The cornerstone of the prohibition of the use of force lies in article 2 (4) of the United Nations Charter, which declares that ‘All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.’
The abovementioned prohibition of the threat or use of force is binding not only the member-states of the UN as treaty law, but also the few non member-states because of its status as customary law, as asserted by the International Court of Justice.
The only applicable explicit exceptions are either with authorisation by the UN Security Council or within the concept of self-defence. The latter will be examined below.
A careful reading of article 2 (4) reveals certain thorny issues, which have been the object of a legal debate since the drafting of the Charter. Is the phrase ‘against the territorial integrity or political independence’ to be used as a further explanation or as a limitation? Why did the drafters choose the wording ‘use of force’ only in the specific article, as opposed to ‘armed force’, ‘armed attack’ or ‘act of aggression’, which are used in other parts of the Charter? Do economic and political sanctions constitute a ‘use of force’? And what exactly is a ‘use of force’? Is it to be understood as only military or armed force? Does a cyber force fall within this threshold?
The principal international documents used among international law scholars in order to find answers to the aforementioned questions are the 1970 Declaration on Principles of International Law and the 1987 Declaration on the Enhancement of the Effectiveness of the Principle of Refraining from the Threat or Use of Force in International Relations, but these instruments can provide no definite answers.
Benatar provides an extended analysis of whether article 2 (4) can be interpreted as to include cyber force, using as a ‘toolbox’ the interpretative techniques of the 1969 Vienna Convention on the Law of Treaties (VCLT).
On a first level, Benatar seeks answers performing a narrow interpretation of article 2 (4). After yielding no unambiguous results based on a textual exegesis, he proceeds to examine the travaux préparatoires of the drafting procedure and the subsequent practice, only to conclude that a use of force constitutes an a force of an armed nature in the technical sense.
Secondly, a broad interpretation is conducted, using the more expansive legal technique of analogy, using the so-called consequentiality approach.
The consequentiality approach, embraced by the majority of ‘cyber law’ scholars is based on the writings of the late Sir Ian Brownlie. Supporters of this approach go so far as to claim that ‘Brownlie established a new juridical basis for assimilating weapons to the use of force that would otherwise be left out’. Until then, the traditional analysis of determining whether an act is a use of force looked at whether there is kinetic impact, such as an explosion or a physical force. Brownlie moved towards a result-oriented approach in order to characterise chemical and biological weapons as use of force, arguing that modes of warfare bring about the ‘destruction of life and property’.
So, this effects-based approach dictates that if the same damage is caused by traditional –kinetic– uses of force, then cyber attacks also constitute a use of force. Wingfield mentions characteristically, ‘It should be immaterial whether a power transmission sub-station is destroyed by a 2000-lb bomb or by a line of malicious code inserted into the sub-station’s master control program because the amount of damage is equivalent.’
The majority of ‘cyber law’ scholars embrace this approach in order to equate cyber attacks to a traditional use of force.
However, the inherent flaw in this approach is that not all cyber attacks cause physical damage and human casualties. Shutting down –even for a limited amount of time– an entire country’s bandwidth and thus shutting down its communication with the outside world will not –at least not immediately- result to human deaths.
Heavily quoted Professor Michael Schmitt proposes a case-by-case analysis, considering both the qualitative and quantitative aspects of an operation, using the seven following criteria as indicators of the extent to which the international community is likely to judge an information operation a use of force: immediacy, directness, invasiveness, measurability, presumptive legitimacy and responsibility.
The problem with this approach is that all the above-mentioned factors are elements that are characterised by subjectivity, as they are not objectively-measurable variables.
However, a very interesting case study was effectuated in order to demonstrate the applicability of Schmitt analysis to the question of whether the attacks have risen to the level of a ‘use of force’ under international law. The said scenario involved an attack on the Washington metro at rush hour, using malicious code to strike the software-intensive automatic train protection (ATP) system, causing train collisions ending in thirty human casualties and destruction of property. Again, it is wildly unrealistic to quantify and measure the above-mentioned seven intangible factors in a one-to-ten scale, as the authors of the article did.
It derives from the aforementioned that it cannot be definitely concluded that all cyber warfare operations can be considered as ‘force’ in the traditional meaning of the term according to article 2 (4) of the UN Charter.