Cyber-attacks or cyberwarfare is a new type of warfare that uses digital technology to distort, steal or erase critical information, which results in serious economic, political and social consequences. Many governments have come to appreciate the power of cyber warfare and are using it to attack other nations that they consider hostile.1 On April 27, 2007, Estonia came under a series of cyber-attacks, which targeted financial institutions, Estonian parliament, government departments and news agencies following the escalation of the dispute between the country and Russia.2 Investigations revealed that the attacks were planned and executed by Russian agents with the approval of the government. Georgia also suffered the same attack in 2008 following its strained relations with Russia.3 The fact that Russia made an attempt and partly succeeded in meddling with the United States’ Presidential election in 2016 was an indication that cyber warfare has become the new frontier of war.4 The sovereignty of a nation is entrenched in the ability of its people to elect their leaders. Breaching the electoral system of the United States is a direct attack on the country’s sovereignty.
When a legitimate government of one country compromises the sovereignty of another, it is only fair that the aggrieved country should respond appropriately. The United Nations Charter defines how a country should respond to an attack, including when to use force.5 However, some scholars argue that international laws are not adequate when it comes to responding to cyberwarfare. Most of the existing treaties, customary international law, cases and rules relating to cyberwarfare do not articulate how and when one country should use armed attack and threat to peace in case it is attacked by another legitimate government using information technology.
According to Henry and Brantly, some of the main questions that many countries face is if a cyber-attack happens, what treaties there are to respond to such attacks and how do these treaties and rules respond to it and how adequate are these laws and treaties.6 It is still unclear how a country can respond emphatically to such attacks other than having a stronger firewall and improving on the data security system. The goal of this study is to examine rules on force to determine whether they may be applied in instances of cyberwarfare and if so, to examine the adequacy of such rules as a response to cyber-attacks. Using data from various sources, the study will review several documents to understand the legal framework within which a country can respond to an attack and determine their adequacy in deterring governments from launching a cyber-attack on other nations. The study seeks to answer the research question below:
Is international law, relating to the use of force, adequate to respond to new types of warfare, specifically cyberwarfare?
Aim of the Study
Cyberwarfare is becoming the new approach of war that some countries are using against their perceived enemies. According to Henry and Brantly, the use of information technology to attack critical data of a foreign nation and cripple operations has become common over the past decade.7 However, the adequacy of the current laws has been questioned when it comes to how to respond to such attacks, as Henry and Brantly observe.8 The aim of this study is to examine the rules, which are in force to determine their effectiveness when it comes to responding to cyber-attacks. The study project focused on the current laws in force to establish if they can support the use of armed attack in cases of cyber-attack.
The United Nations Charter defines when a country has the legal right to use force and threat to peace when it is attacked by another nation.9 However, these international laws focus on the actual armed inversion of one country by another. The new strategy of cyberwarfare does not involve the use of any weapon. For instance, a malicious computer worm known as Stuxnet was used to attack the Iranian nuclear power plant with the aim of discouraging the country from continuing with its nuclear program. It is believed that the attack was planned and executed by the Israeli agents who worked closely with the United States government in an effort to minimize Iran’s nuclear capabilities.
The law remains unclear how the victim of such an attack should respond emphatically to deter the aggressor from making similar attempts. Denton explains that the international community has to examine the existing treaties and rules relating to cyberwarfare and the manner in which a country can deal with such threats.10 The study will offer an understanding of cyberwarfare, the manner in which it falls within the rules in force and whether the existing treaties and rules are adequate in responding to cyber threats. Essentially, the study will determine if a cyber-attack was to be planned and executed by one country to another, would it breach the existing rules in force and laws in place to help a country to respond to such attacks.
The study will need to determine if international law relating to the use of force is adequate in responding to new types of warfare, specifically the cyberwarfare. As such, it was necessary to collect reliable information that would help in answering the question. The researcher collected data from both primary and secondary data sources. Secondary data was obtained from books and journal articles. Information from reliable websites was also used. The main source of primary data was treaties, customary international laws, cases and rules. Using doctrinal research, the study reviewed the existing rules and laws from relevant archives, especially the rulings that have been made by various courts relating to the appropriate ways of responding to the threat of cyber-attack. Information from the United Nations Charter also helped in determining how the international community has responded to the threat and ways in which the United Nations Security Council can intervene in case one country request for its support. Applying both the primary and secondary data sources in addressing the research question will help in determining the level of adequacy of the current laws.
United Nations Laws
Does cyberwarfare breach international laws and treaties regarding the use of force, in particular, Article 2(4) of the Charter of the United Nations?
The fundamental goal of the United Nations is to avoid any armed conflict between nations around the world in an effort to limit the occurrence of events such as World War I and World War II.11 As such, most of its laws and rules limit the ability of one country to use force when it feels aggrieved by another. In most of the cases, such disputes would be addressed with the help of neutral member states or various United Nations organs to avoid the possibility of war. The chapter starts by focusing on the above question. The researcher was interested in determining if cyberwarfare breaches international laws and treaties regarding the use of force. The researcher focused on the United Nations Charter in article 2(4). The article reads as follows:
All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state or in any other manner inconsistent with the purposes of the United Nations.12
The article strictly prohibits its member states from various practices that may be considered a threat to the sovereignty or political integrity of another state. It identifies factors such as the threat to peace, use of force against the territorial integrity and political integrity or any other practice that is inconsistent with the aim of the United Nations.13 A critical assessment of the nature of cyberwarfare goes against international laws and treaties, specifically when one focuses on Article 2(4) of the United Nations Charter. The article states that no country should engage in practices that would be considered a threat to peace against another nation. One such attack that is believed to be a threat to peace is OpIsrael. Since 2013, a group of well-coordinated cybercriminals, which is believed to be sponsored by governments hostile to Israel as a nation, has been organizing attacks on the eve of Holocaust Remembrance Day.14
The hackers often target different Israeli websites and social media platforms such as Facebook and YouTube and post abusive messages against all Israelis in a way that may breach the peace in the country. The timing of such attacks and the fact that it has the support of Hamas, the de facto governing authority of the disputed Gaza Strip creates tension in a region that has been at war for several decades.15 Such propaganda may have a serious impact on the relations between the Israelis and Palestinians living in this region. The fact that these hackers often target Israelis through various online platforms with hurtful messages at a time when they are remembering the Holocaust may motivate sporadic attacks that may stabilize the region.
In 2019, Indonesian General Elections Commission chief, Arief Budiman, reported that they had detected a wave of cyber incursion by agents believed to be sponsored by the Chinese government.16 The attacks focused manipulating or modifying the outcome of the country’s first election where the president, vice president, members of the legislative assembly and local legislative body members were to be elected on the same day.17 Soon after the election, which was conducted on April 17, 2019, there was unrest in the country as different political parties rejected the outcome. Article 2(4) of the Charter prohibits one country interfering with the political independence of another state. It means that the cyber-attacks that was planned and executed by the Chinese government to manipulate the outcome of the Indonesian election was a breach to that law. It compromised the political integrity of the aggrieved nation, making it impossible for its citizens to elect their leaders in a free, fair and credible election.
According to Brown G and Keira, the phrase ‘use of force’ in article 2(4) has traditionally been interpreted as the use of physical means to threaten peace, breach territorial integrity, manipulate elections or engage in similar practices.18 It involves sending troops into another country contrary to various rules and treaties enshrined in international laws. However, the capabilities of new war machines, especially the cyberwarfare, make it possible for a country to breach the law without the use of armed attack. One country can manipulate elections or threaten peace in another country without necessarily using a traditional army. As such, Maurer argues that when interpreting Article 2(4), it may be advisable to use other supportive articles or new treaties to define how one country can respond effectively.19 Article 51 states:
Nothing in the present Charter shall impair the inherent right to individual or collective self-defence if an armed attack occurs against a state.20
The above article gives express permission to a country or a group of countries to use force in self-defence when under attack by another nation. Just like article 2(4) of the Charter, this article uses the phrase ‘armed attack’. It means that the use of force would only be justifiable, in cases of self-defence, when a country can prove that it has come under armed attack by another country. It does not state, in clear terms, how to respond to a cyber-attack that may have similar or even worse consequences as armed attacks. In responding to the above question, it is apparent that cyberwarfare breaches international laws and treaties regarding the use of force, in particular, Article 2(4) of the Charter of the United Nations. However, these laws and rules do not stipulate how a country can respond effectively to respond or deter such attacks.
Definition and Types of Cyberwarfare
It is important to have a clear definition of the word cyberwarfare and understand its impact on modern society. Tsagourias and Buchan define cyberwarfare as “the use of computer technology to disrupt activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes.”21 As shown in this definition, cyberwarfare primarily involves the use of computer technology to plan and execute a deliberate attack on a country by targeting its information system with the aim of crippling critical systems within the government. When a foreign government, Tsagourias, executes such an attack and Buchan explains that the primary goal is often to steal strategic or military information that may jeopardize a country’s security or its economic growth if effective counteractive measures are not taken within the right time.22
Cyber-attacks may take different forms, as Tsagourias and Buchan observe.23 Malware attack is one of the most common types of cyberwarfare that some governments are using against other states around the world. In this case, the attacker would use a virus to infiltrate the data management system for various purposes. The virus can help the hacker to access private data of the victim, manipulate information, erase critical information needed for the normal operations or simply wreak havoc in the database, making it almost impossible to undertake specific duties. The Iranian nuclear plant attack is a perfect example of a malware attack. Using a computer worm known as Stuxnet, the hackers penetrated the Iranian nuclear program to enable foreign states to monitor and even control activities at the nuclear plants.24 When authorities in Iran discovered the presence of the virus in its nuclear program system, the hackers issued a command to paralyze operations at the plant before the malware could be eliminated. The computer worm had affected more than 200,000 computers, out of which 1,000 were physically degraded by the time control measures were taken.25 The Iranian government blamed the Israeli and American governments for the attack.
Direct cyberspace attack, also known as the distributed denial-of-service (DDoS) and Denial-of-service (DoS) attacks is another form of cyberwarfare that specifically targets the use of the internet.26 In this case, hackers would target government websites and other important institutions and cause distortions that limit their ability to operate. In 2007, Estonia came under an intense attack by Russian hackers who were working under instruction from the government.27 They targeted the Estonian parliament, different governmental departments, news outlets and other critical institutions in the country. They redirected the traffic to servers in Moscow in Russia and parts of Turkey. It meant that the country’s critical information was accessible to a foreign and hostile state.
In 2008, Georgia came under similar attacks from hackers were believed to be in Russia. Numerous websites offering important information to members of the public were disabled, paralyzing government activities for several hours. The hackers also targeted South Ossetian, Azerbaijani and even Russian entities that were believed to be sympathizers of the nations under attack.28 Paralyzing government operations of a foreign country by another government is a direct attack that leads to loss of revenues and sometimes loss of lives when an institution such as a hospital is targeted. It goes against the international laws that define the nature of foreign relations that a country should have with other nations.
Cyber espionage is another type of cyberwarfare that is rapidly gaining popularity around the world. On October 30, 2018, the United States Department of Justice reported that it had uncovered a large cyber espionage scheme involving officials from China’s Ministry of State Security and Chinese intelligence officers.29 The Chinese government was accused of economically sabotaging the American and French economy by stealing critical data about a turbofan engine used in airplanes. The investigation led to the arrest of Mr. Yanjun Xu and Mr. Chaoqun Ji, who were believed to be top Chinese intelligence officers responsible for coordinating such attacks.30 Besides the theft of intellectual data, a Chinese government has also been accused of stealing critical military information that may compromise the national security of various countries.
Some of the favourite countries targeted by Chinese intelligence officers include neighbouring Japan, India, the Philippines and the United States. The giant Chinese technology company, Huawei, has been accused of helping its government to spy on specific American and European officials. During their manufacture, the Huawei phones would have a malware that helps the Chinese government to eavesdrop on the conversation and information sharing that users have with others.31 Although the company and the Chinese government have denied these claims, a critical inspection of these phones has shown the presence of malware allowing the company to have access to users’ data without their permission.
Rules on the Use of Force
The First World War had a profound economic, political and social impact on the global community and the creation of the League of Nations was meant to ensure that such catastrophic events would never happen again in the world. However, the Second World War that broke out in 1939 was a clear indication that the League of Nations had failed in achieving its primary goal of preventing an outbreak of another major war. The outcome of the second war was even more catastrophic than the first one. Millions of people lost their lives, properties worth billions of dollars destroyed and normal operations in different countries paralyzed. Many countries had to start political and economic reconstruction after the massive destruction. As such, the United Nations was founded on October 24, 1945, with a greater mandate and military power to ensure that such a global conflict would never be witnessed again.
The United Nations has since come up with treaties, rules and laws meant to limit the ability of one country to use force against another. Most of the chapters focus on how countries can co-exist to overcome common challenges such as diseases, poverty, illiteracy and other social vices. The treaties and rules have helped in restraining many nations from attacking others over the past several decades. However, the emergence of cyberwarfare is creating a new challenge that may threaten global peace in a way that had not been imagined by those who enacted these international laws.32 It is important to start by defining the use of force under the United Nations Charter and from other relevant sources.
What is exactly the use of force under the Charter?
The phrase ‘use of force’ has been used in different articles of the charter. In the United Nations Charter Chapter VII, Article 39 use of force is defined as “Armed aggression to deprive peoples of their right to self-determination, freedom and independence or to disrupt territorial Integrity.”33 In this context, the use of force involves armed aggression of one country against another in a way that disrupts territorial integrity, peace, stability, freedom, economic activities and any other normal activities of a sovereign state. It involves one country using its military might to achieve specific goals against another country.
The decision of the Saddam regime in Iraq to attack Kuwait is considered a use of force. Similarly, the decision by the United States to attack Afghanistan during the War on Terror is another example of the use of force. Russia used force to annex Crimea from Ukraine.34 When one country is using force, the affected country may choose to respond in a way it considers appropriate. Iraq, under the leadership of Saddam Hussein, responded with force when it came under attack from the United States. On the other hand, Ukraine did not make a significant military resistance when its territory was annexed, using force, by Russia.
In each of the above cases where one country used force against the other to achieve specific goals, they cited specific treaties and rules within the United Nations that validated their attack. The United States and its allies cited self-defence as the primary reason why they had to attack Afghanistan and eliminate its leadership that was believed to be hiding and aiding terrorists involved in the September 11, 2001 terrorists attack in the United States.35 Russia also cited the need to protect its citizens when it annexed Crimea. In this section, it is important to look at specific rules on the use of force and their relevance in addressing the concern of cyberwarfare.
As discussed above, United Nations Charter in Chapter 1 Article 2(4) emphasizes the need for all member states to refrain from the use of force in solving political disputes or any political and economic disagreements. On the other hand, Article 51 focuses on specific unique cases where a country may be permitted to use force when it is under threat. The analysis of how these rules react to the notion of cyberwarfare and whether they fall under these rules shows some major concerns. These two major clauses in the United Nations Charter only allow the use of force when a country is facing an armed attack from a foreign country. It does not identify cyber-attack as a major threat to national security and territorial integrity.
According to Eilstrup-Sangiovanni, cybercrime emerged as any other white-collar crime where individuals use their technological knowledge to gain personal goals.36 As such, some of the rules and treaties that were enacted treated it as organized crimes. However, Blacker explains that cyber-attack has become one of the best tools that many countries are using to sabotage hostile states.37 It is necessary to look at how these two articles in the United Nations Charter were applied in some of the recent cases of cyberwarfare around the world.
The Rule of Self-Defence
The United Nations Charter Article 51 strictly defines when one country can be allowed to use force and threat to peace against another state. The treaty states that a country must prove that it is under an armed attack from another country. In the past, some countries misused this rule to launch an offensive against states that they consider hostile. In 1979, Idi Amin Dada Oumee of Uganda sent his own soldiers dressed in the official military attire of neighbouring Tanzania, to attack his own Ugandan people as a proper justification to attack Tanzania. The Ugandan government claimed that the country was under attack and that it was justified to use force in self-defence as defined in Article 51 of the United Nations Charter.
The goal was to annex part of Tanzanian territory and to topple the rule of President Julius Nyerere. Unfortunately, for Amin, the Tanzanian forces were fully prepared and they acted on self-defence and made a swift counterattack against Uganda. They were able to topple the regime of Amin, who was forced to flee to Libya and later to Saudi Arabia.38 Such cases have been witnessed in various parts of the world where one country is compelled to use force because of an armed attack from a neighbouring country. However, cyberwarfare is significantly different from cases where one country is under an armed attack. It makes it necessary to start by addressing the following questions.
Is it possible and lawful respond to a cyber-attack?
Before focusing on whether it is appropriate to use force when responding to a cyber-attack, it is necessary to determine the possibility and legality of a response to such an attack under the United Nations laws. Under the current United Nations’ laws, there is no clear way through which a country can respond to a cyber-attack. According to Bertoli and Marvel, the international community has come to appreciate that cyberwarfare can no longer be ignored.39
On October 15, 2018, a team of experts from European Union met with officials from the United Nations to find effective ways of dealing with cyber threats in a forum titled The Application of International Law in Cyberspace: State of Play.40 Members of this forum noted that cyberwarfare was becoming a new platform through which some selfish governments were achieving their goals at the expense of other nations. When the current United Nations General Secretary took over office, he issued a statement titled From Nuclear Threat to Cyberwar, Unity Must Prevail over Division in Tackling Global Challenges.41 In the forum, he admitted that cyberwarfare was becoming as dangerous as nuclear weapons. Soon after this forum, the United Nations constituted the UN Group on Cybercrime and Cyber Security to help find effective ways of addressing this concern.
Despite the massive steps that have been taken by the United Nations to address the concern of cyber threats, there is no clear answer to the above question. The organization has not enacted new laws that prohibit or allow one country to respond to cyber-attacks. The possibility and legality of a response to cyber-attack remain unclear, specifically when a country intends to use the cyberspace in retaliation. The law is still prohibitive when a state intends to use force and threat to security to respond to cyber-attacks because of the requirement that the country must prove it has come under an armed attack. However, one can conclude that the vacuum created by the existing law makes it possible for one country to respond in any way it considers adequate, within the cyber space, to respond to any form of attack.
When elections of one country are compromised by actions of a foreign government through cybercrime, the aggrieved country can respond by using the same space to target government operations of the aggressor as a way of deterring similar events in future. In responding to the above question, existing laws are silent on this issue, giving a country the legal opportunity to respond to such attacks as long as it does not involve the use of force. Responses such as economic sanctions and retaliatory cyber-attacks would be possible.
Is self-defence an adequate way to respond to a cyber-attack?
Acting in self-defence is one of the most common reasons that many countries have given when invading others. However, the question above focuses on the legality of using the rule of self-defence in response to cyber-attack. As explained above, the legality of such actions remains controversial despite the fact that the United Nations has recognized cyberwarfare as a major threat to modern-day peace and security. It is important to review some of the rulings made on issues that may have some relationship with the current concern. The Nuremberg trials, which were conducted in Germany and Japan after the Second World War, focused on the legality of the actions taken by the top military officers in the two countries, which finally led to the war.42
During the hearing, the defence counsels argued that the generals and political leaders in the two countries were acting on self-defence. They stated that some of the rules set by the League of Nations and enforced by specific hostile countries sabotaged the economy of Germany and Japan. As such, their actions were meant to liberate their countries from economic slavery.43 However, judges in both tribunals rejected the claim of self-defence and held them responsible for a war that resulted in deaths of millions. Those who bore the greatest responsibilities in actions that led to the war and mass murders of civilians were sentenced to death. Others served long jail terms, while others died before completing their sentences. It is important to note that these trials happened soon after the creation of the United Nations. They formed some of the initial orders of business for the new body. As such, they may form a precedent in case a country uses force against another citing self-defence. If it cannot be proven that the country was under legitimate threat to peace and security, then those who authorize such actions and individual countries involved may be held individually and collectively responsible.
Such rulings have been a major deterrent to many countries that may be interested in the use of force against hostile states using cyberwarfare to achieve selfish gains. For instance, when Russia used its agents to manipulate the outcome of the United States general election in November 2016, there was a need for the country to respond to the deliberate attack on the country’s sovereignty. An attempt by a foreign hostile government to decide on the country’s top leader was viewed as a major insult to the country’s independence. The only other way that a foreign nation can achieve such a goal, as envisioned in the United Nations laws, is when there is a military inversion where the invader would install the preferred leader.44 In this case, Russia made such an attempt, that many investigators believed had a significant impact on the outcome, through the cyber space.45 In a normal circumstance, the United States would prefer acting in the same way. However, Russians were not due for a general election. The only action that the country could take as a response was to issue economic sanctions against Russia and launch its own cyber-attacks against some of the major infrastructures in Russia.
The current events in the cyberspace may make the United Nations rethink its strict policies relating to the use of force when responding to cyber-attacks. According to Kostyuk and others, “One may grant that the Charter restricts self-defence to cases of an armed attack, yet conclude that a strict application of that requirement does not satisfy present perceptions of necessary defence.”46 One of the sectors that are currently under massive cyber-attacks is the aviation industry. Cybercriminals have been hacking into systems of various airports and some are currently trying to take control of plans. With an increasingly automated aircraft used in the modern society that heavily relies on programmed data, there is the fear that soon it will be possible for government agents of a hostile state to take control of airplanes and use it as a weapon against another country.
The recent accident of Ethiopian Airline Flight 302 Lion Air Flight JT610 involving Boeing 737 Max was a clear proof that distortion of the software can make a plane uncontrollable.47 In both cases, the pilots could not understand what was happening and despite their concerted efforts to save their planes, they did not succeed. A few years ago, the aviation community did not believe that such events could occur. However, it is now clear that poor programming or distortion of the communication system can result in catastrophic accidents in the aviation sector. The problem is that as long as the United Nations embraces the restrictive rules on the use of force to counter cyber threats, some rogue governments may still be motivated to try such attacks. Iran and North Korea are some of the hostile nations to the western countries and it is still unclear what their cyberspace capabilities are.48 The following are some of the issues that the United Nations have to consider when examining rules on force relative to the cyberwarfare.
A credible threat of direct attack by hostile states using sophisticated technological systems is one of the main concerns of the international community that the United Nations is yet to address. Cyberwarfare is getting increasingly sophisticated as the global community becomes more reliant on information technology to a greater extent than in the past. According to Shakarian and others, South Korea has one of the most automated countries in the world where most of the systems of the government are programmed and rarely need human intervention.49 They include security inspection at airports and protection of the borders. The nation has come to trust information technology as the main source of protection and as a way of achieving efficiency. Any successful attempt to manipulate the system may have devastating consequences. It may have a direct impact on the national security of the country and the ability of its government to achieve specific goals. Such attacks may have worse consequences to a country than a case where only one part of the border is invaded by foreign forces.50 As such, the United Nations cannot continue to ignore the magnitude of the threat that cyberwarfare poses to the global community.51
Indirect aggression that may focus on overthrowing a legitimate regime of another country or compromising on its ability to protect its borders is one of the main concerns. Sometimes the aggression may not be direct, but the consequence may still be significant. The European Union has been more proactive than the United Nations in acknowledging the magnitude of the impact of such attacks and defining ways in which they can be addressed in an emphatic way. The issue will be discussed in details in chapter 2 when reviewing other laws and rules besides those enshrined in the United Nations Charter.
Foreign intervention in the civil strife of one country through direct engagement in the cyberspace is another major concern. Egypt and Libya had some of the strongest regimes that ensured stability in the region.52 Despite the growing instability in the Middle East and North Africa regions, the two countries remained stable. Without focusing on human rights abuses of the two regimes before Arab Spring, one can appreciate the fact that Hosni Mubarak of Egypt and Muammar Gaddafi of Libya managed to protect the two countries from inversion of terrorists such as ISIL and al Qaeda.53 However, they were both brought down through social media campaigns and city protests. Propagandists in the two countries used social media to appeal to the international community for military support and the two were finally forced out of power. Libya has never been peaceful since the death of Gaddafi. On the other hand, Egypt is emerging from years of civil strife. These two events demonstrate the power of the new media. It means that wrong usage or manipulation of social media may have a serious impact on a regime, stability and security of a country. The United Nations is not yet clear on how to respond to such threats when they are planned and executed by another state.
According to Harold and others, another emerging threat is the close coordination between a foreign state and a group of terrorists.54 Following the events of September 11, 2001, al Qaeda attacks, the United States launched an attack against Afghanistan in what it claimed to be in self-defence. The goal was to track down the terrorists, neutralize them and eliminate the Afghan regime that facilitated their operations.55 It was believed that the Afghan government provided security to the al Qaeda chief, Osama Bin Laden. It later emerged that Bin Laden was staying a few miles from a military training academy in Pakistan.56 Although most of the details about the operations that led to the murder of the terrorist remain classified, it is evident that he and his terror outfit received some support from the Pakistani government.
The alleged support system that he received made it impossible for the international community to capture him for close to one decade. Dinniss argues that it is possible the Pakistani government provided the intelligence that the group needed, making it impossible to track them down.57 Recently in East Africa, Rwanda accused Uganda of providing intelligence and direct military support to rebels and terrorists keen on overthrowing the current regime.58 When a foreign state gathers intelligence through its cyber capabilities and shares the same with terrorists, it directly compromises the safety and security of the affected country. When defining self-defence, the United Nations Charter fails to explain how one country can act effectively to such threats against the rogue state.
Steps Taken By the United Nations to Address the Current Inadequacies
The United Nations member states have come to appreciate the fact that the current laws do not provide an effective way of addressing the concern about cyber security. According to Dinniss, the process of developing and implementing new protocols often take time process and may sometimes require the approval of the Security Council.59 Cyberwarfare is a relatively new and sometimes controversial topic that the United Nations is yet to enact clear laws and rules that can be used in its regulation. However, different organs of the United Nations have taken significant steps to help address these inadequacies. The following are some of the actions that the body has taken in its effort to find a lasting solution for the problem.
The UN, Cyberspace and International Peace & Security-Side Event
In 2017, the United Nations Secretariat, under the directive of the General Assembly, initiated a fact-finding mission meant to address the major cyber security concerns affecting the member states.60 The team was tasked with reviewing complementary laws enacted by various regional and economic blocks such as the European Union and NATO relating to cyber security.61 The primary interest was to find ways in which some of these international laws could be incorporated in the United Nations’ policies and regulations. The Secretary-General had the responsibility of findings ways of addressing major inadequacies in laws and regulations relating to cyberwarfare. The findings made by the team shows that many countries around the world have made major strides in promoting economic growth and technological advancements. Technology has improved global integration, but it has also introduced a major problem in terms of the irresponsible use of cyber capabilities.
Hacking started as a criminal act planned and executed by individuals keen on stealing data or resources from specific companies.62 However, it became a major tool in cyberwarfare used by states against other countries. The team recommended the need for the General Assembly First Committee on Disarmament and International Security, which, through its successive Groups of Governmental Experts (GGEs) on Developments in the Field of Information and Telecommunications in the Context of International Security to develop globally binding laws on cyber security.63 In their study, the team reported that many countries are taking advantage of the existing legal gaps in laws relating to cyber security. During the Cold War, the United States and the Soviet Union developed nuclear weapons, often referred to as weapons of mass destruction.64 Other countries in Europe and Asia developed similar weapons as the only means of ensuring that they cannot be invaded by other countries.
Most of the treaties and rules relating to the use of force developed by the United Nations focused on preventing any attempt of one country using such deadly weapons against the other. As such, the law is articulate in defining an armed attack. There must be a proof that one country has used its military force (soldiers, military tanks, fighter jets and warships) to invade another country for the aggrieved country to use armed force as a means of self-defence.65 It makes it difficult to make an appropriate and decisive response when one country is attacked using information technologies. The team concluded that cyberwarfare is a major threat to international peace and security. If measures are not put in place to address the issue, such attacks may become more frequent and lethal.
The United Nations International Telecommunications Union Launch of the Global Cybersecurity Index
The United Nations International Telecommunication Union (UNITU) held its sixth World Telecommunications Development Conference (WTDC) in Dubai.66 It came in the wake of a heated debate over the cyber-attacks that had been executed by a Russian government against Estonia and Georgia a few years earlier.67 During the conference, representatives of various countries around the world noted that cyberwarfare had become the new weapon that some of the developed nations are using to achieve their goals at the expense of many years. After many years of improving nuclear weapon capabilities, the Superpowers came to realize that nuclear weapons would have devastating consequences on their targeted countries and the entire world.68
Chances of using such weapons were minimal. Cyberwarfare came as a perfect tool that they could use to achieve specific goals. Instead of using a weapon of mass destruction that would often have unintended consequences, the cyberspace offered the best alternative for these countries. They could target a specific organ within the targeted country and achieve a given aim. For instance, it would be possible for a hostile country to target and electoral system and define the person who becomes the president irrespective of the will of the people. Such actions compromise the sovereignty of a country and the ability of citizens to define the future of their nation.
The Global Cyber-security Index was developed during the conference with the specific goal of protecting the developed countries in Africa, parts of Asia and South America. According to Hall and Schultz, it was established that the speedy development of the cyberwarfare left most of these countries defenceless, as they were not adequately prepared for such eventualities.69 It explains why Russia has been able to attack most of its neighbours such as Ukraine, Estonia and Georgia without these victims responding effectively to deter such actions. Bertoli and Marvel explain that for a long time, the global community did not consider the cyberspace as a new warfront.70 Many countries did not believe that their sovereignty and security would be threatened by digital data manipulation. As such, most of these developing nations continued to invest in improving their military capacity and ignored the need to develop effective protection against a cyber-attack.
The index was developed to help identify the vulnerable states and determine the level of threat that they face from specific countries. For instance, they found out that Israel is one of the world’s most powerful nations in cyberwarfare.71 The country has developed its cyberspace to the country any form of attack by its neighbours or other countries around the world. At the same time, it has sharpened its capacity to attack other countries, especially its hostile neighbours. For a long time, Israel had been concerned about Iranian nuclear enrichment programs. The strained relationship between the two countries and the effort by Iran to eliminate Israel from the map of the Middle East was a major concern for authorities in Israel72. The inability of the international community to stop the nuclear programs in Iran meant that Israel had to find ways of protecting its citizens.
One of the steps that Israel took was to plant a malicious worm, Stuxnet, to enable the country to monitor actions taken in these nuclear plants and even control some of the actions.73 It meant that Israeli authorities would be aware of any planned attack and take adequate measures to protect its citizens. Although this action was justified as a defensive strategy meant to protect Israelis, the fact that the act went for several months before it was discovered shows the sophistication of Israeli authorities in the cyberspace. Such uncontrolled powers and major weaknesses exhibited by the developing countries may create an imbalance that may destabilize global peace and unity. This United Nation’s organ intends to come up with plans on how to address such concerns.
Developments in the Field of Information and Telecommunications in the Context of International Security
On June 23, 2013, the United Nations Secretary-General presented a report to the General Assembly on international security in the context of information technology.74 In the sixty-eighth session of the assembly, the item number 94, a group of governmental experts on development in the field of information and telecommunication were assigned the responsibility to conduct an investigation, in line with the General Assembly resolution 66/24 and report to the same organ on the best way forward.75 In their findings, these experts reported that malicious and intentional use of ICT by state-actors is becoming increasingly common and they operate with impunity, knowing that there will be no significant consequences to their actions. The current inadequacies have created an environment, which facilitates the abuse of ICT in sophisticated exploits. They noted that the past resolutions made by member states on how to address the problem are not conclusive and as such, incapable of dealing with the problem.
The experts concluded that the United Nations Charter is the only instrument through which the international community can deal with this problem. ICT is still critical in maintaining global peace, stability, openness and economic progress. It remains one of the most effective platforms for global integration and corporation. However, it should not be the platform through which the sovereignty of states is compromised by foreign regimes. The team of experts noted that it is necessary for the international community, under auspices of the United Nations, to hold regular dialogues to find legal ways of responding to cyberwarfare.76 The report emphasizes the need to have clear rules and regulations, under the United Nations Charter, that defines use of the cyberspace, possible breaches that can be committed by state and non-state actors, how such breaches should be investigated and the appropriate approach, including the use of force, which should be taken by the affected state or the Security Council. Creating such, a legal framework would deter governments from engaging in provocative cyberwarfare. It also eliminates excessive and sometimes unnecessary use of force as a response to cyber-attack.77 The experts believe that these laws and regulations would promote international peace and stability.
The International Multilateral Partnership against Cyber Threats (IMPACT)
The International Multilateral Partnership against Cyber Threats, often known as IMPACT, was founded in 2008 and remains one of the most active organizations affiliated to the United Nations focused on fighting cyber threats.78 The organization, which brings together private and public stakeholders in 152 member states around the world, transformed from an entity that focused on fighting cyber terrorism in 2008 to one that is fighting all forms of cyber threats. During the 15th World Congress on Information Technology which was help in 2006 in Austin, Texas, individual member states of the United Nations raised a concern about the growing threat of cybercrime and the fact that terrorists were focusing on this new technology to target organizations and governments around the world. A year after the conference in 2007, the Russian government used this technology to attack Estonia, as discussed above. When the General Assembly met in 2011, it was clear that cyber threat was not just posed by individuals and organized gangs but also by some government. As such, the organization broadened its scope beyond the narrow cyber terrorism to all forms of cyber threats.
Headquartered in Cyberjaya, Malaysia, IMPACT has a large laboratory and a team of experts that allow its member states to conduct research when they feel threatened. During the forum in 2011, the member states realized that some of its members in the developing world lack the capability to defend themselves in case of a deliberate and sophisticated attack by other foreign states. IMPACT did not focus on enacting rules and regulations meant to address the problem.79 Its focus was to increase the capacity of its members to defend themselves when they felt threatened by other nations. Like the Security Council, it was meant to protect the sovereignty of member states and the integrity of their borders against foreign inversion. However, it lacks the capacity to strike back at the enemy in any form in case of an attack. Its mandate is limited to defence and effective preparation of the members to identify pending attacks before they can even occur. The agency has been working closely with the ITU, which is also coordinated by the United Nations Secretariat.
Towards a Universal Legal Framework
The United Nations Security Council and ten leading cyber-superpowers from around the world came together in 2016 to enact rules and policies that can help regulate activities of state and non-state actors in the cyberspace.80 Singapore, Malaysia, Oman, Australia, Estonia and Canada joined member states in the Security Council to find ways of addressing the emerging concerns relating to cyberwarfare. According to Iheme, for the first time, a team of governmental experts, at the United Nations level, was able to agree on fundamental principles relating to the abuse of power in the cyberspace.81 They focused on principles of law relating to state responsibilities and state behaviour in the cyberspace.82
The team of experts noted that attempts to have universal laws that can deter irresponsible use of information technology have been futile in the past because of the inability of member states, especially those within the security council, to reach an agreement. As such, the best way of addressing the current inadequacies of laws relating to the cyberwarfare had to start from the source of the problem, the Security Council. As such, the General Assembly tasked the council and a team of experts to find the most effective approach of addressing the concern. This event was a significant step towards having a universal acceptance of a legal framework that would regulate activities of state agents in the digital environment.
One of the landmark decisions made in the report, as Iheme observes, was that the right, specified in Article 51 of the UN Charter, to self-defence including the use of force would apply if a cyber-attack reached the level of an armed attack.83 For the first time, the Security Council moved closer to considering the use of force in response to a cyber-attack, as defined in Article 51 of the United Nations Charter. The biggest challenge that the team faced was the appropriate definition of armed attack. The phrase ‘if a cyber-attack reached the level of an armed attack’ caused some form of ambiguity because it was open to different interpretations.84
The next question that the Security Council and the General Assembly had to answer was when such an attack would be considered to have reached a level of armed attack. A team of experts tasked with drafting these laws recommended having a lower threshold than an actual armed attack when dealing with cyberwarfare. They recommended that the United Nations should apply international humanitarian law to deal with the problem.85 It meant that if an act of one state has a significant humanitarian impact on another state through actions taken in the cyberspace, then the Security Council would have the permission to intervene, including the use of force.
The team faced two main challenges in its application of international humanitarian law.86 Although it was considered a major milestone when Russia accepted the proposal, it was a major setback when China expressed its concern, stating that it would be counterproductive to the aim of dealing with a rush to offensive cyber weapons. The second issue was the nature of the response. Article 51 of the UN Charter explains that when acting in self-defence, a state and its allies should focus on neutralizing the threat.87 It means that the response should target the invading foreign troops. However, in the case of a cyber-attack, there is no use of foot soldiers. It would mean that the response should target the systems and structures used to launch the attack. It is unclear how the force should be applied against the government involved. According to Kania and Costello, there is the fear that when a state uses force to respond to a cyber-attack, the other country would use the same law to launch a counter-attack.88 In such a case, the conflict would change from digital data wars to actual military combat that may have serious humanitarian consequences to both countries.
When developing a legal framework on how to use of force in response to a state-sponsored cyber-attack, opponents of such laws argue that the consequences of such actions may be counterproductive.89 The outcome of such an intervention may have serious unintended casualties in one or two countries.90 In some of the authoritarian regimes such as that of Russia and Iran, citizens may have limited ability to define decisions made by the government. However, they will be the worst affected group in case of an armed inversion. On the other hand, the proponents of the use of force as defined in Article 51 of the UN charter argue that this approach is the only way of deterring deliberate cyber-attacks sponsored by state-actors.91 It will be a reminder that every action that one country takes against another, there will be a significant response from the United Nations.
The recommendation made by the team of experts from the UN Security Council and other member states is also unclear on how to make such responses. Article 51 of the UN Charter explains that an invaded country can respond to an armed attack individually as a state or invite the Security Council to help counter the attack as a team. The current assumption is that when a decision has been made to use force against a state that has attacked another through the cyberspace, the same approach would be used. It would mean that the affected country could invite the Security Council or act alone if it has the capacity to do so. However, Kaplan suggests that such issues should be clarified to avoid misinterpretation or cases where the response made by the invaded country is considered illegal.92
The Current Capacity of the Security Council to Respond to Cyber-Attacks and Maintain International Peace
The primary mandate of the United Nations Security Council is to maintain international peace and security. The United Nations Charter gives the Security Council the mandate to use force in response to an unjustified inversion of one country by another. According to Rid, the response of the Security Council should be specific, to restore peace and security in the affected region without causing further instability or innocent loss of lives.93 Article 51 of the UN Charter explains when the Security Council should respond when intervening to such attacks. It stipulates that the response would be necessary when it is confirmed that there is a threat to peace and security caused by deliberate military activities of a foreign country in the affected state.
According to Henry and Brantly, all treaties and laws passed by the United Nations General Assembly or all other UN organs do not classify cyberwarfare as an ‘armed attack’.94 As such, it is unclear how the Security Council should act in response to a cyber-attack. Until the United Nations General Assembly enact the necessary laws relating to the cyberwarfare, the Security Council would have no legal ground to respond in any way to a cyber-attack launched by one country against another.
Building Transparency and Trust through the United Nation
In a report presented to the United Nations General Assembly in 2011 by the Secretariat, it was noted that the biggest challenge that the global society faces in the fight against cyber-related crimes, especially those sponsored by states, is lack of trust. During the period of the Cold War, the United States and the Soviet Union operated in great secrecy.95 Each of the two nations and their allies were keen on amassing weapons of mass destruction just in case there would be another world war. When the Cold War ended, the mistrust between Russia and the United States persisted. China moved closer to Russia while many countries in Western Europe joined the United States.
According to Duggan and Oren, the desire to protect the interest of one’s country has pushed many regimes to find new weapons, which are effective both in the offensive and in defence.96 As such, most of the economic and military powers are often keen to protect their actual military activities. China and Russia do not trust the United States and its allies who are members of NATO.97 There is the constant fear that the other group may act in a way that may compromise the sovereignty of the other just to emerge as the only superpower. The problem of operating in such an environment where there is constant suspicion among these nations is that each will try to find ways of countering any possible attack.
After the Second World War, it led to the arms race. However, the race is taking a completely new twist as the global society has come to realize that the real power in modern society lies in the digital platform. Shea explains that Israel would not need nuclear weapons if it can manipulate the control system of the Russian nuclear plants.98 The threat that the new war front poses to peace and security of a country is still as dire as was the case during the nuclear war race. The issue can therefore, be addressed by dealing with the primary source of the problem.
Shakarian and others argue that there is a need to build transparency and trust among the superpowers and other emerging economies.99 The United Nations should have the capacity to monitor the military-related actions of all the member states and assure the global community that there is nothing suspicious going on.100 Russia should be assured that the United States is not planning an attack that may compromise its regime. Similarly, China would need to be assured that alliances that Japan has with the West do not pose any security or economic threat to the nation. The transparency and trust will have a significant impact on the desire by one country to attack another through the cyberspace or any other means possible. When there is trust, member states will not have problems enacting laws that would approve the use of force as a response to a cyber-attack. They will be assured that the law will not be abused by some states to settle political scores.
The analysis of the above United Nation’s treaties and laws show that there is no clear legal framework on how a country should use force as a response to a cyber-attack. It is also evident that at an international level, no country has brought a case against another on matters relating to cyberwarfare. Estonia, Georgia, and Ukraine accused Russia for the attack, but they did not take legal actions against the aggressor. The United Nations need stronger laws that would define when and how to use force in cases of state-sponsored cyber-attacks.
Other International Laws
The previous chapter focused on international treaties and rules on force relating to the cyberspace at the United Nations level and what can be done to ensure that the United Nations Charter can focus on addressing this concern. On this chapter, the researcher will focus on rules and treaties that have been made by various economic blocks in North America, Europe, Africa, Asia and other parts of the world. According to Borghard and Lonergan, the United Nations has faced numerous challenges in its attempt to enact laws and regulations that can help in regulating state-sponsored cyber-attacks.101 Determining when a nation can respond, the relevance of the use of force in such response, what should be targeted in case the Security Council decides that force should be used and strategies that would ensure there is minimal civilian casualties in cases of a military response are some of the challenges that the United Nations is addressing. However, some economic and political blocks are coming up with measures that can be taken to deal with the problem. This chapter will focus on rules and treaties that have been enacted by non-United Nations bodies to help address the increasing concern of state-sponsored cyber-attacks, which have been witnessed in different countries around the world.
Council of Europe Treaties and Rules
The European Union, through its member states, have expressed their concerns about the growing threat posed by deliberate and irresponsible acts of aggression within the cyber space by state-sponsored and non-state cyber criminals.102 According to Dela, this economic block came to the realization that cyberwarfare cannot be women by a state acting independently.103 It requires a collecting effort by different countries to ensure that such acts are thwarted through various policies. One of the landmark conventions by this council was in 2001 when member states came up with various policies of fighting cybercrime committed by individuals against private and public entities. As the level of an attack became sophisticated and states came to realize that some governments are using the platform to launch attacks against other states, it became necessary to enact new stronger policies that would enable the council to respond emphatically to such provocations. In this section, the paper focuses on some of the treaties that the council has made to enable it to address the problem of cyber-attacks.
Convention on Cybercrime of 2001
The Council of Europe signed the Convention on Cybercrime, popularly known as the Budapest Convention on Cybercrime, on November 23, 2001.104 The United States, Japan, Canada, South Africa and the Philippines were the observer states during the signing of the treaty. In 2001, cybercrime was an emerging concern and many European countries in the convention focused on how to address the problem as a block. Hacking was at its inception stage and the experts involved in enacting these laws did not anticipate that cyberwarfare would become the new warfront. As such, most of the articles of the treaty explain what each state was expected to do in an attempt to address the problem at a national level. Cybercrime was considered to be like any other crime such as sexual molestation, theft or murder. As such, states were encouraged to be responsible for addressing such concerns emphatically.
During the convention, the experts noted that drug trafficking, human trafficking and child sexual molestation was becoming sophisticated organized crimes facilitated by the advancement of the internet. Several clauses of the treaty explain how countries were expected to cooperate to help fight the problem. Article 23, which is the general principles relating to international co-operation, emphasised the need for the member states to work as a unit in addressing the problem of cybercrime.105 Although the convention did not mention anything about the use of force in response to a state-sponsored cyber-attack, it was one of the initial treaties where member states acknowledged that cybercrime was a major issue that affected several countries around the world. It provided a platform for stronger laws that focused on the threat posed by hackers working under the directive of a foreign hostile country.
EU Cybersecurity Act of 2019
The European Union Act of 2019 is currently one of the strongest pieces of legislation that this economic block has made in the fight against cybercrime.106 According to Kostyuk and others, the EU has been struggling with the problem of state-sponsored cyber-attacks over the past decade and member states have been keen on enacting legislations that would help deal with the issue.107 The United Nations is supposed to help deter any foreign attack by providing ways of responding, including military intervention by the Security Council. However, the existing laws are inadequate and cannot guarantee member states any form of protection.108 As such, the European Union has been keen on drafting laws that would protect its members from similar attacks. The Act states that an individual, an organization or a state may be sanctioned if:
- They are proven to be responsible for cyber-attacks;
- They are responsible for attempted cyber-attacks;
- They provide any form of support, material or technical, to facilitate a cyber-attack;
- They are involved in any way in a cyber-attack.109
When responding to a state-sponsored cyber-attack, Kostyuk and others explain that a country or a regional block can use various strategies.110 The use of force, as enshrined in Article 51 of the United Nations Charter, is one of the most effective ways of deterring such irresponsible acts. However, Hubbard and Nystrom explain that when the European Union was exploring possible ways of responding to a cyber-attack, member states and the experts who were assigned the responsibility of drafting the laws were unable to reach a consensus on the issue.111
The proponents of the need to use force argued that having laws that would define how the organization, through its member states, could use the military in response to such a threat. They stated that it was the only way of warning other states that their provocations would be met with military force. Such laws would discourage cyber superpowers from misusing their digital technologies to jeopardize the sovereignty and economic progress of other nations.
The opponent of laws and rules on the use of force during the process of enacting the EU Cybersecurity Act also presented their argument on the issue. One of the main questions that the opponents of the use of force posed was the manner of response. When responding to a cyber-attack using force, it is still unclear what the target should be.112 Should they focus on toppling the regime responsible for the attack or should they focus on destroying the cyber-capabilities of the country. Another major concern was civilian casualties in cases of an attack. Edelson explains that during the meetings, experts agreed that it would not be possible to use force against another country without having civilian casualties, especially if the government of that country decides to use force to protect its sovereignty.113 In such a case, the effort to respond to a cyber-attack would have dire consequences, which were unintended by the member states.
The other major issue raised by member states when it comes to the use of force was lack of platform to launch such a military attack against any state that uses digital technology to attack any of EU member states. According to Kosseff, the United Nations has the Security Council that has a clear mandate allowing it to use force based on stated laws and rules.114 The founders of this organization never envisaged a situation where the Union would need to use force because they believed that the Security Council would adequately meet such needs. It means that even if member states make a decision to use force, it would be challenging implementing such a law. It would require the union to create a new organ that would be responsible for the use of force. Downes warns that when creating such a new organ, the economic block should ensure that it does contravene the UN laws that constituted the Security Council.115
The complex nature of enacting an appropriate law that would facilitate the use of force by the European Union against cyber-attack convinced the experts and the European Parliament that the best way to respond to a state-sponsored cyber-attack would be to use economic and other sanctions. Downes explains that they borrowed the model from the United States when the country realized that Russian hackers manipulated its 2016 Presidential Elections.116 The economic sanctions that were imposed on Russia as a country and Russian corporation operating in the global market were effective.117 The economic strain that the country went through during the period of the sanction was a major reminder that the international community and individual states would not ignore such levels of provocation. As such, the resolution of the parliament was that sanctions against state organizations or individuals involved in cyber-attacks would be sufficient.
North American Treaties and Rules
The North American countries, just like those in Europe, are also concerned about the emerging threat of cyberwarfare. The United States has particularly been keen on protecting its sovereignty and its people from any form of attack because of its socio-economic and political status in the world.118 The country has been under attack by organized gangs for the last several decades. Some of its foreign policies also put it in a collision course with other nations. Besides its own military might, the country has often considered it necessary to form alliances with other nations to boost its defence capabilities.119 In the wake of the new war front within the cyberspace, the country has been working with its allies to find effective ways of responding to the new threat. It is important to look at some of the treaties and rules enacted by socio-political and economic blocks in North America.
The North Atlantic Treaty Organization (NATO)
NATO has the best chance of using force in response to a cyber-attack that targets its member states. Founded in 1949 by the United States and its allies in Europe, the primary mandate of NATO is to respond to any attack on its members by external forces.120 From the initial membership of 12 countries, it has grown significantly and it currently has 29 members. The organization has remained active in protecting its members from any form of foreign inversion. Unlike most of the economic and political blocks around the world, NATO uses military force when intervening in self-defence of its members. Negotiations are often used when the conflicting parties are its members. Sayle explains that the military might of NATO has made it the organ that the United Nations Security Council often turn to whenever it is necessary to use force to respond to a specific threat.121 During the Bosnian War, NATO was invited by the Security Council to enforce the no-fly zone that helped in reducing civilian deaths. The Kosovo intervention also needed support from the organization.
Article 5 of the NATO Charter states that “an attack on one member of NATO is an attack on all of its members.”122 The article creates a platform for all member states to act as a unit in case any one of them is attacked. The possibility of using force by NATO members would be determined by the nature of the attack. According to Sayle, several NATO member states have been victims of cyber-attack over the recent past.123 The United States, Estonia, Slovakia and Croatia are some of the members that have suffered such attacks. In some cases, investigations revealed that these attacks were carefully planned and executed by Russian operatives, working under the directive of the government.124 As such, the organization has been under pressure to develop effective ways of responding to the growing threat of cyber-attacks.
During the Warsaw Summit in 2016, NATO member states created the NATO Cyber Defence. They declared the cyberspace as another domain of operation, just like the land, air and sea.125 The resolution had a major impact on the way this organization would respond to cyber-attacks on its member states. Article 5 of the NATO Charter states that an attack on any of its members would be considered a provocation of all the members and it allows the military wing to take the necessary measures. Traditionally, such an attack would happen on land, in air or at sea.126 A war started at sea would easily escalate to war on land or in the air to ensure that, the response to the attack is dealt with conclusively and within the shortest time possible.
The resolution meant that an attack within the cyberspace would justify a response by NATO military wing. It can opt to respond using counterattacks within the cyberspace. Although the resolution does not clearly state that the organization can consider using the land, air and sea attacks, the interpretation would mean that in case a counterattack within the cyberspace is not yielding the desired outcome, members may opt to use military force to resolve the issue effectively and within the shortest period possible. During the summit, NATO made the following commitments to its members, especially those that lack adequate cyber security capabilities:
- To share real-time data about cyber threats through its malware detection and information sharing platform and to exchange best practices on managing cyber threats;
- To maintain a rapid-response cyber defence unit that can help allies to respond to any emergencies relating to cyber-attack;
- To set targets for members with the aim of continuously improving cyber defence capabilities;
- To invest in training, education and exercises relating to cyber defence among members to enhance their capacity to respond to any form of attack.127
NATO, just like many other political and economic blocks discussed in this paper, are reluctant when it comes to enacting laws that would enable it to use force in responding to a cyber-attack on its members. However, its current laws and the decision to include the cyberspace into its domains of operations creates the opportunity to use force in case a foreign nation deliberately attacks its member in a way that may have devastating economic or political consequences. The resolution of 2016 means that the organization could be waiting for a perfect opportunity to use force as a means of protecting its member states from hostile states.
The United States as a country, has taken steps to convict individuals who have committed cybercrime against the country. In the case United States v. Seleznev, Roman Valerevich Seleznev, a Russian hacker, was sentenced to 27 years in prison for hacking into various servers in the United States to steal credit cards.128 Another similar judicial decision was the United States v. Senakh of 2017. Mr. Senakh, a Russian computer expert, was sentenced to 47 months imprisonment for his role in the global botnet conspiracy that led to loss of millions of dollars.129 These strict actions taken by the United States against Russian hackers shows commitment of the country to use any means possible to fight cybercrime. It shows that although the country and the region lacks the legal ground to use force against the state, the existing rules allow them to use force against individual hackers.
African Union Treaties and Rules
The African continent is considered vulnerable to cyber-attacks because most of the member states are ill-prepared to deal with such wars. According to Bitecofer, most of the African nations have been focused on maintaining the rule of law and meeting the basic needs of their citizens.130 As such, they spend limited resources on defence. The level of sophistication needed of country to become a cyber-superpower is still lacking on the continent. However, the threat of attack is growing as the region gain economic success over the past decades. Bitecofer explains that currently, the main concern of most of the African countries is cyber-attack that targets individual institutions such as banks, large companies and some government units.131 In 2014, member states met in Addis Ababa, Ethiopia, to come up with laws that would help the continent act as a unit in addressing this problem.
African Union Convention on Cyber Security and Personal Data Protection
The convention was the first major step that the African Union took to help member states in addressing the problem of cyberwarfare. Article 28(4) of the convention reads as follows, “State parties shall make use of the existing means for international cooperation with a view to responding to cyber threats, improving cyber security and stimulating dialogue between stakeholders through internal, intergovernmental or regional partnerships.”132 This clause gives member states permission to seek support from other states in case it is under any form of cyber-attack.133 The regional block should be capable of establishing when one of their member states is attacked and define the appropriate way of responding to the threat. The subsequent clauses show that the aim of this convention was to deter cases of cybercrime by punishing those who are involved. It explains why the mandate of punishing cybercriminals was left to the individual governments where such crime occurs. However, the convention also created a platform through which individuals who commit cybercrime in other states can be repatriated to those countries for appropriate punishment.
According to Gillies, the biggest shortcoming of this convention, which was critical in addressing the emerging concern of cyberwarfare, was that it focused on protecting personal, organizational and governmental data against individual cybercriminals.134 It was silent on the issue of state-sponsored cyber-attacks and the manner in which a country can respond emphatically. By the time of the convention in 2014, state-sponsored Russian hackers had already attacked Estonia, Georgia and Ukraine. The Iranian nuclear power plant had also been attacked by Bitecofer believe to be Israeli government’s hackers who worked closely with the United States’ government. It means that member states were aware of the sophistication of this new war front.135 However, it did not form any part of the discussions or laws that were enacted by the Union. It means that when a state attacks another in the cyberspace, the case would be considered a criminal offense and the focus would be to identify and prosecute individuals suspected to have been involved in the act. In such a case, the use of force would not be necessary as long as the two governments are willing to cooperate and prosecute the involved parties.
Article 34 of the convention reads, “Any dispute arising from this Convention shall be settled amicably through direct negotiation between state parties concerned.”136 The article eliminates any legal ground that would have existed for a country to use force in case of a cyber-attack planned and executed by a hostile state-actors. When agents of the state commit a cyber-attack, it is less likely that such a government would be willing to hand over their officers to face prosecution in a foreign state as required by the statute. In the case, United States v. Vartanyan of 2017, Mark Vartanyan, a Russian hacker, received a sentence of 5 years in prison for his involvement in the development of a malware used in stealing financial personal information.137 He was extradited to the United States to face the charges. The union wants similar actions taken among African countries.
Treaties and Rules in Asian Economic and Political Blocks
Countries in the Asian continent, just like those in other parts of the world, are concerned about the growing insecurity in the cyberspace. According to Kolton, China has been keen on improving its cyber security capabilities.138 The country has strained foreign relations with some of its neighbours, especially Japan, India and the Philippines. These countries are currently not only concerned about China’s nuclear capabilities but also its growing power in the cyberspace. The security threat that many of the Asian countries face is not only posed by China but also many other countries currently using their digital technology to compromise the sovereignty of regimes they consider unfriendly. ASEAN is one of the major political and economic blocks in this region that has been keen on finding a way of neutralizing the threat that member states face in the current digital society. In the Middle East and North Africa (MENA) region, the Gulf Cooperation Council (GCC) has also made major steps in fighting the threat posed by state and non-state actors in the cyberspace. It is necessary to look at some of the treaties that have been made by these political and economic blocks.
The 34th ASEAN Summit, Bangkok, 23 June 2019, Advancing Partnership for Sustainability
The 34th ASEAN Summit came at a time when the region was experiencing a cyber-arms race because of the need to protect themselves from attack.139 Prior to the summit, Beijing had been accused of deliberately planning and executing cyber-attacks on South Korea, Cambodia and Taiwan in a way that threatens national peace and cohesion. Some of the countries in the region realized that having defensive cyber abilities was not enough. As such, the number of states in the region with offensive cyber abilities increased significantly from the original four, China, India, North Korea and Pakistan, to more than fourteen. Denton defines offensive cyber abilities as “the ability to disrupt or damage systems and networks.”140
During the forum, member states were aware of the growing tension as many members continued to strengthen both their defensive and offensive cyber capabilities. It was a major indication that the region is preparing for catastrophic attacks and counterattacks within the cyberspace at a time when the society is becoming increasingly reliant on the digital economy. Denton explains that although the digital wars that have been witnessed in many parts of the world are yet to result into interstate-armed conflict, the trend in Asia where major powers are improving their offensive digital capabilities may be worrying.141 It may reach a level where states would be forced to use force to protect their digital systems.
The Chairman of the summit noted the growing tension in the region and the need to find measures of addressing the problem. One of the main resolutions of the summit read as follows, “We emphasised the importance of non-militarisation and self-restraint in the conduct of all activities by claimants and all other states, including those mentioned in the DOC that could further complicate the situation and escalate tensions in the South China Sea.”142 The meeting emphasized the need to find alternative means of addressing conflicts in the region. The committee of experts who were assigned to draft the document reported that most of the states were moving beyond the defensive capabilities in the cyber space because of the desire to retaliate as a way of restraining similar future attacks. However, the concern was that such retaliatory attacks may escalate very quickly to use of force, which may result in civilian casualties.
The 34th summit, which took place on June 23, 2019, is the latest ASEAN meeting of the heads of states in the region. It is important to note that although cyber security was one of the main topics of discussion, the member states did not mention anything related to the use of force as a means of responding to cyber provocations. Hoi explains that ASEAN had previously considered different ways of discouraging armed attacks, including the use of force and retaliatory cyber counterattacks.143 However, in this summit, the team of experts and heads of states agreed that such measures might only escalate the problem further. As such, they agreed to foster dialogue as a way of addressing the problem. It meant that when a country is attacked by state-actors of a foreign hostile nation, the only measure that this union of Asian states can take is to initiate a dialogue.
Hoi criticized such weak measures, stating that it encourages rogue regimes to continue with their attacks knowing that there will be no significant consequences.144 The committee did not even consider economic sanctions as a means of discouraging states from engaging in provocative cyber security activities within the region. It explains why many countries within the region are improving both their defensive and offensive cyber capabilities. These states feel that they have to protect themselves against their aggressive neighbours because the block does not offer any meaningful protection. They are putting individual measures in place to ensure that they respond to any form of cyber-attack.
Arab Treaty on Combating Cybercrime
The Arab League has also been committed to fighting cybercrime among its member states. According to Schmitt and Liis, the Arab Spring demonstrated the power of the digital platform.145 In Tunisia, Tarek el-Tayeb Mohamed Bouazizi, who was a street vendor of fruits, set himself ablaze, citing frustrations from government authorities. The incident was recorded live on Facebook and it resulted in massive protests in the country. The protests were coordinated through online platforms, especially Facebook. The president was unable to withstand the pressure of the revolt and soon he was forced out of power. The same trend was witnessed in the neighbouring countries of Egypt and Libya. Syria, Morocco and Bahrain soon felt the wave of the Arab Spring. As Schmitt and Liis explain, the successful revolution across the region that toppled some of the long-serving leaders such as Libyan Muammar Gaddafi and Hosni Mubarak would not have been a success were it not because of the coordination and sharing of information through the social media platforms.146
The region has come to realize that the cyberspace is the new battlefront and activities that happen online can be translated rapidly into physical events with serious repercussions. As such, the Arab Treaty on Combating Cybercrime focused on addressing threats posed by individuals’ entities to peace, security and stability of a country147. Like the ASEAN summit, Schmitt and Liis explain that this treaty emphasized on the role of individual countries in the fight against cybercrime.148 Member states noted that there was a need for them to cooperate in the fight against criminal activities conducted in the cyberspace. However, they felt that the best way of initiating such counterattacks to cybercrime would be at the national level. The region was expected to harmonize their laws and regulations regarding abuse of power and privileges in the digital environment.149
The treaty did not focus on state-sponsored cyber-attacks and the threat it poses to regional peace and stability. At the time of the summit in 2010, countries such as Georgia and Estonia had already suffered massive cyber-attacks by Russians working under the directive of the government.150 As such, members of the summit knew that there is even a greater threat to security when state actors are involved. However, the experts opted to focus on individuals and criminal gangs who misuse the cyberspace in a way that may jeopardize the security of the country. Faust believes that it is possible that the heads of state attending the forum were concerned about the growing threat of civil war that was facilitated by social media platforms, especially Facebook and YouTube.151 Since that last summit, the Arab League or members of the GCC has not come with laws and rules that can help combat state-sponsored cyber-attacks. The existing laws at the regional level provide no guidance on how individual states or the economic block can respond to foreign provocation in the cyberspace. It means that states have to find ways of defending themselves from such attacks or rely on the United Nations for protection.
Privacy and Cyber-security Developments in Latin America
In Latin America, member states have also made an effort to address the emerging concern of cyber-attack. Under the umbrella of the Union of South American Nations, these countries had a summit on June 28, 2018, to find ways of addressing the concern of the member states.152 The region has also witnessed a trend where some of its member states are improving both their offensive and defensive cyber capabilities. Brazil is one of the largest economies in South America and it is a member of BRICS (Brazil, Russia, India, China and South Africa) economic block. It has been improving its digital technologies to ensure that state data is protected. The country has also developed strong public-private partnerships to ensure that large corporations and state agencies in the country do not fall victims of cybercriminals. However, some of its regional neighbours are not as well equipped to deal with such problems. The Union has made steps towards developing laws that limit irresponsible and criminal use of the cyberspace.
According to Kosseff, the Union of South American Nations is an economic block that seeks to create a common market for all South American companies.153 In most of its legislative agendas, the focus is often to improve the regional business environment. However, the increasingly changing nature of cybercrime where state agents of foreign nations are involved in committing such crimes is a major concern to individual nations. Despite this concern, the current rules on force enacted by this economic block do not address how an individual country or the region as a block should respond to direct provocation by another state. It means that member states have to make individual decisions on the appropriate ways of responding to such concerns.
A critical examination of the rules on force relative to the cyberwarfare reveals that there is a serious gap in how the international community should address the problem. As shown in the paper, state-sponsored deliberate cyber-attack that target important government departments and business units are becoming common around the world. There is no country that can consider itself immune to such attacks. From the United States, which has the world largest economy and the most sophisticated military system, to Estonia, a small nation that is struggling to achieve economic growth in Eastern Europe, there is no country that has not experienced some form of cyber-related crime. The condition is getting dire, as hackers become increasingly sophisticated.
The fact that hackers working for a hostile nation could manipulate the electoral system of the world’s leading democracy is an indication that the problem can no longer be ignored. Measures should be taken to protect the sovereignty of nations and the integrity of their borders. Such measures should involve protecting the cyberspace from any acts of aggression that may be committed by state-sponsored actors. Regional and global economic blocks should remain committed to protecting the interest of their members, especially from attacks facilitated by digital technology. The problem is that actions of the United Nations or any other economic and political blocks must be anchored on treaties and rules.
In this study, the primary question for the researcher was to determine whether international law, relating to the use of force, is adequate to respond to new types of warfare, specifically cyberwarfare. In order to answer the question effectively, the researcher looked at the United Nations’ current laws and treaties made by other regional blocks around the world regarding cyber security to determine if they are to respond to the new type of warfare within the cyberspace. The researcher wanted to determine whether these rules and laws would permit and facilitate the use of force against a state that deliberately attacks another within the cyberspace. The use of force, such as a military inversion of the country responsible for the cyber-attack, was of special interest in the study because some scholars have argued that it is the only way of discouraging states from such aggressive acts.
The finding of the study shows that the current international laws, relating to the use of force, are too inadequate to respond to new types of warfare, specifically the cyberwarfare. The United Nations Charter in Article 2 encourages members to act with restraint when it comes to the use of force. Article 51 allows a state to use force against another only in case of self-defence when a state is under armed inversion. The laws and rules enacted by the United Nations relating to cyber security do not classify cyber-attacks as armed inversion. As such, it is not possible for the UN or its member states to use the clause as a justification for the use of force against another state when the conflict involves a cyber-attack.154
Other economic and political blocks such as the European Union, African Union, ASEAN, the GCC, the Arab League and the Union of South American Nations all lack clear mechanisms on how a country can use force to respond to a cyber-attack. The European Union made a major attempt to define economic sanctions as an appropriate response to such attacks. The study shows that only NATO has come closest to approving the use of force as a response to a state-sponsored cyber-attack. The NATO Cyber Defence treaty made during the Warsaw Summit in 2016 declared cyberspace NATO’s domain of operation, just the like land, air and sea. An attack on NATO members within any of these domains, which in this case is the cyberspace, would justify a retaliatory attack in any or all the domains.
Recommendation on Future Studies
State-sponsored cyber-attack is becoming a major concern around the world. The study shows that there is a transition from nuclear war to cyberwarfare and nations need to be protected from unjustified attacks that may have serious economic, social and political consequences. The United Nations is the best international institution that can come up with ways of responding to such attacks, including the use of force. However, the main challenge that this body has faced is how to execute an armed attack when responding to a cyber-attack in a way that would not escalate the problem or lead to the loss of civilian lives. Knowing when and how to use force has been the main challenge that experts have cited when trying to enact laws relating to cyber security. The researcher recommends that future scholars should focus on finding the best way through the United Nations can use force to address the problem. Studies should also be conducted that would define legal steps that the United Nations should take before using force against a given country. Future studies should also address how member states of the United Nations should be involved when enacting laws relating to the use of force when responding to a cyber-attack.
African Union Convention on Cyber Security and Personal Data Protection  African Union 25/1.
Andress J and Winterfeld S, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (Elsevier 2014).
Arab Treaty on Combating Cybercrime- Intellectual Property and Internet Law  The Arab League 12/1.
Aspinall E and Berenschot W, Democracy for sale: Elections, clientelism, and the state in Indonesia (Cornell University Press 2019).
Bertoli G and Marvel L, ‘Cyberspace Operations Collateral Damage – Reality or Misconception?’ (2017) 2 The Cyber Defence Review 53.
Bitecofer R, The Unprecedented 2016 Presidential Election (Palgrave Macmillan 2018).
Blacker N, ‘Winning the Cyberspace Long Game-Applying Collaboration and Education to Deepen the U.S. Bench’ (2017) 2 The Cyber Defence Review 21.
Borghard DE and Lonergan SW, ‘Confidence Building Measures for the Cyber Domain’ (2017) 3 Strategic Studies Quarterly 10.
Brantly FA, ‘The Violence of Hacking: State Violence and Cyberspace’ (2017) 2 The Cyber Defence Review 73.
Brown G and Keira P, ‘The Customary International Law of Cyberspace’ (2012) 6 Strategic Studies Quarterly 126.
Buchan R, International Law and the Construction of the Liberal Peace (Hart Publishing 2013).
Convention on Cybercrime  European Treaty Series 185/23.
The Council of Europe, Convention on Cybercrime, 23 November 2001, Council of Europe, European Treaty Series, vol. 185, p. 1.
Decker AC, In Idi Amin’s Shadow: Women, Gender, and Militarism in Uganda (Ohio University Press 2014).
Dela P, ‘Cyberspace as the Environment Affected by Organized Crime Activity’ (2016) 15 Connections 55.
Denton ER, The 2016 US Presidential Campaign: Political Communication and Practice (Springer International Publishing 2017).
Dinniss HH, Cyber Warfare and the Laws of the War (Cambridge University 2012).
Dobrin IS, Digital Environments (Transcript Verlag 2017).
Downes C, ‘Strategic Blind–Spots on Cyber Threats, Vectors and Campaigns’ (2018) 3 The Cyber Defence Review 79.
Duggan MP and Elizabeth O, ‘U.S. Special Operations Forces in Cyberspace’ (2016) 1 The Cyber Defence Review 73.
Edelson C, Power Without Constraint: The Post-9/11 Presidency and National Security (The University of Wisconsin Press 2016).
Egan JB, ‘International Law and Stability in Cyberspace’ (2017) 35 Berkley Journal of International Law 169.
Eilstrup-Sangiovanni M, ‘Why the World Needs an International Cyberwar Convention’ (2018) 31 Philos. Technol 379.
Elad Y and Edward GA, ‘The Role of Commercial End-to-End Secure Mobile Voice in Cyberspace’ (2018) 3 The Cyber Defence Review 57.
The EU Cybersecurity Act  The European Union Agency for Cybersecurity 32/1.
Faust D, Cybersecurity Expert (Rosen Publishing Group 2017).
Garneau M, Minister Garneau Statement Regarding Restricting Airspace to Boeing 737 MAX 8 and 9 Aircraft (Transport Canada 2019).
Gillies J, Political Marketing in the 2016 U.S. Presidential Election (Springer International Publishing 2018).
Hall OA and Schultz BM, ‘Direct Commission for Cyberspace Specialties’ (2017) 2 The Cyber Defence Review 111.
Harold SW, and others, Getting to Yes with China in Cyberspace (RAND Corporation 2016).
Henry S and Brantly AF, ‘Countering the Cyber Threat’, (2018), 3 The Cyber Defence Review 48.
Hoi D, ‘Chairman’s Statement of the 34th ASEAN Summit, Bangkok, 23 June 2019, Advancing Partnership for Sustainability’ (2019) 1 Association of Southeast Asian Nations 21.
Hubbard DK and Nystrom J, ‘Financial Stewardship in the Land of “1’s and 0’s”’ (2018) 3 The Cyber Defence Review 15.
Ianchovichina E, Eruptions of Popular Anger: The Economics of the Arab Spring and its Aftermath (World Bank Group 2018).
Iasiello E, ‘China’s Three Warfares Strategy Mitigates Fallout from Cyber Espionage Activities’ (2016) 9 Journal of Strategic Security 45.
Iheme C, Towards Reforming the Legal Framework for Secured Transactions in Nigeria: Perspectives from the United States and Canada (Springer International Publishing 2016).
Kania BE and Costello JK, ‘The Strategic Support Force and the Future of Chinese Information Operations’ (2018) 3 The Cyber Defence Review 79.
Kaplan F, Dark Territory: The Secret History of Cyber War (Simon & Schuster 2016).
Kolton M, ‘Interpreting China’s Pursuit of Cyber Sovereignty and its Views on Cyber Deterrence’ (2017) 2 The Cyber Defence Review 119.
Kosseff, J, Cybersecurity Law (Wiley 2017).
Kostyuk N, and others, ‘Determinants of the Cyber Escalation Ladder’ (2018) 3 The Cyber Defence Review 123.
Lysne O, The Huawei and Snowden questions: Can Electronic Equipment from Untrusted Vendors Be Verified? Can an Untrusted Vendor Build Trust Into Electronic Equipment (Springer Open 2018).
Macdonald A, The Nuremberg Trials: The Nazis Brought to Justice (Arcturus 2016).
Maurer T, Cyber Mercenaries (Cambridge University Press 2018).
McGhee EJ, ‘Liberating Cyber Offense’ (2016) 10 Strategic Studies Quarterly 46.
Nance M and Ackerman S, The Plot to Hack America: How Putin’s Cyberspies and Wikileaks Tried to Steal the 2016 Election (Skyhorse Publishing 2016).
Rid T, Cyber War Will Not Take Place (Oxford University Press 2017).
Roberts A, Is International Law International? (Oxford University Press 2017).
Roscini, M, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014).
Sayle T, Enduring Alliance: A History of Nato and the Postwar Global Order (Cornell University Press 2019).
Schmitt NM and Liis V (eds), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017).
Shea J, ‘How is NATO Meeting the Challenge of Cyberspace?’ (2017) 7 The Fifth Domain 18.
Tsagourias N and Buchan R (eds), Research Handbook on International Law and Cyberspace (Edward Elgar 2014).
United Nations, Chapter VII: Action with Respect to Threats to the Peace, Breaches of the Peace, and Acts of Aggression, 23 August 2016, United Nations Charter.
United Nations, Charter of the United Nations, 26 June 1945, United Nations.
United Nations, Cyberspace and International Peace and Security: Responding to Complexity in the 21st Century- United Nations Institute for Disarmament Research  UNIDIR 1/1.
United States v. Seleznev  United States District Court Western District of Washington at Seattle 3-1301,  USDCWDWS 1.
United States v. Senakh  United States District Court, in the District of Minnesota 5-1301,  USDCDM 1.
United States v. Vartanyan  United States District Court for the Northern District of Georgia 17-cr-00102,  USDCNDG 1.
Westad O, The Cold War: A World History (Basic Books 2017).
- Jamie Gillies, Political Marketing in the 2016 U.S. Presidential Election (Springer International Publishing, 2018) 45.
- Michael Schmitt and Vihul Liis (eds), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press, 2017) 31.
- Chris Edelson, Power Without Constraint: The Post-9/11 Presidency and National Security (The University of Wisconsin Press, 2016) 75.
- Mette Eilstrup-Sangiovanni, ‘Why the World Needs an International Cyberwar Convention’ (2018), 31 Philos. Technol 378.
- Brian Egan, ‘International Law and Stability in Cyberspace’ (2017) 167.
- Shawn Henry and Aaron F Brantly, ‘Countering the Cyber Threat’, (2018), 3 The Cyber Defense Review 48.
- Ibid 68.
- Ibid 75.
- United Nations, Charter of the United Nations, 26 June 1945, United Nations 9.
- Robert Denton, The 2016 US Presidential Campaign: Political Communication and Practice (Springer International Publishing 2017) 54.
- Henry and Brantly 47.
- Jamie Shea, ‘How is NATO Meeting the Challenge of Cyberspace?’ (2017) 7 The Fifth Domain 18.
- Piotr Dela, ‘Cyberspace as the Environment Affected by Organized Crime Activity’ (2016) 15 Connections 55.
- Edelson 32.
- Russell Buchan, International Law and the Construction of the Liberal Peace (Hart Publishing 2013) 64.
- Edward Aspinall and Ward Berenschot, Democracy for sale: Elections, clientelism and the state in Indonesia (Cornell University Press 2019) 65.
- Ibid 67.
- Gary Brown and Poellet Keira, ‘The Customary International Law of Cyberspace’ (2012) 6 Strategic Studies Quarterly 126.
- Tim Maurer, Cyber Mercenaries (Cambridge University Press 2018) 53.
- United Nations, Chapter VII: Action with Respect to Threats to the Peace, Breaches of the Peace and Acts of Aggression, 23August 2016, United Nations Charter 1.
- Nicholas Tsagourias and Russell Buchan (eds), Research Handbook on International Law and Cyberspace (Edward Elgar 2014) 42.
- Ibid 51.
- Shea 18.
- Paulo Shakarian and others. Introduction to Cyber-Warfare: A Multidisciplinary Approach (Morgan Kaufmann Publishers 2013) 53.
- Ibid 47.
- Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014) 53.
- Ibid 90.
- Ibid 95.
- Cathy Downes, ‘Strategic Blind–Spots on Cyber Threats, Vectors and Campaigns’ (2018) 3 The Cyber
- Eilstrup-Sangiovanni 379.
- Olav Lysne, The Huawei and Snowden questions: Can Electronic Equipment from Untrusted Vendors Be Verified? Can an Untrusted Vendor Build Trust Into Electronic Equipment (Springer Open 2018) 53.
- Malcolm Nance and Spencer Ackerman, The Plot to Hack America: How Putin’s Cyberspies and Wikileaks Tried to Steal the 2016 Election (Skyhorse Publishing 2016) 41.
- Dela 55.
- Denton 20.
- Edelson 42.
- Eilstrup-Sangiovanni 379.
- Nancy Blacker, ‘Winning the Cyberspace Long Game-Applying Collaboration and Education to Deepen the U.S. Bench’ (2017) 2 The Cyber Defense Review 21.
- Alicia Decker, In Idi Amin’s shadow: Women, gender and militarism in Uganda (Ohio University Press 2014) 32.
- Giorgio Bertoli and Lisa Marvel, ‘Cyberspace Operations Collateral Damage – Reality or Misconception?’ (2017) 2 The Cyber Defense Review 53.
- Henry and Brantly 47.
- Ibid 47.
- Alexander Macdonald, The Nuremberg Trials: The Nazis Brought to Justice (Arcturus 2016) 89.
- Ibid 56.
- Elsa Kania and John Costello, ‘The Strategic Support Force and the Future of Chinese Information Operations’ (2018) 3 The Cyber Defense Review 79.
- Ibid 79.
- Nadiya Kostyuk and others, ‘Determinants of the Cyber Escalation Ladder’ (2018) 3 The Cyber Defense Review 123.
- Marc Garneau, Minister Garneau statement regarding restricting airspace to Boeing 737 MAX 8 and 9 aircraft (Transport Canada 2019) 112.
- Ibid 71.
- Shakarian and others 41.
- Ibid 67.
- Ibid 78.
- Elena Ianchovichina, Eruptions of Popular Anger: The Economics of the Arab Spring and its Aftermath (Cengage 2018) 79.
- Ibid 59.
- Scott Harold and others, Getting to Yes with China in Cyberspace (RAND Corporation 2016) 54.
- Ibid 117.
- Ibid 119.
- Heather Dinniss, Cyber Warfare and the Laws of the War (Cambridge University 2012) 11.
- Ibid 68.
- Ibid 65.
- United Nations, Cyberspace and International Peace and Security: Responding to Complexity in the 21st Century- United Nations Institute for Disarmament Research  UNIDIR 1.
- Shea 18.
- Aaron Brantly, ‘The Violence of Hacking: State Violence and Cyberspace’ (2017) 2 The Cyber Defense Review 73.
- Roberts, Anthea. Is International Law International? (Oxford University Press 2017) 64.
- Emilio Iasiello, ‘China’s Three Warfares Strategy Mitigates Fallout From Cyber Espionage Activities’ (2016) 9 Journal of Strategic Security 67.
- Jason Andress and Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (Elsevier 2014) 89.
- Brian Egan, ‘International Law and Stability in Cyberspace’ (2017) 35 Berkley Journal of International Law 168.
- Brantly 61.
- Blacker 21.
- Andrew Hall and Brian Schultz, ‘Direct Commission for Cyberspace Specialties’ (2017) 2 The Cyber Defense Review 111.
- Giorgio Bertoli and Lisa Marvel, ‘Cyberspace Operations Collateral Damage – Reality or Misconception?’ (2017) 2 The Cyber Defense Review 53.
- Russell Buchan, International Law and the Construction of the Liberal Peace (Hart Publishing 2013) 65.
- Ibid 46.
- Ibid 58.
- Schmitt and Liis 67.
- James McGhee, ‘Liberating Cyber Offense’ (2016) 10 Strategic Studies Quarterly 88.
- Ibid 88.
- Tim Maurer, Cyber Mercenaries (Cambridge University Press 2018) 78.
- Ianchovichina 85.
- Ibid 48.
- Chima Iheme, Towards Reforming the Legal Framework for Secured Transactions in Nigeria: Perspectives from the United States and Canada (Springer International Publishing, 2016) 54.
- Iheme 49.
- Roscini 56.
- Ibid 53.
- Michael Kolton, ‘Interpreting China’s Pursuit of Cyber Sovereignty and its Views on Cyber Deterrence’ (2017) 2 The Cyber Defense Review 97.
- Schmitt and Liis 65.
- Ibid 66.
- Ibid 90.
- Kania and Costello 85.
- Ibid 87.
- Tsagourias and Buchan 78.
- Fred Kaplan, Dark Territory: The Secret History of Cyber War (Simon & Schuster 2016) 43.
- Ibid 69.
- Thomas Rid, Cyber War Will Not Take Place (Oxford University Press 2017) 60.
- Henry and Brantly 47.
- Odd Westad, The Cold War: A World History (Basic Books 2017) 95.
- Patrick Duggan and Elizabeth Oren, ‘U.S. Special Operations Forces in Cyberspace’ (2016) 1 The Cyber Defense Review 73.
- Shea 18.
- Ibid 18.
- Shakarian and others 32.
- Eilstrup-Sangiovanni 379.
- Erica Borghard and Shawn Lonergan, ‘Confidence Building Measures for the Cyber Domain’ (2017) 3 Strategic Studies Quarterly 10.
- Convention on Cybercrime  European Treaty Series 185/23.
- Dela 71.
- The Council of Europe, Convention on Cybercrime, 23 November 2001, Council of Europe, European Treaty Series, vol. 185 1.
- Ibid 57.
- The EU Cybersecurity Act  The European Union Agency for Cybersecurity 32/1.
- Kostyuk and others 78.
- Harold 87
- Ibid 63.
- Kostyuk and others 123
- Kenneth Hubbard and Jared Nystrom, ‘Financial Stewardship in the Land of “1’s and 0’s”’ (2018) 3 The Cyber Defense Review 15.
- Ibid 41.
- Edelson 56.
- Kosseff 85.
- Downes 79.
- Ibid 64.
- Ibid 88.
- Ibid 92.
- Yoran Elad and Edward Amoroso, ‘The Role of Commercial End-to-End Secure Mobile Voice in Cyberspace’ (2018) 3 The Cyber Defence Review 57.
- Shea 18.
- Timothy Sayle, Enduring Alliance: A History of Nato and the Postwar Global Order (Cornell University Press 2019) 78.
- Ibid 45.
- Ibid 83.
- Ibid 51.
- Henry and Brantly 48.
- Sidney Dobrin, Digital Environments (Transcript Verlag 2017) 78.
- Ibid 36.
- United States v. Seleznev  United States District Court Western District of Washington at Seattle 3-1301,  USDCWDWS 1.
- United States v. Senakh  United States District Court, in the District of Minnesota 5-1301,  USDCDM 1.
- Rachel Bitecofer, The Unprecedented 2016 Presidential Election (Palgrave Macmillan 2018) 67.
- Ibid 45.
- Daniel Faust, Cybersecurity Expert (Rosen Publishing Group 2017) 94.
- African Union Convention on Cyber Security and Personal Data Protection  African Union 25/1.
- Gillies 59.
- Ibid 67.
- Ibid 54.
- United States v. Vartanyan  United States District Court for the Northern District of Georgia 17-cr-00102,  USDCNDG 1.
- Michael Kolton, ‘Interpreting China’s Pursuit of Cyber Sovereignty and its Views on Cyber Deterrence’ (2017) 2 The Cyber Defense Review 119.
- Dato Hoi, ‘Chairman’s Statement of the 34th ASEAN Summit, Bangkok, 23 June 2019, Advancing Partnership for Sustainability’ (2019) 1 Association of Southeast Asian Nations 21.
- Denton 45.
- Ibid 78.
- Hoi 21.
- Ibid 21.
- Ibid 21.
- Schmitt and Liis 23.
- Ibid 56.
- Ibid 81.
- Ibid 92.
- Arab Treaty on Combating Cybercrime- Intellectual Property and Internet Law  The Arab League 12/1.
- Faust 73.
- Ibid 28.
- Westad, 83.
- Kosseff 65.
- Ibid 42.