The Concept of Cyber Warfare

Introduction

Background

The emerging technologies in the field of communication and data management have had profound benefits to governments, companies and individuals. It is almost impossible for any large organisation and various governmental departments to avoid using data. According to Denton, some of the leading democracies in the world such as the United States, the United Kingdom, Canada, France, Australia and Belgium have embraced electronic voting system.¹ It means these countries have trusted the safety of digital data to the extent that they use it to allow citizens to exercise their rights of defining their leaders.

Governments all over the world currently have information regarding their citizens stored in digital data. Financial institutions, schools, religious institutions and many other institutions currently prefer storing and managing information in the digital format. It is easier to process, retrieve and share information stored in that format. Some institutions, including some government departments, are eliminating paper files in favour of the digital files.² Many scholars have emphasised the significance of digital data over the past decade. They came up with the concept of cyber security, which refers to the safety of digital data.

Managing the security of digital data has become as important as managing physical assets. Before the United Kingdom introduced the electronic voting system, the government had to deploy security officers to ensure that people exercised their constitutional right to vote without interference. It is understood that voting touches on the issue of a country’s sovereignty. In a democratic country, the ballot should determine the will of the people.

In the last United States presidential election of 2016, there was a major concern that Russians meddled in the country’s election.³ Preliminary investigation revealed that although it may not be easy to determine the extent of the impact of the interference, the allegations were true. It should be understood that the political tension between the two countries has existed since the days of Cold War, with each country arming itself with weapons of mass destruction in case the other attacks.

If a few individuals who are working for an enemy can influence such an important event such as electing the president of the country, then cyber-attack is just as bad as terror attack or even worse. It means that the will of the people does not matter anymore.

Cyber-attack has become a problem even to institutions irrespective of their size of financial capacity. According to Gillies, financial institutions around the world are losing billions of dollars every year to cybercriminals.⁴ In the past, armed robbers would storm a bank and steal the money. However, techno savvy criminals only need to access the target banks online servers and steal from them. In 2013, Yahoo reported that its database had been hacked and 3 billion user accounts compromised.⁵

It was the largest hacking to be reported. Three years later in 2016, Adult Friend Finder reported that more that 412.2 million accounts of its users were compromised. Other social networking sites such as Facebook, Twitter, Instagram and LinkedIn have not been spared either. It means that it is not only the security of various institutions, which is at risk, but also the privacy of individual citizens.

The advancements made in the field of communication and data management means that the global society cannot go back to using traditional methods such as paper files. However, cyber security is becoming bolder and with more profound consequences than was the case in the past. There is even a growing fear that terrorists may soon find ways of taking control of commercial planes remotely and using them as weapons, similar to what happened during the September 11, 2001 in the United States. The global society can no longer ignore the threat posed by cyber-attacks. As such, the concept of cyberwarfare has emerged as the attack and counterattack

Areas of Study

The primary focus of this study is to examine the rules on force relative to the cyberwarfare. In the international arena, laws have been enacted, such as the Geneva Convention, to ensure that sovereignty of a country is respected.⁶ The existence of these laws means that in case there is a breach, legal systems and structures exist where the aggrieved party can pursue justice. Individual countries have also put in place measures to protect their borders from attack or any form of interference. The United States of America, the United Kingdom, Russia, China and all other sovereign countries have the military capable of countering any foreign aggression.

Internally, within the United Kingdom, the government has enacted laws to ensure that its institutions, non-governmental entities, individual citizens and properties are protected. An armed robber can be sentenced to life under the existing laws in the country. Schmitt and Liis also explain that the law also exist that defines how transnational terrorism and international crime can be managed.⁷ But the same cannot be said about criminal and terror activities that happen in the cyberspace.

The existing laws are unable to deal with the amorphous nature of cybercrime, acts of terror and political interference in the cyberspace. Scholars and security experts have advocated for the creation of a ‘Digital Geneva Convention’ as one of the ways of protecting the cyberspace.⁸ Some have suggested the use of force, including armed attacks and threats to the peace as another possible strategy of dealing with the problem of cyber-threats.

The ability to use and relevance of armed attacks as a means of fighting cyber-attacks has always been put to question. For instance, some of the Russians who interfered with the United States’ last presidential elections were living in the United States. When the government realised about the interference, these criminals had fled back to Russia.⁹ Using an armed attack against them may not be possible based on various international laws and treaties, including the Geneva Convention. Any measure that involves a threat to peace goes against the Charter of the United Nation.¹⁰ The complex nature of this issue makes it a unique problem of the 21^st century.

The study will also examine whether the current rules on force can effectively be applied in cyberwarfare. Some treaties have been signed by several nations to help enhance cyberspace security. The EU General Data Protection Regulation (GDPR) was set up in 2016 to help deal with the problem of cyberspace insecurity in the region¹¹. In the same year, the European parliament established Directive on Security of Network and Information Systems (the NIS Directive) to help with the implantation of cyberspace laws.¹²

The main issue is the effectiveness of these laws. For instance, Edelson observe that Russia has been evasive when it comes to signing treaties meant to fight cyber-related crimes.¹³ It means that if a cyber-attack is executed in Russia, then some of the existing laws cannot be applied to deal with such criminals. Such issues further complicate cyberwarfare.

The precedent set by higher courts’ rulings such as the United States Supreme Court can also help in defining a clear legal path of dealing with the problem. In the United States, the Supreme Court has made several rulings that are directly related to cybercrime. The study will look at these rulings and their applicability in other countries around the world. Dinniss claims that some of these landmark rulings are often ignored in other countries depending on their constitution and legal structures.¹⁴

Methodology

Cyberwarfare is becoming an increasingly sensitive topic as people and corporate find themselves victims of cyber criminals. This study will play a significant role in defining an appropriate path of dealing with the problem. As such, the methodology used in data collection and analysis should be reliable. The doctrinal research will involve locating and applying primary sources of law. The researcher will identify treaties, customary international law, cases and rules that are currently in place to help fight the problem. Some of these rulings made may not directly refer to the concept of cyberwarfare, which is relatively new.

The specific words and spirit of the law used in the rulings can help to understand how to act within the law when fighting internet-related crime. Similarly, some of the treaties were signed without taking into consideration the threat posed by cybercriminals. For instance, the United Nations Convention against Transnational Organised Crime (Trafficking Protocol) defines what human trafficking is and the appropriate punishment for those found guilty.¹⁵

A new concept is emerging where criminals are now using the social media, especially Facebook, Instagram and Twitter to achieve the same sinister goals.¹⁶ The study will look at the relevance of these laws in fighting the same crime committed in a new platform. A critical analysis of the primary sources will help in determining their adequacy in managing cyberspace security concerns.

The researcher will also use secondary sources in this study. As Roscini observes, it is prudent for a researcher to review existing literatures to determine what other scholars have found out and research gaps that needs to be addressed.¹⁷

When one reviews secondary sources of information, he or she will avoid unnecessary repetition of existing information. Data will be collected from various legal journal articles published in the recent past. Books will also be used to understand views and proposals made by legal scholars on how the issue should be dealt with based on the emerging trends. The study will not involve collection of data from specific individuals such as lawyers, judges and other legal experts because of the limited time. The researcher believed that views of these experts are already available in their rulings and writings available in books and journal articles. The following research question will guide the process of data collection:

Is International Law, relating to force, adequate to respond to new types of warfare, especially cyberwarfare?

The United Nations Laws on Use of Force and Armed Attack in Cyberwarfare

The previous section of the report provided background information about rules on force relative to the cyberwarfare. In this chapter, the primary focus is to investigate the United Nations Laws on use of force and armed attack in cyberwarfare. As the threat posed by cybercriminals and terrorists using cyberspace to achieve their goal become serious, the need to use force become unavoidable. However, it the existing international laws limit such military actions, especially if the targeted group operates in a foreign country. The chapter seeks to answer the question below:

Does Cyberwarfare breach international laws regarding force, in particular article 2(4) of the Charter of the United Nations

Understanding Concept Warfare

Scholars and security experts have expressed concern over the inadequacy of the existing international laws to deal with the threat posed by cyberwarfare. Tsagourias and Buchan argue that it may be necessary to redefine the concept of warfare in light of the emerging threats.¹⁸ The new definition may help determine how to deal with the problem that has become a major concern to the United States government and many organisations around the world, especially the financial institutions. Tsagourias and Buchan define warfare simple as a military engagement between two or enemies.¹⁹ In this case, it is necessary to find definition of cyberwarfare.

Roscini defines the term as “the conduct of hostilities in armed conflict using cyber technologies.”²⁰ It may involve the use of cyberspace to sabotage the socio-economic and political environment of the enemy. In other cases, information technology may be used to launch direct-armed attack, which would result in physical harm of the target. For instance, when the data within a given airport is manipulated, it may result in a serious harm to people and damage to the infrastructure. The outcome would be equivalent to a terrorist who takes control of a plane and flies it into a building.

Types of Cyberwarfare and Cyber Attacks

Article 42 of the United Nations Charter identifies the appropriate action that can be taken by a country that has been attacked by another in order to protect its people and the national border. It states that when there is an absolute necessity to respond, enforcement action can be by air, land, or sea forces.²¹ It is important to note that in this case the type of national security threat that is defined is the armed attack by another state or a terror group.

The law acknowledges the need for the aggrieved state to use military force to counter such an attack. However, it is important to note that in this case of cyberwarfare, the aggressor may not necessarily use military force to attack the country of interest. The aggressor uses cyberspace to launch the attack. In some cases, the attack may be so bad that it can sabotage the economy or socio-political fabric of a country.

It may lead to internal armed conflicts that may be just as bad as a military attack by the enemy state. It means that a country may be forced to respond effectively to such threats to ensure that its socio-political and economic environment is protected. It is necessary to understand the types of cyberwarfare and attacks that every country should be ready to deal with and what the international laws say about them. Article 4 of the United Nations Draft Convention on Information Security identifies various types of security threats to national peace and stability.²² In this section, the focus will be to discuss some of them, which are relevant to this study.

The use of information technology to engage in hostile activities and aggressive acts was identified as one of the cyber-attacks that a country could supper.²³ It is possible for a state or organised criminal gangs to use information technology to act aggressively towards another state or individuals within a given region. According to Roscini, there is a new trend that terrorists are trying to use to achieve their evil ambitions, which primarily targets airplanes.²⁴

The increased security and surveillance at the airports has made it impossible for these groups to invade airports militarily or by conspiring with the airport officials. Instead, they are now trying to use information technology to take control of the planes remotely once they take off from a given airport. The mysterious disappearance of Malaysian Airline Flight 370 has led many investigators to believe that terrorists or criminal gangs might have taken control of the plane and intentionally made it disappear without a trace.²⁵ Efforts to find the debris have only led to the emergence of more questions and answers.

Although it is not confirmed that criminals or extremists might have taken control of the plane, the possibility of that happening is a major cause of concern. The draft convention acknowledges that in case that should happen, the affected country or entity should consider it a cyber-attack that justifies an appropriate answer. Every state has the right to protect its citizens from any form or attack. If actions of another state or criminal gangs put at risk the life of citizens, it would be justifiable to take appropriate corrective measures.

This proposal was made by Russia to the United Nation for a consideration and approval because of the increasing threat that states and large organisations continue to face as the threat posed by cybercriminals and terrorists continue to become more sophisticated. The definition of attack to a country’s sovereignty, as defined by the United Nations needs to be revised, as Schmitt and Liis observe, because it fails to consider the changing threat to homeland security.

Intentionally destructive behaviour in the cyberspace against critical infrastructures of another state is one of the threats. As explained above, information management is moving from the use of paper files to the digital data. The digital data makes it easy to process, store, retrieve and share relevant information within a given organisation. Some of these organisations rely on effective management and sharing of data for their normal operations such as airports, metro systems and many others. Taking an example of a nuclear management plan, engineers and operators are always under pressure to ensure that they follow strict guidelines to avoid a catastrophe.²⁶

When enemies of the state manipulate data and mistake committed because of the resulting misinformation, the entire plant may turn into a major security threat to the workers and people living around it. It is true that there is yet to be such an occurrence, but there is a possibility that the emerging technologies would facilitate such an attack.

Illegal use of data of another state without permission is another breach. Espionage is still considered a major security threat to homeland security. The United States and Russia have been engaging in acts of espionage for the past several decades to help in determining the strategies and security plans of other nations, especially those considered unfriendly.²⁷ Sometimes the stolen information may be classified because of its significance to national security.

Having access to such information without the direct permission from the government is considered an act of aggression. It compromises the ability of the state to protect its citizens. Eilstrup-Sangiovanni notes that it is common for intelligence agencies to collect information about all security threats that a country faces, common weaknesses that need to be addressed and the available resources to deal with the threats.²⁸

Such information should always remain confidential, especially the identified weaknesses in the security system. When the information is stolen and shared with terror groups, they can know how and when to attack the country. Eilstrup-Sangiovanni believes that illegal use of information of a given state should be considered a direct form of aggression.²⁹

Action in the cyberspace that directly undermines socio-political and economic system of another state is another issue. The United Nations Laws acknowledges that no country should interferer with another state’s socio-economic and political environment. However, the growing sophistication in the cyberspace has made it easy for rogue states and organised criminal gangs to manipulate events happening in other countries.

According to Jurich, there is an allegation that Russia directly meddled in the 2006 presidential election in the United States.³⁰ The proponents of this claim argue that there was a deliberate effort to ensure that one of the candidates does not win the elections. Such claims are worrying, even if they are yet to be proven, as explained above. This form of cyber-attack directly targets the sovereignty of the nation. Instead of allowing citizens to determine who they want their leaders to be, foreign players who have nothing to do with the country’s politics get the opportunity to decide who becomes a leader.

If such a powerful nation with highly sophisticated intelligence system suffered such attack, it means that no country is safe. The attackers may sometimes target a country’s economic sector. Financial institutions have lost billions of dollars to cybercriminals. Such thefts have direct impact on a country’s economy.

Use of the cyberspace to fuel national, religious, racist and xenophobic conflicts is another type of attack. According to Jurich, the growing popularity of internet-based communication has made it possible for people to use these platforms to spread hate and fear amongst a given group of people.³¹ Islamic State of Iraq and Levant is one of the terror organisations that has excelled in using the cyberspace to fuel hate and attacks. Jurich states that ISIL has often relied on Facebook to recruit people from all over the world to join their course.³² They often entice youths with financial rewards and other benefits to convince them to become their fighters. In South Africa, extremists have been using the social media to spread xenophobia. Egan notes that the Arab Spring also relied heavily on the social media.³³

Youths in Libya, Tunisia and Egypt used Facebook and YouTube to plan and coordinate their activities. Although many believe that internal uprising should not be considered an external aggression, when external players fuel it, it constitutes interference to a country’s political environment. Egan explains that elimination of Muammar Gaddafi was largely influenced by external forces.³⁴ The social media was used to motivate youths to take arms against the government. They then received the direct military support needed to eliminate Gaddafi from power.

Use of Force and Armed Attack

The use of force and armed attack have been used interchangeably in most of the existing international legal documents to refer to deploying military officers in a given region to achieve a specific purpose.³⁵ If there is an invasion at the border of a country, the military will be deployed to repel the attackers. In case there is a revolt within a given part of the country, the armed forces will be sent to address that specific security concern.

The United States and allied forces sent troops to Afghanistan during the War on Terror with the specific goal of neutralising insurgents in these specific region that posed threat to homeland security of the United States. In these instances, officers are expected to use force to neutralise the security threat.³⁶ However, cyberwarfare is different from the traditional threats that warranted the use of armed attack. It means that from the legal point of view, it is still not clear how a state should respond militarily to a cyber-attack. The United Nations acknowledges that sometimes it may be necessary to use force to neutralise a threat.

Article 44 of the United Nations Charter states, “When the Security Council has decided to use force it shall, before calling upon a member not represented on it to provide armed forces in fulfilment of the obligation assumed under Article 43, invite that member to participate.” The challenge that the United States and other countries have faced is the best approach that should be used to apply the needed force against the attackers.

Sometimes these individuals may be non-state actors. The Russian government admitted that it is possible a few Russian cyber experts who might have tried to interfere with the elections in the United States, but they were not acting on behalf of the government. It means that if the United States is to respond to such attack, it cannot use force against Russia even if the attackers came from that country. The following are some of the possible ways in which a country can use force to respond to a possible cyber-attack.

Coercion

Scholars and security experts have often questioned the effectiveness of the use of coercion in fighting terror. According to Yannakogeorgos, torture may not be the most appropriate approach of dealing with individuals who are posing threat to national security.³⁷ Other scholars and security experts have defended the use of this form of interrogation to gather facts about intended criminal activities.

Guantanamo Bay is one of the oldest overseas detention camps owned by the United States’ military. From 2002, it was majorly used to detain individuals suspected to be members or sympathisers of Al Qaeda or other entities considered a threat to the United States. In this camp, all forms of torture have been used to force the suspects to reveal the information they know regarding the plans and activities of the terror groups.

Yannakogeorgos notes that some of the suspects sent to this detention camp died soon after the arrival because of the extreme conditions.³⁸ Many others stayed in this camp for years before trial. Despite the controversy surrounding the use of this force, Kostyuk Powell and Skach note that it may be necessary when fighting cybercriminals and members of terror outfits using the cyberspace to achieve their goals.³⁹

In one of the recent interviews, the United States President Donald Trump stated that torture is effective when trying to force an enemy of the state to reveal plans of their organisation.⁴⁰ According to a report by Kania and Costello, many people fear pain and may consider revealing information they know about an issue if it would protect them from the torture.⁴¹ A person may not fear spending time in prison.

However, the physical and psychological torture that many people go through in some of these detention camps is unbearable. If a cybercriminal or terrorist is captured, it may be necessary to subject them to some form of pain so that they can reveal information critical to the security organs. The goal should be to determine the goal of the group when they collect such data, the potential of the threat they pose to the country, all the actors involved in the process, if they are getting any direct or indirect support from a foreign government agencies. The information will help in developing a proactive plan of dealing with the threat.

The legality of the approach based on the United Nations Charter may be questionable. However, Article 44 of the charter acknowledges that sometimes it may be necessary to use force to deal with security threat. Given that it may not be possible for the affected country to use the military to attack the country of origin of the individuals involved, coercing the arrested individuals may be one of the few available options.

Military Inversion

When considering the use of force against a threat posed by terrorists and criminal gangs using cyberwarfare, it may be necessary to look at some of the similar situations that occurred in the past. A perfect example is the armed attack that was organised by the Central Intelligence Agency, the United States Navy SEALs and a team of other security organs in Bilal Town, Abbottabad, in Pakistan. During the War on Terror in Iraq and Afghanistan, one of the primary goals of the American forces was to capture and neutralise Osama bin Laden and his associated who had organised one of the worst attacks in the modern history of the United States.

Unfortunately, bin Laden and most of his associates were never captured. Through years of intelligence gathering, it was established that he was living in Abbottabad, Pakistan. The fact that his residence was a located less than a mile from Pakistani’s Military Academy was a clear indication that he was receiving protection from high-ranking military officials in the country.⁴²

The unique characteristics of the compound such as the fortified walls and the compound being over eight times larger than that within the neighbourhood could not have eluded the country’s intelligence agency. Given that bin Laden was of great threat to United States’ homeland security, a decision was made to plan and execute the attack without informing the host government. Borghard and Lonergan explain that there was the fear that the top government officials responsible for his security would sneak him away from the building if they had the information prior to the attack.⁴³

The team went ahead and successfully neutralised bin Laden and arrested some of his associated. The incident is an example of a possible use of force when it becomes apparent that a country faces an imminent threat to its national security.

When the country is faced with the threat of terrorists or cybercriminals using information technology to sabotage the socio-economic and political environment, it may be necessary to use a similar inversion.

Hall and Schultz warn that care should be taken to avoid a case where the attack escalates to the point where it becomes an inter-state conflict.⁴⁴ During the Abbottabad raid, the United States avoided the use of military forces and instead used civilian agencies such as the Central Intelligence Agency to conduct the raid and neutralise the threat. It was a clear indication that the United States was not at war with Pakistan although it suspected that its top officers had been hiding the criminal. When targeting terrorists using the cyberspace to launch various forms of attack, the primary goal would be to neutralise the threat or arrest the suspect and confiscate their equipment for further analysis.

Cybercriminals and terrorists operate from a given base. They need to have access to internet-enabled devices to achieve their sinister goals. Borghard and Lonergan explain that some of the most dangerous groups have specific buildings, which acts as their bases.⁴⁵ These buildings host their databases where the stolen files and other important documents are stored. They also use these bases to plan and execute their attack.

In case there is a proof that such criminal gangs are operating within a given place and that their actions are intentionally meant to harm innocent citizens or to sabotage the democratically elected government, there would be a justification to launch an attack against the identified targets. In most of the cases, it may be necessary to involve the host government if the attackers are operating outside the borders of the country.⁴⁶ If the intelligence agencies feel that the host country is complicit and may not take the expected step of neutralising the attackers, then a rare case where an action is taken unilaterally by the affected state may be applicable, such as what happened in the Abbottabad raid.

When a country is dealing with state actors, as is the case in the on-going probe of Russia’s interference with the local 2016 Presidential Elections, then using a military action may not be as easy as when dealing with non-state actors. Most of the international laws, which are in force, limit the ability of a country to take military action against the aggressor in preference of other strategies of solving disputes⁴⁷.

It would be unadvisable for the United States to take a military action against Russia without starting a nuclear war. Such an eventuality would be catastrophic to the humanity. As such, many security experts have called for international laws that can help in dealing with the problem, especially when the attack is planned and executed by other powerful nations such as Russia and China.

Breach of Laws Regarding the Use of Force and Armed Attack

When using force, especially an armed attack to fight cybercriminals and terrorists, one of the most important factors that cannot be ignored is the need to act within the international laws. The country’s military agencies have to act as per the guidelines of the United Nation Charter when responding to an attack against its sovereignty and security of its citizens and their property. Henry and Brantly argue that one of the biggest challenges in using force to fight cybercriminals in foreign countries is the inadequacy of the existing international laws.⁴⁸

The existing definition of an attack by external forces against a country’s safety may not apply when dealing with the problem of cyber security. This new form of security threat is relatively new and its impact is becoming more devastating than many security experts had expected. The emerging concern that these extremists can take control of airplanes remotely makes it necessary to find legal ways of dealing with the problem. The United Nations is yet to come up with a proper legal structure to help individual member states deal with the threat.

Cyberwarfare and the Article 2(4) of the Charter of the United Nations

Cyberwarfare is becoming a real threat to homeland security in many countries. The United States and many other countries around the world have developed measures to help them deal with the threat. They have to ensure that their actions are within the law, especially when dealing with state actors in foreign countries. Article 2(4) of the United Nations Charter states, “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”⁴⁹

It means that before using force against a foreign state that is considered the aggressor, it would be necessary for the affected government to get the permission from the United Nations as stated in the subsequent articles. Many security experts view this specific article as a major hindrance to states trying to fight foreign cybercriminals and terrorists using the cyberspace to achieve their goals. Given that it was enacted at a time when cyber security was not considered a major concern, it is understandable that its application in dealing with this new threat is inappropriate.

In response to the question posed at the beginning of this chapter, use of force in response to cyber-threats may breach Article 2(4) of the United Nations Charter that emphasises the need to use other alternative methods to address conflicts. Unless this section is revised to reflect these current threats, it may not be easy to use armed attack without breaking the international laws.

Optional Protocol on the Sale of Children, Child Prostitution and Child Pornography

The use of force to fight emerging security threats must be done with a lot of caution. According to Downes, the affected state must ensure that its actions are backed by the existing international laws.⁵⁰ This protocol outlines the need to protect children from being forced into slavery, sex trade, or in the production of pornographic films. Article one of this protocol states that “parties to protect the rights and interests of child victims of trafficking, child prostitution and child pornography, child labour and especially the worst forms of child labour.”⁵¹

In this case, parties refer to states, which are expected to do everything within their powers to ensure that children are protected from criminal gangs who may want to take advantage of them because of economic or any other reason. It is expected that in case the criminal gangs operate in different countries, all the affected states will coordinate their effort to ensure that they protect children from such attacks.

In the past, the problem of child abduction, trafficking and sale into brothels around the world was believed to be a problem that only affects developing countries. That is no longer the case. A report by Federal Bureau of Investigation shows that over 100,000 underage girls are abducted every year, majority of who are often rescued before being sold into sex slaves.⁵² The United Kingdom, Germany, Canada, Australia and other developed economies are not spared either by this problem. In the past, the criminal gangs would abduct vulnerable targets in locations where adults do not protect them.

However, their strategy has changed. Dela explains that large syndicates are currently using the cyberspace to lure their targets into specific locations before they are abducted.⁵³ They use Facebook, Instagram and other popular social media platforms to achieve their goals. Some of them are enslaved within the country while others are trafficked to other nations where prostitution is legal.

The state has a responsibility to protect its citizens, including young girls and this protocol states in clear terms that all parties involved should work together to protect children. It means that if British girls are abducted and sold in North Korea, it is the responsibility of the two governments to work together to rescue them and facilitate their movement back home. The two states can use the necessary force to supress the criminals during the rescue mission.

If it is determined that the government of North Korea is working in cohort with the criminal gangs, then it would be upon the government of the United Kingdom to use the relevant force to rescue its citizens. If there is a proof that the girls are held in a foreign land without a proper justification, then it can inform the United Nation and if necessary seek support of other states, to ensure that the victims are rescued.

United Nations Convention against Transnational Organised Crime

The United Nations General Assembly realised that there was a need to come up with a way of dealing with the growing problem of transnational organised crime. In East Africa, Joseph Kony-led Lord Resistance Army (LRA) has been a major threat to the country national security. The ability of the Ugandan military to deal decisively with the group has been hampered by the fact that its soldiers can move easily from Uganda to Sudan. The gang is currently using the social media platform to lure young boys to join their military camps. They then are then taken through a process of indoctrination to ensure that they do not leave the camps.

Most of them are often killed during the raids by the government. The Ugandan government has complained that the Sudanese military officials are working closely with these insurgents, complicating the effort to neutralise the group. Such problems are not unique to Africa.⁵⁴ In Europe, insurgents operating East Ukraine have been getting military support from the government of Russia to sustain its war with the government of Ukraine. These insurgents are using modern military equipment and intelligence gathering techniques that is facilitated by Russia. They were blamed for the downing of the Malaysian Airline that was passing through a region they control.

In the past, organised criminal gangs, especially the extremists, had to send their troops or sympathisers to a specific location in order to launch an attack. They had to use that traditional strategy when they attack the United States during the September 11.⁵⁵ The emerging technologies make such strategies anymore. The more the cyberspace becomes increasingly sophisticated, the more the capacity of these criminals to attack a nation increases.

It was a major shock when it was revealed that a few criminals working in a given room were able to influence the United States presidential election, as discussed above. Soon, they may be able to use the same technology to launch serious attacks that may result in direct physical harm to innocent citizens.

These terrorists and criminal gangs cannot operate in the space. They have to operate within a given country. Henry and Brantly states that if these criminals are within the borders of a given country, it is the responsibility of the government to ensure that they are arrested to face the law.⁵⁶ The use of force may be necessary because they should be treated like common criminals. They are no different from armed robbers.

What separates the two is the method used to achieve the selfish goal. If the organised criminal group are operating outside the borders of a country, then the security organs of affected country will need to contact authorities in the host country to ensure that the problem is adequately addressed.⁵⁷ For instance, if the government of the United Kingdom feels that, the country is under a serious threat because of the activities of ISIS, which has its base in Syria and Iraq; it can coordinate with the governments of these countries to neutralise the threat. In case the host government is either unable or unwilling to deal with the threat, then it may force the affected country to use force against the group in the foreign country. Duggan and Oren warns that when using force to fight organised criminal gang in a foreign country, care should be taken to ensure that the specific goal of destroying the gang is achieved.⁵⁸

According to Duggan and Oren, although scholars and security experts are still insisting that the current laws governing the cyberspace are inadequate when it comes to dealing with cybercriminals and other terror groups, the nature of the attack will often define the approach that is taken.⁵⁹ Currently, most of the crimes committed in the cyberspace involve stealing money from banks, stealing data, or manipulating information within a company.

Currently, if an armed robber steals from a bank in the United Kingdom and flees to France, the British authorities can only request the French forces to make an arrest and extradite the criminal back to the United Kingdom to face the law. Other crimes such stealing or manipulating data of a company are not clearly defined in the law.

However, if it can be determined that a criminal gang, supported by another state, successfully launches an attack in a foreign country that leads to loss of lives and damage of property, such should be treated as a military invasion that deserves the use of force as an appropriate response. Iasiello suggests that the United Nations should review some of its protocols to ensure that this issue is captured in clear terms.⁶⁰ It will help in defining the appropriate response that a state should take against the other if it is established that information technology is used to plan and execute an attack.

Vienna Convention on the Law of Treaties

The Vienna Convention on the Law of Treaties, sometimes referred to as treaty on treaties, was signed in 1969 to ensure that all its members abide by all the laws and agreements set by the United Nations General Assembly. According to the convention, the treaty was signed because of the concern of some members that a few rogue states were coming up with strategies to avoid acting within the laws that were signed.⁶¹

As such, the treaty was meant to emphasise the need for every state to ensure that all the international laws are followed to avoid any conflict. Although this convention was signed about 50 years ago, it is still relevant today. It can help the global society to deal with the emerging problem of cyber insecurity. The following three principles of this convention may justify the need for a country to use force when dealing with foreign state and non-state actors that pose a threat to homeland security.

Pacta Sunt Servanda

The term Pacta Sunt Servanda is a Latin word, which means that agreements must be kept. It means that if an agreement is signed stating that every country must respect the sovereignty of other states, as enshrined in various clauses within the United Nations Charter, such an agreement must be respected.⁶² At no point should one state act in a way that would have direct or indirect negative consequences on another state unjustly.

If the Russian government deliberately sponsors information technology experts to interfere with the elections of the United States, that would be considered an interference. The United States would be justified to act in response to such an attack in a way it considers appropriate. Shea explains that the United States, under the leadership of President Barrack Obama, proposed that the country should respond by issuing economic sanctions against Russia.⁶³ It got the support from other NATO members who felt that it was a breach of international law for Russia to meddle in the United States’ election. If the United States can act by imposing economic sanctions, it means that when necessary, military force might be necessary in extreme cases.

Peremptory Norm

A peremptory norm is a fundamental principle of international law accepted by the international society as a norm that does not permit derogation.⁶⁴ It means that member states should not find a way of circumventing the law because of various reasons. The principle guides all international laws regarding maritime piracy, enslavement, genocide, torture, territorial aggrandisement and wars of aggression.⁶⁵

Under this principle, these laws are fundamental to global harmony and no state is expected to come up with national laws that contradict them. It is important to note that torture, enslavement, genocide and wars of aggression are crimes identified as unforgivable under this principle. State and non-state actors can commit these crimes using the cyberspace. As such, the affected states are expected to take appropriate actions to eliminate such threats. If the actor is a foreign entity, the affected state can use all means possible, including the use of force, to ensure that its citizens are not subjected to such criminal acts.

Clausula Rebus Sic Stantibus (Fundamental Change of Circumstance)

The United Nations General Assembly developed this principle because of the fundamental change in circumstances. It holds that sometimes a treaty may be applicable because of the changing circumstances.⁶⁶ For instance, many clauses within the United Nations Charter such as the Article 2(4) of the Charter of the United Nations prohibit a country from using force to address conflicts with another state unless it is militarily provoked. However, fundamental changes in the field of information technology make it possible for a state to attack another without necessarily deploying soldiers into the country of target.

The threat posed by such cyber-attacks may be worse than when the enemy uses troops. These changes make it necessary to reconsider the possible actions that a country can take in response to cyber-attack. A state may opt to ignore some of the treaties, which are silent about cyberwarfare and use force against another state or non-state actors operating in a foreign country to enhance safety of its citizens.

Additional Laws that Could Govern Response to the Cyber Attacks

The previous chapter looked at the United Nations Laws currently in force applicable in managing threats in the cyberspace. In this chapter, the focus will be to review additional laws, rules and cases relevant to the use of force in response to cyber-attack. The United Nations is yet to enact effective international laws that directly address the threat posed by cybercrime. Individual countries have developed laws that may help deal with the problem.

Kaplan argues there has been a need to have regional and international laws because of the nature of the study.⁶⁷ The fact that a cybercriminal in France can hack into banks in the United Kingdom and steal from the financial institution means that cyberwarfare cannot be won by an individual state. It requires a close coordination by states to ensure that the culprits are dealt with in accordance with the law irrespective of their geographic location. As McGhee put it, Russia should be willing to extradite its citizens to a foreign country if it is proven that they have been involved in cybercrime that affects that state.⁶⁸

International laws on cybercrime also eliminate chances that state actors would be involved in cyber-attacks against other member states. In the event that such an attack happens, there should be a clear response plan, including the use of force if necessary. The following are some of the international laws that directly address the issue of cybercrime and how states should respond to an attack.

Convention on Cybercrime

Europe is one of the regions, which are worst affected by the problem of cybercrime. The largest bank in France, BNP Paribas, was one of the biggest casualties of cyber criminals who were keen on stealing from the institution. Financial institutions in Russia, Germany, the United Kingdom and other countries in the region have not been spared. McGhee states that when criminals syphon money from the local financial institutions, it amounts to economic sabotage.⁶⁹ The important role that these institutions play in the local economy means that their failure may have devastating consequences.⁷⁰

Cyberwarfare is also causing security concerns. According to Bertoli and Marvel, security organs in every country often have to classify certain information critical in protecting the state.⁷¹ The information may be about the counterattack plans against a terror group or other enemies of the state. Making such critical information available to the enemy may leave the country vulnerable to an attack. The enemy will know the capacity of the security agents to respond to the threat, resources available, weaknesses identified when, and how it plans to respond. With such critical information, the enemy can redefine its strategy and strike when the security forces least expect. Such threats forced the European Union to come up with a treaty to help member states to fight the threat posed by possible cyber-attack that targets individual citizens, organisations and state agencies.

The European Union Convention on Cybercrime of 2001 seeks to provide a legal background to all member state upon which crimes committed in the cyberspace can be prosecuted.⁷² It identifies illegal access and interception of data, data and system interference, computer-based forgery fraud as major cyber offences that should be punished. Other offences include child pornography and related offences facilitated by computer or other hand-held devices. The convention holds that any attempt to abuse human rights and freedom with the help of information technology constitutes cybercrime. As such, it prohibits spreading of xenophobic sentiments through the social media or any other digital platforms.

The convention was important because it created an environment where all member states could work as a team to fight threats in their cyberspace. Although it acknowledges the independence of each state, there is a commitment by all states that in case there is an attack, all will act as one to address the threat. It means that there would be no safe havens for cybercriminals within the region. The relevance of this law in fighting cyber threats has attracted non-European Union members.

Canada, Japan, Australia, Israel, South Africa, Dominican Republic, Mauritius, Sri Lanka and Panama have signed the treaty. They understand that it is an effective instrument in the cyberwarfare. It is unfortunate that Russia has avoided the convention despite the concern that a significant number of cybercriminals are Russia operating within the Russian territory. China is another state that has a relatively large number of cyber criminals but is to sign the convention.

Additional Protocol to the Convention on Cybercrime

The changing face of cyberwarfare forced the European Union to enact additional laws to limit the ability of individual and groups to use the cyberspace to organise and execute attack on individuals within a given state. As Elad and Amoroso note, the additional protocol of 2006 focuses on criminalising xenophobic and racist materials shared through computer systems.⁷³ Article 6 Section 2 of the Protocol states that each of the member state has the mandate to come up with a system that would prosecute individuals who intentionally use the digital platform to spread hate, violence, or discrimination against another race or group of people within the society. It also emphasises the powers of the European Court of Human Rights to prosecute cases that relate to Holocaust and other related crimes.

In the past, politicians and extremists used the social media to spread hate against a section of the society for political and economic gains. In Germany, the mass murder of Jews was made possible because of the racists’ sentiments that were spread through various platforms. The outcome was the mass murder of over 6 million Jews. In fact, Elad and Amoroso reports that the actual estimates show that over 17 million people, mostly the minorities, lost their lives during the Holocaust.⁷⁴ Similar events happened in Rwanda. The local radio stations were used to spread hate against the Tutsis.

When the civil war broke, over 500,000 people lost their lives, most of who were the minority Tutsis.⁷⁵ It remains one of the worst genocides in the African continent. The same pattern of events that led to the Holocaust and Rwandan genocide is being witnessed in the modern society. While mass media was used then to spread hate, social media has now become the preferred platform. People are using Facebook, Instagram and Twitter to spread hate. The problem is that once violence breaks out, it may not be easy to use the national security instruments to protect the minority. The additional Protocol was largely considered a reminder to the European Union member states of the potential danger of having a cyberspace that is not strictly monitored in terms of the manner of usage.

African Union Convention on Cyber Security and Personal Data Protection

Africa is also concerned about the growing threat posed by cybercriminals and terrorists currently using the internet and other computer-based technologies to achieve their goal. The Convention on Cyber Security and Personal Data Protection of 2018 was a direct response to this threat.⁷⁶ It acknowledges that all the states are at risk of cyber-attack. Hubbard and Nystrom explain that in Africa, financial institutions are the biggest targets of cybercriminals.⁷⁷

They use sophisticated technologies to siphon money from these institutions. Government agencies are also targeted, especially those that have to combat terrorist organisation such as Nigeria in West Africa, Egypt in the north and Kenya and Somalia in East Africa. Sometimes data is stolen from the security organs, compromising the ability of the military to respond to terror threats. In January 2016, Al Shabaab militants were able to intercept an important communication meant for Kenya Defence Forces stationed in El Adde.⁷⁸ The Kenyan military officers were part of the African Union Mission in Somalia (AMISOM) sent to eliminate the Al Shabaab insurgency.

The information made possible for the terrorists to plan and execute an attack that destroyed the camp. About 200 soldiers were killed and others were taken captive.⁷⁹ A few who were not at the camp at the time of the attack managed to escape. It was a clear demonstration of the importance of keeping safe classified information meant to enhance security.

This convention acknowledges that individual member state cannot successfully fight the threat in the cyberspace. For instance, Nigerians have become notorious when it comes to cyber theft.⁸⁰ Using Facebook, e-mail address, or direct phone calls, they lure their unsuspecting victims into revealing important bank statements and pin. They then use the information to transfer funds from their victims’ bank accounts to their own. Their targets may not necessarily be in Nigeria. The syndicate is spread throughout Africa and other parts of the world. When fighting such criminal acts, it is not possible to do so without the direct support from the Nigerian government. The treaty was meant to ensure that every member state is committed to the fight against crimes based on the cyberspace.

Cases Relevant to the Use of Force in Cyberwarfare

The security forces still find it challenging dealing with the threat posed by local and foreign criminals and terrorists who are not using the cyberspace. According to Brantly, some of the existing laws limit the ability of the law enforcement agencies and the military to use force to restore security.⁸¹ It is necessary to look at some of the rulings made by higher courts in the United States, which relate to the fight against cyber threats and how security agents can respond appropriately. The following are some of the cases.

Smith v. Maryland [1979]

One of the best ways of fighting activities of cybercriminals and terrorists is to gather intelligence about their operations to determine when it is appropriate to plan and execute an armed attack. Some of these enemies of the state may need to be physically present in a country to execute their plans. In such cases, it is possible to use force to counter their activities. One of the biggest challenges that intelligence agencies face is the existence of the Fourth Amendment, which prohibits arbitrary search by officers without a warrant.⁸²

The warrant to search premises of a private citizen can only be granted when the judge is convinced that there is a reasonable cause to do so. The officers may not have time to get the warrant every time they suspect that an individual within the country is engaging in acts of espionage against the country or is planning an attack with the help of foreign state and non-state actors. The Fourth Amendment has been a major hurdle, but the ruling made in this case was a major reprieve to the intelligence agencies.

The United States Supreme Court ruled that the use of pen register does not constitute a search as defined in the Fourth Amendment.⁸³ The ruling meant that the United States’ security organs could use electronic devices to record phone numbers that are called by a particular telephone line. Before this ruling, security forces could not use evidence gathered in that manner in court because it would be viewed as information gathered illegally.

The ruling was a major benefit to the country’s law enforcement agencies because it gave them the opportunity to monitor communications of people they regarded as security threats. They could determine the people they were communicating with and the frequency of such communication. Understanding the web of such criminals makes it easy to crack down on their operations. If they are planning an attack, their movement can be monitored and countermeasures taken before members of the public can be subjected to harm.

Katz v. United States [1967]

The Smith v. Maryland ruling made it possible for the security agents to determine the other phone numbers that one was calling, but it was silent on the issue of eavesdropping on the actual conversation. However, knowing what a criminal or an enemy of state is planning is as important as knowing the other contacts, if not more important. The information passed by one criminal to another can help in determine when it is appropriate to use force against a suspected terrorist in time to save lives. Katz v. United States was a major ruling that also went in favour of the security agents.

In this case, Charles Katz argued that the decision by the Federal Bureau of Investigation agents to record his conversation in a public booth was a breach of his privacy rights as enshrined in the Fourth Amendment. The court ruled that right to privacy does not extend to public places, including public telephone booths.⁸⁴ The officers did not intrude into his private property to conduct the search. As such, the recorded conversation was admissible in court.

The ruling was made when cyber security was not an issue. Given the developments in the field of information technology, it cyber security has become a major legal base upon which intelligence agencies can fight cyberwarfare. In the modern society where information is critical when making decisions pertaining to security management, the CIA and FBI are often keen on gathering data about activities of criminal gangs and extremists. This ruling makes it possible to record their conversation in public places as long as the security agents do not intrude into their personal properties. A device can be planted in a public place frequented by the targeted criminals with the aim of understanding what they discuss when their meet or the message they pass when making phone calls.

United States v. Jones [2012]

Using force in the cyberwarfare require security agencies to track movements of criminals or terrorists to understand their activities. In most of the cases, it forces law enforcement agencies to track these enemies of state physically from one place to another. Such a strategy has so many disadvantages. First, it is physically demanding for the involved officers who have to move constantly from one place to another to determine areas where the suspect frequents. Secondly, it is expensive to trail suspects. In other cases, the suspect may realise that he or she is being followed, making them to change the course of action as a way of misleading the officers.

Most importantly, such a strategy may jeopardise the security of the officers involved. They may be lured to a region where they cannot defend themselves before being attacked. As such, the use of Global Positioning System has often been regarded as an easier way of tracking the criminals. In this case, the security forces hoped that the court would rule in their favour.⁸⁵ However, that was not the case.

The Supreme Court held that installing GPS on a vehicle and using information generated therein constitutes a breach of the Fourth Amendment. It was a major blow to the security organs keen on using emerging technological devices to counter threats posed by hostile states and non-state actors operating in the country. The decision meant that the security forces had to use other means in case it would be necessary to track down the physical movements of individuals of interest within the country. It is one of the laws that many consider a major hindrance to the fight against criminals operating within the country’s borders.

Riley v. California [2013]

Some of the worst attacks that the United States has suffered, such as the September 11, 2001 Al Qaeda attack, were coordinated and executed foreign terrorists and a few locals within the United States. Investigations revealed that one of the main weaknesses of the security identified that made it easy for the attack to succeed was the inability to gather timely intelligence about the specific plans of the terrorists.⁸⁶

The ruling made in Katz v. United States allowed security agencies to use recording devices to eavesdrop into the phone conversations made in public booths. Such booths are out-dated and are rarely used by majority of Americans, especially the criminals. Instead, they are using hand-held devices. In this case, Riley was found using a suspended driver’s license. It prompted the officers to conduct a regular search of the car because of the initial mistake of driving without a valid license. It was a regular policy in California. The officers found two short guns, which ballistic reports indicated that a criminal gang in the region had used them.

These events prompted the officers to mine the digital contents of the cell phones without his permission. The search confirmed that he was a member of the gang.⁸⁷ In court, Riley contested the use of contents of his cell phones in the case as his right under the Fourth Amendment was breached when obtaining the information. The hope of the state security agencies was that the court would.

In the ruling, the court held that seizure and search of digital contents of a mobile phone or any other personal hand-held device without a warrant or express permission by the owner is unconstitutional. The ruling is one of the most limiting factors in the country’s ability to win cyberwarfare.⁸⁸ Some scholars have argued that this ruling puts privacy over security. Although the privacy of every citizen is important and must be respected, security is paramount.

When it comes to choosing between the two, security should be given priority at all times. When lives of people are at risk, privacy becomes meaningless. Although the United States and many other countries have complained about the weaknesses of the international law in the fight against cyber threats, some of the national laws and rulings of the Supreme Court also limit the ability of the officers to fight this crime. When privacy is given priority over security, it gives criminals an edge over law enforcement agencies in this fight.

Self-Defence in International Law

In this chapter, the focus is to discuss the existing laws, which validate the use of force in self-defence. Self-defence is a probable cause for a country to use force when faced with a potential threat to national security. One of the cardinal responsibilities of the state is to ensure that its citizens are safe from any external aggression. It explains why every state has established military unit primarily meant to fight external aggression. The United Nations Charter, under Chapter VII focuses on the action that a state the Security Council should take in response to threats to peace and acts of aggression.⁸⁹ In this chapter, the member states appreciates the fact that although it is always necessary to avoid military action by one state against another, in some cases it may not be possible to avoid such actions.

Chapter VII, Article 51

Chapter VII, Article 51 gives an aggrieved member state an express authority to use force as self-defence in case it is attacked by another state or if actions of another state directly affects its sovereignty. The chapter has two clauses, which according to Kolton, should be understood by the state using force in self-defence against another.⁹⁰ The first clause states, “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.”⁹¹

In this clause, it gives an express permission to its member states to use force individually or collectively in self-defence if it under an armed attack. It means that when the attack occurs, the affected country does not need to get an approval of the United Nations General Assembly or Security Council to act. The state or states affected should treat it as an emergency and all other United Nation Charter clauses will be suspended.

The second clause of the article states, “Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.”⁹² It means that while responding to the threat, the aggrieved state or states should report to the Security Council immediately about the decision.

The Security Council is expected to convene as soon as possible and consider the appropriate action that should be taken. The council may decide to let the counterattack proceed if it is convinced the action was taken in self-defence. It may decide to send its troops to help in the self-defence. It may decide to halt the response if it feels that the action taken was not in self-defence. The actors must respect the decision made by the Security Council.

Appling this article in cases of cyber-attacks may be challenging. The wording is very clear. The express authority to use force is given if one state attacks another. In this case, the word ‘attack’ is used in reference to a military offensive by the other state. The action taken by the self-defending state is meant to ensure that the aggressor is stopped before it is too late. However, that may not be the case in a cyber-attack.

The assumption of this law is that failure of the affected state to act may have irreparable consequences and that using armed force will help stop the attack. In cyberwarfare, the aggressor may not necessarily use the kind of force as defined in the article. It makes it difficult to determine the relevance of this law in response to a cyber-attack. Gray, Citron and Rinehart argue that when responding to a sensitive issue such as that which involves homeland security, it is important to understand the letter and spirit of the law.⁹³ A state is allowed to act in self-defence ‘if an armed attack’ occurs against it. That is the letter of the law.

If that is followed strictly, then it may not be easy to respond to a cyber-attack using force unless there is a direct proof that the cyber-attack also involve the use of weapons in one way or the other. The spirit of the law may be stretched beyond the current interpretation of actual use weapons by attackers. At the time when this law was developed, the drafters had not envisaged a situation where information technology may be used to launch an armed attack against a country. As that becomes a reality, it may be possible to use this clause to justify the use of force in the cyberwarfare. It may be a little complex for a state to convince other member states that the attack launched through the cyberspace is equivalent to an armed attack because of the impact on citizens or property of a country.

Chapter VII, Article 39

The United Nations Charter’s Chapter VII focuses on how to respond to threats to peace, possible cases where there is a breach of peace and any act of aggression against a state. Although Article 51 of the chapter gives express permission for the stated affected by the attack to respond using force as soon as possible, justifying the use of force as defined in that article may not be easy because of the phrase ‘if armed attack occurs’.⁹⁴

Cybercriminals and terrorists are no longer using armed attack to achieve their goals. They use the cyberspace. The outcome of their actions may be just as devastating as an enemy that uses force. It would be justifiable to use force, but the Article 51 may not be the best justification for such an action. Article 39 offers an alternative solution to the problem, especially if the attacker is another state. The article states, “The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security”.⁹⁵

The spirit and letter of this article is broad enough to justify the use of force against an enemy that uses the cyberspace to achieve selfish goals. It allows the Security Council to determine if a country is under a threat to the peace or if the enemy engages in acts of aggression. It important to note that in this article, there is no mention of the phrase ‘armed attack’ as was the case previously.

It means an acknowledgement is made that sometimes an attack may occur even if the aggressor is not using armed attack. The Security Council is tasked with the responsibility of reviewing the nature of the attack and determining the appropriate action that should be taken as outlined in Articles 41 and 42. In Article 41, it is stated that the Security Council may opt to use punitive strategies that do not involve the use of armed force. They may include economic sanctions to ensure that the state acting aggressively against the other is forced to respect the law.

Using article 39 and 42 together may be the best justification of the need to use force when responding to cyber-threats, especially if the perpetrator is a state. Article 42 states, “Should the Security Council consider that measures provided for in Article 41 would be inadequate or have proved to be inadequate, it may take such action by air, sea, or land forces as may be necessary to maintain or restore international peace and security.”⁹⁶

Article 39 stated that the Security Council should look into acts of aggression committed by one state against the other and determine whether the best response would be as enshrined in Article 41 or 42. In Article 42, the law states that it is possible to use land, air, or sea forces to respond to such acts of aggression. As stated in other clauses, the Security Council will help the aggressed in using force to respond to the threat by sending additional troops. Although it may take time to convince the council of the seriousness of the cyber-attack, if they are convinced that the use of force is justified, there will be a legal ground to send troops to the foreign country to neutralise the threat.

Chapter VII of the United Nations Chapter provides the legal ground upon which a country may use force in self-defense in case it is under attack by external forces. Blacker states that the entire chapter does not mention anything about terrorism and counter-terrorism.⁹⁷ Cyberspace has made it possible for terror organisations and organised criminal gangs to spread their operations beyond their national border.

A small group of information technology experts can plan and execute a devastating attack on a government department or an organisation in a foreign country. It may be necessary to respond to such threats in the best way possible, even if the use of force is necessary. The host state may be unwilling or unable to help the affected state to deal with the threat. This chapter, given that it talks about the direct use of force to respond to the threat, should have outlined the possible actions that a state should take when dealing with non-state actors. As it is currently, the international law is still unclear on how states should respond to cyber-attack committed by foreigners who are not living within the borders of the affected country.

Security Council

The Security Council has a responsibility to ensure that there is international peace. A deliberate decision of one state to compromise the sovereignty of another state through armed attack or other means is considered a security breach. While Chapter VII, Article 51 gives the aggrieved state the permission to use force in self-defence to stop the attack, the same chapter states that the Security Council should be informed immediately so that it can review the relevance of the use of force to respond to the attack.

It means that the council has the power to call off the use of force in self-defence if it is convinced that other better avenues exist in solving the problem or if it feels the state is not justified to use force in self-defence. Several clauses with Chapter VII of the Charter outline various responsibilities of the Security Council when dealing with the threat to peace and other acts of aggression.

Article 46 states, “Plans for the application of armed force shall be made by the Security Council with the assistance of the Military Staff Committee.”⁹⁸ It means that even if a country makes a decision to use force against a potential security threat in the cyberspace, the Security Council in consultation with the Military Staff Committee must determine the sustainability of such action. The decision of the Military Staff Committee is important because it is the body that is expected to give military assistance to the affected state when the council decides that the use of force is unavoidable. Blacker explains that it is always critical to ensure that if the use of force is chosen, it should be done successfully.⁹⁹

The aggressor should be suppressed with minimal force and shortest time possible and without casualty to civilians. In Article 47, the charter explains when the council should call upon member states to send their troops to help the affected state and how the armed attack should be organised.

The provisions of this chapter based on how it explains the relevance of use of force in self-defence lack clarity on how to deal with cyber-attack, which in most of the cases may not be defined as an armed attack but consequences can be devastating. Blacker notes that there is need for a Digital Geneva Convention that will protect the cyberspace.¹⁰⁰ The effort made by regional blocks such as the European Union and African Union to address this threat is an indication that the global society is acknowledging the threat posed by criminals and rogue states within the cyberspace. However, the problem is not regional in nature but global.

A Chinese cybercriminal may attack a Kenyan or South African government or private institution without having to travel to Africa. Without the assistance of the Chinese government, the African Union may not stop the attack even if the region has some of the best laws to deal with the problem. Legal structures set by the European Union only affect its member states. As such, there is a need to have a legal system at a global level that will remain binding to all the member states. The Digital Geneva Convention, which should be convened by the United Nations, is viewed as the best way of dealing with the growing threat to security and economic prosperity posed by cybercriminals.

The Digital Geneva Convention should be clear when it would be necessary to use force in self-defence when dealing with cyber-threats. Chapter VII of the United Nations Charter should be expanded to include the threat that member states face because of the growing sophistication in the cyber-space. As Blacker notes, the new law should address the steps that the offended state should take to avoid a possible escalation of the problem.¹⁰¹

Sometimes rogue state officials or other criminals who have no permission from the top government officials in the host country commit such security breaches. The assumption would be that if that is the case, then the state will take appropriate actions against the individuals and the issue would be resolved amicably between the two states. If that approach fails to work because of the interest of the host state in such acts of aggression, the digital charter should explain when the use of force would be justifiable in self-defence and how it should be executed. Its creation will help in addressing the challenge that many states face in the cyberwarfare.

Conclusion

The cyberspace has become the new battlefront for states and criminals gangs keen on demonstrating their dominance in the global arena. The United States and Russia may have the largest stockpile of nuclear weapons in the world, but chances are very low that the two states would use them. Civilisation, globalisation and improved international trade have all limited the likelihood of cases of armed conflict of one state against the other, especially in the developed economies. However, that does not mean one state cannot act aggressively towards another contrary to the international laws.

The decision by Russia to annex Crimea from Ukraine was an unprecedented and it was a reminder that every state should be willing and ready to use force against foreign powers. The study reveals that terrorists and rogue states are currently using the cyberspace to attack other states of specific organisations of interests. Financial institutions were the primary targets of cybercriminals who were interested in enriching themselves through information technology-based crime. The threat has become broad in scope and security agencies, especially the intelligence units, are currently facing constant threat of security breaches in the cyberspace. Some of these acts are sponsored by rogue states.

The existing international laws are inadequate to respond to new types of warfare, especially cyberwarfare. The United Nations is yet to enact laws that identify cyber-attacks as threats to national security that may need armed attack to address. The European Union and other international borders have tried to develop laws that can help states to coordinate their activities in fighting cyber-attacks.

The finding shows that there is no law that outlines how force can be used by one state against the other in cases where cyberspace is used to breach peace. The United Nations Charter Chapter VII, Article 51 gives express permission for a state to use force against armed attack that is committed by a hostile state or criminal gangs. Nevertheless, this law does not recognise cyber-attack as one that justifies the use of force. It does not mean the affected country cannot use force if it feels that the same is justified. The following proposal could be applied in case a state feels that there is need to use force to deal with the cyber-threat that is posed by a hostile state or an organised criminal gang:

• The affected state should launch a formal complaint to the aggressive state about the attack and issue the necessary warning. In case the attack is committed by an organised gang operating in a foreign land, the host government should be informed about the same and advised to take relevant corrective measures.
• If the warning is ignored and the attack persists, the affected state should file a complaint with the Security Council explaining the nature of the attack and the need to use force to address it.
• The Security Council, using United Nations Charter Chapter VII, Article 39, will determine whether the use of force, as explained in Article 42 of the chapter is necessary or if other measures discussed in Chapter 41 would be needed.
• In case a state is convinced that a cyber-attack by the hostile state or an organised criminal gang also involve the use of weapons to achieve a sinister motive, then Chapter VII, Article 51 grants it express permission to use force in self-defence.

Bibliography

Andress J and Winterfeld S, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (Elsevier 2014).

Bertoli G and Marvel L, ‘Cyberspace Operations Collateral Damage – Reality or Misconception?’ (2017) 2 The Cyber Defense Review 53.

Bitecofer R, The Unprecedented 2016 Presidential Election (Palgrave Macmillan 2018).

Blacker N, ‘Winning the Cyberspace Long Game-Applying Collaboration and Education to Deepen the U.S. Bench’ (2017) 2 The Cyber Defense Review 21.

Borghard DE and Lonergan SW, ‘Confidence Building Measures for the Cyber Domain’ (2017) 3 Strategic Studies Quarterly 10.

Brantly FA, ‘The Violence of Hacking: State Violence and Cyberspace’ (2017) 2 The Cyber Defense Review 73.

Brown G and Keira P, ‘The Customary International Law of Cyberspace’ (2012) 6 Strategic Studies Quarterly 126.

Buchan R, International Law and the Construction of the Liberal Peace (Hart Publishing 2013).

The Council of Europe, Additional Protocol to the Convention on Cybercrime, Concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed Through Computer Systems, 2001, Council of Europe, European Treaty Series, vol. 189, p. 1.

The Council of Europe, Convention on Cybercrime, 2001, Council of Europe, European Treaty Series, vol. 185, p. 1.

Dela P, ‘Cyberspace as the Environment Affected by Organized Crime Activity’ (2016) 15 Connections 55.

Denton ER, The 2016 US Presidential Campaign: Political Communication and Practice (Springer International Publishing 2017).

Dinniss HH, Cyber Warfare and the Laws of the War (Cambridge University 2012).

Dobrin IS, Digital Environments (Transcript Verlag 2017).

Downes C, ‘Strategic Blind–Spots on Cyber Threats, Vectors and Campaigns’ (2018) 3 The Cyber Defense Review 79.

Duggan MP and Elizabeth O, ‘U.S. Special Operations Forces in Cyberspace’ (2016) 1 The Cyber Defense Review 73.

Edelson C, Power Without Constraint: The Post-9/11 Presidency and National Security (The University of Wisconsin Press 2016).

Egan JB, ‘International Law and Stability in Cyberspace’ (2017) 35 Berkley Journal of International Law 169.

Eilstrup-Sangiovanni M, ‘Why the World Needs an International Cyberwar Convention’ (2018) 31 Philos. Technol 379.

Elad Y and Edward GA, ‘The Role of Commercial End-to-End Secure Mobile Voice in Cyberspace’ (2018) 3 The Cyber Defense Review 57.

The General Assembly, Optional Protocol to the Convention on the Rights of the Child on the Involvement of Children in Armed Conflicts, 2000, United Nations, Treaty Series, vol. 54, p. 1.

The General Assembly, Resolution Adopted by the General Assembly, 31 January 2003, United Nation, Fifty-Seventh Session, Agenda item 84 (c).

Gillies J, Political Marketing in the 2016 U.S. Presidential Election (Springer International Publishing 2018).

Gray D, Citron DK, and Rinehart LC, ‘Fighting Cybercrime Afer United States v. Jones’ (2013) 103 Journal of Criminal Law and Criminology 745.

Hall OA, and Schultz BM, ‘Direct Commission for Cyberspace Specialties’ (2017) 2 The Cyber Defense Review 111.

Harold SW, Libicki MC and Cevallos AS, Getting to Yes with China in Cyberspace (RAND Corporation 2016).

Henry S and Brantly AF, ‘Countering the Cyber Threat’ (2018) 3 The Cyber Defense Review 47.

Hubbard DK and Nystrom J, ‘Financial Stewardship in the Land of “1’s and 0’s”’ (2018) 3 The Cyber Defense Review 15.

Iasiello E, ‘China’s Three Warfares Strategy Mitigates Fallout from Cyber Espionage Activities’ (2016) 9 Journal of Strategic Security 45.

Jurich PJ, ‘Cyberwar and Customary International Law: The Potential of a “Botom-up” Approach to an International Law of Information Operations’ (2008) 9 Chicago Journal of International Law 275.

Kania BE and Costello JK, ‘The Strategic Support Force and the Future of Chinese Information Operations’ (2018) 3 The Cyber Defense Review 79.

Kaplan F, Dark Territory: The Secret History of Cyber War (Simon & Schuster 2016).

Katz v. United States [1967] The United States Court of Appeals for The Ninth Circuit 389, [1975] 347 USCANC 1.

Kolton M, ‘Interpreting China’s Pursuit of Cyber Sovereignty and its Views on Cyber Deterrence’ (2017) 2 The Cyber Defense Review 119.

Kostyuk N, Powell S and Skach M, ‘Determinants of the Cyber Escalation Ladder’ (2018) 3 The Cyber Defense Review 123.

Maurer T, Cyber Mercenaries (Cambridge University Press 2018).

McGhee EJ, ‘Liberating Cyber Offense’ (2016) 10 Strategic Studies Quarterly 46.

Nance M, The Plot to Hack America: How Putin’s Cyberspies and Wikileaks Tried to Steal the 2016 Election (Skyhorse Publishing 2016).

Rid T, Cyber War Will Not Take Place (Oxford University Press 2017).

Riley v. California [2013] The Court of Appeal of California 13-132, [2014] 4 CAC 1.

Roscini, M, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014).

Schmitt NM and Liis V (eds), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017).

Shakarian P, Shakarian J and Ruef A. Introduction to Cyber-Warfare: A Multidisciplinary Approach (Morgan Kaufmann Publishers 2013).

Shea J, ‘How is NATO Meeting the Challenge of Cyberspace?’ (2017) 7 The Fifth Domain 18.

Smith v. Maryland [1979] The Court of Appeals of Maryland 78-5374, [1975] 442 CAM 735.

Tsagourias N and Buchan R (eds), Research Handbook on International Law and Cyberspace (Edward Elgar 2014).

United Nations, Chapter VII: Action with Respect to Threats to the Peace, Breaches of the Peace, and Acts of Aggression, 2016, United Nations Charter.

United Nations, Vienna Convention on the Law of Treaties, 1969, United Nations, Treaty Series, vol. 1155, p. 331.

United States v. Jones [2012] The United States Court of Appeals for the District of Columbia Circuit 10-1259, [2012] USCADCC 1.

Yannakogeorgos AP, ‘Internet Governance and National Security’ (2012) 6 Strategic Studies Quarterly 102.

Footnotes

1. Denton E Robert, The 2016 US Presidential Campaign: Political Communication and Practice (Springer International Publishing 2017) 21.
2. Ibid [38].
3. Ibid [57].
4. Gillies Jamie, Political Marketing in the 2016 U.S. Presidential Election (Springer International Publishing 2018) 34.
5. Ibid [44].
6. Ibid [78].
7. Schmitt N Michael and Vihul Liis (eds), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017) 28.
8. Ibid [25].
9. Bitecofer Rachel, The Unprecedented 2016 Presidential Election (Palgrave Macmillan 2018) 67.
10. Ibid [69].
11. Ibid [70].
12. Ibid [72].
13. Edelson Chris, Power Without Constraint: The Post-9/11 Presidency and National Security (The University of Wisconsin Press 2016) 89.
14. Dinniss H Heather, Cyber Warfare and the Laws of the War (Cambridge University 2012) 25.
15. Tsagourias Nicholas and Russell Buchan (eds), Research Handbook on International Law and Cyberspace (Edward Elgar 2014) 18.
16. Ibid [23].
17. Roscini, Marco, Cyber Operations And the Use of Force in International Law (Oxford University Press 2014) 56.
18. Tsagourias Nicholas and Russell Buchan (eds), Research handbook on International Law and Cyberspace (Edward Elgar 2014).
19. Ibid [46].
20. Roscini, Marco, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014) 11.
21. Ibid [67].
22. Shakarian Paulo, Jana Shakarian and Andrew Ruef. Introduction to Cyber-Warfare: A Multidisciplinary Approach (Morgan Kaufmann Publishers 2013).
23. Rid Thomas, Cyber War Will Not Take Place (Oxford University Press 2017) 24.
24. Ibid [98].
25. Schmitt N Michael and Vihul Liis (eds), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017).
26. The General Assembly, Resolution Adopted by the General Assembly, 2003, United Nation, Fifty-Seventh Session, Agenda item 84 (c).
27. Ibid [2].
28. Eilstrup-Sangiovanni Mette, ‘Why the World Needs an International Cyberwar Convention’ (2018) 31 Philos. Technol 379.
29. Ibid [380].
30. Jurich P Jon, ‘Cyberwar and Customary International Law: The Potential of a “Botom-up” Approach to an International Law of Information Operations’ (2008) 9 Chicago Journal of International Law 275.
31. Ibid [276].
32. Ibid [278].
33. Egan J Brian, ‘International Law and Stability in Cyberspace’ (2017) 35 Berkley Journal of International Law 169.
34. Ibid [170].
35. Brown Gary and Keira Poellet, ‘The Customary International Law of Cyberspace’ (2012) 6 Strategic Studies Quarterly 126.
36. Andress Jason and Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (Elsevier 2014) 54.
37. Yannakogeorgos A Panayotis, ‘Internet Governance and National Security’ (2012) 6 Strategic Studies Quarterly 102.
38. Ibid [103].
39. Kostyuk Nadiya, Scott Powell and Matt Skach, ‘Determinants of the Cyber Escalation Ladder’ (2018) 3 The Cyber Defense Review 123.
40. Ibid [123].
41. Kania B Elsa and John K Costello, ‘The Strategic Support Force and the Future of Chinese Information Operations’ (2018) 3 The Cyber Defense Review 79.
42. Hall O Andrew and Brian M Schultz, ‘Direct Commission for Cyberspace Specialties’ (2017) 2 The Cyber Defense Review [111].
43. Ibid [112].
44. Hall O Andrew and Brian M Schultz, ‘Direct Commission for Cyberspace Specialties’ (2017) 2 The Cyber Defense Review [111].
45. Borghard D Erica and Shawn W Lonergan, ‘Confidence Building Measures for the Cyber Domain’ (2017) 3 Strategic Studies Quarterly 10.
46. Maurer Tim, Cyber Mercenaries (Cambridge University Press 2018) 67.
47. Ibid [11].
48. Henry Shawn and Aaron F Brantly, ‘Countering the Cyber Threat’ (2018) 3 The Cyber Defense Review 47.
49. Ibid [48].
50. Downes Cathy, ‘Strategic Blind–Spots on Cyber Threats, Vectors and Campaigns’ (2018) 3 The Cyber Defense Review 79.
51. Ibid [80].
52. Ibid [80].
53. Dela Piotr, ‘Cyberspace as the Environment Affected by Organised Crime Activity’ (2016) 15 Connections 55.
54. Ibid [55].
55. Harold Scott, Libicki Martin and Cevallos Stuth, Getting to Yes with China in Cyberspace (RAND Corporation 2016) 19.
56. Ibid [58].
57. Buchan Russell, International Law and the Construction of the Liberal Peace (Hart Publishing 2013) 34.
58. Duggan M Patrick and Elizabeth Oren, ‘U.S. Special Operations Forces in Cyberspace’ (2016) 1 The Cyber Defense Review 73.
59. Ibid [73].
60. Iasiello Emilio, ‘China’s Three Warfares Strategy Mitigates Fallout From Cyber Espionage Activities’ (2016) 9 Journal of Strategic Security 45.
61. United Nations, Vienna Convention on the Law of Treaties, 1969, United Nations, Treaty Series, vol. 1155, p. 331.
62. United Nations, Vienna Convention on the Law of Treaties, 1969, United Nations, Treaty Series, vol. 1155, p. 331.
63. Shea Jamie, ‘How is NATO Meeting the Challenge of Cyberspace?’ (2017) 7 The Fifth Domain 18.
64. Ibid [19].
65. The General Assembly, Resolution Adopted by the General Assembly, 2003, United Nation, Fifty-Seventh Session, Agenda item 84 (c).
66. Ibid [84].
67. Kaplan Fred, Dark Territory: The Secret History of Cyber War (Simon & Schuster 2016) 23.
68. McGhee E James, ‘Liberating Cyber Offense’ (2016) 10 Strategic Studies Quarterly 46.
69. Ibid [47].
70. The Council of Europe, Convention on Cybercrime, 2001, Council of Europe, European Treaty Series, vol. 185, p. 1.
71. Bertoli Giorgio and Lisa Marvel, ‘Cyberspace Operations Collateral Damage – Reality or Misconception?’ (2017) 2 The Cyber Defense Review 53.
72. The Council of Europe, Additional Protocol to the Convention on Cybercrime, Concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed Through Computer Systems, 23 November 2001, Council of Europe, European Treaty Series, vol. 189, p. 1.
73. Elad Yoran and Edward G Amoroso, ‘The Role of Commercial End-to-End Secure Mobile Voice in Cyberspace’ (2018) 3 The Cyber Defense Review 57.
74. Ibid [58].
75. Ibid [58].
76. Ibid [59].
77. Hubbard D Kenneth and Jared Nystrom, ‘Financial Stewardship in the Land of “1’s and 0’s”’ (2018) 3 The Cyber Defense Review 15.
78. Ibid [16].
79. Brantly F Aaron, ‘The Violence of Hacking: State Violence and Cyberspace’ (2017) 2 The Cyber Defense Review 73.
80. Ibid [74].
81. Ibid [74]
82. Smith v. Maryland [1979] The Court of Appeals of Maryland 78-5374, [1975] 442 CAM 735.
83. Ibid [736].
84. Katz v. United States [1967] The United States Court of Appeals For The Ninth Circuit 389, [1975] 347 USCANC 1.
85. United States v. Jones [2012] The United States Court of Appeals for the District of Columbia Circuit 10-1259, [2012] USCADCC 1.
86. Riley v. California [2013] The Court of Appeal of California 13-132, [2014] 4 CAC 1.
87. Ibid [1]
88. Ibid [2].
89. The General Assembly, Optional Protocol to the Convention on the Rights of the Child on the Involvement of Children in Armed Conflicts, 25 May 2000, United Nations, Treaty Series, vol. 54, p. 1.
90. Kolton Michael, ‘Interpreting China’s Pursuit of Cyber Sovereignty and its Views on Cyber Deterrence’ (2017) 2 The Cyber Defense Review 119.
91. United Nations, Chapter VII: Action With Respect To Threats to the Peace, Breaches of the Peace and Acts of Aggression, 23August 2016, United Nations Charter, 1.
92. Ibid [2].
93. Gray David, Danielle K Citron and Liz C Rinehart, ‘Fighting Cybercrime Afer United States v. Jones’ (2013) 103 Journal of Criminal Law and Criminology 745.
94. United Nations Charter [2].
95. Ibid [3].
96. Ibid [4].
97. Blacker Nancy, ‘Winning the Cyberspace Long Game-Applying Collaboration and Education to Deepen the U.S. Bench’ (2017) 2 The Cyber Defense Review 21.
98. United Nations Charter [2].
99. Blacker Nancy, ‘Winning the Cyberspace Long Game-Applying Collaboration and Education to Deepen the U.S. Bench’ (2017) 2 The Cyber Defense Review 21.
100. Ibid [22].
101. Ibid [23].