Is a cyber attack a use of force (formerly termed an act of war) under international law? Prof. Duncan Hollis, an expert in the field of international law and cybersecurity, explores the nuances of cyber attacks under the laws of war. According to Prof. Hollis, a case such as the attack in the SolarWinds operation attributed to Russian military intelligence would be unlikely to be deemed a use of force since the primary purpose was intelligence gathering, not causing harm. However, cyber operations with broader impact, such as disabling power grids or impacting water filtration facilities for extended periods, could be seen as a "use of force". The deciding factor lies in the sustained damage and disruption caused, not just the cyber intrusion.
Under international law, the term "use of force" is principally derived from the United Nations Charter, specifically Article 2(4) which states: "All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations."
The precise definition of "use of force" in this context has been a matter of some debate. However, traditionally, it has referred to kinetic military actions - i.e., physical violence or armed attacks. In the 1986 case of Nicaragua v. United States, the International Court of Justice (ICJ) provided some clarification, suggesting that a use of force must involve some level of gravity. It distinguished between the most serious forms of the use of force (those constituting an "armed attack") and other less grave forms. However, with the rise of new forms of non-kinetic attacks, such as cyber-attacks, the interpretation of "use of force" is expanding and evolving.
Duncan Hollis a professor at Temple Law School. He is one of the world's leading experts in public international law, the law of treaties, and global cybersecurity.
Interview with Cybersecurity Law Scholar – Professor Duncan Hollis
Is a Cyber Attack a Use of Force?
Joel Cohen (JC): Professor, given right now there's what many believe is an escalated risk of Russian cyber attack, I wonder if I could get your view, as a cyber security expert and law professor, would a cyber attack on U.S. infrastructure by the Russian government be considered a use of force, an attack on the United States?
Duncan Hollis (DH): It really will depend on the effects of that kind of attack. If it's like say the SolarWinds operation that we saw disclosed at the end of 2020, beginning of 2021, which targeted a lot of U.S. government entities and major U.S. firms and was attributed to Russian military intelligence, I don't think that will be a use of force, right. So, they got into these systems but what they appear to have been doing was surveillance, exfiltrating data, intelligence gathering. They weren't causing harm. I think that what you would need to see for the use of force is that, as I said, affecting the integrity of the infrastructure or its availability, so shutting down the power for more than a few minutes, and a couple of hours maybe, maybe not, a couple of days or weeks. It begins targeting a water filtration facility, targeting a civilian nuclear power plant in ways that are more than just surveillance. I think the U.S. has made it clear that it would regard those as a use of force and use all available lawful responses to deal with it.
Sources of International Law
JC: So, Professor, where would you look, where would legal scholars look, as a starting point in defining a use of force?
DH: Well, so first of all, it's encapsulated in the United Nations Charter. Article 2 paragraph4 of the U.N. Charter is where we find this prohibition, and I think at the time the charter was negotiated, it was pretty clearly limited to military force, the idea was the sort of force we'd seen deployed in World War II that was to be off limits. And then the questions become since well it was all about kind of kinetic force but what about a biological weapon or a chemical weapon that's not kinetic. It's not like you're breaking things, but it certainly spreads and cause harm. And so we've seen the expansion of the definition of force kind of evolved through other treaties and through practice. Unfortunately, we've had a fair number of conflicts since the second World War, and all of that precedent I think is available for us to think about in the cyber context. I think it's become much more a question of what we call the effects doctrine, and basically the idea is if the effects of what occurs via cyber means are analogous to the things that we thought were a use of force in previous kinetic conflicts, that's enough, that's how we're gonna measure it, by analogy.
JC: How about, we already see significant ransomware coming out of Russia, what if we just saw a significant spike in ransomware and if those ransomware attacks actually were on critical infrastructure, like many are today, such as hospitals or power plants?
DH: So, I think the challenge with ransomware is one, are you going to deal with it as kind of a public international law matter, are you going to bring in the law enforcement, transnational law enforcement kind of communities, interpol and the like, and try and deal with it that way? I think if it's a large enough spike, it absolutely becomes a matter for international discourse, I think the phone gets picked up and a call is made. I think there already have been calls made. I don't know that the ransomware itself, again unless we're starting to see people dying or the like, which we, by the way, we haven't really seen in the cyber context. We kind of assume that there may be risks to life or health when a power grid is targeted for long enough, that losing power will lead to more deaths. wWe kind of know that, you know, empirically and at a broad level, but to actually establish causation is really hard. So there was a ransomware attack in Dusseldorf, Germany, I think about a year ago or more, and they had to reroute a patient who was in an ambulance, who was coming in to a different hospital that was a further 10 or 15 minute drive, and the patient died on route to the second hospital. And there was a moment where I think the cyber security experts and journalists were like, “Is this our first kind of ransomware death?” And the German authorities ended up concluding no, that the person was already in such a physical state that 10 minutes would not have made the difference. But it's that sort of activity at a scale, right, that might, I think, lead to the U.S. kind of saying first, this violates international law, and then like beyond that, does it actually rise to the level of the use of force? But I think you have to look for the scale and effects in terms of kind of, you know, death and destruction, are kind of the benchmarks for it.
JC: Professor, thanks for taking the time and joining us today.
DH: Well again, thank you so much for having me.