In the ever-evolving landscape of modern warfare, the significance of cyber operations has grown significantly. These operations provide nations with additional means to project power, exert influence, and secure strategic advantages in the global arena.
This article discusses recent cyber activities in Armenia, focusing on the prohibition of the use of force under the United Nations Charter. The analysis aims to shed light on the evolving nature of conflicts in the digital age and their adherence to the foundational principles established by the UN.
You Sometimes Get Notified
Recently Apple issued alerts to individuals in Armenia, cautioning them about potential targeting by state-sponsored hackers. A collaborative investigation involving various cybersecurity experts and laboratories has revealed a connection between these hacking incidents and the NSO Group’s Pegasus spyware.
Evidence suggests that Azerbaijan is among the clientele of Pegasus. The investigation identified at least two suspected Pegasus operators based in Azerbaijan. One operator appeared to focus on targets within Azerbaijan, while the other targeted a wider range of entities within Armenia. This discovery underscores the intricacies of potential geopolitical implications of state-sponsored cyber activities, particularly in the context of the Armenia-Azerbaijan conflict.
This backdrop highlights how nations are leveraging technological advancements to advance their interests, prompting a reassessment of legal considerations in the realm of cyber operations.
Defining and Contextualizing Cyber Operations
According to the US Department of Defense, a “cyberspace attack” refers to actions conducted in cyberspace that produce noticeable effects, such as degradation, disruption, or destruction within cyberspace, or manipulation causing denial of service that affects physical systems or operations.
The landscape of major cyber operations has witnessed pivotal events that have shaped the trajectory of cybersecurity and alleged state-sponsored activities.
- Denial-of-Service Attacks on Estonia (2007) and Georgia (2008): In 2007, Estonia faced a series of massive distributed denial-of-service (DDoS) attacks, primarily attributed to tensions with Russia. A Denial-of-Service (DoS) attack is a malicious attempt to disrupt the regular functioning of a targeted server, network, or service by overwhelming it with a flood of illegitimate traffic, rendering it temporarily or indefinitely unavailable to users. These attacks targeted essential government websites, banks, and media outlets, demonstrating the potential effects of cyber operations on a nation’s digital infrastructure. In 2008, during the conflict between Russia and Georgia, cyber attacks against Georgian websites and critical infrastructure marked a notable escalation in the use of cyber capabilities as a tool of warfare.
- Stuxnet Worm (2010): Stuxnet is a sophisticated computer worm that targeted Iran’s Natanz nuclear enrichment facility in June 2010. It is widely believed to be a joint creation of the United States and Israel. By exploiting vulnerabilities in industrial control systems, Stuxnet sabotaged Iran’s uranium enrichment efforts, demonstrating the potential of cyber weapons to physically damage critical infrastructure. The worm was introduced into computers at Iranian nuclear facilities via an infected USB device. Its specific mission was to locate its final target and inflict damage by rapidly altering the rotational speed of motors. By making precise adjustments to these speeds, the virus could cause the nuclear enrichment centrifuges to fail catastrophically.
- Mandiant Report on Chinese Cyber Operations (2013): The 2013 Mandiant report exposed a Chinese military unit’s involvement in cyber espionage against the United States. It detailed a pattern of targeted cyber intrusions aimed at stealing sensitive information from U.S. companies and government agencies. This revelation strained diplomatic relations between the U.S. and China and brought attention to the role of nation-states in cyber-espionage activities.
- Russian Cyber Operations in Ukraine (since 2014): Since the illegal annexation of Crimea in 2014, Russia has utilized cyber operations as a part of its broader strategy against Ukraine. Advanced persistent threat (APT) groups, such as Sandworm, were implicated in the 2015 BlackEnergy campaign that targeted Ukrainian power generation and distribution. On January 4, 2024, it was reported that Russian hackers had infiltrated the system of Ukraine’s leading telecoms company, Kyivstar,.The cyberattack began in May of the previous year, resulting in a prolonged service disruption for approximately 24 million users, and lasting for several days, starting from December 12, 2023. Sandworm was purportedly responsible for orchestrating this operation, further underscoring the persistent and impactful nature of state-sponsored cyber operations in the current geopolitical landscape.
The emerging question revolves around whether jus ad bellum, the legal framework governing the use of force, applies to cyber operations. Article 2(4) of the UN Charter is the cornerstone of contemporary international law, prohibiting the use of force, including cyber operations, in interstate relations. The provision states:
“All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the Purposes of the United Nations.”
Drawing from the International Court of Justice’s (ICJ) Nuclear Weapons advisory opinion, which asserts that the law on the use of force governs “any use of force, regardless of the weapons employed,” it can be inferred that jus ad bellum extends to cyber operations launched against a state, whether in isolation or as part of a broader kinetic operation.[1]
This interpretation is supported by the International Group of Experts invited by the North Atlantic Treaty Organization (NATO) Cooperative Cyber Defense Center of Excellence in 2009. These experts delved into both the jus ad bellum and jus in bello (international humanitarian law) aspects of cyberspace. Their collaboration effort resulted in the Tallinn Manual on the International Law Applicable to Cyber Warfare,[2] further emphasizing the applicability of established legal principles to the realm of cyber conflict.
According to the United States, the establishment of norms for state conduct in cyberspace does not necessitate reinventing customary international law, nor does it render existing international norms obsolete. The U.S. contends that long-standing international norms, which guide state behavior in times of both peace and conflict, are equally applicable in the realm of cyberspace. This is a reasonable interpretation of international law.
State Responsibility
As Article 2(4) of the UN Charter specifically addresses “Members of the United Nations,” its scope pertains to cyber operations carried out by states or activities that can be attributed to them. Cyber operations conducted by individuals or entities empowered by domestic law to exercise governmental authority are also attributable to a state. A cyber operation carried out by a group or individuals can be linked to a state if those involved are acting on the instructions of, or under the direction or control of, that state.
The issue of attributability and subsequent responsibility becomes particularly pertinent as states increasingly engage the private sector to bolster their cyber capabilities. In cases where a state exercises effective control over the activities of a private actor, it assumes legal responsibility for the cyber operations conducted by that actor. This underscores the importance of assessing not only the actions of states directly but also their influence and control over non-state entities in the evolving landscape of cyber operations.
However, according to the ICJ, specific instances may arise where the use of force does not necessarily entail the direct application of armed force. In this context, supplying a group (or an individual) with destructive malware and training its members could qualify as a use of force.[3]
Cyber Operations as a Use of Force
The key question is when cyber operations constitute the use of force, as prohibited under Article 2(4) of the UN Charter, and how states can exercise their right to self-defense in response to such operations. The drafting of the Charter did not anticipate the evolution of computing science to its current capabilities. In the Nuclear Weapons advisory case, the International Court of Justice emphasized the importance of considering the unique characteristics of nuclear weapons when applying international law.[4] A comparable approach may be warranted in the case of cyber attacks, recognizing their distinct features.
Heather Harrison Dinniss distinguishes four characteristics of cyber attacks that set them apart from their conventional counterparts: indirectness, intangibility, locus, and result.[5] While there are direct computer network attacks, like infiltrations into an industrial facility’s control systems to disrupt manufacturing processes and damage machinery, many potential cyber attacks focus on manipulating one system to create a tangible effect on another.
When a cyber attack leads to a tangible outcome such as the destruction of physical property, injury, or loss of lives, it qualifies as a use of force under Article 2(4). If the outcome of a computer network attack is confined to the digital realm, impacting data only, or if its physical consequences are minimal or were not a foreseeable consequence of the act, the attack does not constitute a use of force under the conventional interpretation.
However, an operation that does not reach the threshold of a threat or use of force under Article 2(4) can still violate certain aspects of international law. Notably, the prohibition on intervention, stemming from the principle of sovereign equality articulated in Article 2(1) of the UN Charter, is particularly relevant in such cases.
The principle of non-intervention “forbids States or groups of States to intervene directly or indirectly in the internal or external affairs of other States.”[6] Cyberspace presents numerous avenues for engaging in intervention through coercive cyber operations. Examples include unauthorized access to a foreign government’s sensitive databases, interference in another state’s electoral processes through cyber means, or the disruption of critical infrastructure in a way that influences the internal affairs of a nation.
Each cyber operation must be evaluated on a case-by-case basis. For example, a cyber operation targeting a foreign government’s communication infrastructure to collect intelligence for national security may be considered non-intervention, given its non-coercive nature. However, if the same cyber operation manipulates the communication infrastructure to influence political decisions, it could be viewed as more coercive and violating the prohibition on intervention.
Ultimately, the more coercive an action is, and the more significant the interest involved, the higher the likelihood that the act will violate the prohibition on intervention.
Self-Defense
The right of self-defense is inherent to state sovereignty and is codified by Article 51 of the UN Charter. It states, “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations until the Security Council has taken the measures necessary to maintain international peace and security.”
This right hinges on a critical condition precedent – an “armed attack”. The challenge lies in determining when a cyber operation reaches the threshold of an armed attack. While all armed attacks are considered uses of force, not all uses of force constitute an armed attack.[7] This distinction prompts the need for a careful assessment of cyber operations to ascertain whether they meet the criteria for triggering the right of self-defense.
According to Tallinn Manual Rule 69, paragraph 6, a cyber operation that leads to significant death or injury to persons, or causes substantial damage to or destruction of property, could constitute an armed attack.
For example, if a cyber operation infiltrates the control systems of a nation’s critical infrastructure, like a nuclear power plant, and causes a catastrophic failure that results in widespread casualties or significant property damage, it could be considered an armed attack. The affected state might be justified in responding to the cyber operation with measures of self-defense.
The DoS attacks against Estonia in 2007, as disruptive as they were, did not escalate to the level of an armed attack. Similarly, the attacks against Georgia the following year also did not meet the threshold, unless considered in conjunction with Russia’s subsequent invasion. Needless to say, recent incidents against Armenian citizens also do not qualify as armed attack.
The 2010 Stuxnet worm, despite reportedly causing significant destruction of property, did not entirely halt the Iranian Centrifuge program at the Natanz plant. Despite causing delays, the enrichment of uranium continued. As such, while the Stuxnet worm would be classified as a use of force, the scale and effects of the attack may not be substantial enough to qualify as an armed attack.
Cyber operations are unique in their ability to inflict significant harm without physical injury or tangible damage. This characteristic prompts the question of whether cyber operations with severe consequences can be classified as armed attacks, despite the absence of physical effects. An example is a state-sponsored cyber operation that manipulates financial systems, causing widespread economic turmoil and substantial loss, without causing direct physical harm.
While Article 51 of the UN Charter refers to “armed attack” primarily in terms of physical harm or destruction, evolving interpretations could broaden this scope to include cyber operations that result in severe but non-physical consequences.
Furthermore, Tallinn Manual Rule 71, paragraph 11 reflects the “accumulation of effects” theory. This implies that multiple smaller-scale cyber incidents, each individually below the armed attack threshold, may be considered as a composite armed attack if they are interconnected and orchestrated by the same originator or coordinated originators. The cumulative impact’s scale and effects are the key determining factors.
Finally, Tallinn Manual Rule 71, paragraph 25 states that a state can legitimately engage in self-defense against an attacker not attributable to a state. This is applicable when the territorial state is either unable or unwilling to stop the cyberattacks, despite being legally obligated to do so.
Necessity and Proportionality in Self-Defense
Responses to attacks, whether kinetic or electronic, must adhere to principles of necessity and proportionality. The ICJ has consistently affirmed that self-defense, whether undertaken individually or collectively, should only involve measures that are proportionate to the armed attack and necessary to address it.[8]
The principle of necessity dictates that any self-defense measures must be genuinely required for that purpose. Force employed after an armed attack does not satisfy that requirement; rather, it must be deemed necessary to repel that attack. For instance, if a state’s firewalls and anti-malware are sufficient to thwart an attack, the use of kinetic or cyber force in response is prohibited. Each use of defensive force is contingent on the specific context. The response must not be retaliatory or punitive, and its legality is determined solely by its effectiveness in achieving the intended outcome.
The principle of necessity demands that any defensive measures must be genuinely required. It’s insufficient that force is used after an armed attack; it must be deemed necessary to counter that attack. For example, if a victim state’s firewalls and anti-malware successfully thwart an attack, using physical or cyber force in response is not allowed. The use of defensive force is context-specific. Actions should not be retaliatory or punitive; their legality is determined solely by their effectiveness in achieving the intended outcome.
For example, when a state is under a cyber-armed attack from a specific server in another state, a lawful defensive cyber operation would aim to target and neutralize that specific server. Unlawful action would involve a broader offensive against the entire cyber infrastructure of the attacking state when a precise and surgical cyber strike could eliminate the immediate threat posed by the specific server.
Nevertheless, the principle of proportionality should not be interpreted too rigidly. There may be cases where collateral damage is unavoidable. Defensive actions may cause incidental effects on systems beyond the immediate target due to their interconnected nature. The key is to strike a balance between effectively neutralizing the threat and minimizing unintended consequences to the extent feasible in the circumstances.
The proportionality principle does not restrict a defending state from using the same weapons or the same amount of armed forces as the attacking state. Therefore, it could be considered proportionate for a victim state to use traditional armed force against an electronic attack if such a response is necessary and commensurate with the severity of the cyber threat.
Temporal Scope of Self-defense Against Cyber Attacks
International law imposes temporal limitations on the exercise of the right of self-defense. According to Tallinn Manual Rule 73, the right to use force in self-defense arises if a cyber-armed attack occurs or is imminent. “Imminence” refers to a situation where a victim state’s window of opportunity to effectively defend itself is on the verge of closing. In other words, imminence applies when a state must choose between acting defensively or bearing the consequences of the imminent armed attack.
For example, if a state obtains credible intelligence indicating that a cyber actor is about to launch a large-scale cyber operation aimed at crippling the target state’s critical infrastructure, the state may invoke the right of anticipatory self-defense.
Cyber armed attacks are unique in that the victim state may not even be aware that it is being attacked. This was the situation with Stuxnet, which was designed to create the impression that technical flaws in the targeted cyber systems caused the damage. Another scenario is when the state knows it is being subjected to cyber operations of attack-level severity but cannot identify the source. Once it discovers the identity of the attacker, it may not use force in self-defense if the attacks have ended. The challenge in the cyber domain lies in the covert nature of some attacks, where attribution is difficult, and the victim state may only become aware of the cyber armed attack after the fact. This complicates the timely exercise of the right to self-defense.
Countermeasures
In cases where a cyber attack does not constitute an armed attack, states can still respond with proportionate countermeasures. Countermeasures are otherwise unlawful actions taken by one state in response to the unlawful actions of another. Countermeasures must be necessary in the sense that lawful actions would not suffice to put an end to the unlawful conduct. They must be proportionate to the unlawful conduct.
Cyber countermeasures may be employed to respond to non-cyber unlawful acts and vice versa. The sole aim of these countermeasures should be to convince the offending state to desist. The flexibility in the choice of countermeasures allows states to employ a diverse range of measures to address and deter unlawful conduct.
For example, in the event of cyber attacks on the financial sector by State A, State B adopts three strategic countermeasures:
- Direct Cyber Response: State B targets State A’s cyber infrastructure, neutralizing malicious tools and techniques used in the attacks.
- Financial Sector Measures: State B implements countermeasures directly affecting State A’s banking system. This could involve imposing economic sanctions on State A’s financial sector.
- Unrelated Infrastructure Action: State B disrupts unrelated cyber systems in State A, signaling consequences beyond the financial sector, aiming to dissuade further attacks.
In a 1998 attack on the Pentagon’s website, specialists from the US Department of Defense responded with electronic countermeasures. They developed a program that could identify and neutralize the attacking applet installed on computers attempting to access the site. Once detected, they sent a counter-program that shut down the web browser on the activist’s computer, thereby terminating the cyber threat.
If a state needs to respond to cyber operations conducted by an unknown attacker, neither countermeasures nor self-defense may be available. In such a case, under Article 25 of the International Law Commission’s Articles on State Responsibility, states can invoke the plea of necessity. This plea justifies the implementation of protective measures in extraordinary situations where there is a grave and imminent peril to an essential interest.
For example, in response to a hypothetical cyber threat to its national power grid, a state invoking the plea of necessity under Article 25 might implement protective measures such as:
- Temporary Network Isolation: The state could temporarily isolate critical components of its power grid (and even its entire cyber infrastructure) from international networks to prevent unauthorized access or potential cyber intrusions, even if it impacts other states’ power grids.
- Enhanced Monitoring and Selective Traffic Filtering: Intensified monitoring of critical infrastructure networks to detect and respond to any suspicious activities. Selective traffic filtering could inadvertently affect other states by disrupting international data flows and potentially impeding communication.
Takeaways
Cyberspace does not exist in a regulatory vacuum. International law regulates cyber operations, furnishing victim states with a spectrum of viable response options. This article focused on the international legal framework that regulates the use of force, emphasizing states’ inherent right of self-defense within the context of cyber operations. The unique challenge arises from the fact that cyber operations can yield disastrous results without causing physical harm or damage, complicating the determination of when the thresholds for the use of force and armed attacks are crossed.
Cyber attacks often emerge anonymously, adding complexity to attribution. The frequent use of Internet Protocol (IP) spoofing in these attacks, adds to this complexity. IP spoofing involves falsifying data in the header of a data packet to make it appear as though it originated from a different IP address, thereby directing any responses back to the falsified computer. This difficulty in pinpointing the attacker hampers a victim state’s ability to take forcible countermeasures in self-defense. These issues loom large in the context of cyber operations. They highlight the need for states to not only bolster their overall cyber capabilities but also focus on identifying the attacker as quickly as possible. This is an essential component to maintaining the viability of self-defense or countermeasure options.
Cyber operations have played a limited role in the Armenia-Azerbaijan conflict, with recent cyber attacks not meeting the threshold of an armed attack against Armenian citizens. While these cyber activities did not escalate to armed conflict, the main point of this analysis is that the field is rapidly expanding, requiring continuous improvement of cyber capabilities to ensure effective defense, security, and proactive operations.
Key insights emerge when examining realities where force is already being applied. This author is skeptical of the term “cyberwar.” The nature of modern armed conflicts, as exemplified in Russia’s invasion of Ukraine, the Azerbaijan-Armenia war, and the ongoing conflict between Israel and Hamas, reinforces this skepticism. Hostilities are led and determined through conventional weaponry, where cyber means serve as auxiliary components rather than primary determinants. The extent to which states have successfully integrated the use of malware may be better suited for espionage than battlefield toolkits.
Cyber operations are better suited for shaping strategic interactions than for determining tactical outcomes. Physical effects that are easier to measure, like those from artillery and missile strikes, remain the preferred methods on the battlefield. Battlefield pragmatism dictates that it is typically more effective to destroy something rather than attempt to hack it.
Hence, the bulk of cyber capacity development and its potential use falls under the purview of law enforcement and national security paradigms. This is where Armenia should primarily concentrate its efforts. Hostilities will continue to be led and dictated by conventional forces supported by cyber operations. This implies a straightforward takeaway: arm, train, and master the code in unison. A world where “cyber warfare” is the sole battleground is not a realistic scenario on the horizon.
Politics
Enclaves Enter Armenia-Azerbaijan Peace Talks
The issue of tiny but strategically placed Soviet-era enclaves in Armenia and Azerbaijan has come to the forefront of peace talks in recent months. Hovhannes Nazaretyan maps it out.
Read moreEU, U.S. Elections Could Test Armenia’s Resilience
As the geopolitical landscape in the South Caucasus remains precarious, potential changes in EU and U.S. leadership can pose additional challenges for Armenia. Amid these uncertainties, Armenia's diplomatic efforts become increasingly important and serve as a test of its resilience.
Read moreHypocrisy and Mystification: Azerbaijan in the Non-Aligned Movement
The Non-Aligned Movement is a diplomatic platform where Azerbaijan, as a major oil-producing nation, tries to exert influence by supporting ex-colonies that are purportedly fighting colonialism. Garren Jansezian explains.
Read moreBeyond India and France: Armenia’s Quest to Diversify Defense
In the past year, especially since the major Azerbaijani incursion into Armenia in September 2022, the Armenian government has made diversification of the country’s security, including arms procurement, a priority. Hovhannes Nazaretyan explains.
Read moreOpinion
Can Armenia Be Independent?
In a voluminous collection of texts, historian and former diplomat Jirair Libaridian examines the reasons behind the moral, military and intellectual defeat of the Armenian elite in the context of three issues: the contemporary history of the Republic of Armenia, the Nagorno-Karabakh conflict, and Armenian-Turkish relations.
Read moreAzerbaijan’s Snap Election: Aliyev’s “New Era”
Why did Aliyev call for snap presidential elections? What does this mean for the Armenia-Azerbaijan “peace process”? Tatevik Hayrapetyan writes that we may see a more aggressive and dangerous Azerbaijan, particularly if the West chooses to withdraw from the peace talks.
Read moreReflection
Magazine
Adjusting Our Sails
This was the year we were forced to confront our worst collective nightmare. One that fractured lives and shattered assumptions about ourselves. What is the path forward?
Read morePolitics
The general state of flux and lack of clarity following the collapse of Artsakh—including the peace process—has produced a great deal of uncertainty, precipitating important questions about nationhood, state-building, and how to move forward. Armenia must assess the challenges, threats and risks of its security environment and clarify a new architecture that reflects state and national interests.
Read moreOpinion
In anticipation of violence while discussing peace, in the face of loss and defeat, amid historical shifts in regional and international realities on one hand, and the imperative to be resilient on the other, perspective can emerge from lucid discourse and subject-specific insight.
Read moreLaw & Society
To be law-abiding, one must have a comprehensive understanding of the law, and to safeguard your rights, familiarity with current legal norms is essential. There are no set regulations on how frequently laws can be amended. However, in the dynamic landscape of politics and society, legislators should continually adjust regulations to align with current realities. The legitimacy of public expectations is jeopardized not by the quantity, but by the quality of changes.
Read moreRaw & Unfiltered
Not everything has its place and not everything’s function or dysfunction can be fine tuned for a description. Raw & Unfiltered is that space on EVN Report, where some of the most critical stories, some of our most dysfunctional, domestic and utilitarian elements coexist alongside narratives, history and the hypothetical much like a society, any society, a catch-all drawer of Armenia, its past, the Armenian diaspora, the histories of both.
Read moreCreative Tech
The IT sector in Armenia is a strategic direction for the development of the country thanks to the relatively high level of scientific and educational potential of the population. Creative Tech is an attempt to take a pragmatic look at the tech industry including the science and innovation landscape. To emerge as a serious player in the global tech sector, Armenia needs to foster an environment that allows technology companies to achieve their business goals.
Read moreEt Cetera
The articles in this section of EVN Report attempt to turn the tide and give a much-needed critical spotlight to the forgotten, ignored, misunderstood, unseen, silenced and even derided cultural phenomena that weave the fabric of our collective past and present. From the mundane to the extraordinary, the topics addressed here reveal the remarkable dynamism of both historical, as well as contemporary Armenian social practices.
Read moreFootnotes: