The thesis reviews the issue of cyber attacks and international law in terms of jus ad bellum, the law concerning the recourse to force by states. The thesis takes the view that the existing rules on the use of force, namely Articles 2(4) and 51 of the United Nations Charter and the corresponding rules of customary international law apply to attacks regardless of the way they are carried out and thus, they apply to cyber attacks as well. Two central examples of different kinds of cyber attacks are presented to illustrate the issue: the attacks against Estonia in 2007 and Stuxnet, the malware that targeted Iranian nuclear facilities and was discovered in 2010.
Before covering the main question of if and when cyber attacks may constitute uses of force or armed attacks, the thesis takes a brief historical look at how the just war doctrine and the regulation of war have evolved to their current state. The thesis argues that while cyber attacks are a new phenomenon with certain unique aspects, they are a part of the evolution and continuum of armed conflict.
The thesis takes a look at the different approaches (instrument-based, target-based and effects-based) to assessing the question of whether or not a cyber attack crosses the threshold of a use of force or an armed attack. The effects-based view is found to be most appropriate one. It is argued that particularly cyber attacks that cause death, injury, damage or destruction qualify as uses of force. As cyber operations make it possible to cause severe economic consequences without the use of physical force, the question of economic force is discussed as well. The thesis argues that while the prevailing view is that Article 2(4) does not cover the use of economic force, the question may arise in the context of cyber attacks, and an attack with such consequences may result in a reappraisal of the issue in state practice.
Turning to armed attacks, the thesis argues that cyber operations may also qualify as armed attacks. Accepting the prevailing view that distinguishes between uses of force and armed attacks, the thesis claims that for a cyber operation to rise to the level of an armed attack, the consequences must be sufficiently grave. It is argued that for example a denial-of-service attack does not fulfil the criteria of an armed attack, but an attack that causes fatalities or severe damage or destruction would cross the threshold and justify self-defence. The thesis also discusses the question of anticipatory self-defence in the context of cyber attacks
