Decoding The Cyberwarfare Regulatory Framework and Fault-Lines

Sub Title : Often a complicated and less understood regulatory framework made easy to comprehend

Issues Details : Vol 16 Issue 4 Sep – Oct 2022

Author : Keerti Surana

Page No. : 58

Category : Military Affairs

: October 14, 2022

The rules of international law can only provisionally serve present needs but are not well suited to the challenges posed by the cyber domain, primarily because extant law was not designed with concepts like anonymity, heightened interconnectivity, and cohabitation of military civilian and non-state objects in the same space. This notwithstanding, efforts are ongoing to see  how established laws of war can be applied in the cyber context and to iron out the creases therein.


War has historically been the manifestation of human desire to dominate and establish superiority. Domination through disruptions has been a strategy for long – a strategy aimed at curbing the rise of adversaries. That war and conflict is as old as mankind is not an understatement. What has changed with time and technology is the mode of engaging in war.

Norms that govern rules of engagement in war, much like ‘honour among thieves’ have existed for much of human history, with references found in mythical folklore and religious texts such as the Mahabharat, the Old Testament and the Quran, and entire movements such as the ‘Peace and Truce of God’ in the medieval ages.

The ‘Treaty of Armistice and Regularisation of War’ between the forces of the Republic of Columbia and the Spanish Kingdom in 1820 is one of the earliest known instances of the crystallization of such norms as rules between two warring factions and is considered by many as the antecedent to modern International Humanitarian Law. Since then, there have been multiple bilateral and multilateral treaties where countries including global powers have resolved to respect certain basic rules of war, to uphold and preserve humanity, and minimise destruction.

Every domain unlocked through innovation in technology has been accompanied with a certain degree of uninvited weaponization. The cyber frontier is the latest in this line, the earlier ones being land, water, undersea, air and space respectively. The single trait that differentiates the cyber domain from all other domains before it, is its virtual nature. This article seeks to explore the possibility of applying the law of warfare that developed in the 20th century (something that was informed predominantly by the capabilities and possibilities of kinetic warfare) to 21st century cyber capabilities.

Existing Rules of War

Before embarking upon how these may fare when applied to warfare in the virtual word, I shall outline the existing laws of just warfare.

The law of warfare can be broadly understood under two heads- (1) Jus ad bellum, and (2) Jus in bello. These are Latin terms and respectively stand for ‘the right to war’ and ‘the rights in battle’, i.e., the rules that govern whether war is legally justified and, the rights and duties each warring party enjoys and is bound by during war.

Principles of jus ad bellum govern whether war is justified. It lays out that a war is only just if it is called properly by the proper authority. This is what differentiates war from murder. In addition to this, it must be waged for proper purpose, such as to create or preserve peace, or in self-defence. It must be entered into only as matter of last resort and, only if the instigator believes that there is a decent probability of achieving the sought objectives. Parties must also restrict their use of force to the minimum, in both offence and defence. Customary and codified principles of non-intervention and prohibition against the use of force such as Article 2(4) of the UN Charter are examples of jus ad bellum.

Principles of jus in bello lay out the rights enjoyed by and duties that bind participants in war (for the purposes of this paper, I shall focus on the a few cherrypicked duties). Actors are foremost obliged to distinguish between combatants and non-combatants (or civilians) and use force only against the former (the principle of distinction). Actors have the duty to use only that much force that is necessary for military objectives and must minimise fallout loss to civilian life and property (the principles of necessity and proportionality, being similar principles in different context, i.e., offence and defence respectively, go hand in glove).

The Cyber ‘Pandora’ Box

The virtual nature of the cyber domain endows it with fundamentally different characteristics than the other realms. Firstly, it is virtual or intangible. Secondly, it has no defined physical location or boundaries. Thirdly, it is (increasingly becoming) all pervasive, driven by the ease of smart interconnected devices. Fourthly, it is inhabited and (variably) controlled by various players – state and non-state entities such as individuals and corporations, and even rogue and violent non-state actors. Fifthly, operators can successfully assume any identity of their choice to conceal and even mislead. Sixthly, it has very low entry barriers – the mere requirement of a computer and an internet connection. Seventhly, attacks are not apparent, and may not be known to have occurred until discovered.

These issues are neither distant nor imminent. The cyber ‘pandora’ box has been opened. Some 15-20 Countries have invested in developing various offensive and defensive cyber capabilities and 47 countries have included cyber-projects in their military budgets. To think about issues and legal-regulatory framework that applies to the cyber domain is a need of the hour.  Scholars have noted that development of such law through treaties is an unlikely proposition, while also being unenthusiastic that customary norms will crystalise to accommodate these new challenges.

Experimenting a Transpose

In recognising the abovementioned challenges, an International Group of Experts (IGE) under the aegis of NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE), attempted to chart out the how established laws of war apply in the cyber context. A follow-up exercise was held after the success of the first. The outcome of these exercises was a compilation of 95 and 154 non-binding “black-letter rules” in the form of two handbooks – the ‘Tallinn Manual’ and ‘Tallinn Manual 2.0’ respectively. A few areas where there is lack of convergence are examined hereunder.

State Responsibility

Article 2(4) of the UN Charter prohibits use of force and has been accepted as a jus cogen. While instances of use of force have dramatically decreased, the number of offensive cyber operations has gone up. The remote and inconspicuous origin of these operations and the added difficulty in establishing a nexus between the perpetrator and a state have fuelled this. Thus, there are very few instances of states claiming responsibility.

The ICJ in Corfu Channel noted that when States exercise exclusive control over territory, they become responsible for acts committed from that area. Cyberspace has been recognised as an “imperfect global commons”, i.e., it is not exclusive territory of any state, yet states can exercise sovereignty over it. Unlike the physical realm, the cyber domain is constantly expanding, and it cannot be reasonably expected of states to have knowledge of all that originates or passes through its cyber-infrastructure. It is unlikely that states will accept such surveillance responsibilities.

In the few instances that origins of a cyber operation are traced, the standard applicable for attributing responsibility, remains to be seen – whether it will be the “effective control” test or the “overall control” test.

 “Use of force” vs “Armed attack”

The foremost question that arises is how offensive cyber operations are to be classified. The ICJ in Nicaragua distinguished between ordinary “use of force” and graver forms of use of force that constitute an “armed attack”. The Additional Protocol to the Geneva Convention defines “attack” as “acts of violence against the adversary, whether in offence or in defence”. This categorisation bears upon the legally permissible manner of exercising ones right to self-defence, as states must respond proportionally. In an official statement to the General Assembly, Panama noted that the cyber-realm could become a tool of a “new form of violence”. Therefore, understanding the threshold becomes important.

Traditionally only militarily powerful states (with neo-imperialist motives) have maintained that there was no difference between the two. This allowed them to respond in self-defence as though it was an armed attack and served as deterrent to the rest. However, the logic for this distinction fails in the cyber-context because of the lack of entry barriers. In the cyber-context, the distinction would provide safe opportunities to states to carry out cyber-operations without forceful responses.

The question then is deciding a threshold. While it is conceivable that death and destruction of property may rise to the level of an armed attack, it is unclear whether non-injurious and non-destructive operation with severe consequences would also rise to that level. The Group of Experts and scholars are divided on this issue, with some preferring the “physical consequences” test, while others preferring the severity/functionality test (whether the object of attack functions as intended). Prof. Schmitt seems to suggest that these tests are bound to fall into disuse because neither account for the overwhelming central role of the cyberspace in the modern world. He expects a new norm to develop that protects “essential civilian functions” and operations that disrupt it as attacks, while drawing support from US and Dutch statements on in this regard. In the modern world, where economic might triumphs military might, whether cyber operations by corporations/businesses against corporations/businesses (the economic backbone of states) constitutes as use of force is a question that remains to be answered.


This principle originated with an attempt to minimise effect of wars on civilian population. Weapons which do not make this distinguishment have been prohibited (nuclear weapons, weapons of mass destruction, etc.). Adherence to rule becomes challenging in the case of people and objects that serve both purposes. The extent of dual use issue is immaterial.

There is consensus that civilians and civilian objects are only those that are exclusively civilian in nature; and when such person or object is employed to further a military objective, it from there on takes the character of a military objective. The lines between civilian and military objective are blurred in the cyber domain as much of existing infrastructure is also used by the military, and militaries are increasingly beginning to use “off the shelf” equipment. If a traditional understanding is employed, it opens critical national infrastructure [for eg. electricity grids, stock markets, financial and banking infrastructure, national communications systems (satellites, positioning systems, etc.)] and civilian manufacturers of such equipment to being legal targets in war.

Although the previously noted “essential civilian function” provides a solution to this absurd outcome, the test is not yet a norm. The Group of Experts suggested that this absurdity can be avoided if one were to classify an attack on the entire infrastructure as disproportional to object sought to be achieved. States in offence are likely to defend their actions by employing the traditional view, while they are likely to rely on proportionality when on the backfoot. This is a grey area of law and is a classic case of “military necessity vs humanity”.


The right to self-defence must be exercised only proportionally, and only within the timeframe of the attack. In recent years, threats such as that of terrorists has made the latter condition ineffectual, i.e., states might have suffered damage without getting enough opportunity to exercise their right of self-defence. Thus, in this context, a new customary norm developed – that of pre-emptive self-defence. The manner in which certain states have exercised this right has been subject to wide criticism from the international community. The nature of cyber-attacks is similar to terrorism. Thus, one wonders if states may take advantage of this doctrine in the cyber-realm if the source of attacks is discovered in advance. While states claim so, the answer to this question is anyone’s guess in the absence of an authoritative advisory ruling on the legality of pre-emptive self-defence.

Another question that looms is whether self-defence, limitation in the cyber-realm, could include counter offensive operations. States have till date limited their defensive counter operations in the cyber-realm. However, Israel has recently demonstrated otherwise. It destroyed a building of Hamas that housed the cyber operations cell. While this may be ignored as a one off when seen against the background of long-standing conflict, it also suggests that crossing domains is a question of ‘when’ rather than ‘can’.

Concluding Comments

Cyberwarfare is an asymmetric form of warfare. The present rules of international law can provisionally serve present needs but are not well suited to the challenges posed by the cyber domain, primarily because extant law was not designed with concepts like anonymity, heightened interconnectivity, and cohabitation of military civilian and non-state objects in the same space.

While I have discussed some preliminary fault lines that exist and how present law may provisionally (although unsatisfactorily) accommodate them, larger issues like cyber-espionage and cyber-based terrorism in the form of viruses looms imminently. The next few decades will be particularly crucial when it comes to the evolution of law in this regard. State practice is expected to become apparent as states will have to deal with cyber operations.

Keerti Surana is a final year Law student from Jindal Global Law School