Cyber Warfare and International Law: Navigating the Grey Zone

Abstract

Cyber operations by state or state-sponsored actors increasingly strain the boundaries of peace and war. This article examines how existing international law, especially the UN Charter and International Humanitarian Law (IHL), governs cyber activities and the unresolved grey-zone issues they raise. We argue that traditional rules (Article 2(4) of the UN Charter, IHL principles of distinction and proportionality, etc.) do apply to cyberspace. Still, ambiguities remain about thresholds, violations of sovereignty, and attribution.

Using a doctrinal and comparative methodology, we review the legal framework, judicial precedents, and national and scholarly positions to highlight gaps. Recent state practice shows a growing consensus that international law applies, but also reveals divergent views on key points. We conclude with suggestions to strengthen the legal order, such as clearer norms, international mechanisms for attribution and accountability, and possibly a new treaty on critical infrastructure to govern state behavior in cyberspace.

Introduction

As digital networks become integral to national infrastructure, cyber operations carry strategic effects that were once achieved only through kinetic force. Incidents like the 2007 cyber campaign against Estonia and Russian cyber warfare in Ukraine have demonstrated that cyberattacks can disrupt civilian life and may constitute hostile acts. These developments challenge existing international law, raising the question: when does a cyber operation cross from peacetime espionage or crime into an international armed attack or conflict?

The concept of a “grey zone” between armed conflict and peace captures the uncertainty. Yet international law provides criteria to decide: Article 2(4) of the UN Charter bans “the threat or use of force” against any state; the International Court of Justice (ICJ) has held that even non-violent support to armed rebels can be a use of force. If a cyber operation is an “armed attack” under Article 51, a state may lawfully self-defend.

Otherwise, harmful cyber acts may violate sovereignty or non‑intervention but fall short of justifying force. This article is about how, despite gaps in existing law, the UN Charter, IHL, customary rules, and writings like the Tallinn Manual do apply to cyber warfare. However, key ambiguities in definition and enforcement must be addressed to avoid dangerous misunderstandings.

Research Methodology

This article uses doctrinal legal research and comparative analysis. We examine primary sources (treaties, ICJ case law, and UN resolutions) and secondary sources (academic commentaries, state submissions, and expert manuals). We review UN documents, ICRC publications, and EU official statements. Scholarly interpretations, notably the Tallinn Manual 2.0, are used to clarify legal principles. And analyzed how international law is currently understood and applied to cyber operations.

Legal Framework

UN Charter, Use of Force

The bedrock is the UN Charter: Article 2(4) prohibits “the threat or use of force” against the territorial integrity or political independence of any state. The Charter makes no weapon-type distinction: “use of force” need not be “armed” or kinetic. Thus, in principle, a cyberattack that exerts coercion or damage could violate Article 2(4). The ICJ has long recognized this as a customary rule binding all states.

Article 51 preserves a state’s right of self-defense if an armed attack occurs. The UN Charter offers both a general prohibition and the self-defense exception, but it leaves open what threshold a cyber-act must reach to qualify as a use of force or armed attack. However, states often hesitate to label cyber operations as uses of force to avoid escalation. There is no separate treaty rule for cyber; only customary law applies.

International Humanitarian Law (IHL)

IHL applies once an “armed conflict” exists. Common Article 2 of the 1949 Geneva Conventions provides that they cover “all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties.” Additional Protocol I (1977) similarly defines international armed conflict to include any resort to armed force between states. In cyber terms, if a cyber incident rises to an armed conflict, IHL’s rules constrain conduct.

The Tallinn Manual observes that cyber-operations can trigger IHL only if they meet the armed conflict threshold. For example, a cyber-operation targeting and destroying another state’s power grid during a hot war would invoke IHL, whereas peacetime espionage or minor attacks would not. Common Article 3, which can exist if a cyberattack involves an organized non-state group in hostilities. IHL thus applies to cyber means during conflicts, but its scope depends on how “armed conflict” is characterized.

Customary International Law

The principle of sovereignty means a state has exclusive authority over the digital infrastructure within its territory. Tallinn Manual Rule 4 makes clear that cyber operations by one state into another’s networks breach sovereignty. France states that any cyberattack by a state organ (or someone “under the direction or control” of a state) on French systems is a sovereignty violation. The UK likewise affirms its sovereignty over its territory but refrains from inventing new rules for itself.

It treats sovereignty breaches under traditional law of state responsibility and the related rule of non-intervention. Russia and China emphasize “cyberspace sovereignty,” meaning each state controls its national internet. The GGE 2021 affirmed that states must meet their obligations regarding internationally wrongful acts, must not use proxies for cyberattacks, and must prevent their territory from being used for malicious cyber acts. 

Specialized Instruments (Tallinn Manual)

No binding cyber-specific treaty exists. Instead, a leading academic source is the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2017, OUP), produced by experts. Though non-binding, it reflects a broad consensus on key points. For instance, it affirms that sovereignty and territorial jurisdiction extend to cyberspace.

Rule 2 of Tallinn 2.0 holds that “a state enjoys sovereign authority about the cyber infrastructure…located within its territory.” Violations (e.g., introducing malware to another state’s computers) are illegal acts. The manual also treats cyber use of force under UN Charter principles and applies IHL rules in armed conflict. The Tallinn Manual has influenced state thinking. 

Judicial and Doctrinal Interpretation

ICJ Jurisprudence

The International Court of Justice has not had a cyber case, but its rulings on the use of force and sovereignty are instructive. In Nicaragua v. United States (1986), the ICJ found that US support to Contra rebels violated Article 2(4) even though the acts were largely non-kinetic. The Court famously held that Article 2(4) prohibits any use of force by states.

It thus implicitly supports the idea that a sufficiently damaging cyber operation could qualify as a use of force. The ICJ’s Advisory Opinion on Nuclear Weapons (1996) added that IHL rules “apply also in the context of the threat or use of nuclear weapons” (para. 79), which supports the broader principle that IHL governs “all means of warfare,” a logic that extends to cyber in armed conflict.

National Doctrines and Policies

Several states have formally stated how they view these laws. The United Kingdom affirms that “international law applies to States’ conduct in cyberspace” on the same basis as in other domains. The UK explicitly ties Article 2(4) to cyber: a cyber operation can be a threat or use of force depending on its effects, and it reserves the right to self-defend under Article 51 if a cyberattack amounts to an armed attack by scale and effects.

Importantly, the UK does not recognize a separate “cyber sovereignty” rule; instead, breaches are treated as violations of sovereignty or non-intervention under traditional law. By contrast, France’s 2019 cyber law position affirms robust rules: it declares that any cyberattack on French digital systems by a state organ (or entity under a state’s direction) breaches sovereignty, and that the most serious such violations may also violate the UN Charter’s ban on force.

France does not exclude the possibility that even non‑destructive cyber operations could be used as a force under Article 2(4); it lists criteria for evaluating whether a cyber act qualifies. Both the UK and France positions reaffirm that cyber operations must respect customary law and IHL in conflict.

Scholarly Views (Tallinn Manual)

Tallinn Manual 2.0, by over 100 expert jurists, offers a comprehensive restatement of cyber law. For example, it spells out that sovereignty extends to cyber infrastructure and that violating another state’s networks is internationally wrongful. The Tallinn Manual and experts have largely concluded that existing law applies in cyberspace but urge refinement and clarity.

Critical Analysis of Gaps and Ambiguities

Despite the consensus that “the law applies” to cyberspace, several gray areas persist:

Defining “Use of Force” and “Armed Attack”

What level of cyber activity amounts to a use of force under Article 2(4) or an armed attack under Article 51? The Charter itself does not define “force,” and case law suggests that only significant damage triggers armed attack. Thus, a sophisticated intrusion causing large-scale blackouts or physical destruction might qualify, whereas a stealth espionage hack would not. France suggests that any cyberattack causing effects “comparable” to a conventional armed attack could be treated as such. But others worry that declaring too many attacks to be “use of force” would make self-defense ubiquitous and unstable. This strategic ambiguity may deter adversaries, but it leaves victims uncertain about when a forceful response is lawful.

Sovereignty Violations and Non‑intervention

The principle that states must not violate others’ sovereignty is clear in theory, yet harder to apply to borderless data. The Tallinn Manual asserts that intrusions into networks or data count as a sovereignty breach. France’s position exemplifies this strict view. The UK, while upholding sovereignty, focuses on traditional non-intervention and is reluctant to create new cyber-specific sovereignty rules.

Technology complicates matters: Does sending malware through a third country’s server violate that third country’s sovereignty? Ambiguity remains. States have not uniformly defined “cyber territory.” Until clarified, nearly any hostile cyber act could be framed as a wrongful intrusion, but not all such acts are coercive enough to be “force.” This gap undermines predictability.

State Responsibility and Attribution

Cyber operations often lack clear state signatures. Traditional attribution applies. If a state’s military directly conducts an operation, the state is responsible. States agree they must not let proxies or non‑state hackers attack from their soil. But establishing legal responsibility is hard. Without clear rules on due diligence, states can plausibly deny involvement.

The Tallinn Manual suggests a due diligence obligation (Rule 6), e.g., not knowingly allowing one’s networks to be used for harm, but this norm is not universally accepted. The lack of an enforcement mechanism means victims often respond with public attribution, sanctions, or countermeasures on an ad hoc basis. This reinforces the grey zone: low-risk actors perceive they can attack anonymously with impunity.

Applicability of IHL Principles

Applying IHL in cyber settings yields challenges. IHL’s core principles of distinction and proportionality assume clearly identifiable targets and effects. In practice, a cyberweapon may disable both military and civilian systems, making prior discrimination hard. Proportionality analysis is similarly vexed: a virus unleashed for a limited goal can spread uncontrollably.

Another issue is timing. IHL applies only once conflict has begun. But cyber campaigns often precede or accompany conventional war. States debate when exactly an armed conflict starts in cyber terms and how to regulate peacetime cyber campaigns. This clarifies the grey zone: many hostile acts violate international law but not the law of war.

Grey Zone Label and Legal Certainty

The very notion of a “grey zone” is contested. Some politicians use it to describe a spectrum of coercive tactics below armed conflict. But legal commentators caution that creating a new legal category would be unnecessary or dangerous. Calling something a hybrid threat or grey-zone attack should not imply it is outside the law. The persistent ambiguity lies not in the absence of law, but in applying old legal tests to new cyber facts. Until states articulate and perhaps codify clearer rules. For example, how to measure a cyber “weapon” or how to attribute ambiguous acts. International law’s gaps will remain politically exploited.

Recent Developments

International Norm Processes

The UN has been the main forum for cyber law dialogue. UN GGE reports (2013, 2015, 2021) and OEWG reports have consistently affirmed that international law applies to cyberspace. The 2015 GGE first explicitly linked IHL principles to cyber operations. The 2021 GGE consensus reaffirmed Articles 2(4) and 51 for cyber (paras. 71–77) and acknowledged that IHL applies in armed conflict. It also urged states to avoid using cyber proxies and to build confidence-building measures. Parallel to the GGE, the Open-ended Working Group (2019–21) produced a substantive report and set of normative recommendations that align with GGE findings, emphasizing sovereignty and non-intervention norms.

Regional and National Initiatives

At the regional level, notable recent steps include the EU’s 18 November 2024 declaration “on a common understanding of the application of international law to cyberspace.” The EU Council explicitly reaffirmed that international law, including the UN Charter, human rights, and IHL, fully applies to cyber activities. The United States published a National Cyber Strategy (2023), underscoring defensive measures and affirming in international forums that existing law applies to cyber.

Notable State Practice and Incidents

State practice in cybersecurity shows patterns. Many governments now publicly attribute major cyber incidents to states and impose sanctions or prosecutions. For example, in 2020–2021, the US publicly blamed Russian, Iranian, and Chinese groups for election interference, disinformation, and network intrusions, supporting the view that such acts violate UN principles, though they do not justify war.

Perhaps most consequentially, the Russia‑Ukraine war (2022–present) has demonstrated large-scale cyber warfare. Ukraine reports thousands of cyber incidents by Russian proxies. Ukraine has taken retaliatory cyber actions. These real-world cases demonstrate that states treat serious cyberattacks as hostile acts, even if no universal legal rule has yet been triggered.

Norm Building and Accountability

The UN, EU, and other bodies have championed confidence-building measures (CBMs) like notification of exercises or dialogues. In October 2024, for the first time, the UN General Assembly adopted a resolution (87/296) on “The role of regional and sub-regional arrangements in preventing and combating ICT threats,” encouraging norm implementation. Courts and international bodies have begun to grapple tangentially with cyber issues. In parallel, industry-led efforts underscore the urgent demand for governance.

Suggestions/Way Forward

To bridge the grey zone, several measures are advocated:

• Clarify Legal Thresholds: States and experts should work to clarify what cyber operations constitute uses of force or armed attacks. This could be done through an international conference or treaty that sets concrete thresholds (e.g., “destruction of critical infrastructure causing casualties” or “taking control of another state’s military system” as examples of armed attack). The EU proposal for a UN Program of Action could develop guidelines or case studies to elucidate these thresholds.
• Norms for Critical Infrastructure: As suggested by recent scholarship, a dedicated treaty on protecting critical infrastructure could fill a gap. Such a treaty would impose positive obligations. For example, requiring states to secure key civilian networks against state-sponsored attacks and ban cyberattacks on nuclear, energy, health, and transportation systems.  
• Strengthen Attribution and Accountability Mechanisms: Improving attribution certainty is crucial. One idea is an international technical assistance or investigation mechanism to help identify perpetrators of large cyberattacks. Another is universalizing the obligation of due diligence. States should refrain from knowingly allowing their networks to be used for harm. Bluebook law already suggests states must take “all measures to prevent” their territory from being used offensively. This could be restated in a global norm or soft law instrument.
• Expand Confidence-building and Transparency: We should encourage broader adoption of CBMs. The EU and NATO models of supporting capacity-building (training smaller states on international law in cyberspace) can be expanded globally. Transparency about cyber doctrines and rules of engagement would also reduce misperceptions.
• Update IHL and Call Out Cyber-unique Challenges: While the core IHL treaties may not be easily amendable for cyber specifics, the ICRC and experts could work on additional commentaries or guidelines on applying IHL to cyber. States might negotiate a protocol or declaration affirming how IHL principles apply to the cyber context. Similarly, new rules on weapons restrictions could be considered.
• Promote Enforcement and Consequences: Finally, the international community should make clear that serious cyber aggression invites legal and political consequences. Security Council action (sanctions resolutions for cyberattacks) and domestic laws enabling the prosecution of state hackers. The US, EU, and like-minded states already impose sanctions for interference and attacks. Codifying “cyber countermeasures” under international law, carefully balancing them with IHL, could give states clearer legal sanctioning tools.

Together, these approaches recognize that mere affirmation of existing law is insufficient. Concrete rules, accountability systems, and dialogue are needed to govern the digital conflict domain effectively.

Conclusion

Cyber conflict operates in a legal limbo: it is neither fully war nor lawless peace. However, international law does reach into cyberspace. The UN Charter’s prohibitions, principles of sovereignty and non-intervention, IHL’s protections, and state responsibility rules all apply to cyber operations, although their precise application is contested. Judicial precedents and modern doctrines show a common understanding that serious cyberattacks can amount to force or armed attack, but trivial or covert acts do not automatically trigger war.

The grey zone acts below the armed conflict threshold and is governed by existing peacetime law, not a new legal regime. This article finds that ambiguity remains about thresholds and sovereignty. Yet states have begun to build consensus, like recent UN GGE and EU declarations, reaffirming the full applicability of IL to cyberspace. Going forward, it is imperative to translate these promises into practice. Strengthening legal clarity, improving accountability, and fostering cooperation can reduce the grey zone. In an era when cyber tools can paralyze societies, closing the gaps in the law is not optional but essential.

---

If you want to submit your articles and/or research papers, please visit the Submissions page.

To stay updated with the latest jobs, CSS news, internships, scholarships, and current affairs articles, join our Community Forum!

The views and opinions expressed in this article/paper are the author’s own and do not necessarily reflect the editorial position of Paradigm Shift.