Computers represent a stark example of dual use technology as they can be used for peaceful and military purposes, such as espionage and cyber-attacks. Cyber-attacks are a new tool of coercion, which brings many advantages for potential perpetrators in comparison with conventional attacks. For example, the knowledge and equipment necessary to initiate a computer network attack are widely available. The response of international law to this problem has been slow, attempting to twist existing legal frameworks to fit the new challenge. The present essay considers whether the international community should view computerized network attacks as a prohibited use of force under Article 2(4) of the UN Charter.
The first section defines the parameters of cyber-attack and distinguishes it from other forms of computer crime. Several reasons for choosing cyber-attack over conventional weapons are identified. The second section discusses whether cyber-attack constitutes ‘armed force’. Cyber-attack is contrasted with other forms of coercion such as political and economic coercion as well as chemical and biological weapons. The final section poses the question whether cyber-attacks are prohibited by Article 2(4) of the UN Charter, particularly focusing on the issue of consequentiality.
2. The parameters of cyber-attack
The present era of Information Age society represents a significant improvement in technology in terms of computer networks used to facilitate human interactions, providing vital services such as power, medicine and public safety. However, the interconnectivity of the world’s computer networks poses threats for countries reliant upon them for vital everyday services and functions. Any intrusion, manipulation, sabotage, disruption or destruction on one of these networks will have devastating effects, particularly when attacks are directed towards Critical National Infrastructure (CNI) - systems essential to the state’s well-being and infrastructure. Various methods for disruption of computer networks are identified in the literature, which can be grouped in 3 main categories: malicious software delivered over the Internet, denial-of-service attacks and unauthorized remote instructions.
Different terminology has been used by scholars to define attacks on computer networks, such as cyber-attack, information warfare and computer network attack. Additionally, cyber-attacks are to be contrasted with other forms of cyber-crime such as ‘hactivism’, ‘information-age warfare’, ‘netwar’ and ‘computer crime’. The definition of cyber-attack has to be narrowed down to include only the attacks on computer systems conducted with state’s involvement, either directly or through imputed state responsibility for the actions of non-state actors. States and state-sponsored organizations are seen as the only actors who can engage in information warfare as they have both the motivation and the resources for this type of acts. Morth defines cyber-attacks as a ‘state activity which has an incapacitating effect on the ability of the owners of any information network to use or manage that network’.
Cyber-attacks bring several advantages over conventional force for computer networks perpetrators. Firstly, cyber-attacks stretch traditional notions of territorial integrity as they will not involve the crossing of political borders. Before the creation of computerised technology, the term ‘attack’ presupposed the use of kinetic force, whereas in the 21st century attacks can be nothing more than the transfer of cyber command from one computer to another. Thus, damage could be inflicted to another state anonymously as in some cases the attack can be directed from a third state and the identification of the origin of the attack may not correspond to the actual perpetrator, which is known as the ‘attribution problem’. Secondly, in contrast to conventional use of force, the technology required to attack information networks is simple to acquire and is considered relatively inexpensive for a weapons system. This opens the doors not only to hostile states, but also to non-state actors and other terrorist organisations. Thirdly, computer network attacks can be used for a spectrum of criminal acts, ranging from devastating an economy to injury and loss of life. The result of cyber-attack need not be physical destruction. The target may be to disrupt particular service or function. A vivid example is the Russian-Georgian incident, where the target was disruption in telecommunications. The attacks overloaded and shut down many of Georgia's computer servers, and impaired Georgia's ability to disseminate information to its citizens during its armed conflict with Russia. Cyber-attacks are also capable of inflicting the same damage as traditional force. However, they represent a new target category in terms of the fact that it is no longer necessary to physically destroy for a facility; instead the computer network that operates the system will represent a new and potentially an easier target. Finally, cyber-attacks can facilitate the reversal of power structure of military strong and weaker states. The more developed a country is, the more it depends on computer/ information systems. Thus, vulnerability lies predominantly on developed countries.
3. Cyber-attack as a use of force
Sometimes known as jus contra bellum, Article 2(4) of the UN Charter represents the principal embodiment of international law’s attempt to restrict the use of force. Article 2(4) is prohibitive rather than remedial in nature. Only two exceptions exist to this absolute use of force prohibition: actions authorised by the Security Council in terms of collective self-defence measures, expressed in Article 39 of the UN Charter as well as acts of self-defence, expressed in Article 51 of the UN Charter. Article 2(4) proclaims: ’All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.’
There is a debate in the literature whether the term ‘force’ includes only armed force or it also encompasses other forms of coercion. Since the drafting of the UN Charter, the interpretation of the term force has proved contentious. The Vienna Convention on the Law of Treaties postulates the core interpretive principle that international agreements are to be interpreted ‘in accordance with the ordinary meaning to be given to the terms of the treaty in their context and in light of its object and scope.’ However, scholars frequently pose the question as to how to interpret the notion of force. According to Schmitt, the concept of the use of force is generally understood to mean ’armed force’. His analysis focus on the fact that in the Preamble of the UN Charter the term ‘armed force’ is used. Since all Charter’s Articles are drafted to effectuate the Preamble’s aspirations, it can be concluded that Article 2(4) allows only for restrictive interpretation to armed attacks. However, at the time of the drafting of the Article, the cyber-attack phenomenon was not envisioned. According to Schmitt: ’Until the advent of information operations, most coercions could be handily categorised into one of several boxes, for few coercive options existed that could not be typed as political, economic or armed in nature.’ Furthermore, the term force is seen not to encompass economic or political pressures. Economic coercion is an economic pressure exercises by one state against another, ‘threatening the basis of economic life, preventing another state from exploiting or nationalizing its own natural resources’. The legality of economic coercion was affirmed by Arbitral Tribunal in the ‘Case Concerning the Air Services Agreement’ – an aviation dispute between the United States and France. The permissibility of economic coercion stems from its ability to reduce violence in the international community as a mechanism for a state to signal its discontent towards another state and allows for a non-violent means of influence. Analogy between economic coercion and cyber-attack can be made as cyber-attack can also be directed towards economic targets, such as disrupting a banking system. Additionally, the non-kinetic nature of both economic coercion and cyber-attack can be seen as not violating Article 2(4). However, cyber-attacks differ fundamentally from economic and political pressure. According to Morth, several aspects distinguish cyber-attack from economic and political coercion. Firstly, the damage, a cyber-attack is capable to create, resembles more an attack by conventional weapons than economic coercion. An attack on computer system has the ability to physically destroy lives and property. The second aspect involves the issue of timing. The time it takes for cyber-attack to make its impact can be measured in minutes and hours, while an economic embargo takes weeks or months. Finally, disruption of computer network systems causes loss of control of fundamentally different nature that that which occurs when a state is targeted by economic coercion. Economic coercion involves the use of market forces against the victim, typically by decreasing supply of an important commodity. In contrast, a cyber-attack may cause the destruction of the marketplace. Another analogy can be made between chemical and biological weapons and cyber-attacks. Morth argues that chemical and biological weapons should be viewed as uses of force because these weapons are employed for the destruction of life and property. Cyber-attacks have also the potential to cause this same sort of widespread destruction. This comparison in terms of the ability of cyber-attack to destruct property and causes injury provides a clear rationale for viewing it as being prohibited by Article 2(4).
4. Are cyber-attacks prohibited by Article 2(4) of the UN Charter?
There is an agreement among scholars that the international legal framework is currently underequipped to deal with cyber-attacks. Computer network attacks are a relatively new tool of coercion. Until the late 1990s the issue was seen as hypothetical and abstract. The growing importance of the issue can be observed as to what states have been doing unilaterally to address the problem. For example, since 2009 the Obama administration created USCYBERCOM which ‘centralizes command of cyberspace operations, organizes existing cyber resources and synchronizes defence of U.S. military networks’. The first international agreement to deal with cybercrime is the European Convention on Cybercrime. However, there is a disagreement among scholars and experts as to how to address the underdeveloped legal framework of computer network attacks. Some scholars advocate new treaties to address this legal shortcoming. Other specialists, such as Morth, argue that a state’s use of information warfare against the information networks of another state should be viewed as violating Article 2(4) of the UN Charter.
Existing international law clearly prohibits the interfering of one state in another’s internal affairs via the use of physical force as expressed in Article 2(4) of the UN Charter. Graham puts forward three analytical models for assessment of cyber-attacks. Firstly, the ‘instrument-based approach’ provides a framework for assessment whether the damage caused by a cyber-attack could previously have been achieved only by a kinetic attack. If this is the case, then a cyber-attack clearly could be seen as an armed attack. Secondly, under the ‘consequence-based approach’, the consideration would be on the overall effect of the cyber -attack on the victim state. Thus, one type of cyber-attack definitely qualifies as an attack under Article 2 (4) when the consequences are kinetically manifest. It results in the same damage as kinetic attack. Thirdly, ‘the strict liability’ approach would automatically deem any interference in CNI to be an armed attack due to the grave consequences that could result from any attack on national infrastructure systems.
Schmitt argues that the prohibition of the use of force under Article 2(4) adopts an instrument-based approach because force represents ‘a consistently serious menace to intermediate and ultimate objectives. It eases the evaluative process by simply asking whether force has been used, rather than requiring a far more difficult assessment of consequences that have resulted.’ Since the promulgation of the Charter, the use of force paradigm has been instrument-based and determination of whether or not the standard has been breached depends on the type of the coercive instrument.
 Sklerov p.18
 Sklerov p.14
 Morth p.568
 Schmitt p.886
 Morth p.579
 Ibid. p.571
 Schmitt p.888
 Morth p.568
 Report of the Independent International Fact-Finding Mission on the Conflict in Georgia
 U.N. Charter art.2, para. 4
 Vienna Convention on the Law of Treaties, Art.31
 Schmitt p.908
 Schmitt p.909
 Ibid. p.908
 Morth p.593
 Case Concerning the Air Services of 27 March 1946 (U.S. v. Fr.)
 Morth p.594
 Ibid. p.596
 Flynn p.4
 European Convention on Cybercrime
 Sklerov p. 11
 Morth p.598
 Schmitt p.911
- Quote paper
- Veronika Minkova (Author), 2011, Is the use of technological force by one state against another – a so-called ‘cyber-attack’ – a breach of Article 2(4) of the UN Charter? , Munich, GRIN Verlag, https://www.grin.com/document/179303