The Gray Area of Cyber Warfare: How International Law Grapples with Digital Conflict

By Anshika Patra

In an increasingly digital world, the battlefield has expanded much beyond traditional land, sea, and air domains to include cyberspace. This shift has sparked significant debate over how international law should apply to cyber operations, particularly when it comes to defining and classifying cyber-attacks as a serious crime. While there is a consensus that international law, including key principles from the United Nations Charter, applies to cyberspace, the application of these laws in the digital realm remains complex and, at times, ambiguous.

Cyberattacks refer to deliberate attempts by individuals, groups, or states to breach, damage, or disrupt information systems, networks, or devices. These attacks can range from relatively simple activities, such as phishing or denial-of-service (DoS) attacks, to highly sophisticated operations involving the infiltration of critical infrastructure, the deployment of advanced malware, or the theft of sensitive data. Cyberattacks can have a variety of objectives, including espionage, sabotage, financial gain, or political manipulation. In the context of state-sponsored actions, they can serve as tools of coercion or instruments of warfare.

International law provides a framework for state behavior, even in cyberspace. The UN Charter’s key principles of sovereignty, non-intervention, and the prohibition of the use of force are all recognized as applicable in the digital domain. Sovereignty ensures that no state may interfere with the internal affairs of another, including through cyber means. The principle of non-intervention prohibits states from coercing another state’s sovereignty through actions like cyber-attacks. The prohibition of the use of force, as outlined in Article 2(4) of the UN Charter, is central to the debate on whether a cyber-attack can be considered an act of war.

Despite these broad principles, the application of international law to specific cyber activities remains a challenging issue. One of the primary reasons for this complexity is the difficulty in determining the threshold at which a cyber operation transitions from being a hostile but non-warlike activity to an act of war.

The distinction between legitimate and illegitimate cyber activities during peacetime is often murky. States routinely engage in cyber activities such as intelligence collection and proactive defense, which are generally considered acceptable under international law. The United States, for instance, has formalized such actions under the U.S. Cyber Command’s doctrine of “defend forward/persistent engagement.” This doctrine allows for the continuous engagement of potential threats in cyberspace to preempt and prevent attacks on U.S. interests.

However, the line between defense and offense is not always clear. Major cyber powers have occasionally gone beyond mere intelligence gathering to conduct offensive cyber activities, such as hacking into foreign infrastructure or spreading malware. These actions often fall into a gray area—while they may be aggressive and damaging, they are not always classified as acts of war. The international community has largely paid little attention to these activities, often dismissing them as covert operations or acts of espionage, rather than open warfare.

The ongoing conflict between Ukraine and Russia serves as a prominent example of the challenges in classifying cyber-attacks. Since 2014, Ukraine has been the target of significant cyber operations, primarily attributed to Russian state actors. These cyber-attacks have included disruptive and destructive operations against critical Ukrainian infrastructure, such as energy generation and distribution systems.

Despite the severity and impact of these attacks, Western nations have not classified them as acts of war. Instead, they have been viewed as part of the broader conflict between the two countries, but not as actions that trigger the right of self-defense under Article 51 of the UN Charter. This reluctance to classify cyber-attacks as acts of war reflects the current uncertainty and lack of consensus in international law regarding what constitutes a cyber act of war.

One of the most contentious issues in the application of international law to cyberspace is determining when a cyber-attack constitutes an act of war. The traditional understanding of an act of war is based on the use of force that results in significant destruction, loss of life, or significant economic damage. In the cyber domain, however, attacks can be conducted without any physical damage, making it difficult to apply these traditional criteria.

For instance, a cyber-attack that disrupts a nation’s financial system or causes widespread power outages may not cause immediate physical damage or loss of life, but it could have long-term economic and social consequences that are just as severe. Should such an attack be classified as an act of war? The answer remains unclear, as international law has yet to fully address these scenarios.

NATO has taken steps to adapt its policies to the realities of cyber warfare, stating that a significant cyber-attack could be considered an act of war, triggering the collective defense provisions of Article 5 of the NATO treaty. However, this sets a high threshold, and it remains to be seen how and when such a decision might be made. The lack of clear criteria leaves states in a precarious position, uncertain of when a cyber-attack might justify a military response.

The evolving nature of cyber warfare highlights the urgent need for clearer guidelines in international law. While existing laws provide a foundation, they were developed in an era before the advent of cyberspace and are not fully equipped to address the unique challenges posed by digital conflict.

One approach could be the development of an international treaty specifically addressing cyber warfare, outlining clear definitions and thresholds for what constitutes an act of war in cyberspace. Such a treaty could also establish norms for state behavior in cyberspace, similar to existing treaties governing nuclear, chemical, and biological weapons.

Another possibility is the adaptation of existing laws to better fit the realities of cyber conflict. This could involve expanding the interpretation of “use of force” to include certain types of cyber attacks, or creating new legal categories for cyber operations that fall short of traditional acts of war but still warrant a strong response.

While there is broad agreement that international law applies to cyberspace, the specifics of how it should be applied, particularly in the context of cyber-attacks, remain unclear. The ambiguity surrounding what constitutes an act of war in cyberspace poses significant challenges for States and the international community. As cyber operations become increasingly integrated into modern warfare, the need for clearer legal guidelines is more urgent than ever. Only through international cooperation and dialogue can the global community hope to establish a more stable and predictable legal framework for cyberspace.

Disclaimer: All opinions expressed herein are the author's own. This blog post includes information and hyperlinks sourced from various agencies and authorities. Proper credit is given to these sources to acknowledge their contributions and ensure compliance with copyright regulations.