justice has confirmed that the prohibition on the use of force and the right of self-defence exist independently as customary international law, binding even non-parties to the UN Charter. State practice and opinion juris regarding cyber operations remain nascent and contested, creating uncertainty about whether existing norms translate seamlessly to cyberspace.

The Caroline incident of 1837 established foundational principles for anticipatory self-defence, requiring that the necessity be “instant, overwhelming, and leaving no choice of means, and no moment for deliberation.” Whether these criteria, developed in the context of an imminent cross-border military raid, apply meaningfully to cyber-attacks that can be executed in milliseconds remains highly debatable.

The Tallinn Manual Framework

Recognizing the legal ambiguity surrounding cyber warfare, NATO’s Cooperative Cyber Defence Centre of Excellence commissioned the Tallinn Manual on the International Law Applicable to Cyber Warfare, published in 2013 and updated as Tallinn Manual 2.0 in 2017. While not binding law, this expert compilation represents the most comprehensive attempt to apply existing international law to cyber operations.

The Tallinn Manual adopts an “effects-based approach” to determining whether cyber operations constitute uses of force, focusing on the scale and effects of operations rather than the means employed. This approach suggests that cyber operations causing destruction comparable to kinetic attacks should be treated similarly under international law. However, the Manual acknowledges significant disagreement among experts on critical threshold questions, particularly regarding cyber operations falling below the armed attack threshold.[3]

Jurisdictional Complexities in Cyberspace

The Problem of Attribution

Perhaps the most formidable jurisdictional challenge in cyber warfare concerns attribution—determining with sufficient certainty which state or actor is responsible for a cyber operation. Unlike conventional military operations where the attacking state’s identity is typically evident, cyber-attacks exploit the internet’s anonymity and can be routed through multiple jurisdictions, using compromised systems in third-party states, and employing sophisticated techniques to obscure their origin.

International law requires that attribution meet standards sufficient to justify responses, particularly forceful self-defence measures. The International Court of Justice, in the Nicaragua case, established that states must prove both conduct (the actual attack) and responsibility (that another state directed or controlled the attack). In cyberspace, meeting this evidentiary burden presents extraordinary difficulties.

Technical attribution through forensic analysis of malware, command-and-control infrastructure, and attack methodologies can identify likely perpetrators but rarely provides conclusive proof meeting international law standards. States possess varying technical capabilities for attribution, creating disparities in the ability to establish legal justifications for responses. Furthermore, states conducting offensive cyber operations have little incentive to share attribution methodologies that might reveal their own capabilities or intelligence sources.

The attribution problem is compounded by the prevalence of proxy actors. States frequently employ non-state hackers, cybercriminal organizations, or patriotic hacktivists to conduct operations, maintaining plausible deniability while achieving strategic objectives. Determining when such actions are attributable to states under international law requires applying agency principles developed for different contexts, creating significant uncertainty.

Territorial Jurisdiction and Cyberspace

Traditional jurisdictional principles in international law rest on territorial sovereignty—the concept that states exercise exclusive authority within their borders. Cyberspace fundamentally challenges this paradigm. A cyber operation might be initiated from servers in State A, routed through compromised computers in States B and C, and target critical infrastructure in State D, all within seconds.

This transnational character raises profound questions: Which state has jurisdiction to respond? Must the target state respect the sovereignty of transit states whose infrastructure was unwittingly used? Can responses traverse the territory or cyberspace of third-party states? International law provides limited guidance on these questions.

The principle of sovereignty extends to cyberspace, as confirmed by the Tallinn Manual and accepted by many states. However, the practical application of sovereignty principles in a domain lacking physical boundaries remains contested. Some scholars argue for a strict territorial approach, treating any unconsented cyber operation penetrating a state’s network infrastructure as a sovereignty violation. Others contend that only cyber operations producing significant effects violate sovereignty, allowing routine intelligence gathering and surveillance to fall outside prohibited conduct.

This disagreement has critical jurisdictional implications. If all non-consensual cyber intrusions violate sovereignty, target states might claim broad authority to respond, potentially escalating conflicts. Conversely, if sovereignty violations require threshold effects, states face a landscape where persistent low-level cyber operations undermine their security without triggering clear legal recourse.[4]

The Armed Attack Threshold

Perhaps the most contentious jurisdictional issue concerns determining when cyber operations constitute “armed attacks” triggering self-defence rights under Article 51. The UN Charter does not define “armed attack,” and applying this concept to non-kinetic cyber operations involves analogical reasoning that many find unsatisfying.

The International Court of Justice has distinguished between the gravest forms of force (armed attacks) and other less grave uses of force that do not justify self-defense. Applying this distinction to cyber operations requires determining where different types of cyber-attacks fall on this spectrum. The Tallinn Manual proposes that cyber operations causing death, injury, or significant physical damage to objects should qualify as armed attacks, embracing the “effects-based approach” mentioned earlier.

However, this approach struggles with cyber operations producing serious consequences without kinetic effects. Consider a cyber-attack that disables a nation’s electrical grid for extended periods, causing economic devastation, disrupting hospitals and emergency services, and potentially causing deaths from loss of life-support systems, but without directly destroying physical infrastructure. Does this constitute an armed attack? What about operations targeting financial systems, causing massive economic losses but no physical harm?

Some scholars advocate for an “instrument-based approach,” arguing that cyber operations should be evaluated based on whether they employ means comparable to traditional military weapons. Others propose a “target-based approach,” suggesting that attacks on military objectives or critical infrastructure should be treated as armed attacks regardless of means or immediate effects.

State practice provides limited clarity. Israel’s reported 2007 cyber operation against Syrian air defences preceding a kinetic strike suggests acceptance that cyber operations can constitute military force. The United States has asserted that cyber operations causing effects equivalent to kinetic attacks could trigger self-defence rights. However, no state has definitively exercised kinetic self-defence in response to a purely cyber-attack, leaving the question largely theoretical.[5]

Temporal Jurisdiction and Cyber Operations

Cyber warfare introduces unique temporal challenges. Traditional armed attacks have clear beginning and end points—the crossing of borders, the dropping of bombs, the cessation of hostilities. Cyber operations often lack such clarity. Malware might be implanted years before activation, creating “logic bombs” that detonate at predetermined times or under specific conditions. Advanced persistent threats involve long-term infiltration of networks, with data exfiltration and positioning for future attacks occurring continuously.

These characteristics complicate the temporal requirements for self-defence. Must a state respond immediately to a cyber intrusion, even if no harm has yet occurred? Can a state claim self-defence years after malware implantation when the code finally activates? The requirement that self-defence be immediate and necessary becomes difficult to apply when attacks unfold over extended timeframes or remain latent until triggered.

Furthermore, the speed of cyber operations challenges decision-making processes. A sophisticated cyber-attack can compromise critical systems in minutes or seconds, providing little time for consultation, verification of facts, or careful consideration of proportionate responses. This urgency creates pressure for automated defensive responses, raising questions about meaningful human control over uses of force and the ability to satisfy traditional legal requirements emphasizing deliberation and restraint.

Judicial Interpretation and State Practice

Limited Case Law

Unlike many areas of international law, cyber warfare jurisprudence remains remarkably sparse. No international tribunal has directly adjudicated a cyber warfare case, and domestic courts have provided limited guidance. The International Court of Justice, despite addressing use of force issues in numerous cases, has not confronted cyber operations in its contentious or advisory jurisdiction.

This absence of authoritative judicial interpretation means that legal principles remain largely theoretical, developed through scholarly analysis rather than binding precedent. States make claims about their rights and obligations in cyberspace, but these claims remain untested in adjudicative forums creating uncertainty about their legal validity.[6]

State Responses to Major Cyber Incidents

State practice provides some insight into emerging norms, though practice remains inconsistent and often opaque. The 2007 cyber-attacks on Estonia, which disabled government, media, and financial websites, prompted NATO consultation but not collective self-defence measures. Estonia invoked Article 4 of the NATO Treaty (consultation) rather than Article 5 (collective defence), suggesting uncertainty about whether the attacks qualified as armed attacks triggering collective defence obligations.

The Stuxnet operation against Iranian nuclear facilities represented a watershed moment. While neither Israel nor the United States officially acknowledged responsibility, the operation reportedly caused physical destruction of centrifuges through cyber means. Iran did not invoke self-defence rights or launch kinetic retaliation, though it developed enhanced cyber capabilities afterward. The international community’s muted response suggested possible acceptance that cyber operations against military or WMD-related targets might fall within existing use of force paradigms, at least when conducted against programs arguably violating international obligations.

The 2014 Sony Pictures hack, attributed to North Korea, prompted the United States to impose economic sanctions and vaguely referenced proportional responses The measured response to an attack on a private corporation suggested reluctance to treat such incidents as armed attacks justifying forcible response, even when attributed to a state actor.

Russia’s 2015 cyber-attack on Ukraine’s power grid, causing widespread blackouts, represented the first confirmed case of cyber-attack causing significant civilian infrastructure disruption. Ukraine did not invoke self-defence rights or respond with kinetic force, though this restraint might reflect power disparities rather than legal assessments. The international response emphasized diplomatic and economic measures rather than recognizing a use of force requiring collective security responses.

The Not Petya Incident and Attribution Statements

The 2017 Not Petya ransomware attack, which originated in Ukraine but spread globally, causing billions in damages, prompted unprecedented attribution statements. The United States, United Kingdom, Australia, Canada, and other states formally attributed the attack to Russia’s military intelligence service. While these states condemned the attack and imposed sanctions, none characterized it as an armed attack or suggested that self-defence responses would be appropriate.[7]

This restrained response to an operation causing massive economic damage, including effects on critical infrastructure and medical facilities, suggests states remain hesitant to lower the armed attack threshold even when attribution is relatively certain and effects are severe. The incident highlights the gap between technical attribution confidence and willingness to invoke legal justifications for forcible responses.

Critical Analysis

Inadequacy of Current Legal Framework

The application of jus ad bellum to cyber warfare reveals fundamental inadequacies in the current international legal framework. The UN Charter’s state-centric model, focused on territorial integrity and kinetic force, struggles to accommodate the realities of cyber conflict. Several critical gaps emerge from this analysis.

First, the binary distinction between armed attacks and lesser uses of force creates a stark threshold that fails to account for cyber operations’ diverse and graduated nature. Cyber-attacks causing severe disruption and economic damage but falling short of physical destruction exist in a legal grey zone where neither forcible self-defence nor lesser countermeasures provide adequate responses.

Second, the emphasis on state responsibility and attribution creates perverse incentives for states to employ proxy actors and maintain plausible deniability, undermining accountability. The evidentiary standards developed for conventional military operations are often impossible to meet in cyberspace, effectively granting immunity to sophisticated state actors capable of obscuring their involvement.

Third, the temporal requirements for self-defence—immediacy, necessity, and proportionality—rest on assumptions about attack patterns that do not hold in cyberspace. The ability to implant malware for later activation, conduct persistent low-level operations, and launch devastating attacks within seconds or minutes challenges traditional frameworks emphasizing measured, deliberate responses to clear aggression.

Sovereignty and Non-Intervention Principles

Beyond the armed attack threshold, cyber operations raise questions about lower-level violations of sovereignty and non-intervention principles. The Tallinn Manual 2.0 dedicates substantial attention to whether and when cyber operations below the use of force threshold violate international law. This issue has profound practical importance, as the vast majority of state cyber operations fall into this category—espionage, intellectual property theft, election interference, and infrastructure reconnaissance.

Some states, particularly those most vulnerable to cyber operations, advocate for broad interpretations of sovereignty violations, arguing that any non-consensual cyber operation penetrating another state’s networks violates sovereignty. This position would provide clearer rules and stronger protections but might prove unworkable given the pervasiveness of cyber operations and the difficulty of distinguishing between legitimate and illegitimate activities in cyberspace.[8]

Other states, particularly those with advanced cyber capabilities, prefer narrower interpretations requiring that cyber operations produce significant effects to violate sovereignty. This approach maintains states’ operational flexibility but provides less protection to potential targets and creates ambiguity about permissible conduct.

The Problem of Persistent Campaigns

Modern cyber warfare increasingly involves persistent campaigns—ongoing, coordinated series of operations that individually might not constitute armed attacks but cumulatively undermine a state’s security and sovereignty. Russia’s operations against Ukraine since 2014, China’s sustained economic espionage campaigns, and Iran’s regional cyber operations exemplify this approach.

Traditional jus ad bellum principles evaluate individual uses of force, but persistent campaigns create a “death by a thousand cuts” scenario that existing law inadequately addresses. Should such campaigns be evaluated cumulatively, with the accumulation of effects potentially crossing the armed attack threshold? Or must each operation be assessed independently, potentially allowing adversaries to wage devastating campaigns while remaining below the threshold triggering robust legal responses?

The principle of accumulation of events remains contested in international law. The International Court of Justice has suggested that a series of small-scale armed operations could cumulatively constitute an armed attack, but applying this principle to cyber operations presents additional complexity given difficulties in attribution, determining which operations form part of a coordinated campaign, and establishing appropriate response timeframes.

Recent Developments

Emerging Cyber Norms and Multilateral Initiatives

Recognition of legal inadequacies has prompted various multilateral initiatives to develop cyber norms. The United Nations Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security has met periodically since 2004, producing reports in 2010, 2013, and 2015 that affirmed the applicability of international law to cyberspace and proposed voluntary, non-binding norms of responsible state behaviour.

The 2015 UN GGE report represented a high-water mark, achieving consensus among major cyber powers including the United States, Russia, and China that international law, including the UN Charter, applies to state behaviour in cyberspace. The report also recommended norms including that states should not conduct or knowingly support cyber-attacks against critical infrastructure, should cooperate in investigations of cyber incidents, and should not allow their territory to be used for internationally wrongful cyber operations.[9]

However, subsequent UN GGE processes collapsed without consensus in 2017, reflecting deepening divisions between Western states favouring application of existing international law and states like Russia and China preferring new treaty-based regimes⁴⁴ This impasse led to parallel processes, with the UN establishing both a reconvened GGE and an Open-Ended Working Group (OEWG) to address cyber security issues, resulting in duplication and continued disagreement over fundamental principles.

Regional and Bilateral Agreements

In the absence of global consensus, regional organizations and bilateral agreements have attempted to fill gaps. The Organization for Security and Co-operation in Europe (OSCE) has developed confidence-building measures for cyber security, including commitments to communication during cyber incidents and voluntary information sharing about national cyber strategies. The Shanghai Cooperation Organization, led by Russia and China, has promoted a competing vision emphasizing information security and state sovereignty over cyberspace.

Bilateral agreements between major powers remain limited. The United States and China reached an agreement in 2015 committing not to conduct or support cyber-enabled theft of intellectual property for commercial advantage, though enforcement and compliance remain problematic. Russia and the United States have engaged in limited dialogue on cyber issues but have not achieved significant bilateral agreements establishing operational constraints or dispute resolution mechanisms.

National Cyber Strategies and Declaratory Policies

Individual states have developed national cyber strategies articulating their positions on key legal issues, though these often maintain strategic ambiguity on critical questions. The United States’ 2018 National Cyber Strategy emphasized the doctrine of “defend forward” and “persistent engagement,” suggesting willingness to conduct operations in adversary networks to prevent attacks before they reach American systems. This approach raises questions about consistency with sovereignty principles and non-intervention norms.

France’s 2019 cyber strategy explicitly addressed international law issues, asserting France’s right to respond to cyber-attacks with all appropriate means and proposing that accumulation of cyber operations could cross the armed attack threshold. The United Kingdom’s National Cyber Security Strategy similarly emphasizes active cyber defence and reserves the right to respond to cyber-attacks, including with military means if necessary.

These declaratory policies provide insight into state views but lack the specificity necessary to generate clear legal rules. States maintain flexibility by avoiding precise definitions of key terms like “cyber-attack,” “critical infrastructure,” and “armed attack in cyberspace,” preferring case-by-case evaluation to preserve freedom of action.[10]

Suggestions and Way Forward

Adapting Jus ad Bellum Principles

Rather than abandoning established jus ad bellum principles, the international community should adapt their application to accommodate cyber warfare’s unique characteristics. Several reforms would enhance clarity while preserving core principles.

First, states should develop clearer consensus on the armed attack threshold in cyberspace. While absolute precision may be impossible, agreement on categories of cyber operations that presumptively do or do not constitute armed attacks would reduce uncertainty. Operations causing death, serious injury, or significant physical destruction should be recognized as armed attacks. Operations causing severe, sustained disruption to critical infrastructure systems—power grids, water treatment, transportation networks, financial systems—supporting civilian life and welfare should similarly qualify, even without kinetic effects.

Second, the principle of accumulation should be clarified and accepted for persistent cyber campaigns. When a series of cyber operations, even if individually below the armed attack threshold, cumulatively undermine a state’s security, sovereignty, or critical infrastructure, the target state should be entitled to invoke self-defence rights proportionate to the aggregate threat. This would prevent adversaries from exploiting the threshold to wage devastating campaigns through incremental operations.

Third, attribution standards must be adapted to cyber operations’ realities. While states need not conclusively prove attribution to the evidentiary standards required in criminal proceedings, they should be required to provide substantial evidence sufficient to justify their claims to the international community. A “clear and convincing evidence” standard, rather than “beyond reasonable doubt,” would balance the need for accountability against the practical difficulties of cyber attribution.

Strengthening International Cooperation

Jurisdictional challenges in cyber warfare cannot be solved through legal interpretation alone but require enhanced international cooperation and institutional development.[11]

The establishment of an international cyber incidents investigation mechanism, analogous to the International Atomic Energy Agency’s inspection regime or the Organisation for the Prohibition of Chemical Weapons’ fact-finding missions, would provide authoritative, neutral assessments of major cyber incidents. Such a body could investigate attribution, assess effects, and provide findings that states could rely upon when considering responses, reducing the unilateral and often politically motivated nature of current attribution processes.

States should negotiate a treaty addressing cyber warfare’s most dangerous manifestations. While comprehensive agreements may be unrealistic given current geopolitical tensions, more limited conventions prohibiting specific categories of cyber operations could achieve consensus. A treaty prohibiting cyber-attacks on nuclear facilities, medical systems, or civilian aviation infrastructure would address the most concerning scenarios while avoiding contentious definitional issues. 

Regional organizations should develop dispute resolution mechanisms for cyber incidents. Mandatory consultation procedures when states believe they have been targeted by cyber operations, similar to OSCE confidence-building measures but with stronger compliance mechanisms, would create opportunities for de-escalation and clarification before conflicts intensify.

Capacity Building and Technical Assistance

Jurisdictional challenges are exacerbated by vast disparities in states’ technical capabilities for defence, attribution, and response to cyber operations. Capacity building initiatives should be prioritized to enable all states to effectively participate in the cyber security regime.

Wealthier states and international organizations should provide technical assistance to developing countries for cybersecurity defence, incident response, and forensic analysis capabilities. This assistance would reduce vulnerabilities that sophisticated actors exploit and enhance collective attribution capabilities by building a broader network of competent investigators.

International organizations should facilitate information sharing about cyber threats, attack methodologies, and defensive best practices. While states legitimately protect sensitive intelligence sources and methods, establishing clearinghouses for actionable threat information that can be shared without compromising capabilities would enhance collective security.

Developing Cyber-Specific Legal Principles

Beyond adapting existing jus ad bellum principles, the international community should consider whether certain aspects of cyber warfare require novel legal approaches. The principle of “due diligence” in cyberspace, requiring states to prevent their territory and infrastructure from being used for cyber-attacks against other states, deserves explicit codification and elaboration. While based on general international law principles, due diligence’s application to the unique technical characteristics of internet infrastructure requires specific development.

The concept of “cyber sovereignty” also warrants careful consideration. While the principle that sovereignty extends to cyberspace has gained acceptance, its practical meaning remains contested. Developing clearer understanding of what sovereignty means in cyberspace—what activities constitute violations, what responses are permissible, and how sovereignty interacts with legitimate security concerns—would reduce ambiguity and potential for escalation.

Finally, the role of non-state actors in cyber warfare requires explicit legal framework development. The ICJ’s Nicaragua criteria for attributing non-state actor conduct to states may not adequately capture the relationships between states and cyber actors. Clearer rules about when states bear responsibility for hacktivist, cybercriminal, or patriotic hacker operations emanating from or transiting through their territory would enhance accountability.

Conclusion

The jurisdictional challenges of cyber warfare fundamentally test international law’s adaptability to technological change. The jus ad bellum regime, developed for a world of tanks and aircraft, struggles to regulate conflicts waged through computer code across borderless networks. Attribution difficulties, threshold ambiguities, temporal complexities, and sovereignty questions create a legal landscape characterized by uncertainty and potential for miscalculation.

Yet this analysis reveals not the obsolescence of international law but rather its resilience and potential for evolution. Core principles—prohibition on the use of force, right of self-defence, respect for sovereignty—remain valid and necessary. What requires development is their application to new factual contexts that the framers of the UN Charter could not have anticipated.[12]

The path forward requires balanced adaptation. Legal frameworks must be sufficiently clear to guide state conduct, provide predictability, and enable accountability, while remaining flexible enough to accommodate rapid technological change and unforeseen developments. This balance can be achieved through clarification of key thresholds, acceptance of adapted attribution standards, development of cooperative mechanisms for investigation and dispute resolution, and willingness to craft specific rules for the most dangerous categories of cyber operations.

The stakes could not be higher. Cyber warfare capabilities continue to proliferate, operations grow more sophisticated and potentially destructive, and the risk of miscalculation or escalation increases with each major incident. The international community’s failure to develop adequate legal frameworks governing cyber operations creates a vacuum that threatens not only cyber security but international peace more broadly. A major cyber incident triggering kinetic military responses could escalate rapidly in an environment of legal uncertainty and mutual suspicion.

The challenge of adapting jus ad bellum to cyber warfare ultimately reflects a broader question about international law’s future. Can a legal system root in Westphalian sovereignty and developed over centuries for conventional warfare evolve rapidly enough to regulate conflicts in cyberspace? The answer will significantly determine whether international law remains relevant to the most pressing security challenges of the twenty-first century. The jurisdictional challenges of cyber warfare demand not abandonment of established principles but creative adaptation, international cooperation, and sustained commitment to the rule of law even in the newest and most challenging domains of human conflict.

Reference(S):

1. [1] N. Charter art. 2, para. 4; art. 51. ↩
2. [2] 2. U.N. Charter art. 2, para.; 3. U.N. Charter art. 39, 42.; 4.  U.N. Charter art. 51.; 5. Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, para. 194 (June 27).; 6.       Id. at para. 188.
3. Letter from Daniel Webster, U.S. Sec’y of State, to Henry S. Fox, British Minister to the U.S. (Apr. 24, 1841), reprinted in 2 John Bassett Moore, A Digest of International Law 412 (1906).; 8. Michael N. Schmitt ed., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2d ed. 2017).
4. [3] 9. Id. at 329-330. ↩
5. Thomas Rid & Ben Buchanan, Attributing Cyber Attacks, 38 J. Strategic Stud. 4, 7-11 (2015). ↩
6. Nicaragua, 1986 I.C.J. at para. 115. ↩
7. Marco Roscini, Cyber Operations and the Use of Force in International Law 42-58 (2014). ↩
8. [4] 13. Duncan B. Hollis, An e-SOS for Cyberspace, 52 Harv. Int’l L.J. 373, 385-389 (2011).; 14. Schmitt, supra note 8, at 11-12.
9. Gary P. Corn & Robert Taylor, Sovereignty in the Age of Cyber, 111 AJIL Unbound 207, 208-209 (2017).; 16. Michael N. Schmitt, In Défense of Due Diligence in Cyberspace, 125 Yale L.J. F. 68, 72-75 (2015).; 17. Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 Colum. J. Transnet’s L. 885, 915-920 (1999).; 18. Nicaragua, 1986 I.C.J. at para. 191.; 19. Schmitt, supra note 8, at 339).
10. [5] 20. Wolff Heintschel von Heinegg, Legal Implications of Territorial Sovereignty in Cyberspace, in 4 NATO Cooperative Cyber Defence Centre of Excellence, 4th International Conference on Cyber Conflict 7, 15-17 (Christian Czosseck et al. eds., 2012).
11. Matthew C. Waxman, Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4), 36 Yale J. Int’l L. 421, 430-433 (2011).; 22. David E. Sanger, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power 188-189 (2012).; 23. Harold Hongju Koh, Legal Adviser, U.S. Dep’t of State, International Law in Cyberspace, Address at the USCYBERCOM Inter-Agency Legal Conference (Sept. 18, 2012).; 24. Roscini, supra note 12, at 32-35; 25. Michael N. Schmitt, Cyber Operations and the Jus Ad Bellum Revisited, 56 Vill. L. Rev. 569, 595-598 (2011).; 26. Jeffrey S. Thurnher, Examining Autonomous Weapons from a Cybersecurity Perspective, in Research Handbook on International Law and Cyberspace 340, 348-351 (Nicholas Tsagourias & Russell Buchan eds., 2015). ↩
12. [6] 27. Mary Ellen O’Connell, Cyber Security Without Cyber War, 17 J. Conflict & Security L. 187, 195-197 (2012).; 28. Jason Richards, Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security, 18 Int’l Aff. Rev. 1, 4-6 (2009).; 29. Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon 8-15 (2014).; 30. Ellen Nakashima, U.S. Decides Against Publicly Blaming China for Data Hack, Wash. Post (July 21, 2015).; 31. Kim Zetter, Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid, Wired (Mar. 3, 2016). ↩
13. [7] 32. White House, Statement from the Press Secretary (Feb. 15, 2018).
14. Sean Watts, Low-Intensity Cyber Operations and the Principle of Non-Intervention, in Peacetime Regime for State Activities in Cyberspace 249, 255-260 (Katharina Ziolkowski ed., 2013).
15. Rid & Buchanan, supra note 10, at 30-33.
16. Oona A. Hathaway et al., The Law of Cyber-Attack, 100 Calif. L. Rev. 817, 855-868 (2012).
17. Schmitt, supra note 8, at 16-18.
18. [8] 37. Corn & Taylor, supra note 15, at 210-211.
19. Schmitt, supra note 16, at 76-80.
20. Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers 85-120 (2019).
21. Oil Platforms (Iran v. U.S.), Judgment, 2003 I.C.J. 161, para. 64 (Nov. 6)
22. [9] 41. U.N. Office for Disarmament Affairs, Developments in the Field of Information and Telecommunications in the Context of International Security (2021).
23. U.N. Secretary-General, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, U.N. Doc. A/70/174 (July 22, 2015).
24. Id. at paras. 13(c), 13(e), 13(f).
25. Josephine Wolff, The U.N. Used to Protect the Internet. Now It’s Helping Dismantle It., Slate (Sept. 1, 2017).
26. U.N. Secretary-General, Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security, U.N. Doc. A/75/816 (Mar. 12, 2021).
27. Organization for Security and Co-operation in Europe, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies, OSCE Doc. PC.DEC/1106 (Dec. 3, 2013).
28. Shanghai Cooperation Organisation, Agreement Between the Governments of the Member States of the Shanghai Cooperation Organisation on Cooperation in the Field of International Information Security (June 16, 2009).
29. White House Office of the Press Secretary, Fact Sheet: President Xi Jinping’s State Visit to the United States (Sept. 25, 2015).
30. [10] 49. White House, National Cyber Strategy of the United States of America 20-21 (2018). ↩
31. Ministère des Armées, Éléments publics de doctrine militaire de lutte informatique d’influence 6-8 (2019). ↩
32. HM Government, National Cyber Security Strategy 2016-2021, at 39-41 (2016). ↩
33. Schmitt, supra note 25, at 585-590. ↩
34. Russell Buchan, Cyberwar: A General Theory of the Law of Cyberwarfare’s Application to Armed Conflict, in Research Handbook on International Law and Cyberspace 261, 272-275 (Nicholas Tsagourias & Russell Buchan eds., 2015).
35. [11] 54. David P. Fidler, Tinker, Tailor, Soldier, Duqu: Why Cyberspace is Not a New Domain of Warfare and What that Means, in Cyberspace and National Security: Threats, Opportunities, and Power in a Virtual World 85, 95-97 (Derek S. Reveron ed., 2012).; 55. Eneken Tikk & Mika Kerttunen, The Alleged Demise of the UN GGE: An Autopsy and Eulogy, 1 Cyber Pol’y J. 1, 8-10 (2017).; 56. Henning Wegener, Cyber Peace, in The Quest for Cyber Peace 77, 85-88 (Hamadoun I. Touré & The Permanent Monitoring Panel on Information Security eds., 2011).; 57. Marcel H. Van Herpen, Putin’s Propaganda Machine: Soft Power and Russian Foreign Policy 187-190 (2016).; 58. Jacqueline E. Wimer, The Role of the United States in Promoting Cybersecurity Norms Through Cyber Capacity Building, 10 Geo. J. Int’l Aff. 111, 115-118 (2009).
36. [12] 59. Schmitt, supra note 16, at 68-82.; 60. Kristen E. Eichensehr, The Cyber-Law of Nations, 103 Cornell L. Rev. 638, 685-692 (2018).; 61. Scott J. Shackelford et al., Toward a Global Cybersecurity Standard of Care?: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices, 50 Tex. Int’l L.J. 305, 330-335 (2015). ↩