A cyber attack is not a war
In 2018, the UN General Assembly concluded that international law applies in cyberspace just as much as outside it, and that with respect to information technology should be applied "appropriately". This is a statement accepted without objection by the vast majority of countries in the world. However, we wonder what it means in practice. How to "appropriately" apply norms regarding, for example, state responsibility for actions contrary to international law, human rights, determining the threshold of an armed attack that justifies a defensive war, and how to distinguish it from the threat of the use of force or interference in the sovereignty of the state, which do not justify such an armed response. Since then, many countries, including Poland (2022), have decided to publish their positions regarding the application of international law in cyberspace, meeting the needs of peaceful international dialogue.
Based on these declarations, the interpretation of the use of force in cyberspace is clear – states decide on their own whether to classify a cyber attack as possibly violating the norm of international law indicated by them. For example, Article 2(4) of the United Nations Charter requires states to refrain from the threat or use of force in international relations, including the use of conventional weapons and cyber operations, when their effects would be comparable. The International Court of Justice has repeatedly confirmed that the prohibition applies to all use of force, regardless of the means. Although no country has yet recognized any cyber operation without physical consequences as a use of force, countries such as France, the Netherlands and Norway allow this option, provided that certain criteria are met, such as the scale and scope of the operation's harmful effects. According to the authors of the first Tallinn NATO manual, the closest to this threshold was the attack using the Stuxnet malware, developed by Israeli and American intelligence, which effectively slowed down the Iranian nuclear programme in 2010, although Iran did not declare it to be an act of war. This was also not done in response to later (2016), similar, although more severe, Russian attacks carried out against European countries using the Petya malware.
The use of force, in cyberspace and beyond, is therefore always illegal unless authorized by the UN Security Council, exercised within the framework of the right of self-defence, or carried out with the consent of the territorial state. Even though cyber operations without physical consequences are not recognized as the use of force, they may still violate other principles of international law, such as the prohibition of interference in the internal affairs of another state or the obligation to respect its sovereignty. At the same time, so far, no country has decided to respond militarily to an attack in cyberspace, consciously deciding that they do not reach the level of an armed attack.
Poland speaks out
Over the last eight years, 28 countries (and one international organisation – the African Union in 2024) have published their positions on how they understand the appropriate application of international law norms regarding aggression, self-defence, state responsibility and due diligence in cyberspace. Volumes of scientific and training publications have been devoted to discussions around the threshold of cyberwar, including NATO's "Tallinn Manual" in its two versions. All these positions and studies confirm that the recognition of interference with state sovereignty as exceeding the threshold of armed aggression and justifying an armed response remains within the sovereign competence of states, as an expression of their independence.
Hypothetically, Poland could believe that increased Russian activity in its IT networks justifies retaliatory military action. However, while remaining a part of the North Atlantic Treaty Organisation, it would certainly like to convince NATO partners to this view. This could prove more difficult - the risk of the conflict escalation in cyberspace has so far prevented countries from such an interpretation and appropriate attribution of even the most harmful cyber attacks. The first country to try to convince people to evaluate a cyberattack this way – as an act of cyberwar – was Estonia in 2007, the victim of a DDoS attack directed against its critical infrastructure by the Russian pro-Kremlin youth organisation "Nasi". Russia, informed about the ongoing incident, refused to help, pointing to the citizen's right to express opposition to Tallinn's policy, which was exercised by the perpetrators. The Estonians called on their NATO partners for assistance, but after reflection, they refused to help. Thus, by 2024, none of the countries exposed to cyberattacks has considered them to have reached the level of war in cyberspace, for fear of escalating the conflict.
The situation of cyberattacks accompanying an ongoing armed invasion is slightly different, as in the case of Ukraine, the Gaza Strip or, earlier, e.g. Georgia. However, here the interpretation of the legal status is beyond doubt – a proportional military response is justified during the conflict. However, the principle of proportionality may pose difficulties in interpretation, also for the Polish cyber army. Here, too, the answer to the question about a proportional response will depend on the assessment and capabilities of the victim state and the circumstances of the case. It has the right to defend itself effectively – depending on the type of attack, the strength of the response will be proportional to it. Therefore, one can hypothetically imagine the use of a counter-cyber attack of proportional strength, to which the French and Dutch mentioned above have declared their readiness.
How to measure a cyber attack?
How to measure the "strength" of a cyber attack? Do we have effective tools for this? This is where international law researchers and political scientists come to the rescue. In the recently completed by the University of Lodz "Cybersecurity Data" project, the Lodz Cyber Hub has prepared an operational panel for measuring cyberattacks in Polish, which is based on an interdisciplinary methodology. We can therefore measure a cyber attack and evaluate it in comparison to other similar incidents. On the Polish website of the Eurepoc project, you can find descriptions and indicators of individual cyber incidents, including those carried out during the war in Ukraine, including those carried out by the leading Kremlin group APT28, composed of GRU officers. The repository also includes numerous publications that help answer dogmatic and practical questions about the threshold of war in cyberspace. So far, however, they all clearly recommend de-escalating the conflict and viewing cyberattacks as a possible violation of state sovereignty, resulting in international responsibility rather than a military response.
"Responsible behaviour of states in cyberspace", understood as the behaviour of states in accordance with international norms, is also one of the priorities of the European Union's external policy. To implement it, the European Commission and the European External Service have developed the "EU Cyberdiplomacy Toolkit", which translates the instruments of international law into the language of general cybersecurity policy. European cyberdiplomacy allows for proportionate responses to cyber incidents in accordance with international law, preceded by international attribution – attributing responsibility to the groups behind them or to states that at least accept the actions of such groups. Poland is an active participant in this international dialogue, and international law is an indispensable instrument for conducting it.
Tekst: Dr Joanna Kulesza – Lodz Cyber Hub