• Homepage
  • Blog
  • General
  • The Causal Question in the Application of the Law on the Use of Force to Cyber Operations

The Causal Question in the Application of the Law on the Use of Force to Cyber Operations

By Priya Urs
Published on 25 April 2023

[The research for this post was carried out as part of a project at the Oxford Institute for Ethics, Law and Armed Conflict funded by the Government of Japan. For a discussion of this topic in the context of cyber operations against the healthcare sector, see the forthcoming report ‘The International Law Protections against Cyber Operations Targeting the Healthcare Sector’. Thanks to Dapo Akande and Martins Paparinskis for their helpful comments.]

Multilateral discussions as to the international legal regulation of cyber operations evidence an emerging agreement amongst states that existing rules of international law apply to cyber operations. This principled agreement has variously materialised in reports of the UN Group of Governmental Experts, the UN Open-Ended Working Group and, somewhat exceptionally, in the national positions declared by some states. Yet there is no clear indication as to how existing rules of international law might apply to cyber operations, inviting deeper discussion of the substantive issues raised by the application of these rules to cyber operations.

Amongst others is the need for a suitable standard or standards of causation with which to determine the scope of application of relevant primary rules to cyber operations. Such a need arises whenever the determination as to the breach of a prohibitive primary rule by a cyber operation depends on the causing of relevant effects. When it comes to the application of the law on the use of force, for instance, the characterisation of a cyber operation as a use of force or an armed attack depends on the causing of effects comparable to those caused by conventional weapons, namely death, physical injury, or destruction. The remoteness of such effects to the cyber operation, and the choice of the standard of causation in this context, bear on the scope of applicability of these rules to cyber operations.

What follows is a discussion of the need for a standard or standards of causation in the application of the customary and treaty rules on the use of force to cyber operations. The post identifies relevant standards of causation and tentatively suggests the most suitable standard in this context. The discussion is by no means exhaustive; it simply suggests a structure for further exploration of an issue that affects the scope of applicability of the law on the use of force to cyber operations. The question may equally arise where the application of other rules of international law to cyber operations depends on the causing of relevant effects (see e.g. Tallinn Manual 2.0, 20–21). The focus being the applicability of primary rules of international law, causal questions that arise in the context of the law of state responsibility are not discussed. Standards of causation used to determine the fact of the responsibility of a state for the breach of a primary rule and the extent of its responsibility, including the valuation of any reparations owed by it, are not considered for anything more than analogical reference.

The Causal Question and the Effects of Cyber Operations

When assessing whether a cyber operation constitutes a use of force or an armed attack, the question arises whether there is a sufficient causal connection between the cyber operation and the ensuing effects with which the prohibition on the use of force and the right of self-defence respectively are concerned. To date, it is at least agreed that causing death, physical injury, or destruction—effects comparable to those caused by conventional weapons—qualifies a cyber operation as a use of force and, conditional on the satisfaction of the requirement of gravity articulated by the ICJ in its Nicaragua decision, as an armed attack. Conversely, it is less clear whether the causing of other effects, such as economic or political disruption, so qualifies; such effects are not discussed further.

An illustrative example is the now too common case of a ransomware operation against a hospital which, pending the payment of a ransom, disrupts the use of the hospital’s IT infrastructure, including access to patient medical history, and thereby interrupts the continued provision of medical care. In such cases, the information and communications technologies targeted by the cyber operation are not themselves destroyed. Yet such operations may lead to physical injury to patients whose treatments are suspended (see here) and, in some cases, to death (see here and here). Similar effects are conceivable where a cyber operation targets a state’s water or energy supply. Whether an operation of this kind constitutes a breach of the prohibition of the use of force or, subject to the requirement of gravity, is an armed attack, depends inter alia on the relevance of such effects to the assessment. Identifying the relevant effects, and thereby determining the scope of applicability of the rules on the use of force to cyber operations, requires the use of a suitable standard of causation. Beyond the desire for consistency and predictability in the application of relevant rules, clarity on the point is necessary given the far-reaching implications of the characterisation of conduct as a use of force and, even more so, as an armed attack.

Neither Article 2(4) of the UN Charter nor its customary counterpart specifies any standard of causation with which to identify the legally relevant effects of an alleged use of force. That is, the rules are silent as to which effects may be too indirect or remote or not sufficiently proximate as to be said to result, in legal terms, from the use of force. The same is true of Article 51 of the Charter and its customary counterpart. This silence is unproblematic in respect of force through the use of conventional weapons, in which context the causal chain or link between the use of such a weapon and any resulting death, physical injury, or destruction is usually clear. When it comes to the use of cyber operations, however, the matter is not as straightforward.

The helpful distinction drawn between the requirements of ‘factual’ and ‘legal’ causation in discussions of causation in the law of state responsibility may lend clarity too to the assessment in the context of primary rules. Factual causation involves the establishment in fact of a causal chain or link between the conduct in question and the effects with which the assessment is concerned. The exercise requires prior agreement in the form of general or scientific knowledge as to the effects of various forms of conduct, which in the cyber context may be limited by the technical and evolving nature of cyber operations. Various standards of factual causation are proposed in law and philosophy, including the ‘but for’ test or the conditio sine qua non, which has largely been substituted for other standards in other areas of law. Whichever standard of factual causation is preferred, the requirement of a causal chain or link may be more or less relevant to the final analysis. Legal causation accounts for policy, pragmatic or other normative considerations to ‘determine whether the causal chain or link should be severed at any intermediate point, because beyond that point the wrongdoer could not have foreseen the result of his acts, or the results were too remote and not proximate’ (Lanovoy). The standard of legal causation may even do away entirely with any requirement of factual causation, such as where the task of establishing the causal chain or link proves too difficult or where strict liability is preferred.

Similar considerations might be used to limit the legally relevant effects of cyber operations and thereby to circumscribe the scope of the primary rules on the use of force. The choice of the standard of causation in the cyber context depends on the purposes underlying the rules, in particular ensuring respect for the territorial integrity and political independence of states and the maintenance of international peace and security. These purposes may support the use of a standard of causation that accounts for all such effects, however remote they may be. Conversely, the choice of the applicable standard of causation must also be mindful of the consequences of the invocation of state responsibility for an alleged use of force and the risk of escalation, which militate against the use of too loose a requirement of causation.

Identifying Potential Standards of Causation

Broadly speaking, three standards of causation may be discussed in the context of the prohibition of the use of force and the right to self-defence, each relying to a greater or a lesser extent on a requirement of factual causation.

First, the ICJ in Bosnian Genocide articulated the requirement of a ‘sufficiently direct and certain causal nexus’ as the appropriate standard of legal causation in the context of a claim for reparation for loss resulting from a failure to prevent genocide. To be sure, that standard was proposed in the context of secondary rules to establish a causal chain or link between the breach of a primary rule and loss. A comparable standard of sufficient directness and certainty may nevertheless be envisioned in the context of primary rules. Were such a standard to be applied in relation to the prohibition on the use of force, only the ‘direct’ effects of cyber operations on targeted information and communications technologies—which tend not to include physical destruction, let alone death or physical injury—would be relevant to the assessment. A strict requirement as to the directness of the causal chain or link would tend to exclude from the scope of the prohibition cyber operations that cause death, physical injury, or destruction indirectly. Likewise, even those cyber operations that satisfy the requirement of gravity in relation to such effects would not constitute an armed attack.

Second, a more flexible standard of proximity includes in the assessment effects that are proximate in space and time but not necessarily limited to the ‘direct’ effects of the conduct in question. The standard of proximity admits of varied application, permitting the drawing of what are ultimately arbitrary distinctions between proximate and remote causes. The discretion involved in its application would leave the respective boundaries of the prohibition on the use of force and the right of self-defence unclear, bringing little predictability to the application of the law on the use of force to cyber operations. States require sufficiently clear guidance as to what conduct might constitute a use of force, thereby triggering the range of consequences arising under the law of state responsibility and perhaps also the law of armed conflict and international criminal law.

Third, a standard of reasonable foreseeability does away with any requirement of factual causation, calling instead for an objective assessment of the foreseeability in the ordinary course of events of relevant effects, in this context death, physical injury, or destruction. The two states that have addressed the question of causation in relation to the prohibition of the use of force, Australia and New Zealand, both support the use of this standard when assessing the effects of cyber operations. Australia asks ‘whether the cyber activity could reasonably be expected to cause serious or extensive … damage or destruction … to life, or injury or death to persons, or result in damage’ (Annex A, para 1), while New Zealand proposes to account, amongst others, for ‘reasonably expected consequential impacts’ (para 7). In relation specifically to the requirement of an armed attack, some commentators endorse the assessment of ‘all reasonably foreseeable consequences of the cyber operation’ (Tallinn Manual 2.0, 343).

On balance, the standard of reasonable foreseeability appears to be the most suitable in this context. On the one hand, it is not as restrictive as a requirement analogous to that of a ‘sufficiently direct and certain causal nexus’, which would not capture the ‘indirect’ but otherwise significant effects of cyber operations. Addressing such effects is presumably a desirable policy goal. On the other hand, the standard of reasonable foreseeability is not as arbitrary as the standard of proximity, giving states a clear and objective basis on which to carry out ex ante assessments of the lawfulness of proposed conduct and bringing greater consistency to ex post causal assessments. The objection may nevertheless be raised that the standard of reasonable foreseeability is itself unclear: how likely, not unlikely, probable, or possible must death, physical injury, or destruction be for a cyber operation to constitute a use of force or an armed attack? On one view, every eventuality is reasonably foreseeable, but the standard need not be so demanding as to call for infinite caution. Greater clarity as to the use of the standard of reasonable foreseeability will be lent by a detailed examination of its routine use in other areas of law. Nor is reasonable foreseeability unknown to primary rules of international law; notably, a state exercising self-defence in response to an inchoate armed attack must undertake the not dissimilar assessment ex ante of the likely effects of the conduct. If the assessment of the reasonable foreseeability of death, physical injury, or destruction when engaging in cyber operations is seen as excessively widening the scope of the prohibition of the use of force and the right of self-defence, it may even be combined with a requirement of directness or of proximity.

Whichever standard of causation is ultimately preferred, clarifying the applicable standard is indispensable to the task of delimiting the scope of applicability of the prohibition on the use of force and the right of self-defence respectively to cyber operations.