New era

The massive expansion of information and communications technology has led to an ever-growing dependency on them in a modern society that is fully connected both in civilian and military terms. As a result of this considerable dependence, actions and security in cyberspace have become critical concerns for the international community, particularly for the most developed and digitalized states, given their significant dependence and thus greater vulnerability.

Cybersecurity is of vital importance for states because it is closely linked to the protection of their national interests. Professor Michael Schmitt posits that this dependency means states will progressively assign greater value to access and the ability to exploit cyberspace. Consequently, states have undoubtedly tended to employ their full cyber capabilities to defend their cybernetical infrastructure and the cyber activities they depend on (^{Schmitt Michael, 2014}, p. 273-274).

The world has entered a period where cyber warfare is replacing conventional warfare. Hence, a fundamental issue is how states respond to increased cyber threats. As argued by ^{Finlay and Payne (2019)}, the law has not kept pace with this reality. Cyberattacks have reached the same level of threat as kinetic attacks. However, sometimes the law, especially international law, has not explicitly addressed and regulated the situation due to its novelty and complexity (p. 202-206).

The increasing and constant peril of cyber-operations as a weapon has made it vital in the international law for a consistent and reasonable legal framework under jus ad bellum to be developed for this type of attack.

The final point, as elucidated by ^{Carr (2012)}, extensively details the modern usage and perception of jus ad bellu, asserting its origin from the United Nations Charter (UN Charter) and the corresponding customary international law (p. 49). Consequently, these foundations of international law serve as the initial driving force for future state practices in the cyber realm. A consensus exists regarding the fully applicability of existing international law to cyberspace, with the applicable laws stemming from 'the interpretation of longstanding rules of international law, primarily by states' (^{Schmitt, 2022}, p. 16).

This paper will be limited in scope to the right of self-defense under the jus ad bellum regime, especially for concerning cyber-attacks that could be considered armed attacks under the international law of self-defense. Towards the end of the paper, the focus will shift to the involvement of non-state actors' attacks in the cyber-realm and how and when offended states can respond.

Concept of self-defense

According to the jus ad bellum framework, the lawfulness and legitimacy of defensive use of force are determined by the law of self-defense. As general rule, the use of force is prohibited by Article 2(4) of the UN Charter in. The law of self-defense is established as an exception to the prohibition of Article 2, as outlined in Article 51. This article acknowledges that nothing shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a member of the United Nations.

In addition to Article 51, the un Charter establishes another exception to Article 2(4). This exception is outlined in Articles 39-42 of the Charter. It includes scenario where the United Nations Security Council could authorize the use of force if any threat to peace or breach of the peace is determined.

Prohibition of use of force

Understanding the concept of the prohibition of the use of force is crucial in grasping how of self-defense unfolds. This prohibition stands as a central element in the un Charter framework and customary international law, recognized as jus cogens (^{Roscini, 2014}, p. 43).

There is no formal description of what constitutes the use of force under international law, and states differ in their agreement on a clear definition. However, the scale and the effect of an act are generally the criteria to be considered when assessing the threshold of the use of force (^{Gray, 2018}, pp. 601-618).

Regarding the Cyber-Realm, the Tallinn Manual 2.0 on International Law Applicable to Cyber Warfare (Tallinn Manual 2.0) asserts the same prohibition in its Rule 68: ''Cyber operations that are considered as 'threat or use of force against the territorial integrity or political independence of any State, or that is in any other manner inconsistent with the purposes of the United Nations, is unlawful."

The significance of this article is that it extends to all cyber operations, even if they do not violate the territorial integrity or political independence of a state. The importance lies in the fact that any type of cyber operation is prohibited if inconsistent with the framework provided in the un Charter.

Use of force in the cyber-context

In the advisory opinion on Legality of the Use by a State of Nuclear Weapons in Armed Conflict of 1996, the International Court of Justice indicated that the understanding of UN Charter Article 51 and Article 2(4) could apply to self-defense and the use of force, respectively, regardless of the weapons employed in the attack (^{International Court of Justice, 1996}, p. 39).

In cyber operations, as affirmed by the Tallinn Manual 2.0, it is not the technique or process employed that defines whether the "use of force" threshold has been breached.

Rather, as described in Rule 69 of the Manual, the effects of the operation and its specific considerations would aid in this assessment. The Manual asserts that the use of force in cyber-operations falls within the scope of application of Article 2(4) of the un Charter, and that the amount of force in cyber operations could be equivalent in effect and scale to kinetic operations. However, as stated by the Group of Experts, "the fact that a cyber operation fails to rise to the level of a use of force does not necessarily render it lawful under international law" (^{Schmitt, 2017}, p. 330-333).

One of the most important comments on Rule 69 is the one made by the Experts regarding the nature of the targeted cyber-infrastructure being definitive in the analysis of whether the cyber-operation qualifies as a "use of force." This is a significant understanding because it signifies it is noteworthy that almost all the targets in cyber-infrastructure could potentially meet the threshold established in Rule 69. The Tallinn Manual 2.0 (2017) Experts provide a non-exhaustive list of factors that should be considered in determining if an operation is considered "use of force":

Armed attack

One of the key concepts is what constitutes an attack. A general definition that can be used is the one offered by international humanitarian law, which is primarily significant in the context of armed conflict. In jus in Bello, the concept of attack signifies a specific military operation within the particular conflict. Additionally, the 1977 Additional Protocol I to the Geneva Conventions, in the Article 49(1), describes an attack as "acts of violence against the adversary, whether in offense or defense."

Article 51 of the un Charter does not provide a specific meaning for "armed attack," rendering its interpretation ambiguous. There are measures taken by states that are not considered attacks but may still be deemed as a "use of force." Therefore, there is a constant debate over the level of destruction necessary to categorize the effects of "use of force" as an armed attack.

The International Court of Justice (1986) delves further into this issue in the Nicaragua v. United States of America case. Nicaragua claimed a violation of the prohibition on the use of force and the principle of non-intervention by the United States against the Nicaraguan state due to the support provided to the armed opposition of the left-wing government (the contras) and the military activities performed by the us armed forces.

The Court ruled that not every violation of the prohibition on the use of force could be considered an armed attack in the interpretation of Article 51 of the un Charter. The Court (1986) specified that for an event to be classified as an attack, it must have certain "scale and effects" mentioning that, as in the events of the specific case, a "mere frontier incident" is insufficiently grave and "it will be necessary to distinguish the most grave forms of the use of force (those constituting an armed attack) from other less grave forms."

Similarly, the ICJ (2003) in the Islamic Republic of Iran v. United States of America case, where Iran argued that the us performed a "fundamental breach" of provisions of the Treaty of Amity, Economic Relations and Consular Rights between the United States and Iran of 1955 and violated international law by the destruction of three offshore oil production complexes, owned and operated for commercial purposes by the National Iranian Oil Company in retaliation for the damage one us warship suffered from striking a mine in international waters near Bahrain.

Nicaragua's understanding of an armed attack was reaffirmed in the judgment regarding the gravity requirement. The Court (2003) affirmed that in order to justify the attacks on the oil platforms, the us should have demonstrated that the attacks on the us warships were considered armed attacks under Article 51 of the un Charter and customary law. This also necessitates the distinction between of the gravest forms of the use of force and other less severe forms, with the former considered armed attacks.

This definition presents a dilemma for cyber operations and cyber-attacks, as it is challenging to determine when these operations can be deemed "attacks". Some cyber operation actions may not generate the same consequences as a kinetic attack, raising questions about where the threshold is drawn to classify cyber-attacks as an armed attack.

An interesting situation that would spark considerable debate is whether cyber intelligence gathering and theft or cyber operations involving a brief interruption of non-essential cyber services would constitute an armed attack. One significant solution to this debate is provided by the Tallinn Manual 2.0 (2017), which explicitly states that neither of these situations mentioned above could be considered an armed attack. This position, as assumed in the Tallinn Manual 2.0, would exclude many of the daily cyber operations from the armed attack spectrum.

However, is important to highlight in contrast that other notable scholars position themselves with the idea that "no tangible criteria have been defined for that purpose in international law" (^{Oorsprong et al., 2023}, p. 220).

Overall, cyber-attacks pose a significant challenge due to their diverse forms and varied nature and scope, necessitating a comprehensive examination of the fulfillment of the jus ad bellum analysis.

Right self-defense

The exception of self-defense allows a state, subject to an armed attack, to respond with the use of force. However, for such a response to be lawful, self-defense must meet the conditions imposed by international law, especially un law, particularly Article 51. As outlined in the Nicaragua Case by the International Court of Justice (1986), the "inherent right" is recognized by the UN Charter Article 51 as a pre-existing customary law right (p. 14).

Moreover, the right of self-defense extends beyond Article 51. As Professor Yoram ^{Dinstein correctly described (2011)}, the International Court of Justice acknowledged in the Nicaragua Case that the drafters of the Charter must have intended to declare the right even outside the Charter. They aimed to uphold it equally for both Member and non-Members, creating the obligation for both types of actors to refrain from using force and recognizing the self-defense right they possess (p. 181-182).

In addition, the self-defense action must be necessary and proportionate. These principles of the concept are currently part of customary international law.

Self-defense against armed attack in the cyber context

Under the aforementioned conditions, there is no doubt that a state facing under a cyber threat or an attack by non-state actors can respond with the understanding that the response is lawful within the jus ad bellum.

The Tallinn Manual 2.0 (2017) in Rule 71 embraces the "scale and effects" argument to determine if the cyber operation qualifies as an armed attack. Thus, if an armed attack is committed, the affected state has the right to self-defense. (p. 339) As stated by the Group of Experts, the "scale and effects" argument is borrowed from the Nicaragua judgment. Regarding non-state actors, the Group of Experts has commented on Rule 71 that "State practice has established a right of self-defense in the face of cyber operations at the armed attack level by non-state actors acting without the involvement of a State, such as terrorist or rebel groups" (p. 345).

Anticipatory self-defense

As mentioned above, states have a clear and undoubted right of self-defense. However, there have been developments in the concept for situations that could lead to anticipatory defense from states, even before an armed attack occurs in their territory. Scholars have theorized about the different types of self-defense, usually contemplated under the generic term of anticipatory self-defense. This term includes several other theories: interceptive self-defense, preventive self-defense, precautionary self-defense, and preemptive self-defense.

The first is interceptive self-defense, defined by Professor ^{Dinstein (2011)}, as the reaction from a state to an event that is already taking place, even if its consequences are not fully developed. This includes attacks that have been initiated but have not reached their first target. Dinstein clarifies how the determination of the beginning of an armed attack can be resolved, suggesting that one solution is when an actor has "committed itself to an armed attack in an ostensibly irrevocable way" (p. 205). ^{Dinstein (2011)} also theorizes that a state's response in these situations could be legal under Article 51 of the UN Charter (p. 204). He provides a detailed example in his book War, Aggression and Self-Defense: "if the radar of a Carpathian military aircraft locks on to - or illuminates (i.e. aims laser beams at) - an Apollonian target, although no missile has been fired (and no bomb has been dropped), an armed attack may be deemed to be in progress, and a timely response by Apollonia would constitute interceptive self-defense"(p. 203).

The concept of preventive self-defense can be understood as the use of force in response to non-imminent and not yet materialized attacks, as stated in the "Report of the Secretary-General's High-level Panel on Threats, Challenges and Change" of the United Nations (2004). This type of self-defense is invoked in The National Security Strategy of the United States of America of 2002 to legitimize the use of force. This is done to establish the right to counter threats before they evolve into concrete actions, as in the context of the Bush doctrine, the potential use of Weapons of Mass Destruction (WMD) against America or any of its allies.

Another self-defense classification is precautionary self-defense; according to ^{Byers (2003)}, it is the allegedly reasonable legitimate use of force that responds to a possible armed attack while there is no further evidence of the attack (p. 181).

Finally, the last concept of self-defense is preemptive self-defense, as described in the aforementioned un report of the Secretary-General. It is the presumably legitimate use of force in response to a real and imminent attack on a state that has not been launched yet, and the usage of armed force is pursued to prevent the attack from becoming a real one.

Preemptive self-defense is the only type that considers the real and objective imminence of an attack. In the Interceptive type, the threat of an attack has already begun, whereas at the opposite end of the spectrum, in the preventive type, the use of force anticipates a simply distant threat. To underscore the importance of the self-defense concept, it is essential to illustrate the requirements and principles of self-defense.

Requirements of self-defense

Imminence

Dinstein explains that this principle indicates that the attacked state's self-defense measures should be performed without any delay. ^{Dinstein (2002)} continues indicating that self-defense does not have to commence immediately from the initial attack, and states must have a reasonable response period (p. 110).

Regarding the Cyber-context, ^{Roscini (2014)} asserts that immediacy does not mean "instantaneous" and allows some room for flexibility for states. In this sense, a cyber-attack on a state's military cyber-infrastructure could lead to temporary complete incapacitation of the state infrastructure, making the responsive self-defense attack potentially delayed, whether it is cyber or kinetic. Furthermore, the immediacy of the self-defense can be affected in the cyber-context since assembling adequate and sufficient evidence to attribute the attack could be a monumental and time-consuming task (p. 91).

One interesting debate regarding anticipatory self-defense and the concept of imminence is raised in Tallinn Manual 2.0 (2017) Rule 73 comments. There is a controversy regarding the temporal threshold for self-defense, centering the discussion on whether anticipatory self-defense is lawful or not. The Group of Experts considers that "a state may act in anticipatory self-defense against an armed attack, whether cyber or kinetic, when the attacker is clearly committed to launching an armed attack, and the victim state will lose its opportunity to effectively defend itself unless it acts. In other words, it may only act during the last window of opportunity to defend itself against an armed attack that is forthcoming. This window may present itself immediately before the attack in question, or, in some cases, long before it occurs" (p. 351).

For instance, imagine that state X has received irrefutable information that state Y is preparing a cyber-attack that will destroy the electrical grid of one of the most populated cities in the country, causing damage similar to what kinetic weapons can achieve. State X only knows that the attack would be performed within a specific timeframe and from a specific location in state Y but, it cannot effectively mount an effective defense of the electrical grid. X state could be justified in assuming that an armed attack is imminent. and the use of force to defend its territory is necessary under Rule 72 of the Tallin Manual 2.0; therefore, an attack against state Y to prevent the attack would be lawful under the argument of proportionate anticipatory self-defense.

Attribution

Attribution is one of the most critical points in the concept of self-defense. The discussion encompasses who is responsible for the attack and, if the responsible party is a state or a non-state actor, who is the prospective target of the self-defense.

There are three primary interpretations to determine attribution and its requirements. The first one is the interpretation of the "effective control test" developed in the ICJ Nicaragua case (1986). This theory asserts that the state targeted by the self-defense response must have been in "effective control" of the individuals who carried out the initial attacks (p. 114).

The second theory is that although attribution is required, a lower threshold than "effective control" is needed to establish attribution. Therefore, the test is replaced by a threshold of support where harboring or acquiescence is enough (^{Proulx, 2005}, p. 615).

The final theory explores the possibility that attribution requirement is not necessary, and states can invoke self-defense against any attacking state within its territory, regardless of whether the state is in any way accountable for the attacks, thus providing almost ungovernable self-defense.

Most international lawyers concur with the ICJ'S effective control theory, viewed as the correct approach. In this sense, the ICJ (1986) argues that self-defense attacks are only permissible when an armed attack by a non-state group is attributed to a state (p. 194-196).

However, this theory has a significant flaw in practice. Some attacking states could use non-state individuals to perform the attack and excuse themselves with the argument of not having "effective control" over the individuals responsible for the attacks, even though they offer them some beneficial conditions such as sheltering and support.

In addition, the Tallinn Manual 2.0 (2017) presents an interesting scenario regarding attribution. The Manual offers two possible conditions to determine whether states are responsible for cyber operations performed by non-state actors (Rule 17): the first one is that the conduct is "engaged in pursuant to its instructions or under its direction or control", or when "the state acknowledges and adopts the operations as its own" (p. 94).

This idea continues to be very critical and controversial. The legitimacy and ability of an offended state to attribute the responsibility to non-state actors and the subsequent self-defense has been and continues to be controversial under international law due to the state of international law regarding this matter.

This point about attribution is extremely important. Suppose the ICJ "effective control" is applied, and the attacked state fails to determine the effective control. In that case, this could essentially preclude the right of lawful self-defense against cyber-armed attacks by non-state actors of offended states.

In short, as mentioned throughout this section, due to the legal and technical complexity of the definition of armed attacks in the cyber-realm, it is rare that one attack of this type could meet all the required conditions referred in Article 51 of the un Charter (^{Pangrazzi, 2021}, pp. 18-19).

Non-state actors

Classification of non-state actors in the cyber context

As mentioned earlier in the paper, the technical complexity of the cyber-realm makes the attribution element definition extremely problematic to the degree that even trying to identify the ultimate location of the parties involved in the attack may be extraordinarily challenging.

The cyber context introduces various types of actors who can pose significant threats to states through a cyber-attack. However, as mentioned in the sections before, even if there is no evidence or association between the non-state actors and the state where they operate, it is clear that an attack on them would fall under the classification of self-defense.

The current development of the cyber realm offers the possibility that a full range of actors participate within it. Professor Johan ^{Sigholm (2016)} presents a descriptive chart of the principal non-state actors within the cybersphere. He includes their motivations and methods in the field, along with the targets when an attack is conducted.

These classifications are extensively explained by the authors Jason ^{Andress and Steve Winterfeld (2011)}. In this section, we will analyze some of the important players concerning cyber-attacks: hacktivists, black-hat hackers, cyber-terrorists, and organized cyber- criminals (p. 193-206).

Firstly, there are hacktivists, defined by ^{Andress and Winterfeld (2011)} as hackers who utilize their skills to support a particular point of view. Their motivations are usually politically oriented, aiming to influence opinions or decisions on a specific issue. For instance, in February of 2010, a group known as Anonymous attacked the web pages of the Australian Parliament House to halt the approval of a law that introduced filtering to the internet service in the country (p. 196).

Next, we have black-hat hackers -groups with higher levels of expertise than hacktivist. They aim to exploit weakness in the system and perform attacks on critical networks or systems with no respect for the law or the potential effects of the attack (p. 197).

Organized cyber-criminals are groups within organized crime that use cybernetic tactics, such as cyberwarfare, to achieve financial goals and generate power. These groups are, as described by the authors as the most dangerous due to the potential effect their activities can have on various state areas, especially population stability (p. 201).

Finally, cyber-terrorists can be explained similarly to traditional terrorist group. These groups or individuals are mostly associated with selecting targets with highly disruptive significance and enormous publicity. As mentioned by ^{Andress and Winterfeld (2011)}, one of the most common supposed targets for cyber terrorism is large-scale electrical grids or water systems in various countries (p. 198-199).

Consequently, cyber-terrorism can be defined as "a range of very different actions, from the simple spread of publicity online, to the alteration or destruction of in-formation, and even to the planning and carrying out of terrorist attacks via the use of computer networks" (^{Mayer, 2018}).

These are just some actors that could intervene in the cyber context and that are capable of performing an attack on state infrastructure or valuable resources from the countries, potentially triggering anticipatory self-defense.

Conclusions

The advancements in technology have brough diverse new risks to the sovereignty and national security of the states in the cyber realm. This poses a challenge for the law on several levels, both domestic and the international. For instance, the international law has historically focused on covering kinetic operations rather than the challenges the cyber realm presents. How the current international legal system addresses this new environment is an enormous challenge that is evolving day by day.

The prognostication that cyber-attacks may reach the level of armed attacks is no longer unrealistic, and there is no doubt that self-defense could apply to cyber-realm. However, there is still uncertainty about applying the law in cyber operations, creating new legal challenges to be tackled.

As stated in Rule 72 (2017) of the Tallinn Manual 2.0, in the context of cyber operations, states are not bound to wait passively until an armed attack occurs. The cyber context offers speed as one of its advantages. Therefore, it is logical to assume that potential victims of cyber-attacks can use anticipatory but proportional forces to prevent any imminent and otherwise avoidable attack (p. 42).

Cyber uses of force and self-defense in the face of an armed attack must further meet the related requirements of attribution, necessity, proportionality, and imminency. Elements that would always limit the responses in anticipation of an attack or even sequent to an attack.

The lawfulness of self-defense against non-state attacks continues to be very problematic and mostly depends on the fulfillment of the attribution element. The attribution requirement is specifically challenging due to the prominent role of non-state actors in cyberspace conflicts and the complexities of attributing cyber-attacks to them because of the secrecy, boundlessness, and speed of cyber operations.

The cyber realm context offers the possibility that aggressions from non-state actors can generate consequences even deadlier than a kinetic attack. It is necessary for states to have the possibility and opportunity to exercise the right of self-defense and hold accountable a non-state actor that is attacking them, even within the territory of another state. However, to do so, the attribution factor must be, to some extent, fulfilled to avoid indiscriminate attacks.