General security

Invoking Article 51 (self-defense) of the UN Charter in Response to Cyber Attacks – II

Dimitar Kostadinov
January 28, 2013 by
Dimitar Kostadinov

Cyber attacks through the perspective of the armed attack notion

A cyber attack cannot rise to the level of an armed attack as prescribed in Article 51 "because it lacks the physical characteristics traditionally associated with military coercion" (Holis 2007: 1041). In short, it's because the belligerents don't use standard military arms. Thus, the instrument-based approach requires the warring parties to utilize conventional military means and anything other than that is excluded from its scope. Some scholars argue that Article 41 of the UN Charter more or less confirms this standpoint, characterizing as a "measure not involving the use of armed force" the "partial or complete interruption…of…telegraphic, radio, and other means of communication."

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Another opinion on that matter is that a weapon does not necessarily need to possess explosive capabilities to be deemed a feasible tool in the sense of Article 51's armed attack. The ICJ, in its Advisory Opinion on the Legality of the Use of Nuclear Weapons, clarified this controversial issue by declaring that Articles 4, 42, and 51 of the UN Charter "do not refer to specific weapons. They apply to any use of force, regardless of the weapons employed." (ICJ, 1996).

Even when there are employed kinetic weapons with a dual-use application, for example, chemical or biological substances, this act certainly would fall in the range of the use of force category. Undoubtedly, these forms of waging war destroy life and property, so they should be banned by the prohibition of use of force (Roscini,2010). There is one remark with respect to the weapons used in cyber warfare—"it is neither the designation of a device, nor its normal use, which make it a weapon but the intent with which it is used and its effect. The use of any device or number of devices, which results in a considerable loss of life and/or extensive destruction of property must therefore be deemed to fulfill the conditions of an 'armed attack'."(Zemanek 2010: para. 21)

While the" use of force" term can be interpreted more freely so that to include under its coverage other destructive methods than kinetic force or conventional attack, the notion of "armed attack" provides little chance for a leeway analysis. It is self-explanatory that armed attack encompasses classic cases of kinetic military force. Schmitt (2011) suggests that the term "armed" should be understood in terms of the effects typically associated with it—these consequences are death or injury to individuals and destruction or damage of tangible objects and property.

Even when these consequences are not caused by conventional means and weapons, if the results are the same as those fore-mentioned, then the event might fall under the category of an "armed attack". Hence, when a cyber attack may cause the same consequences like these typical of armed attacks, it definitely should fit in the scope of Article 51. In case such a cyber attack is not associated with bringing any grave impact, then it may well constitute only an unlawful use of force.

Schmitt (2011: 588) defines this interpretation as "unsatisfactory" because some of the cyber attacks, even though they may not directly lead to the death/injury or destruction/damage effects, may cause serious negative consequences, like those suffered by the Estonian government in 2007. Perhaps the main reason for this fact is that Article 51 and even the UN Charter security system may lose its cohesion if states initiate forceful responses every time they suffer massive cyber attacks.

When there is a case in which a cyber attack is not a part of a conventional military operation, resorting to self-defense would be just if the cyber attack reaches the threshold of an armed attack (i.e. an act whose purpose is to cause physical destruction or injury). On the contrary, if the cyber attack does not constitute an armed attack, a state can invoke the Security Council to declare the hostile act a threat to the peace. Usually the states attacked interpret how to respond to a cyber attack that is short of armed attack (Schmitt, 1999).

Other cases of cyber operations are those that accompany conventional military strikes. In such situations, the gravity lies on the type of conventional attack. If it is an armed attack, then the secondary cyber threat can be treated with forceful measures at full extent. Furthermore, cyber attacks, which are integral part of lawful forceful armed response, are absolutely permissible as long as they abide by the principles of International Humanitarian Law (Schmitt, 2011).

However, Schmitt makes a remark that is not the cyber attack that invokes the right of self-defense, but the overall armed attack, in which the information attack has a significant part. Moreover, the preemptive attack must be directed against the conventional strike, not the facilities used for the conduct of information operations. In addition, since the main threat is posed by the armed attack itself, the principle of proportionality must be adjusted to it, not to the cyber attack (Schmitt, 1999).

The type and the level of response to cyber attack. self-defense measures, and responses other than Article 51 of the UN Charter

Usually, the level and type of response to the use of force is determined more or less by the extent of the impact of the initial strike. For instance, a cyber attack that is directed against a minor target that is not meant to cause grave consequences, such as death/injury or destruction/damage, would normally not be viewed as armed attack. It is perfectly clear that such an attack does not give permission to lawful self-defense measures. Besides, the states prerogative to respond to the use of force in self-defense is regulated by the necessity and proportionality tenets.

The punitive and retaliatory acts like reprisals are forbidden by the Geneva Conventions. "A response in kind by the United States, such as the release of virus in China could be viewed as a retaliatory or punitive use of force (Creekman, 2002: 667)." International law prohibits such attacks because they are not equivalent to an armed attack. In this example, United States may address this issue to the Security Council, hoping to get permission for a forceful response not related to armed attack under Article 39 of the Chapter. The unilateral responses are restricted without authorization from the Security Council.

In the case the United States passive defensive measures prove themselves as incapable of preventing the aggressive act conducted by Chinese officials, and then the US government has the right to receive reparations for the damages suffered. Of course, in accordance with the current international law, such a claim would be only possible if there is an actual agreement on cyber attacks between the United States and China (Creekman, 2002).

Turning our attention again to the ambit of preemption, Prof. Yoram Dinstein distinguishes between a preventive use of force and an interceptive one. He argues that while the former kind aims at adversary attacks that are simply in a way more or less predictable, the later type has the purpose to withstand against attacks that are not only imminent, but also in an irrevocable phase and somewhat unavoidable.

Before concluding that there is in fact a "necessity of self-defense that is instant, overwhelming, and leaving no moment for deliberation" the decision-maker is restricted to non-forceful measures as a form of response (Schmitt, 2011).

Following a similar line of logic, the conclusion to which Barkham had, an attorney from Harvard Law School (2001: 84), arrives at is that "even if the victim were to detect the attack in progress, its ability to respond under traditional international law principles would be limited…The problem is that, at the moment of detection, the target would not know the severity of the penetration. If the penetration caused little damage, then the victim might not be permitted to take defensive action. If the intrusion were the equivalent of a minor border breach, that would not be an armed attack. The target's only legal recourse to minor incursion might be an act of retortion."

The right of self-defense is contingent on the existence of one specific circumstance only of use of force as set out in Article 2(4), namely an armed attack. With regard to the self-defense option, often the question asked in each particular case is whether it is a legal to resort to it. This issue, viewed under the scope of a cyber attack, is valid only for the active defense, because all passive cyber defense measures have the purpose to merely repel or avert the opponent's cyber offensive strike (Schmitt, 2011).

Active defensive measures usually include an in-kind response, which is somewhat similar, if not equivalent, to this taken by the aggressor. The principle is clear: "Fight fire with fire". On the other hand, the passive defensive measures are very diverse—firewalls, antivirus and anti malware programs, encryption, automated detection, etc… (Condron, 2007).

Not exactly clear is the situation when the uses of force do not reach the threshold of an armed attack. A unilateral attack and collective self-defense is not allowed. Nonetheless, although reprisals infringe international law, acts like retortion have become increasingly popular in this case. Barkham (2001: 77) enumerates them: limiting diplomatic relations, suspending treaty obligations, seizing assets, withholding benefits such as financial aid, imposing trade barriers, making political decisions adverse to the state aggressor, or denying ships access to ports. Despite the fact that these acts are coercive in kind, they do not constitute the use of force.

In the opinion of the internationally-recognized English lawyer Ian Brownlie (1963), low-level attacks are permissible as long as they are localized around the border. He notes that "in certain cases technical means of countering the instrument of aggression will not adequately ensure protection if action is only taken when the object enters the territorial domain." Brownlie (1963: 367) recognizes that technological innovations may require a new way of interpretation of the beginning phase of an attack and the cyber attack may require more comprehensive examination of the use of force analysis.

Graphical layout of the legal responses at disposal against cyber attacks:


The subject of self-defense has brought about a number of controversial issues: the exact meaning of the term armed attack, the moment when armed attack begins, the scope and proper application of the anticipatory self-defense concept, etc. The emergence of cyber attacks makes the debates even more ferocious. The Stuxnet virus and the following events in the cyber security realm proclaim the advent of new warfare era. In spite of these newly-formed threats, the international legal framework ensuring security remains unchanged. In situations like this, interpreting the old rules and doctrines appears to be the only sensible approach to overcoming the issues.

It should be taken into account, however, that Article 51 of the UN Charter is the exception to the general prohibition on the use of force in international relations and as such that it should be resorted to in a careful way, when all other options are exhausted. Stretching the self-defense framework even a little bit may give rise to the superfluous use of force, leading to disturbances in world peace.


Barkham, J. (2001). Information warfare and international law on the use of force. N.Y.U.J. INT'L L. & POL 57, 34.

Brownlie, I. (1963). International law and the use of force. Clarendon Press.

Creekman, D. (2002). A helpless America? An examination of the legal options available to the United States in responding to varying types of cyber attacks. Am. U. Int'L L. Rev, 3, 641-681.

Condron, S. (2007). Getting it right: Protecting American critical infrastructure in cyber space.Harvard Law Review, 20, 403-422.

Dinstein, Y. (2002). Computer network attacks and self-defence. In Schmitt, M. & O'Donnell, B. (Ed.), Computer network attack and international law (pp. 99-111). Naval War College.

Hollis, D.(2007). Why States Need an International Law for Information Operations. Lewis & Clark Law Review, 11, 1023.

International Court of Justice (1996). The legality of the threat or use of nuclear weapons. Retrieved on 23/01/2013 from

International Court of Justice (2003). Oil Platforms (Iran vs. United States of America). Retrieved on 23/01/2013 from

Roscini, M. (2010). World Wide Warfare - Jus ad bellum and the Use of Cyber Force,

Max Plank Yearbook of United Nations Law, 14, 85-130.

Schmitt, M. (1999). Computer network attack and use of force in international law.Columbia Journal of Transnational Law, 37, 885-937.

Schmitt, M. (2011). Cyber operations and the jus ad bellum revisited. Villanova Law Review,

56, 569-606.

United Nations (1945). United Nations Charter. Retrieved on 23/01/2013 from

Webster, D. (1906). Letter from Daniel Webster, U.S. Sec'y of State, to Lord Ashbuton, British Special Minister.Reprinted in John Bassett Moore, A Diegest of International Law.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Zemanek, K. (2010). Armed attack.In Wolfrum R. (Ed.), Max Planck Encyclopedia of Public International Law. UK: Oxford University Press.

Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.