The following is the Dec. 10, 2021, Congressional Research Service In Focus report, Use of Force in Cyberspace.
From the report
There are no internationally accepted criteria yet for determining whether a nation state cyberattack is a use of force equivalent to an armed attack, which could trigger a military response. Likewise, no international, legally binding instruments have yet been drafted explicitly to regulate inter-state relations in cyberspace. Self-defense and countermeasures for armed attacks are permitted in international law when a belligerent violates international law during peacetime, or violates the law of armed conflict during wartime. However, the term “armed attack” has no universally accepted definition and is still not well-settled with respect to cyberattacks. In addition to what constitutes an armed attack in cyberspace, questions remain over which provisions of existing international law govern the conduct of war in cyberspace.
United States Doctrine
In September 2012, the State Department took a public position—still in effect—on whether cyber activities could constitute a use of force under Article 2(4) of the United Nations (U.N.) Charter and customary international law. According to State’s then-legal advisor, Harold Koh, “Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force.” Examples offered in Koh’s remarks included triggering a meltdown at a nuclear plant, opening a dam and causing flood damage, and causing airplanes to crash by interfering with air traffic control. By focusing on the ends achieved rather than the means with which they are carried out, this definition of cyber war arguably fits within existing international legal frameworks. If an actor employs a cyber weapon to produce kinetic effects that might replicate fire power under other circumstances, then the use of that cyber weapon rises to the level of the use of force. However, the United States recognizes that cyberattacks without kinetic effects are also an element of armed conflict under certain circumstances. Koh explained that cyberattacks on information networks in the course of an ongoing armed conflict would be governed by the same principles of proportionality that apply to other actions under the law of armed conflict. These principles include retaliation in response to a cyberattack with a proportional use of kinetic force. In addition, “computer network activities that amount to an armed attack or imminent threat thereof” may trigger a nation’s right to self-defense under Article 51 of the U.N. Charter. The 2011 International Strategy for Cyberspace affirmed that “when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.” The International Strategy, which has not been updated, goes on to say that the U.S. reserves the right to use all means necessary—diplomatic, informational, military, and economic—as appropriate and consistent with applicable law. One of the defense objectives of the International Strategy is to work internationally “to encourage responsible behavior and oppose those who would seek to disrupt networks and systems, dissuading and deterring malicious actors, and reserving the right to defend national assets.” Chapter XVI of the Department of Defense Law of War Manual notes that the United States strives to work with other states to clarify not whether international law applies to cyberspace, but how.
Download document here.