CYBERSECURITY AND INTERNATIONAL LAW REGULATING WARFARE IN CYBERSPACE

ARTICLE WRITTEN BY: GABRIELLE M. SALEE

Student at the Cuttington University Graduate School of Global Affairs and Policy

 Introduction

Cyberspace has emerged as the fifth domain of warfare alongside land, sea, air, and space. Governments, businesses, and societies rely heavily on digital infrastructure, making them vulnerable to cyber-attacks. Modern cyber operations can disrupt power grids, manipulate financial systems, steal sensitive data, influence elections, and even cripple national defense systems. (Example: Liberia 2011 election was mark by fraud).

In response, the international community has grappled with the question: Can existing international law regulate warfare in cyberspace?
The answer is complex. While traditional legal principles broadly apply, their interpretation in cyberspace remains contested.

UNDERSTANDING CYBER-SECURITY IN THE INTERNATIONAL CONTEXT

Cyber-security refers to the protection of digital systems, networks, data, and critical infrastructure from unauthorized access, attacks, or damage.
It aims to safeguard:

• Confidentiality (protecting data),
• Integrity (preventing tampering), and
• Availability (ensuring systems function properly). (O’Connell, 2012). 

Key Legal Frameworks and Norms: focus on core security principles Confidentiality, Integrity, Availability – CIA Triad, Authentication, Non-repudiation, emphasizing data privacy, incident response, risk management, and building operational resilience through robust controls and employee training.

1. Tallinn Manual on the International Law Applicable to Cyber Warfare

• This is a leading, through non-binding, scholarly work that seeks to translate traditional international law principles into the cyber context.
• It explores how doctrines like jus ad bellum (when is use of force permissible) and international humanitarian Law (IHL)/ law of armed conflict apply if states deploy cyber-attacks.
• The Manual lays out black-letter rules” and accompanying commentary effectively a guide for lawyers’ military planners and policymakers when considering cyber operations under international law.

2. Core Cyber-security:

• CIA Triad: Deals with the Confidentiality authorized access, Integrity, Availability to access when necessary.
• Authentication & Non-Repudiation: Verifying identities information and ensuring actions can’t be accepted.
• Data Privacy: Mainly discuss on consent, data minimization, and individual rights to access data portability.
• Risk Management: function is to be identifying, assessing, and mitigating cyber risks through plans and controls.

Though not legally binding, the Tallinn Manual provides the most authoritative and widely accepted interpretive framework today. (Schmitt, 2013, 2017).

PRINCIPLES OF STATE SOVEREIGNTY, NON-INTERVENTION AND STATE RESPONSIBILITY

• Core principles of traditional international law remain relevant in cyberspace:A state’s Sovereignty over its digital infrastructure, the principle of non-intervention for example: no coercive interference in another state’s domestic affairs, including via cyber means), and state responsibility of wrongful acts.
• Under these principles, a cyber-operation that violates another state’s sovereignty or constitutes unwarranted interference, for example:Liberia just ended elections that brought President Boakai to power or disrupting critical infrastructure could be considered illegal.
• If a cyber-attack is attributable to a state that state could face diplomatic legal or countermeasures through attribution remains one of the biggest practical challenges. (Goldsmith, 2010).

 INTERNATIONAL HUMANITARIAN LAW (IHL) AND LAW OF ARMED CONFLICT

• When a cyber-operation occurs in the context of armed conflict (Ex: A war), IHL – the body of law regulating conduct, of hostilities, protection of civilians, proportionality, distinction applies equally to cyber warfare.
• That means cyber-attacks must respect the principles of distinction, combatants vs. civilians, civilian infrastructure, proportionality, necessary, and humanity just as kinetic attacks must.
• Some scholars argue for a full adaption of traditional war law to cyberspace even proposing a cyber-version of the Geneva Conventions (sometimes dubbed “Cyber Geneva Conventions”) to account for digital era threats to civilian infrastructure and data. (Convention on Cybercrime, 2001), (O’Connell, 2012).

CYBERCRIME & CYBER SECURITY TREATIES: PEACETIME LEGAL INSTRUMENTS

• Parallel to laws of war, there are treaties and legal instruments aimed at regulating cyber-crime and cyber security in peacetime. For example, Budapest Convention on Cybercrime (2001) is the first multilateral binding agreement to harmonize national laws, facilitate cooperation and punish cybercrimes.
• On a regional level, for Africa the Malabo Convention (2014), also known as the AU convention on Cyber Security and Personal Data Protection aims to criminalize various cyber offences, promote national cyberseurity strategies, and foster cooperation among states.
• These treaties focus more on crime, data protection, cyber-infrastructure security and governance rather than warfare, but they form part of the broader international legal architecture governing cyberspace. (Buchan, 2015), (Tsagourias, 2015)

CHALLENGES & LEGAL GAPS

While international law offers many tools to regulate cyber operations adapting them to cyberspace raises serious theoretical and practical challenges:

• Attributing problems: Cyber-attacks often exploit multiple jurisdictions, proxy’s anonymization making it difficult to attribute responsibility to a state. Without reliable attribution, applying state responsibility or retaliation norms becomes tricky.
• Thresholds for use of Force and Armed Attack: It remains legally and doctrinally contested when a cyber-attack rises to the level of use of force or armed attack under the United Nations Charter (Eg: Article 2(4)). The lack of clarity complicates states’ ability to respond with force or self-defense.
• Applying IHL to Digital Infrastructure: Traditional IHL was developed with physical warfare in mind land, sea air, etc. Translating principles like proportionality and distinction into digital impacts data loss power grid outages, cascading systemic failures) is legally complex and debated. cyberlawconsulting.com, (Hongju Koh, 2012).

 RECENT DEVELOPMENTS & CALLS FOR REFORM

• Some legal scholars argue for a dedicated set of rules sometimes called “Cyber Geneva Conventions” updating IHL for the digital age: covering protection of critical infrastructure civilian data and setting limits on cyber operations.
• Debates continue about how to enforce international law in cyberspace especially around attribution, accountability and how to penalize wrongful cyber-attacks when origin is obfuscated.

In 2022, a comprehensive legal analysis argued that while IHL and law of armed conflict apply to cyber warfare significant gray zones remain particularly regarding proportionality dual use infrastructure and civilian harm in digital operations. (Carr, 2010), (Rid, 2013)

WHAT THIS MEANS IN PRACTICE

• States and militaries planning cyber operations should assume existing international law especially IHL applies when an armed conflict or hostilities occur.
• Civilian protection must remain a priority hacking hospitals power grids water systems or other civilian infrastructure can constitute violence’s under humanitarian law. cyberlawconsulting.com, (Carr, 2010).

 CONCLUSION

The rise of cyber warfare challenges many assumptions of traditional international law, yet the legal architecture already in place state sovereignty nonintervention state responsibility that law of armed conflict provides a solid foundation. The Tallinn Manual remains the most authoritative guidance translating these norms into the cyber domain.

But the rapid evolution of technology, coupled with difficulties in attribution and ambiguities in traditional legal categories, means significant legal grey zones persist. Scholars, states and international organizations continue to debate the need for clearer, binding norms perhaps even a dedicated cyber warfare treaty to protect civilians’ critical infrastructure and ensure accountability in digital conflicts.

For now: Cyber operations during conflict cannot be assumed to exist outside international and states that conduct them remain or should remain bound by many of the same obligations that govern traditional warfare.

NOTE: This essay was part of the international Law Course’s activities taught by Dr. Mory Sumaworo (Ph.D) Professor at Cuttington University Graduate School of Global Affairs and Policy.

REFERENCE:

• Harvard International Law Journal, 60(2), 1-40. International Law & Cyber Conflict Hatthaway, O.A., Crootof, R. Levitz, P., Nix H.,
• Nowlan, A., Perdue, W., & Spiegel, J., (2012). The law of cyber-attack. California Law Review, 100(4), 817-885.Kello, L. (2017).
• The virtual weapon and international order. Yale University Press. Tikk, E. Kaska, K., & Vihul, L. (2010). International cyber incidents: Legal.