On July 8, Michael Schmitt, a law professor and former judge advocate in the US Air Force, posted a perplexing tweet about changing his mind on the “status of cyber capabilities as ‘weapons.’” He followed it up with the link to a recent paper he coauthored for the International Law Studies journal of the US Naval War College.
Schmitt is one of the key architects of the guiding document on international norms of cyber conflict, widely known as the Tallinn Manual. His latest paper severely curtails the legal logic that is the heart of the manual, which, even prior to Schmitt’s admission, was thought to be shaky at best. In fact, the newer set of assumptions proposed by Schmitt may also not stand up to scrutiny, further limiting the manual’s applicability to real-world scenarios.
A decade after it was initiated, the most prominent project that sought to define responsible state behavior in cyberspace has developed cracks.
In the aftermath of the Russian cyberattack against Estonia in 2007, which severed it from the internet, a group of legal luminaries was convened by a new cyber defense center in Tallinn to formulate the ground rules of “cyberwar.”
Under the direction of NATO, it tried importing the taxonomy of international humanitarian law (IHL)—a set of rules governing the predominantly physical conflicts of the past that had widespread “kinetic” effects. The result was the legally nonbinding Tallinn Manual released in 2013, with its iteration 2.0 coming out in 2017.
In his recent paper, Schmitt has come to the forgone conclusion that cyber capabilities are neither “weapons” nor “means,” but “methods” of warfare. Or in other words, cause and effect in cyber operations are not analogous to the use of the conventional munitions and weapon systems which IHL is habituated to.
He also conceded that the luminaries behind the Tallinn Manual were too quick to apply the legal shortcut of “reasoning by analogy”—with the unfounded hope that the parameters of cyber conflict would eventually be in accordance with the law of armed conflict, much like the emerging military technologies of the past. The obvious blind spots in that theory have become gaping holes now.
The Tallinn Manual belongs to a growing list of global initiatives—founded in an ambitious bid to claim some semblance of order in the wild west of cyberspace—which have done a volte-face.
The Wassenaar Arrangement—which in 2013 proposed an arms control treaty for “cyberweapons”—met a similar fate. The deliberations of the United Nations’ Group of Governmental Experts stretching over a period of thirteen years—aiming to calm the growing cyber hostilities between the United States, Russia, and China—fell flat in 2016.
The Tallinn Manual has fostered a global academic subculture of strategic thought that unquestionably proceeded with its flawed baseline assumptions. It is not as if technically minded cybersecurity professionals remained oblivious to its structural weaknesses. They had long seen the collapse coming.
Dave Aitel, who was the first to flag the obvious loopholes in the process, has called the Tallinn Manual the “Bowling Green Massacre” and the “Talmud of cyberwar.” Its esoteric wording and hurried consensus did not stand up to technical logic. Aitel is a former exploitation engineer of the National Security Agency and leading voice on the offensive aspects of cybersecurity.
The important details brushed over by the broad strokes in the Tallinn Manual are far too many to be cited: from how territory manifests in cyberspace and how cyber operations reflexively mutate to the haziness around intent and impact and the manual’s assumptions that certain blanket restrictions are enforceable.
The legal experts mistakenly assumed that cyberattacks have calculable and—most importantly—controllable effects. Any cyber operator worth her salt knows that even mission-driven, militaristic hacking thrives under great, terrifying ambiguity.
The military interpretation of an “armed attack” is derived from a clear understanding of cause and effect, or intent and impact. In the case of a tank, a cruise missile, or a bunker-buster bomb, those could be reasonably derived; this is not the case with a “cyberweapon.”
Col. Gary Brown, a former staff judge advocate of the US Cyber Command, believes that “both quantitatively and qualitatively, espionage and warfighting in cyberspace can be indistinguishable until the denouement.”
Brown adds that “policymakers have tended to view cyber operations as strictly delineated: offence or defence; espionage or military operations.” In his view, reality defies such stark categorization—“Determining when one type of cyber operation ends, and another begins, is challenging.”
This has had real-world consequences. While Stuxnet could be construed as an armed attack, it is reasonable to argue that the reconnaissance malware Flame that preceded it may have warned cyber operators of an imminent attack (“anticipatory self-defence” is a contestable but reasonably valid concept under the international law). Stuxnet could very well be a pre-emptive counteraction, much like the “Left of Launch” cyber strategy of the United States manifesting in Iran and North Korea.
Or if one deconstructs the Department of Justice’s indictments against the Russian hackers who interfered with the 2016 US elections, it is amply clear that the United States or its allies had pre-positioned cyber implants within Russia’s military networks. The espionage malware could have conveniently been repurposed or even reinterpreted as an act of aggression. That hypothetically provides a legal cover to the Russian act. It was a mode of retaliation to defend Russia’s own sovereignty, guaranteed by the law of armed conflict.
In fact, defending its disruptive action in a lawsuit filed by the Democratic National Convention in a New York court, the Russian government issued a “Statement of Immunity” in November 2018, claiming that the “military attack” was a “quintessential sovereign act.” Amusingly, the submission even went to the extent of invoking the provisions of the US Foreign Sovereign Immunities Act to bolster its argument. The Russian government, the statement argued, is fully justified in keeping the qualitative reasons behind that “sovereign act” to itself.
The ambiguity of cyberattacks is not just limited to the legal or operational interpretations but goes on to challenge the very fundamentals of computer science. A “cyberweapon” is a tool-chain which alters the behavior of targeted computers and networks using, what is generally called, exploitation. It throws the targeted system into a state that, however unpredictable, is intrinsic and not alien to its functionality.
Sergey Bratus, an associate professor at Darthmouth, believes that “advanced exploitation is rapidly becoming synonymous with the system operating exactly as designed—and yet getting manipulated by attackers.” Bratus even has a term for exploited systems that enter previously unknown states not part of their intended design: weird machines.
The crux of the matter is that a cyberattack battles extreme uncertainty and not the adversary to achieve its mission objectives. It is impossible to document its impact as malicious or unintended as it manifests over adversarial computing infrastructure—which are nothing but millions of layers of abstractions.
Despite the hundreds of millions of dollars, months of rehearsal, and a full-blown nuclear centrifuge testbed at their disposal, the operators behind Stuxnet could not foresee it going out of control. Should India, the third most infected country, have interpreted it as an armed attack?
Jason Healey, a senior research scholar at Columbia’s School for International and Public Affairs, enunciated in his book A Fierce Domain: “Cyber incidents have so far tended to have effects that are either widespread but fleeting, or persistent but narrowly focused. No attacks, thus far, have been both widespread and persistent.” Such a boundary condition is the direct result of the ambiguity of the operating environment.
The intent of a “cyberweapon” is not hardcoded in the machine instructions but is derived from an overwhelming set of probabilities, which throws proportional response into a complete tizzy. It is exactly why the hacking of a mere film studio like Sony Pictures or an accounting firm like ME Docs gets labeled as an act of war.
Cyberattacks rely on creating a potent, indiscernible mix of effects and perceptions. And they are massively cascading in terms of their effects, which could cause extreme but invisible damage to national security and sovereignty.
In Bytes, Bombs and Spies, Herbert Lin, a senior research scholar for cyber policy and security at Stanford’s Centre for International Security and Cooperation, exhorts that “offensive cyber operations act most directly on intangibles—information, knowledge, and confidence.” It is indeed a fallacy of the Tallinn Manual to measure the damage of cyberattacks with some kind of kinetic equivalent.
The version 2.0 of the Tallinn Manual also inserted 154 “black letter rules”—the thou-shalt-nots of cyber. It ridiculously bars states from hacking first responders like the computer emergency response teams (CERT) of the adversary. In fact, for a military keen on maintaining good operational security, hacking CERTs would be a mandatory prerequisite.
Schmitt’s raison d’etre for shifting his stance is that “operating instructions are a type of data known as computer, or program code.” Aitel believes that Schmitt is reframing the “entire conception of cyber capabilities as ‘communications of code,’ hence, indirect actions.” And indirect actions have unexpected consequences, a far cry from our understanding of munitions and weapons that formed the basis of the Tallinn Manual.
Moreover, the Tallinn Manual’s staunch insistence that the Westphalian precept of territoriality is somehow applicable to cyberspace is bizarre and regressive. The recently adopted “Defend Forward” strategy of Cyber Command emerged from decades of painful realization that the complex, tangled sinews of cyberspace make it a globally contested territory. It further espouses the concept of constant adversarial contact where a firm calculation of redlines becomes nearly impossible.
Richard Danzig, former secretary of the US Navy, is of the following opinion: “Successful strategies must proceed from the premise that cyberspace is continuously contested territory in which we can control memory and operating capabilities some of the time but cannot be assured of complete control all of the time or even of any control at any particular time.”
Thomas Dullien, a malware reverse engineer formerly employed by Google, stated at the 2018 NATO CyCon conference that “ownership,” “possession,” and “control” of data and assets in cyberspace necessarily do not overlap.
So, the pre-emptive hacking of supposedly “foreign” networks is not a modicum of dominance and aggression but order and control. It is the reason why Aitel argues that offense-defense is a misleading dichotomy, better replaced with “control and non-control.”
Another common theme in Schmitt’s paper and the Tallinn Manual is that “customary law” applies to new means of warfare before they are fielded.
As is evident, customary law is that facet of IHL that evolves from the innate customs and practices of nations. Brown’s counterpoint is that customary law for cyber operations can only emerge when nations expressly define their limits and capabilities for the domain.
Since cyber operations offer a perfect cover of plausible deniability, governments have shied away from even owning up to attacks—like Wannacry, Fancy Bear, Shamoon, and Stuxnet—that have been attributed with high confidence.
Moreover, the declaratory aspects of cyber capabilities suffers from the paradoxical “cyber commitment problem.” Precise declarations may give away cyber implants that are generally target-specific, while also disrupting the balance of power on which strategic deterrence rests (in cases where cyberattacks may act as covert counterforce).
Schmitt summarizes the paper with the takeaway that cyber operations or capabilities are indeed methods of warfare. While the terms “weapons,” “means,” and “methods” remain undefined in IHL, he largely implies that cyberattacks are a component of military’s overarching but legally vague TTPs—tactics, techniques, and procedures.
As innovative research by the Misinfosec Working Group of the Credibility Coalition suggests, cyber-enabled information operations also violate the foundational triad of cybersecurity: confidentiality, integrity, and availability. Or in other words, every cyber operation could be deemed as an information operation even after full denouement. It is not amply clear whether an information operation forms a means or a method of warfare.
A paper by Heather Harrison Dinniss of the Swedish Defence University (coauthored with Schmitt) cites caselaw like Nicaragua v. United States to deduce that an information operation is noticeably below the threshold of an armed attack necessary to invoke IHL. That may bestow another garb of impunity upon rogue cyberattacks.
There is also the subliminal geostrategic narrative that often gets overlooked. Aitel draws upon Clausewitz to state that “policy is just cyber war by other means.”
Contrary to how it appears, cyber policy is a convenient indulgence for nation-states to keep cyber offense fully potentiated. Like the occasional eruption of a geyser, it distracts us from the volcano that simmers deep underground.
While repeatedly snubbing Russia at the UN Group of Governmental Experts by watering down or vetoing proposals during the initial deliberations, the United States built a massive global dragnet on the sidelines. It was only after the breach of some redlines by Russia in cyberspace that the United States was seriously drawn into the discussion, but it was too late by then.
The Tallinn Manual’s schizoid assertions only add to the unstable nature of the domain. The damning indictment is that it is impossible to apply its statutes to any past cyber incident with full confidence; and that the thresholds of war may need to be recalibrated beyond the tested parameters of an armed attack to make sense of persistent, ongoing, and imperceptible cyber conflict.
The March 2018 Command Vision of Cyber Command readily admits that cyber operations are conventionally below the thresholds of armed attack or use of force. This suggests a remarkable devolution of its thresholds of war, options of proportional response, and rules of engagement.
Cyber Command has started uploading malware samples of foreign adversaries to public forums, comparable to an age-old hacker tactic called doxing. It even went to the extent of warning Russian trolls by sending direct messages. None of these actions would find a mention in the US military doctrine.
Cyber Command’s recent actions in Russia and Iran mark the explicit signaling of its cyber capabilities, much in line with the playbook that goes all the way to the philosophy posited by Gen. James Cartwright in the early 2000s. An early proponent of Cyber Command, Cartwright once said, “We’ve got to talk about our offensive capabilities and train for them; to make them credible so that people know that there’s a penalty.”
Gen. Michael Hayden, who led the strategic reposturing of the National Security Agency after 9/11 has admitted that the cyber domain remains “hideously over-classified.” Customary law for cyberspace may only emerge when militaries buck the trend of over-classification. Until then, much like targeted assassinations and other forms of irregular warfare, norm-violation may remain the only practical form of norm-setting.
The road to responsible state behavior in cyberspace is paved with bad intentions. Cyber power projection may keep on following the Thucydidean paradigm, “The strong do what they can, and the weak suffer what they must.”
Pukhraj Singh is a cyber intelligence analyst and has worked with the Indian government and security response teams of global companies. He blogs at www.pukhraj.me. The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.
Image credit: Ryan Adams (Homedust)
The over 30 members of the International Group of Experts, 70 peer reviewers, and 50 governments and international organizations who participated over seven years in preparing Tallinn Manual 2.0 hoped that the project would generate objective, sophisticated discussion among states and scholars regarding the many uncertainties as to how international law applied in cyberspace. Although we identified 154 broad "rules" of law in that context, we highlighted even more issues about which interpretive discretion remained; we assiduously worked to identify all reasonable options for governments and academics to consider in assessing their own stance. Our efforts have been rewarded, with mature debates now surrounding such issues as whether sovereignty is a rule of international law, whether the notion of armed attack (the condition precedent to acting in self-defense) extends to cyber operations having non-physical effects, and whether data is an object such that civilian data may not be destroyed or altered during an armed conflict.
Unfortunately, this piece contributes in no way to this important process. The author badly mischaracterizes the meaning and significance of the conclusions in my recent article on cyber weapons, grasps neither the purpose nor approach of Tallinn Manual 2.0, misunderstands basic tenets of international law, and stumbles on the dynamic of international law development and interpretation. To take one example, his comments on the application of existing customary law to new means and methods of warfare fly in the face of many decades of consensus practice by states, certain treaty rules requiring that assessment, case law of the International Court of Justice, and agreement among serious scholars. In another, he seems to believe my change of heart on the characterization of weapons undercuts broad swaths of the Manual. It does not. Rather, the only direct result is on the requirement to review weapons before they are fielded (1 of 154 rules); even then, as I point out, their actual use on the battlefield must still be assessed for compliance with the law of armed conflict. Beyond that there is no effect whatsoever on any area of international law beyond LOAC (we surveyed over 15).
And inaccurately characterizes the current state of play. The effort to identify and understand binding and non-binding norms for cyberspace is alive and well. He notes the failure of the 2015-2016 UN GGE to issue a report on the subject., but fails to acknowledge the important 2013 and 2015 reports on the subject, the fact that the UN has launched a new GGE and an Open Ended Working Group, the increasing willingness of states to publicly articulate their legal positions (as in the May 2018 speech by the UK Attorney General, important speeches by the Dutch Ministers of Foreign Affairs and Defence, and the US submission to the GGE), the centrality of international law in the national cyber security strategies of many states, and support for capacity-building in the field of international cyber law by states like the Netherlands, Singapore, Australia, United States, United Kingdom, Canada, and organizations like NATO, the OSCE, and the OAS.
As my mentor once famously said about a speaker, "I agree with everything he said…except for the facts and the law." The topic of norms in cyberspace deserves better.
Prof. Mike Schmitt
Francis Lieber Distinguished Scholar
United States Military Academy at West Point
Prof Schmitt was kind enough to comment on my essay. It's a given that international law isn't my forte; I didn't profess such claims in the piece. I think, Prof Schmitt's point is that the deliberative process itself — its evolution — affirms and upholds the viability and sanctity of cyber norms. That's true only to a certain extent. Yet, it's also valid that the deliberative process is completely divorced from the 'physics' of the domain. Maybe I missed it, but his latest paper didn't mention how his "change of heart" would impact the Manual. He clarifies that now.
My bigger worry is that this process discounts the growing disintermediation between states whose power dynamics are being replaced by corporations. Their capabilities outwit that of most SIGINT agencies. What's the normative state of play there — as it most crucially impacts life and liberty than any imagined cyber instability emanating from governments — is a question where such discussions ought to begin. That's where I am planning to extend the conversation in my subsequent research.
To quote Selmer Bringsjord and John Licato, "Augustine and Aquinas (and their predecessors) had a stunningly long run, but today’s world, based as it is on digital information and increasingly intelligent information-processing, points the way to a beast so big and so radically different, that the core of this duo’s insights needs to be radically extended."
This is just in: France does not accept the definitions used in Tallinn Manual 2.0 https://twitter.com/lukOlejnik/status/1171099053331034112.
This piece would be more compelling if it didn't start with several errors. Wassenaar was able to agree to control spyware. Stuxnet did not spin out of control. The UN GGE failed to reach complete consensus on a report in 2017 (not 2016), but this was the fourth round of a series of talks; three reached consensus and the next round starts in December. It is a common error not to see GGEs as a sequence of talks rather than as individual episodes. The norms debate is much more complex and involves questions of whether additional norms are needed, how to implement the norms agreed in 2015 (and endorsed by all UN member states) and how to proceed with implementation of norms and CBMs at a regional level, where there has been real progress.
The Tallinn Manual, while a great academic effort and a very useful guide to thinking about cyber conflict, was not a political document and never had the support of Russia, China and the US. Its conclusions will be reshaped as we gain more experience with cyber conflict and if there is any criticism, it might be that the Manuals were premature, written before we had sufficient experience with the use of cyber operations in interstate conflict. Perhaps this suggests the need for a Tallinn III some years hence.
States prefer to leave the definition of "use of force" and "armed attack" open to allow their political masters the flexibility to decide when a cyber action justifies a response, what kind of response it should be, and how compelled they feel to justify it using law. Note that neither "use of force" and "armed attack" are defined in the UN Charter. Exploiting the "area" below the threshold of armed attack is now a normal feature of interstate conflict and probably reflects constraints created by nuclear weapons, which have significantly changed State calculations of the cost and risk of open military conflict. Cyber is one of the better tools for coercive action in this constrained space. Cyber attacks used to offer deniability,, but this might now be better called "implausible deniability," since both repeated actions or major incidents are increasingly attributable by major powers.
The key problem is not in deciding what is a hostile action or identifying who is responsible, but how a nation should respond. The decision by the US to take a more active posture and respond (or retaliate) to opponent cyber actions, whether we call it persistent engagement, defend forward, or active defense, is a valuable first step in defining the contours of cyber conflict (previous administrations seemed to prefer "inactive defense," and this helps explain why the situation now appears so dire). If victim states can get over their timidity, engagement and better attribution will change the nature of cyber conflict and bring it more in line with state practice in other areas of conflict.
Cyber is not sui generis. States use it as a tool to advance their interests and they make the same calculation of risk and benefit they use with any other tool. Some are guided by law in their decisions, other are not. Cyber operations do have some unique features (the most important of which being that there are few adequate defenses), but the course of this debate over how to use cyber operations and how to defend against them will be shaped by the larger conflict among major powers that is reshaping international relations.
Thanks for your comment, Jim. I think, this debate is boiling down to matters of perception. And that the chasm of perception is only widening between the operators and lawyers/policymakers. I want to add on a couple of things you said:
1. Stuxnet didn't go out of control? It would have been great if you had substantiated that. I heard similar arguments that Stuxnet was a declaration and an announcement of cyber power; an attempt at deterrence. If I remember correctly, Gen Michael Hayden also toed that line. I think, that makes no sense, especially with the way the malware went out of control. I handled its incident response for India: its infection matrix was accidental, if not bizarre. It does sound like a post-facto justification to me.
2. On UN GGE being a mix of positives and negatives: If you go through US State Department envoy Michel Markoff's statements after the talks ended in 2017, it becomes amply clear that the US's approach was half-hearted, bound by many domestic constraints. While she seemed to have understood the underlying issues, she couldn't fully exercise her mind. After the talks fell apart, she recommended “interleaving strategies” like defence, declaratory policies, alliance activities, and norms of behaviour. These traits were never fully exhibited in the American discourse.
Note: I had initially mentioned 14 years for the UN GGE, but since the Guardian article I referred to mentioned 13, I had to edit it. The error is regretted.
I think, we have merely stumbled on the paradox of cyber operations as an instrument of war. We at least had some unanimity on the effects of nuclear weapons and CBMs, etc., but that may never happen for cyber operations. Russia and China may only exercise them in the cognitive dimension, whereas the Western allies like to visualise them in the cyber-physical space. This dichotomy emerges from their very civilisational ethos. While KGB's "reflexive control" was fine and dandy, when that happens at scale and speed, and in an autonomous way, we are talking about a whole different ballgame. Which international norm-building process has touched upon that? Again, the Western allies are bound by domestic constraints as to how they envision information operations.
You also add that below-threshold warfare is the natural outcome in the nuclear era. I can point out that a paradox exists even there. Latest commentary by policymakers close to the US establishment hints that the government is heavily betting on CEMA. It could possibly be the most potent tool in the American arsenal; imagine projects even more lethal and effective than Canopy Wing. You could then reasonably assume that cyber operations may actually disturb the thresholds of conflict in an unprecedented way, even crisscrossing the nuclear dimension.
Marshall McLuhan wrote: With telephone and TV it is not so much the message as the sender that is “sent.”
From McLuhan's book – “The Medium is the Message” – each medium, independent of the content it mediates, has its own intrinsic effects which are its unique message. The message of any medium or technology is the change of scale or pace or pattern that it introduces into human affairs. The railway did not introduce movement or transportation or wheel or road into human society, but it accelerated and enlarged the scale of previous human functions, creating totally new kinds of cities and new kinds of work and leisure. This happened whether the railway functioned in a tropical or northern environment, and is quite independent of the freight or content of the railway medium. (Understanding Media, NY, 1964, p. 8)
The railroad comparison applied with equal validity to the media of print and television, and then to computers, the internet, and consequently, this discussion. “The medium is the message” because it is the “medium that shapes and controls the scale and form of human association and action.” (Understanding Media, NY, 1964, p. 9)
What is that observation-abstraction worth? TBD. However, I agree with the Author, I think this will hold: “The strong do what they can, and the weak suffer what they must.” Be strong.
Very interesting piece.Wanted to use this space to point out a few critical legal and factual errors in this piece. Will respond to the important substantive commentary in this piece soon
In his critique, claims that the efforts at the United Nations Group of Governmental Experts (UNGGE) “fell flat in 2016.” This is only partially accurate. While the fifth UN-GGE failed to arrive at a consensus in 2016 on the applicability of specific International Law questions to cyberspace, the report of the fourth UN-GGE recognised that international law applies to cyberspace even though the specifics were not yet worked out. Further, the norms formulation process was resurrected in November 2018 at the United Nations through two resolutions — sponsored by the United States and Russia respectively — which set up a sixth UN-GGE and a more inclusive for Open-Ended Working Group (OEWG) to take the discussions forward from 2019-2021.
The author ignores several other norms formulation efforts that are in the works. Private sector efforts, such as the Microsoft driven Cyber Security Tech Accords and Siemens’ Charter of Trust, multi-stakeholder efforts such as the Global Commission on the Stability of Cyberspace and the Paris Call on Trust and Security in Cyberspace are examples of pots that are brewing in this space. They are,by no means perfect processes bSingh wrongly interprets established standards and jurisprudence in International Law. He cites a 2004 paper by Schmitt and Dinniss, which he takes to “cite case law like Nicaragua v. United States deduce that an information operation is noticeably below the threshold of an armed attack necessary to invoke IHL.”
Dinniss and Schmitt do no such thing because the ICJ largely avoided questions of IHL in Nicaragua v United States. Their only definitive conclusion (in Paragraph 220) was that “the US was under an obligation not to encourage persons or groups engaged in the conflict in Nicaragua to act in violation of the provisions of Article 3 common to the four 1949 Geneva Conventions.” In other words, the ICJ stated that the US should not encourage individuals to violate IHL, but made no pronouncements — definitive or otherwise — on the thresholds of applicability of IHL to a conflict.
More importantly, the author problematically conflates two separate bodies of law that regulate warfare. Jus ad bellum (“right to war”) refers to the set of parameters under which States may legitimately resort to the use of armed force. The prohibition against the use of force captured in Article 2(4) and the exceptions to it (self-defence captured in Article 51, and the UN Security Council authorization for the use of force), set out in the United Nations Charter of 1945, are the core rules that make up this corpus of law. Jus in bello, on the other hand (“the law in waging war”), defines the standards to which a country must adhere to when engaging in warfare. This body of law, known as International Humanitarian Law (IHL) is captured in the 1949 Geneva Conventions and its Additional Protocols.
An action that complies with the standards of IHL may be entirely unjustified under jus ad bellum and vice-versa. The threshold of ‘armed attack’ which stems from the text of Article 51 of the UN Charter — which the author refers to — is a jus ad bellum threshold that is still yet to be crystallised. In Nicaragua, the ICJ stated that the ‘scale and effects’ required for an act to be characterised as an armed attack necessarily exceeds those qualifying the act as a use of force prohibited under Article 2(4) and includes the ‘most grave’ forms of the use of force. It allows states to engage in the use of armed force in response to an armed attack (or arguably in anticipation of one) for the purpose of self-defense.
However, crucially it has no bearing on whether the rules of IHL can be applied to decide the legality of the use of armed force in a certain instance. In fact, in the paper the author refers to [cite] clearly state that “humanitarian law … covers any dispute between two states involving the use of their armed forces.” Dinnis and Schmitt go on to state that a rigid application of this threshold would allow states to avoid the application of IHL by deploying forces other than the military to engage in violent attacks. Therefore, they understand the reference to armed forces as the application of force resulting in human injury or physical damage. Unlike in the case of the ‘armed attack’ threshold under jus ad bellum, the ‘scale and effects’ test has no weightage in IHL. Therefore, any action that involves the application of force would need to comply with the restraints of IHL.
The legitimacy of the operation and its compliance with the red lines of IHL rightfully form two separate parts of the regulatory architecture for cyber operations. Before engaging in an operation, a cyber operator must decide (a) If the operation might meet the jus ad bellum threshold of use of force and if so, whether said use of force is justified and (b) even if (a) is satisfied, whether the obligations to prevent unnecessary suffering and collateral damage to civilians have been met.