The following is the June 25, 2024, Congressional Research Service In Focus report, Use of Force in Cyberspace.
From the report
Introduction
There are presently no internationally accepted criteria for determining whether a nation state cyberattack is a use of force equivalent to an armed attack, which could trigger a military response. Likewise, no international, legally binding instruments have yet been drafted explicitly to regulate inter-state relations in cyberspace. Self-defense and countermeasures for armed attacks are permitted in international law when a belligerent violates international law during peacetime, or violates the law of armed conflict (LOAC) during wartime. However, the term “armed attack” has no universally accepted definition with respect to cyberattacks. In addition to what constitutes an armed attack in cyberspace, questions remain over which provisions of existing international law govern the conduct of war in cyberspace.
United States Doctrine
In September 2012, the State Department took a public position on whether cyber activities could constitute a use of force under Article 2(4) of the United Nations (U.N.) Charter and customary international law. According to State’s then-legal advisor, Harold Koh, “Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force.” Examples included triggering a meltdown at a nuclear plant, opening a dam and causing flood damage, and causing airplanes to crash by interfering with air traffic control. By focusing on the ends achieved rather than the means with which they are carried out, this definition of cyber war arguably fits within existing international legal frameworks. If an actor employs a cyber weapon to produce kinetic effects that might replicate fire power under other circumstances, then the use of that cyber weapon rises to the level of the use of force. However, the United States recognizes that cyberattacks without kinetic effects are also an element of armed conflict under certain circumstances. Koh explained that cyberattacks on information networks in the course of an ongoing armed conflict would be governed by the same principles of proportionality that apply to other actions under the LOAC. These principles include retaliation in response to a cyberattack with a proportional use of kinetic force. In addition, “computer network activities that amount to an armed attack or imminent threat thereof” may trigger a nation’s right to self-defense under Article 51 of the U.N. Charter. The 2011 International Strategy for Cyberspace affirmed that “when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.” The 2024 International Cyberspace & Digital Policy Strategy states that the United States is working to advance responsible state behavior based on a U.N.-endorsed framework on “the applicability of existing international law, adherence to globally accepted and voluntary norms of state behavior in peacetime, development and implementation of confidence-building measures to reduce the risk of conflict in cyberspace.” It refers to the 2023 Department of Defense (DOD) Cyber Strategy goal “to reinforce responsible state behavior by encouraging adherence to international law and internationally recognized cyberspace norms.” Chapter XVI of the DOD Law of War Manual notes that the United States strives to work with other states to clarify not whether international law applies to cyberspace, but how. Both the Departments of State and Defense contend that cyberattacks rising to the level of an armed attack may trigger mutual defense treaty obligations, though an armed attack in cyberspace remains undefined.
NATO Doctrine
In 2009, the North Atlantic Treaty Organization (NATO) Cooperative Cyber Defense Center convened an international group of independent experts to draft a manual on the law governing cyber conflict. The first Tallinn Manual, as it is known, was published in 2013 and offers 95 “black letter rules” addressing sovereignty, state responsibility, the LOAC, humanitarian law, and the law of neutrality. The Tallinn Manual is an academic text and as such nonbinding. The February 2017 Tallinn Manual 2.0 expands upon the first and offers 154 black letter rules governing cyber operations, including in peacetime. In the provisions of Article 5 of the North Atlantic Treaty, an attack on one member is considered an attack on all, affording military assistance in accordance with Article 51 of the U.N. Charter.
Download the document here.