Open PDF in Browser: Colleen Garcia,* Cyberattacks, Modern Sovereignty Violations, and the Disadvantage to Developing States
Globalization continues to result in an ever‑increasing connectedness and interdependence of world economies, cultures, and populations. This connectedness has come to include interdependency on the cybersphere. As most other aspects of economy, culture, health, government, and security have moved to cyberspace, so too has espionage, crime, warfare, and interference with other states. State‑sponsored cyberattacks or cyber operations—aimed at using technology and cyber capabilities to disrupt, disable, and hack the systems of other states and individuals—are an increasingly popular tool to further geopolitical goals and violate the sovereignty of other countries. Moreover, these operations have significant consequences for developing states with weaker cybersecurity infrastructure and less geopolitical power. Analysis of such attacks under modern international law is lacking in its consideration of developing states, and the principles of non‑intervention, use of force, and state responsibility leave gaps in the current conversation that exclude cyber operations.
This Note focuses on cyber operations falling just below the threshold that would qualify them as violations of state sovereignty under international law. Specifically, this Note examines the aspects of the non‑intervention principle, prohibition on the use of force doctrine, and rules of state responsibility that require adaptation to account for the global reality of cyberattacks. As these principles only focus on the physical attributes and impacts of actions toward another state, this Note argues that such analyses should expand to include nonphysical harms and state funding of private actors. Further, this Note seeks to acknowledge and consider the disproportionate consequences of cyberattacks on developing states and their sovereignty in their exclusion from the aforementioned doctrines under international law.
Introduction
The global technology infrastructure stemming from digitization is a product of advances in the past twenty years,[1] and one does not have to go far to see how fragile these systems are. In April 2025, Spain experienced a significant power outage, losing the equivalent of 60 percent of demand for the entire country and causing a blackout for millions of people even in Portugal and parts of France.[2] Transportation came to a halt across the Iberian Peninsula—traffic lights went dark, flights were grounded, and metro systems were quite literally stopped in their tracks.[3] The economy suffered as well, with mobile communications disabled and ATMs inaccessible.[4] The outage highlighted how fragile and vulnerable critical infrastructure is in the digitized era. Despite an investigation concluding the blackout was a mere malfunction, it does shed light on the grave possible consequences if an actor were to do such a thing intentionally.[5]
Today, many states turn to cyberattacks—deliberately entering into a computer system with malicious intent[6]—to exert physical, economic, and political influence over other states without violating modern rules of international law. In 2023 alone, there were 123 state‑sponsored cyber operations;[7] since 2005, thirty‑four countries have been suspected of sponsoring cyber operations in pursuit of their foreign policy interests.[8] When combined with increasing global reliance on technology for critical infrastructure, financial systems, and safeguarding democracy, a cyberattack has the potential to incapacitate a state. Most cyberattacks are treated as falling in the gray area under the threshold of war, which leaves victimized states without recourse under international law. This Note examines the vast majority of cyberattacks that fall short of the definition of “armed attacks” yet have significant consequences. It focuses on the current shortcomings of related doctrines of international law that inadvertently and disproportionately impact developing states.
The advances of the technological age necessitate a change in perspective on state sovereignty. States can influence and weaken others with impacts that, until the late twentieth century, could only be achieved via covert operations, invasion, and acts of war. Another oddity of this development is the ability of private actors to do damage akin to that of a country’s military capabilities at the behest of a state, while hiding behind the nature of the cybersphere to avoid making a state responsible for these acts.[9] Currently, only the most egregious of cyberattacks that have the physical impacts of war—such as injury, death, or destruction—would be considered violations of a state’s sovereignty under international law.[10] However, most cyber operations fall under that threshold and have disastrous impacts on states, especially developing countries with weaker cybersecurity infrastructure.[11] The best defense to level the playing field for the developing world is to expand the analyses underpinning the principles of non‑intervention, use of force, and state responsibility to account for the cyberattacks that have similarly grave consequences.
This Note argues that cyberattacks should be considered violations of state sovereignty under international law. This would address the disproportionate position of developing states, which are currently disadvantaged by the structure of international law and disparities in geopolitical power and cyber infrastructure. To do so, international law should expand the use of force and non‑intervention principles while simultaneously relaxing state responsibility tests. An expanded use of force doctrine would analyze the nonphysical nature of cyber operations by (1) considering the targeting or damaging of critical infrastructure and the domestic necessity of those systems and (2) expanding the use of force doctrine and, if necessary, also broadening the scope of the non‑intervention principle to recognize economic harm. In addition, the control tests to determine state responsibility for cyberattacks should be relaxed. Instead of solely focusing on whether a state issued specific directions to carry out an attack, this test should consider the various other, less obvious ways that states can be responsible for such harm.
To lay the foundation for this approach, Part I examines the taxonomy for different subcategories of cyberattacks. Part II then turns to the principles of state sovereignty and its role in a modern, interconnected landscape. It further discusses the non‑intervention principle, the use of force doctrine, and state responsibility principles, which serve as the current analytical framework for the international consequences of a cyberattack. Part III turns to the potential biases in international law that exacerbate the analytical shortcomings of these doctrines for developing states, the disparities in cybersecurity infrastructure that leave developing states vulnerable, and the current efforts to address cyber operations. This Note will then examine a recent cyberattack on Costa Rica to exemplify these issues in practice. Finally, to account for the reality of significant cyberattacks and the involvement of private, state‑sponsored cyber actors, Part IV sets forward the argument for broadening key doctrines. First, it argues for the expansion of use of force analysis to heavily weigh impacts to critical infrastructure by including economic harms. Second, it articulates the need to relax the control tests for state attribution by including mere financing to carry out a cyberattack as sufficient to hold states responsible.
Cyber Operations Defined
Cyberattacks and cyber operations refer to a breadth of cyber acts that any type of actor can perpetrate toward any target.[12] Section I.A discusses cybercrime, which provides context for how state‑sponsored cyber operations differ from cyberattacks for financial gain and can produce significant consequences when left unchecked. On the other hand, Section I.B discusses state‑sponsored cyber operations, which covers a range of conduct that have political or military motive. Specifically, cyber warfare, addressed in Section I.B.1, refers to cyber operations specifically carried out during warfare or combined with armed means. While cyber warfare is recognized as the use of force, there are two kinds of state‑sponsored cyber operations in a gray area beneath the threshold of cyber warfare yet deemed more serious than a financially motivated cybercrime. Section I.B.2 examines cyber espionage, which are cyber operations aimed at infiltrating systems and gathering information. Section I.B.3 examines cyber sabotage, which targets infrastructure and computer systems to disrupt or damage their functioning. This Note primarily analyzes cyber espionage and cyber sabotage as the cyberattacks that, despite their potential for significant consequences in damage and scope, are not currently considered violations of international law.
Cybercrime
Cybercrime is often used as an umbrella term to refer to any crime carried out over the internet, whether that be the type of multinational cyber schemes relevant to this analysis or smaller internet‑specific situations such as online harassment.[13] However, in this Note, cybercrime refers to situations where actors are engaging in criminal activity purely for financial gain.[14] The four most common types of cybercrime are phishing, financial fraud, cyber harassment and extortion, and identity theft.[15] While usually the lowest‑risk category of operations, cybercrime can sometimes rise to the level of cyber warfare if the breadth of the attack is substantial enough.[16] An elderly person falling for a phishing email or a person getting their social security number stolen, while unfortunate, would not be cause for national concern. However, when an employee of a large firm or corporation falls for a phishing email on their work computer, that could have more substantial consequences. For example, financial institutions handle large amounts of sensitive data and transactions, making them targets for cybercrime that would disrupt economic activity via smaller schemes.[17] Therefore, while banks are often targeted with attempts of low‑level financial theft that do not disrupt their functioning, more large‑scale cyberattacks may have resounding impacts when they completely disable banks’ functioning. This risk is even more pronounced for developing countries that have less cybersecurity in place and more to lose.[18]
The COVID‑19 pandemic was a critical accelerant that made these types of cyberattacks increasingly impactful since the early 2020s.[19] As a result of the pandemic, the demand for online financial services skyrocketed.[20] This caused an explosion of banking activity as banks adapted their businesses to stay competitive in cyberspace, which led to a digital transformation of global financial systems.[21] Today, hacking groups and other actors are taking advantage of this digitization, which poses an ongoing risk for new systems and offers a new pool of victims to target as more necessary services move online.[22] The Financial Stability Board—an organization that monitors the global financial system and makes recommendations to maintain it[23]—cautioned that a cyberattack could trigger a global financial crisis, as an incident could “seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.”[24]
Issues in other sectors echo those common in the financial sector, leading to an uptick in the targeting of other necessary services through cyber operations.[25] One example is the health care sector, where a similar need to digitize many medical services in the wake of the pandemic motivates cyber actors to increasingly target health care organizations through ransomware attacks.[26] Not only does this prevent health care professionals from administering care to patients, but it also prevents public health officials from monitoring data and trends that inform public health decisions.[27] More than one‑third of global health institutions reported experiencing at least one ransomware attack in the preceding year.[28] The World Health Organization (WHO) and other international organizations have collaborated with the United Nations Office on Drugs and Crime (UNODC) to try and strengthen cybersecurity efforts, recognizing that this surge of attacks puts the global health care infrastructure at critical risk.[29] As the health care and financial sectors show, cybercrime may still pose a risk as the world becomes more reliant on the cybersphere for basic services. This risk necessitates a proportional response under international law to expand the definitions of the use of force and non‑intervention to include impacts to infrastructure and economy.
State‑Sponsored Cyber Operations
Cybercrime and state‑sponsored cyber operations have a complex interplay due to overlap in their methods.[30] Both use malware, ransomware, and the gamut of techniques to achieve their goals.[31] Criminal cyber activity has opened the door for states to join the fray. The economic cybercrime ecosystem and the black market it has created combined with the demand from states for specialized cyber skills create proxies that bridge the gap between “sophisticated cyber capabilities and the strategic objectives of states lacking the requisite technical expertise.”[32] Thus, while one often supports the other, the key difference between cybercrime and state‑sponsored cyber operations is motive—cybercrime is economic, whereas state‑sponsored operations are political or tactical. Cyber operations cover a spectrum of actions such as cyber espionage, cyber sabotage, and cyber warfare.[33] At one end of this spectrum, cyber warfare is the only kind of operation that would qualify as the use of force under international law. The majority of state‑sponsored cyber operations act in the gray area beneath that threshold of warfare.
Cyber Warfare
While there is no universally agreed‑upon definition, cyber warfare is more narrowly understood as the conduct of a cyber operation by military means for military objectives.[34] Cyber warfare, via the use of computer systems to target an enemy’s computer or information systems, has the explicit aim of destruction or disruption for military advantage.[35] By most authorities, only governments, organs of the state, or state‑directed or sponsored individuals and groups can engage in cyber warfare, with the target being other states.[36] In other words, cyber warfare is the use of cyber tactics during military operations and has become a significant tool at an armed forces’ disposal.[37] Hybrid conflicts utilize cyber operations in combination with military force.[38] For example, Russia has been using cyberattacks to disable communications and cause mass panic and confusion in Ukraine to complement its other military efforts.[39] In attacking this cyber infrastructure in order to destabilize or disrupt Ukraine’s systems, Russia’s efforts qualify as cyber warfare.
Cyber warfare as referring to its use in military operations would clearly be categorized as the use of force under international law as it is, by definition, used in furtherance of war.[40] Cyber warfare results in tangible, physical consequences that are often significant to the use of force analysis.[41] The state‑sponsored operations in that limbo falling short of cyber warfare—cyber espionage and cyber sabotage—are the main cyber operations referred to in this Note, as they are the most difficult to define under international law.
Cyber espionage, like the term suggests, is using cyber techniques to gather information.[42] These actions, along with cyber sabotage, cost much less than a traditional military operation, can have immediate impact, can be employed over large distances, and can achieve the same effects in the “grey area below the threshold of an actual war.”[43] Although cyber espionage can be used by companies and states alike, the focus in this Note is on the latter. To succeed, cyber espionage uses attacks to obtain political, commercial, and military information advantageous to a state’s interests, either by the state itself or private proxies.[44] These efforts target government entities, individuals, and companies as well as social and international institutions in order to access sensitive information.[45] Economic cyber espionage targets trade secrets and intellectual property, posing a threat to a country’s competitive advantages and market shares.[46] Political and military cyber espionage has the intention of stealing information from foreign governments on national security issues and defense capabilities.[47]
Unlike cyber warfare, the impacts of cyber espionage are often not immediately apparent; attackers tend to use the information at advantageous moments, rather than at the moment of access.[48] Modern technologies allow cyber actors to stay undetected for long periods of time following a network breach, which leaves systems increasingly vulnerable.[49] For example, cyber espionage has been utilized by the United States and China for decades in their relations toward each other.[50] Chinese state‑sponsored hacking groups have been accused of stealing information from American tech giants, defense contractors, and government institutions; on the other hand, the United States has developed technology designed to monitor Chinese infrastructure.[51] To demonstrate the dangers of cyber espionage, take the following example: Volt Typhoon,[52] a Chinese‑sponsored hacking group, targeted and, as U.S. experts presume, have likely accessed American IT networks of communications, energy, transportation, water, and wastewater organizations.[53] If these networks are disrupted or compromised due to the actions of Volt Typhoon, the resulting disruptions to critical infrastructure could cause power outages, service disruptions, and physical damage that may impact people’s lives and safety.[54] Despite not being an offensive attack used in a military operation like cyber warfare, the potential ramifications of these cyber espionage tactics could incur similar consequences.[55] Cyber warfare meets the threshold of the use of force in part due to its physical effects—despite the possibility of those same physical effects, cyber espionage would not qualify under international law.
Cyber Sabotage
Cyber sabotage and cyber espionage are often intertwined. The same actors can engage in both types of conduct; cyber espionage can identify the security vulnerabilities that are later exploited via cyber sabotage.[56] In this context, cyber sabotage refers to acts aimed at disrupting or destroying information and communication technology.[57] Specifically, cyber sabotage could involve acts aimed at manipulating data, disrupting essential services, or damaging physical systems controlled by computers, or any other measure taken with the intent of targeting a state’s infrastructure or assets.[58]
The bounds of cyber sabotage are even murkier than cyber espionage. Sabotage is often labeled as a precursor to cyber warfare, as a type of manipulation that damages cyber systems.[59] However, despite this distinction, an act of sabotage on its own does not reach the threshold of cyber warfare.[60] One of the most well‑known examples of cyber sabotage is Stuxnet, a computer malware designed by the United States and Israeli intelligence forces.[61] This powerful malware created disruptive signals that altered the programming of centrifuges in order to disrupt Iran’s nuclear proliferation.[62] The malware successfully damaged centrifuges by altering the programming to spin the centrifuges incorrectly, and set the Iranian nuclear program back by at least two years.[63] From the United States’ point of view, this operation was a nonviolent alternative to launching airstrikes into Iran’s nuclear sites.[64] In essence, the United States carried out warlike objectives without formally declaring war or using force against Iran.[65] At what point will the international legal community decide that these workarounds are essentially permitting the use of force without the label?
All subcategories of state‑sponsored cyber operations can vary greatly in their scale and impact. As a result of this wide variance, there is a hesitancy to address cyberattacks under international law unless the acts definitively resemble physical warfare, like the use of cyber warfare in military operations.[66] State‑sponsored and state‑targeted cyberattacks falling below this threshold—namely cyber espionage and cyber sabotage—take advantage of international unwillingness to engage with the blurred lines of cyber operations. These cyberattacks can wage the same consequences of war and violate a state’s sovereignty, and yet will not be recognized as such under international law.[67] Given the high stakes of ignoring this phenomenon, it is time to take a hard look at the doctrines of public international law as they can be applied to these types of cyber operations.
Relevant Concepts of International Law
Cyber operations often result in similar consequences or achieve the same geopolitical objectives as acts of war traditionally prohibited by principles of international law.[68] Yet, due to their nonphysical nature, these attacks are viewed as insufficiently similar to military operations as to require adherence to international norms.[69] Currently, the non‑intervention and use of force doctrines stemming from state sovereignty—the concept recognizing that states have authority over their affairs and territory—are limited to physical attacks, which ignores the devastating impacts of cyberattacks. Section II.A explores the foundational principle of state sovereignty and how the cybersphere finds its place within this concept. Sections II.B and II.C turn to the non‑intervention principle and the use of force doctrine and focus on how these principles as developed by state practice, treaties, and caselaw make analyses of cyberattacks especially difficult. Finally, Section II.D addresses the laws of state responsibility and state attribution and examines how these principles pose problems for the inclusion of cyberattacks principles.
State Sovereignty
The principle of state sovereignty has a long history forming the foundation for the concept of a modern nation‑state and its authority. Sovereignty refers to the authority to control a given unit and be the final decision‑maker over the territory and anything related to it.[70] For example, monarchs are sovereigns because they are the political figure that have the decision‑making power within their borders, hold supremacy to other internal actors, and are only equal to other sovereigns.[71] In 1648, a document named the Peace of Westphalia ended the Thirty Years’ War in Europe and resulted in the concept of Westphalian sovereignty, which provided the foundation for the modern political structure of states and present‑day international law.[72] Prior to this idea of sovereignty, the Holy Roman Empire controlled all regions under its rule, but this power and central authority was then replaced by separate nation‑states resembling states as they are known today. Specifically, Westphalian sovereignty laid out the concept of nation‑states having their own territory, exclusive power over everything and everyone within their borders, and the right to be free from intervention from other nation‑states.[73] Before the twentieth century, states operated under this notion of absolute sovereignty that shielded them from intrusion from any external source—including international law.[74] Operating without a collective treaty or consensus among states, international law at this time mainly consisted of separate, bilateral duties and obligations between states under treaty or derived from rules of customary law.[75] These more traditional principles still inform the principles of international law, even though there was a shift to a more cooperative framework.
The twentieth century marked a turning point for the evolution of sovereignty and self‑determination.[76] After the end of World War II, international law developed with an eye toward facilitating cooperation between sovereign states, in contrast to the traditional norm of states merely coexisting with one another.[77] After decades of war between states who did not cooperate with each other toward a common ideal[78] and only looked inward toward their domestic needs, the devastation of World War II is viewed to have led to the “taming” of the traditional Westphalian sovereignty concept.[79] States began developing the framework we know today that recognizes each country’s responsibility to a global community of humanity, rather than only concerning themselves with conduct that serves their own objectives for their territory.[80]
To further this effort of squaring state sovereignty with international cooperation, the creation of international organizations demonstrates the adaptation of international law to consider not only other states but non‑state actors and individuals as well.[81] For example, the United Nations (UN) was created to uphold international law, maintain international peace and security, and protect human rights.[82] In order to achieve these objectives, the United Nations and other international organizations have the authority to form binding treaties under international law[83]—an authority only previously allowed to states—which is often viewed as a restriction on sovereignty.[84] However, this authority was granted to the organizations by the states themselves using their sovereign power, which allows for these bodies to function as lawmakers in the international legal order.[85] Thus, the UN Charter and other international instruments reflect foundational principles that states must adhere to, as agreed upon by states.[86] The UN Charter relies on sovereignty as the necessary prerequisite to the objectives imposed on Member States.[87] Sovereignty, then, is the glue that holds the modern international system together. Therefore, although sovereignty was not adapted to modern geopolitical needs of collaboration until relatively recently,[88] it was, in fact, capable of adaption. The rise of the cybersphere requires reexamining sovereignty once again.[89]
Sovereignty goes hand in hand with respect for territorial integrity of a state;[90] however, this is precisely the problem with cyberspace. Territorial integrity is the physical manifestation of sovereignty, which speaks to the authority to control and govern within a given territory and within geographical borders.[91] Therefore, violations of sovereignty are most commonly associated with invasions across borders and into a state’s territory by land, sea, or air.[92] As the internet exists outside territorial borders, a state cannot control online interactions as the sovereign in the same way it can for any other activity under its authority or physically within its territory.[93] As a result, cyberspace is controlled not just by sovereign states, but by global corporations and internet service providers, like Google, that operate the systems on which cyberspace exists; since they are not nation‑states themselves, these corporations should be subordinate to states in the international system.[94]
To account for this reality, there have been attempts to create definitions that link internet conduct with the physical spaces the conduct takes place from.[95] By doing so, states can be held responsible when such physical space is within their jurisdiction.[96] First, the physical aspects of cyberspace (namely physical equipment, computers, and cyber infrastructure) are located within a state’s territory, and these tangible objects are owned by governments, companies, and individuals that must be under the authority of a state by law.[97] Second, transactions in cyberspace occur between individuals in different territorial jurisdictions; for example, a person in the United States can pay a person in France over the internet, which ties that transaction geographically to the states from which the users logged on. Lastly, cyber activity can cause tangible and intangible effects in a state, ranging from social, political, to economic consequences. For instance, if a scammer from the United States drains the bank account of a Canadian individual, doing so may bring the cyber activity under the sovereign authority of Canada for the impact on a national within its borders.[98] Despite these efforts, however, there are still ongoing difficulties in pinpointing where cyberattacks originate. Sophisticated cyber actors can utilize a wide breadth of possible reroutes to hide the location of their activity or take advantage of other technological advances that make pinpointing challenging.[99] Accordingly, these circumstances mean that we must look beyond the physical aspects of cyberspace as a solution and instead examine the governing sovereignty principles themselves.
The Non‑Intervention Principle
As laid out in traditional definitions of Westphalian sovereignty discussed above, a state has authority over its territory free of intervention from any other states. The right to be free from intervention, known as the principle of non‑intervention, is fundamental in international law and operates as a corollary of sovereignty, as it details the rights and duties state sovereignty impose.[100] Specifically, non‑intervention dictates that a state should not intervene in the affairs of other states and prohibits physical intervention into territorial boundaries and interference in the internal affairs of a state.[101] This principle is viewed as “a corollary of every state’s right to sovereignty, territorial integrity and political independence,”[102] such that non‑intervention signifies the main defense of sovereignty.[103]
Article 2(7) of the UN Charter alludes to this principle, providing that nothing in the Charter “shall authorize the United Nations to intervene in matters which are essentially within the domestic jurisdiction of any state.”[104] Although the International Court of Justice (ICJ) noted that the principle of non‑intervention is not explicitly spelled out in the UN Charter, the Charter itself was not intended to embody the written confirmation of every principle of international law in force.[105] The non‑intervention principle is widely recognized as a rule of customary international law, which are binding yet often unwritten rules determined by actual state conduct.[106] The ICJ found a violation of the non‑intervention principle includes two factors: (1) an interference with a state’s internal or external affairs and (2) that the interference be coercive in character.[107]
The ICJ’s key precedent on the non‑intervention principle comes from the 1986 case Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States). In this case, the ICJ addressed how the United States provided financial support, training, weapons, intelligence, and logistical support to an anti‑communist paramilitary group (the Contras) for purposes of overthrowing the Nicaraguan government in the late 1970s to early 1980s.[108] The ICJ held that the United States intended to coerce Nicaragua by supporting and assisting the Contras, which constituted an intervention in Nicaragua’s internal affairs. This amounted to a clear breach of the non‑intervention principle, regardless of the political objectives of the state giving support.[109] In its analysis, the court interpreted that the principle of non‑intervention:
[F]orbids all States or groups of States to intervene directly or indirectly in internal or external affairs of other States. A prohibited intervention must accordingly be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones. The element of coercion, which defines, and indeed forms the very essence of, prohibited intervention, is particularly obvious in the case of an intervention which uses force, either in the direct form of military action, or in the indirect form of support for subversive or terrorist armed activities within another State.[110]
In addition to providing a general framework on the definition of prohibited intervention under customary international law, the ICJ also found that under international law, there is no general right of intervention to help oppose another state’s affairs.[111] While the ICJ emphasized coercion as an essential part of prohibited intervention, it did not explicitly define coercion’s meaning.[112] Since this decision, the scope of non‑intervention has been subject to debate: This debate focuses on whether that scope is limited to armed or physical coercion, as highlighted in Nicaragua, or if it could include nonphysical forms of interference, such as economic acts.[113]
In the West, the prevailing view is one of more limited scope, where armed or physical intervention is prohibited while other kinds of interference are allowed, effectively adopting the narrower interpretation of coercion from Nicaragua.[114] This interpretation permits Western states to pursue actions that exert influence over the affairs of states in the developing world as long as they steer clear of physical, armed intervention.[115] This approach is especially poignant given the facts of Nicaragua itself, in which the United States pursued its foreign policy goals by attempting to overthrow a Latin American government in the name of stopping the spread of communism.[116] In fact, this is an ongoing phenomenon that continues into the twenty‑first century with U.S. actions in South American countries such as Venezuela.[117] By not including other acts such as economic interference in the Western definition of “intervention,” the non‑intervention principle has developed a pattern that seems to favor or protect Western influence, as discussed in Part III.[118]
Despite the attempts to separate non‑interference and the higher threshold concept of non‑intervention, the terms are often referred to interchangeably.[119] Prior to the Nicaragua decision, the United Nations adopted the Declaration on the Inadmissibility of Intervention and Interference in the Internal Affairs of States.[120] The Declaration clarified that in addition to the use of force or other military action, prohibited intervention includes acts of economic or political nature that aim to influence domestic affairs within a state.[121] The Declaration defines many nonphysical acts that would be considered prohibited intervention. However, the international legal community views this instrument as explicitly unreflective of customary international law and thereby nonbinding.[122] With the ICJ’s subsequent ruling in Nicaragua limiting prohibited intervention to physical coercion and the lack of customary status for these other types of interference, the Declaration is all but ignored while the ICJ’s definition remains the dominant view on non‑intervention.[123]
The tendency under international law to require coercion for violations of the non‑intervention principle is especially important in the context of cyber operations. Cyberattacks could be considered prohibited intervention if they are found to involve, as discussed, a coercive element. Without a clear definition of “coercive element” and years of scholarship debating whether it requires something physical,[124] it is hardly a clear‑cut solution, especially given that a physical element would exclude most cyber operations. However, while murky, coercion is a lower threshold to pass than is necessary for the use of force.[125] Cyber operations in that gray area could find a foothold in that analysis rather than needing to show armed conduct. In any case, despite the comparative “ease” of using the non‑intervention principle, analyses of cyber operations typically fall under the prohibition on the use of force doctrine.[126]
The Use of Force Doctrine
In addition to non‑intervention, Article 2(4) of the UN Charter declares that states are prohibited from using force against other states.[127] Article 2(4) dictates “All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state.”[128] In general terms, the use of force is understood to prohibit traditional military or armed means directed against the territory of another state.[129] Both intervention and the use of force can be violative of state sovereignty.[130] While intervention refers to a variety of acts that infringe on a state’s authority over its domestic affairs and territory, the use of force is taken more seriously as a more specific subcategory falling under this umbrella.[131] The use of force is typically considered an act of war on behalf of one country against another. Therefore, its definition is more limited in scope, and international law requires restrictions on declaring an action the use of force due to its grave implications.[132]
To date, there has been no expansion of the use of force doctrine beyond acts that constitute armed conduct. There is only one exception in Article 51 of the UN Charter that allows for states to use force in self‑defense against an attack from another state.[133] The 1996 ICJ Advisory Opinion Legality of the Threat or Use of Nuclear Weapons came close; there, the Court interpreted Articles 2(4) and 51 of the UN Charter to apply to any use of force, regardless of the weapons used.[134] While the Court did not provide a concrete definition of the use of force, it specified that the UN Charter “neither expressly prohibits, nor permits, the use of any specific weapon, including nuclear weapons,” which slightly expanded the definition beyond traditional means of warfare if “weapons” is interpreted broadly.[135] Five years later, states and the United Nations echoed the ICJ’s view in finding planes to be a weapon under this definition following the terrorist attacks of September 11, 2001.[136] However, the extent of any clarification on the definition of force has only been to include planes as nontraditional weapons and continues to apply narrowly to armed, military, and physical acts.[137]
As cyberattacks are not physical armed attacks fitting squarely under the ICJ’s definition of use of force, the current interpretation of the doctrine makes it difficult to analyze cyber operations under international law. Despite the lack of a rigid definition of force in Article 2(4), with the formulation of the UN Charter, various treaties, international court decisions, and scholarly opinions, the international legal community clearly rejected including economic or nonphysical forms of aggression within the scope of the prohibited use of force.[138] The Vienna Convention on the Law of Treaties (VCLT) dictates to look at the “ordinary meaning” of a term,[139] and for the term “force,” this emphasizes the physical aspect of force by way of an almost scientific, physics‑based definition of kinetic energy.[140] Put simply, kinetic energy is action and reaction, such that an act be physical as to cause a tangible and physical consequence.[141] Using this mechanical approach, armed attacks are kinetic and therefore constitute prohibited uses of force; on the other hand, nonphysical actions like cyberattacks do not cause an immediate physical result and thus would fall short of the doctrine’s reach.[142] Under this traditional view, reflected by UN treaties and the ICJ, the use of force necessarily constitutes an intervention. But not all acts of intervention constitute the use of force.[143]
As other forms of intervention and coercion became geopolitical tools of influence,[144] the ICJ and other international tribunals recognized the need to differentiate acts that fall below the threshold of the use of force under the UN Charter through cases like Nicaragua—yet, these tribunals still chose to emphasize the physical aspects.[145] The ICJ narrowly defined ‘‘indirect’’ force to distinguish between indirect acts that constitute prohibited interventions versus indirect acts that rise to the prohibited use of force.[146] The main factor that escalates an indirect act from merely an intervention to the use of force is the causal chain to an armed act.[147] For example, training and providing weapons to an armed group that proceeds to carry out a physical attack could rise to the level of the use of force when such an attack results in physical consequences.[148] To illustrate this concept, if the United States armed and trained the Contras to specifically carry out an armed attack on the Nicaraguan government, doing so would qualify as the use of force due to the causal chain of the U.S. actions. However, merely funding and providing logistical support to that same armed group without more would only meet the criteria for prohibited intervention, not the use of force, because the acts would not directly result in an attack.[149] While this conclusion does seem to be a logical leap to absolve powerful states from responsibility when they indirectly influence the internal affairs of other states, which will be addressed later in Section II.D,[150] it does highlight that defining the use of force significantly hinges on the physical nature of the attack.
By their nature, cyber operations are bound to fall somewhere between prohibited intervention and the use of force as they do not squarely fit the definition of either.[151] This ambiguity has resulted in significant debate and analysis over the inclusion of such events under the use of force doctrine.[152] Echoing some of the same distinctions made by the ICJ, some scholars point to four unique factors of cyberattacks that distinguish such operations from tangible weapons typically involved in an armed attack.[153] The first differentiating factor is indirectness.[154] There are many possible attacks that manipulate one system indirectly to achieve a “knock‑on effect” from something else.[155] For example, manipulation of satellite systems to send an opposing force’s missiles off target or disabling air traffic control systems involve an act which requires further action to be taken by a second actor or object to achieve the desired result.[156] Where that initiating action is not a traditional use of armed force as is typical of cyber operations, the causal nexus becomes significant.[157] Second is intangibility, which recognizes that components of a cyber operation might not exist in the physical world.[158] Unlike a standard armed attack, the weapon and target involved in a cyber operation may only exist in the digital space.[159] When the target of a cyberattack is a physical entity, it is easier to fit into a traditional framework.[160] On the other hand, cyber operations often produce intangible effects where the target of the attack is information itself, such as an attack on a stock exchange.[161]
The third distinguishing factor is the locus or origin of cyber operations.[162] This refers to the difficulties in ascertaining the origins of a cyberattack.[163] Unlike a missile, or other traditional military weapons, viruses can be routed through several different proxy locations, and therefore jurisdictions, to disguise the true culprit and complicate attribution.[164] The fourth and final aspect is the unpredictable nature of cyberattack results.[165] “Results” refers to the wide range of possible consequences from a cyberattack, such as small‑scale ransomware phishing schemes to attacks that cripple entire systems of critical infrastructure.[166] This wide range poses difficulties for taking a one‑size‑fits‑all approach to recognizing the general term as the use of force.[167] These elements contribute to the hesitancy to categorize cyber operations under the use of force analysis with such clear departures from traditional armed attacks.
In response to these distinctive elements of cyber operations, international legal scholars have developed three main approaches in an attempt to analyze such attacks.[168] The effects‑based approach to cyberattack analysis looks to the impact and scope of an operation’s results as the main determining factor to find the use of force.[169] By focusing on the effects of a cyberattack rather than the means, this approach recognizes the extent of damage such an attack can inflict. Next, the target‑based approach deems any action that seeks to damage a state’s critical infrastructure systems as an armed attack.[170] This approach examines the intent of the attacker to a greater degree.[171] Finally, the instrument‑based approach focuses solely on the weapon used by an attacker in carrying out an operation.[172] If the cyber weapon sufficiently resembles traditional means of attack, the cyber operation would constitute the use of force.[173]
The effects‑based approach is most useful given the unique nature of cyber operations because it recognizes that the results of a cyberattack, and therefore its gravity, varies greatly.[174] However, this approach tends to focus on primarily physical effects of an attack, typically those which result in injury, destruction, and death, while excluding intangible consequences such as economic harms.[175] As most cyber operations intend intangible consequences, these approaches seek to fit cyberattacks within the traditional use of force doctrine by emphasizing any resemblance to traditional armed conflict, rather than adapting to the realities of the modern cyber landscape.
Law of State Responsibility and Attribution
Even if there were no difficulties in categorizing cyberattacks as the use of force, there is still the significant problem of holding states accountable for violating their international duties in the cybersphere.[176] This difficulty stems from the amorphous nature of cyber operations, which allows perpetrators to launch attacks from wherever they want—leaving state actors untraceable and undetected. State responsibility refers to a state’s international liability when it breaches its obligations under international law.[177] In the same way that the creation of international organizations was a reaction to the emphasis on unfettered notions of state sovereignty, so too was the law of state responsibility.[178] Before World War I, state responsibility was seen as against sovereign supremacy, because if the nation state can do whatever it wants, it is responsible only to itself.[179] After the atrocities in the first half of the nineteenth century, state responsibility emerged from the need to respect the rights of other states.[180] With the creation of the UN Charter and the subsequent establishment of various obligations under international law, the institution of state responsibility tries to address the question of what happens when states breach those obligations. Under this principle, a state is responsible for direct violations of international law, including breaches of treaty obligations, customary international law, or the violation of another state’s territory.[181] As summarized by the International Law Commission (ILC) in the Articles on State Responsibility,[182] the “general rule is that the only conduct attributed to the State . . . is that of its organs of government, or of others who have acted under the direction, instigation or control of those organs, i.e, as agents of the State.”[183] As such, sovereign states only bear responsibility for acts and omissions that can be traced to state actors themselves.[184]
The practice of only holding states liable for violations that can be explicitly traced to them is especially important in the context of cyber operations. States often enlist private actors such as hacking groups rather than state officials to execute cyberattacks.[185] Therefore, it becomes harder to establish a nexus between that state and the attack.[186] Per the ILC, to attribute the acts of a non‑state actor to a state, there must be a showing of the “existence of a real link between the . . . group performing the act and the State machinery.”[187] To establish the “real link,” the group must be acting on the instructions, or under the direction or control, of that state in carrying out the conduct in question.[188] International courts and tribunals approach attribution with significant focus on “direction or control” in order to attribute responsibility to states for actions of non‑state actors.[189] In Nicaragua and the ICJ’s 2007 opinion in the Application of the Convention on the Prevention and Punishment of the Crime of Genocide, the ICJ formulated a test to determine when a state becomes responsible for the actions of non‑state actors that carry out attacks on its behalf. In these decisions, the court delineated the concept of effective control, which requires specific and comprehensive control by the state over the activities to find attribution.[190] Under this test, it is insufficient for a state to exercise general control over a group, even if that group has a high dependency on that state.[191] The ICJ’s jurisprudence specified that effective control means that “the State’s instructions were given, in respect to each operation in which the alleged violations occurred, and not generally in respect of the overall actions taken by the persons or groups of persons having committed the violations.”[192] In other words, the state needs to give specific instructions for each action taken. Simple “blanket” instructions lend too much autonomy and decision‑making authority to the actors such that the state issuing the orders cannot be to blame. For example, under this doctrine, a state merely financing a cyber operation, without giving specific instructions on how to carry out that operation, would not be enough to hold that state responsible for the subsequent actions.[193]
In the 1999 case Prosecutor v. Tadić, the International Criminal Tribunal on Yugoslavia (ICTY) further clarified that the effective control test was not sufficient for military‑like groups and formulated a broader, more demanding test based on the “overall control” of a state.[194] Like the name suggests, the overall control test differs from the effective control test in that it is more encompassing of the group’s general conduct rather than focusing on specific instances of state instruction.[195] The ICTY held that situations where states enlist structured military‑like groups—such as paramilitary groups like the Nicaraguan Contras—to carry out cyber operations, courts should apply the overall control test and find such states responsible even where no specific instructions were issued.[196] Given that structured groups likely have their own hierarchy of authority from which to make decisions and take orders, the ICTY found it sufficient to require that the group as a whole be under the overall control of the state.[197] The ICTY reasoned that to find otherwise would mean states could easily shelter behind the lack of specific instructions in order to disclaim international responsibility.[198]
The overall control approach would be the optimal test given that the means of carrying out cyberattacks are often left up to the discretion of for‑hire cyber actors. However, there are two additional roadblocks. First, the ICTY in Tadić reaffirmed the applicability of the effective control test (the need for specific instructions) for nonmilitary groups and individuals.[199] Therefore, as most cyber actors would fall under this nonmilitary structure, the overall control test would not be an available approach in the majority of cases, which leaves only the more stringent effective control test. In practice, this means states can avoid attribution for state‑funded cyber operations just by not giving specific instructions to private cyber actors. Second, even if the overall control test was an available approach outside the narrow realm of militant groups, the ICTY still found that merely financing an operation is insufficient to satisfy both the overall control and the effective control tests.[200] As such, given that the virtual nature of these operations typically requires nothing more from a state beyond financing, governments can evade attribution under both control tests. Although at the time of this Note’s publication there are no confirmed instances of this happening yet, the structure of the state responsibility framework allows for the possibility. For example, a state could give a large check to a for‑hire hacking group for an attack with no further guidance other than ensuring the target state is successfully incapacitated. Under the current principles of state responsibility, despite the fact that the attack would not have occurred without the state’s funding, the lack of specific instructions allows the offending state to wipe its hands of repercussions and evade culpability on a mere technicality.
Taken together, the principles of non‑intervention, the use of force, and state responsibility create an international approach to sovereignty infringements that emphasizes the physicality of attacks. However, whether intended or not, cyberattacks often evade the modern underpinnings of each doctrine and take advantage of the gaps in international law that seem to represent blind spots for the new frontier of cyberspace. Non‑intervention requires an element of coercion that historically has only been given significance when it is physical coercion; the definition of use of force is limited to physical, armed attacks; and the rules on state responsibility require a high degree of state control over private actors that is antithetical to the nature of cyberattacks. The weaknesses in applying these doctrines to cyberattacks are clear. These shortcomings, and how they developed to focus on physical outcomes and limited state responsibility, disadvantage developing states on a global scale.
The Cyber Problem for Developing States: Taking Advantage of Security Vulnerabilities and Blind Spots in International Law
From the position of developing states, the advent of the cybersphere offers a double‑edged sword. On one hand, the universal vulnerabilities of network systems make cyber operations a threat to any state, regardless of its geopolitical power and security—which could level the playing field for developing states. On the other hand, despite this leveled playing field, cyberattacks can wreak far more havoc on critical infrastructure and economic systems in developing nations than they can in more powerful countries.[201] In addition, developing states also typically lack the resources to develop robust cybersecurity systems without assistance from other states and international organizations.[202] Altogether, developing states are especially vulnerable to cyber intervention and are at a disadvantage when compared to their developed counterparts. Section III.A examines the potential Western bias in international law that, in the context of non‑intervention and the use of force, leaves gaps for the interests of developing states. Section III.B then turns to disparities in cyber capabilities that leave the developing world beholden to Western powers or, at the very least, vulnerable. Next, Section III.C expands upon these ideas by examining cyberattacks in Costa Rica. This example showcases the damage a cyber operation can inflict—an action that would be an act of war in other circumstances. Finally, Section III.D addresses strengths and weaknesses of the current efforts in the international community aimed at cyber operations.
Consequences of Bias in International Law
In the aftermath of the world wars, the formation of modern international law mainly consisted of efforts and international actions by the prevailing global superpowers.[203] While the UN Charter guarantees equal sovereignty between all Member States,[204] the perspectives forming these principles are often subject to criticism. Scholars have argued that the UN Charter is biased in favor of Western states—Europe and North America, generally—at the expense of developing ones.[205] To put simply, international relations is produced in “western nations by western authors for western readers,”[206] and scholars similarly find this westward skew is present in international law. As a result, this asserted bias becomes interwoven in the framework for the modern international legal system.
Additionally, construction of the use of force and the non‑intervention principles’ deemphasis on economic coercion could similarly have Western bias. Following decolonization in Latin America, Asia, and Africa, Western powers exerted indirect control over these former colonies via economic, financial, and cultural means, coined as neocolonialism.[207] These indirect tactics became especially useful in the Cold War context as the United States and the Soviet Union poured economic and military aid into new developing countries to recruit them to either side.[208] Developing states sought to include these indirect measures in the formation of the non‑intervention principle and the use of force doctrine.[209] Yet, these efforts were often overruled by developed states that conveniently benefitted from the continued use of these indirect measures.[210] As a result of this construction, history may repeat itself and shift these indirect measures to the cybersphere.
For example, prior to the adoption of the UN Charter, Brazil and other developing states advocated for the document to include economic coercion or aggression, or both, within the scope of Article 2(4)’s prohibition on the use of force. However, Western states argued against this inclusion and won.[211] By failing to include language broadening the scope of the use of force, the prevailing definition meant that unarmed interventions in other states would not be as grave as the full use of force designation in the eyes of international law. Then, although the UN Member States unanimously passed and solidified the 1970 Friendly Relations Declaration, which supported including economic coercion in the non‑intervention principle, some argue that the vague language of the Declaration explains its unanimity—each state could choose its conception of their meaning without “violating its principles or its interests.”[212] States in the developing world advocated for an expanded definition of non‑intervention, while Western states limited the doctrine narrowly to the threat or use of armed force.[213] When the ICJ later confirmed in Nicaragua that the non‑intervention principle closely resembles the Western‑favored version, finding that non‑intervention required an element of coercion, the expanded definition advocated by Brazil was all but ignored.[214]
In another example highlighted by scholars, a debate in the 1970s on defining the scope of the right of state self‑defense emerged along the same lines.[215] The disagreements focused on the meaning of “indirect aggression,” which falls under the use of force umbrella. The Soviet’s draft position aimed to address the then‑increasing use of covert and subversive acts by other states, such as the use of irregulars (private actors).[216] Therefore, the Soviet draft argued that indirect economic aggression should be included in the definition of “armed force.” [217] On the other hand, Western countries advocated for the exclusion of economic aggression to restrict “armed force” to physical acts.[218] This split culminated in two dueling drafts: the Thirteen State Draft on behalf of developing states with an expanded definition versus the Six State Draft written by Western states with a narrower one.[219] Eventually the split was resolved in favor of the Six State Draft, and as a result, indirect economic aggression was excluded from the definition of “armed force,”[220] with many developing countries explicitly expressing disappointment at the narrow conception.[221] As a result, economic aggression was excluded from the definition.
In another example, a 1981 UN General Assembly resolution, the Declaration on the Inadmissibility of Intervention and Interference in the Internal Affairs of States, was drafted with the goal of expanding the principle of non‑intervention to include a specific list of rights and duties.[222] Some of the rights included in the instrument came directly out of the decolonization period, such as permanent sovereignty over national resources and the ability to develop systems of information and mass media without interference.[223] While the resolution was adopted, the aforementioned treaty rights were included in response to Western powers’ conduct toward developing states,[224] so it is unsurprising that the resolution had no support from Western powers.[225] However, despite a common practice to find UN treaties as reflective of customary international law, scholars widely dismissed this resolution as being such, chalking it up to the instrument lacking support from “many states.”[226] However, the vote passed with almost 81 percent of the General Assembly,[227] which begs the question: Is something only considered reflective of binding customary law when Western powers support it?
Similarly, scholars focusing on the nexus between developing states and international law claim that this Western orientation exists as structural bias in international institutions. These scholars purport that the ICJ’s worldview on the legal issues before it is not widely representative such that its’ decisions do not properly reflect the concerns of developing states.[228] This interpretive bias can create blind spots in certain areas—looking at the ICJ’s decision in Nicaragua, this purported blind spot is most noticeable in how the tribunal limited the scope of prohibited intervention to require an element of state coercion, which then excludes many instances of indirect intervention such as mere financial assistance.[229] Scholars argue that this decision, while well‑intentioned, has the inadvertent effect of “marginalizing the concerns, especially of developing states, who are often routinely the target of such sorts of indirect engagements.”[230]
The structural bias toward Western orientation is interwoven in the institutions of international law. As a result, cyber actors reap the benefits when the international legal community narrowly interprets the non‑intervention and use of force doctrines. The narrow scope of these analyses and the sway of Western powers in constructing international norms make it all the more difficult to categorize cyberattacks as violations of state sovereignty—at least under the current understanding.
Cyber Disparities in the Developing World
While state‑sponsored cyber operations are used against developed and developing states alike,[231] developing states often feel their effects on a grander scale.[232] Additionally, the advent of cyberattacks leaves developing countries the most vulnerable to influence from other powers, which can put them in similarly coercive situations they aimed to avoid with an expansive definition of non‑intervention in the first place.[233]
In addition to potential bias in the international legal framework itself, cyber disparities further compound Western dominance of cybersecurity capabilities and expose the comparative vulnerabilities of other states. As internet connectivity has become a top priority in many states to strengthen their economy and raise their geopolitical capital, developing countries are eager to join the fray.[234] However, without strong cybersecurity frameworks, internet access can cause more problems than benefits. The growing cyber disparity between developing and developed nations is mainly a cost issue, as developing state governments are often unable to afford the rising costs of maintaining adequate cybersecurity capabilities, such as securing personnel, technology, and systems.[235] For example, Latin America and Africa self‑reported the lowest number of cyber‑resilient organizations,[236] which refers to an organization’s ability “to anticipate, withstand, recover from, and adapt” to stresses or attacks on systems that use cyber sources.[237] This phenomenon of regional insufficient cyber resiliency is characterized as the “cybersecurity poverty line,” referring to the prohibitive cost of securing robust cybersecurity for an organization in a way that mirrors dynamics of real‑world poverty.[238] The power and capital in the cybersphere, akin to the power structure of international law itself, is in the hands of developed states.
A related concern is how rapid increases in developing countries’ internet access without adequate security measures may exacerbate security issues and put these countries at severe risk of attack.[239] In other words, these countries now have the capability to open the proverbial door to cyberspace and participate in the benefits to economy, cultural influence, and connectedness that lie beyond it. That door is left wide open for actors with bad intentions when a country lacks adequate cybersecurity infrastructure. When there is no framework or institution to prevent it, individuals and governments become easy targets for cyberattacks.[240] For example, the group responsible for the Costa Rica attacks—discussed in the next Section—targets systems that have major gaps in their networks, taking advantage of states trying to strengthen their infrastructure to keep pace with the rest of the developed world.[241]
To account for these deficiencies, developing states may try to work with developed states that have top‑notch cybersecurity frameworks to improve their own. Clearly, collaboration efforts require cooperation between these entities. However, developing states are hesitant to take the measures necessary to strengthen their cybersecurity—such as sharing data and receiving strategies or capabilities from developed states—because they want to avoid “Western imposition” on their governance.[242] While developed states may not have ulterior motives beyond bolstering their economy and enjoying the geopolitical soft power of such an arrangement, this wariness puts developing countries behind. If developing states choose not to improve their cybersecurity, they may still need to align themselves with developed states to safeguard against cyberattacks in the face of their diminished capability to fight them on their own.[243] The president of the UN Economic and Social Council (UNESCO) expressed concern that cyberattacks have potential to trigger interstate conflicts that endanger the entire development process, and “‘[d]eveloping countries, with relatively weak surveillance capacity are most vulnerable to such cyberattacks.’”[244] Therefore, ironically, the backing of a world power as a means of protection potentially signals the vulnerability to other world powers. In other words, aligning with a developed state could turn a cyber vulnerability into a tool at the disposal of its adversaries (like, hypothetically, if Russia attacked Costa Rica with the intent of riling the United States), with physical consequences for the vulnerable states in the middle like Costa Rica.[245]
The inability to develop robust cybersecurity structures, due to lack of resources and hesitant refrain from perceived Western influence, has the inadvertent effect of contributing to the power imbalance between developed and developing nations in the cybersphere. This hesitance may stem from the need to protect domestic affairs from intrusion in the setting of the historical tendency of Western states to exert indirect control over developing states, following the same line of concerns about excluding economic acts and other softer influence from the non‑intervention principle.[246] The broad interpretation of the non‑intervention doctrine desired by developing states should be viewed as customary international law. Doing so would imbue the definition with the same level of binding force as other sources of international law. It would make it easier to contextualize why this is such a critical issue for developing states that must try to keep up with the technological advances in the rest of the world.[247]
The 2022 cyberattack in Costa Rica represents the results of decades of Western bias in the international law system, Western influence in the affairs of developing states, and lack of cybersecurity infrastructure. In 2022, Costa Rica declared a state of emergency following a series of cyberattacks targeting its infrastructure and government services.[248] Conti Group—a prolific malware‑for‑hire gang operating out of Russia—claimed responsibility for the first attacks[249] that targeted the Costa Rican Ministry of Finance, stole government data, and disabled the Virtual Tax Administration and Customs Information System.[250] Two days later, Conti Group took control of the website for the Costa Rican Ministry of Science, Innovation, Technology and Telecommunications before attacking an email server of the National Meteorological Institute to steal information.[251] The group then demanded a ransom of $20 million from the Costa Rican government in exchange for not releasing the stolen information, which included sensitive information such as Costa Ricans’ tax returns and company intellectual property.[252]
Soon after, a second attack from a different actor known as the Hive Group with alleged connections to the Conti Group[253] forced the Costa Rican Social Security Fund to shut down all its critical systems, including its database for health records and collection system.[254] Teachers were unable to obtain paychecks, the tax and customs functions of the state were paralyzed, and health officials were unable to access medical records.[255] This incident disrupted life in Costa Rica for over two months, with President Chaves Robles declaring a state of emergency—“[w]e are at war and that’s not an exaggeration.”[256] In claiming responsibility for the attack, the Conti Group stated it was “determined to overthrow the government by means of a cyber attack,”[257] with no clear motivation other than to extort a ransom payment and cause chaos.
The cyberattacks on Costa Rica bear a clear resemblance to traditional warfare. Without having to consult the specifics of an international treaty, in the eyes of most, having the intent to overthrow a state’s government and carrying out an attack in furtherance of that intention is a declaration of war. If similar acts were ordered upon the United States by Russia, would that not be considered a declaration of war? When it was inflicted upon Costa Rica, its government treated it as such.[258] Even if these attacks would not have been as grave if inflicted on a more powerful country, the Costa Rican government still identified them as acts akin to war—therefore, the international legal community should analyze these acts proportionally.[259] Costa Rica would be unable to bring a claim in international court to prosecute the offenders, as the Conti Group and Hive Group are not states that breached their obligations under international law.[260]
Smaller states do not only experience disproportionate impacts from these cyberattacks but also may be used as pawns for powerful states to advance their geopolitical goals.[261] For example, the United States, Israel, and Spain provided technical assistance and funding to the Costa Rican government to restore its services.[262] The U.S. State Department alone offered a $10 million reward for information leading to identifying persons within the Conti Group, despite the attacks having a minimal impact on U.S. affairs.[263] In light of U.S. foreign policy objectives, the enthusiasm to assist in catching a Russian‑based hacking group could suggest that the United States could have capitalized on the state of emergency in Costa Rica to advance its position against Russia.[264] As some of the biggest perpetrators of state‑sponsored cyber operations—such as Russia and China—are adversaries of the United States,[265] it would be advantageous for U.S. foreign policy to intervene against them. The United States has alleged that countries like Russia rely on hacker groups to conduct operations—in fact, the Conti Group published a statement “declaring their loyalty to Moscow and threatening retaliation against countries that supported Ukraine.”[266] The Nicaragua case was decided at a time where the United States was furthering similar geopolitical goals to fight Soviet influence;[267] U.S. intervention in Nicaragua attempted to overthrow the leftist, Soviet‑backed government to bolster American authority during the Cold War.[268] Without ruling that these actions rise to the level of the use of force or prohibited intervention, countries like Costa Rica are left vulnerable to endure violations of their sovereignty as a potential means to a geopolitical end.
The cyberattack on Costa Rica, its aftermath, and the subsequent involvement from global powers showcases a cybersecurity phenomenon affecting developing states. Decades of Western‑leaning bias favoring developed states culminates in the inability under current international law to characterize this attack as the use of force. The disparity in cyber capabilities between Costa Rica and developed countries left Costa Rica vulnerable. Costa Rica’s lack of cyber infrastructure made the impacts of the attack particularly significant. Finally, the involvement of the United States highlighted the potential of using these attacks as proxies.
The Current Efforts in the International Community
Although the Costa Rica cyberattack makes it appear as though there is no attention paid to this phenomenon, the growing threats posed by cyber operations have not gone without discussion or debate in the international law community. Various international and regional organizations continue to develop guidance for analysts and theorists to begin categorizing cybersecurity risks.[269] The current materials addressing cyber operations under international law come with relative strengths and weaknesses. Section III.D.1 examines the strengths and weaknesses of the UN Cybercrime Convention, addressing the need for cooperation and mechanisms for cross‑border cyber acts. Section III.D.2 then turns to the Tallinn Manual, which specifically recommends guidelines to incorporate cyberattacks under the use of force and sovereignty principles.
UN Cybercrime Convention
In 2025, the United Nations demonstrated its growing commitment to tackle the effects of cybercrime. The General Assembly adopted the Convention Against Cybercrime (Cybercrime Convention), aimed at enhancing “international cooperation, law enforcement efforts, technical assistance, and capacity‑building related to cybercrime.”[270] The main objective of the Cybercrime Convention is a multilateral treaty to prevent and combat cybercrime while strengthening international cooperation. As this is the first comprehensive global treaty in this area and is expected to enter into force within a few years, it is crucial to engage with its strengths and shortcomings.[271] The treaty lays out measures for extradition of suspected cybercriminals, exchange of electronic evidence, and criminalization of cyber‑related offenses.[272] Most importantly for developing states, the treaty also creates a framework to provide technical assistance and capacity building between states.[273]
First, it appears the Cybercrime Convention addresses only cybercrime and not state‑sponsored cyber operations. For example, most provisions address financial crimes or child pornography crimes perpetrated by individuals or other private actors.[274] Therefore, it has no real application to state‑sponsored cyber operations falling short of the use of force. The only mention of a state is as a potential victim, in a one‑sentence jurisdiction clause where the Convention declares that a state has jurisdiction over a cyber offense if “the offence is committed against the State Party.”[275] Interestingly, while the treaty was in negotiations, many developed states sought to remove this subsection altogether.[276] On the other side, many developing states pushed for its inclusion. This debate could demonstrate how developing states, even in the setting of economic cybercrime, view being the target of cyberattacks as more of a threat requiring treaty protection whereas developed states, at the very least, do not consider them a significant risk. Despite its shortcomings, the Convention provides a foundation for the international community to build from as the first treaty of its kind.
Second, at minimum, the Cybercrime Convention demonstrates that the United Nations acknowledges the reality of cyber disparities; the text notes that developing states cannot adhere to obligations under the Cybercrime Convention without expending significant costs compared to developed states with more resources. Specifically, the Cybercrime Convention directs states to develop domestic preventative measures to tackle cybercrime at all levels of society,[277] while also urging international cooperation with other states using technical assistance and economic funding.[278] In the setting of financial and technical assistance being a tool of interference used by powerful states to exert indirect control over developing states in the twentieth century,[279] it is unsurprising that the provisions on technical assistance and capacity building were subject to debate that largely split between developed and developing countries.[280] For example, Article 54(1) of the Convention dictates that states shall consider affording one another technical assistance and capacity‑building by “taking into particular consideration the interests and needs of developing States Parties.”[281] The United States advocated for removing language referring to “the interests,”[282] which may be reflective of concerns about Western bias in international law where countries like the United States at times ignore the interests of developing states to further their own.[283]
While the Cybercrime Convention is a milestone as the first legally binding international treaty addressing cyber operations, it is also criticized as overly broad in scope and vulnerable to misuse in human rights contexts.[284] Most of the debates during the negotiation process centered around the definition of “cybercrime,” with states like Russia and China pushing for definitions that included content‑related crimes like disinformation, extremism, and subversion.[285] However, human rights experts warned that these definitions would allow authoritarian regimes to use the treaty to prosecute political dissidents and curb freedoms of expression.[286]
Similarly, deference to domestic laws and definitions under the Cybercrime Convention is subject to comparable misuse. For example, private data sharing to assist in surveillance for “serious crimes” did not adopt a universal definition of the term, such that states can share private data and increase surveillance on citizens within their own purview of ‘‘serious.’’[287] As a result, experts point to a “high likelihood that the powerful global cooperation tools the treaty creates will be abused.”[288] Similarly, the convention calls for judicial review for states to justify surveillance efforts but defers to domestic law to examine that investigatory power when many states’ domestic laws do not meet international human rights standards.[289]
In no way does this Note take the position that international cooperation should be discouraged or not pursued whenever possible. However, international cooperation coupled with human rights concerns or neocolonialist influence may be problematic. If powerful states provide widespread technical assistance to developing countries, it may cause the latter to become dependent upon the former. Some experts express concerns that the same developing states supposedly benefitting under the treaty are most vulnerable to the “UN‑washed requests from authoritarian governments.”[290] For example, the executive director of the Global Network Initiative expressed concern that the Russian government will misuse the convention to exploit the international acceptance of the Cybercrime Convention’s language and make demands from developing countries with weaker application of the rule of law.[291]
Much like the indirect tools of influence wielded over developing states in the second half of the twentieth century, there is widespread concern that adopting the Convention may permit developed countries to expand that influence into the cybersphere. All in all, the Cybercrime Convention is a first step that showcases how far the international legal community still has to go to robustly and effectively address cyber operations.
The Tallinn Manual
The Cybercrime Convention does not address state‑sponsored cyber operations that would warrant analysis under the non‑intervention principle or the use of force doctrine. Nor does the Convention attempt to define when cyberattacks constitute violations of sovereignty.[292] The Tallinn Manual (the Manual), on the other hand, is one of the most crucial research initiatives addressing cyber operations under principles of sovereignty, state responsibility, the law of war, and international humanitarian law.[293] Initially published in 2013, the Manual is the first comprehensive attempt to analyze the application of international law to state‑sponsored cyber operations. At the request of the NATO Cooperative Cyber Defense Center of Excellence (CCDCOE) located in Tallinn, Estonia, an international team of legal scholars compiled the instrument, representing the personal views of the authors as a guidance document for the legal community.[294] The second version of the Manual, released in 2017, assesses how international legal principles can be applied to malevolent cyber operations that do not rise to the level of an armed attack.[295]
One of the first rules in the Manual establishes that the principle of sovereignty applies to cyberspace and declares that “[a] State must not conduct cyber operations that violate the sovereignty of another State.”[296] Beyond this, the Manual does little to offer clarification on which cyber operations would constitute the use of force beyond the traditional concepts. The Manual merely states that a cyber act is the use of force when it is comparable to a noncyber act that rises to the use of force threshold—ascribing to the same general and circular language of previous analyses.[297] Thankfully, the Manual does establish factors to be weighed when determining if a given cyber act is the use of force. These factors include: (1) severity, (2) immediacy, (3) directness, (4) invasiveness, (5) measurability of effects, (6) military character, (7) state involvement, and (8) presumptive legality.[298]
Several of these factors do little to analyze cyber acts beyond the traditional use of force analysis. Without considering cyber operations as unique acts requiring a different approach, these factors inadequately advance the analysis.[299] However, the Manual acknowledges that the most important factor would be severity, which looks at the degree of impact of the cyber operation. The Manual establishes severity as a de minimis element, such that acts resulting in physical harm to persons or property will always be the use of force, whereas acts that merely result in annoyance will never be.[300] The cyber operations in the middle, as noted by the Manual, require a more extensive analysis. If this idea seems familiar, it is—the Manual echoes the difficulties with the gray area below the threshold of war, without offering new solutions to advance these positions.
The Manual’s rules also apply the doctrine of state responsibility to cyber activities. The Manual holds that states do bear international responsibility for cyber‑related acts that are attributable to their governments. Under the Manual, such acts constitute breaches of international legal obligation.[301] The Manual finds that when non‑state actors carry out cyber operations pursuant to a state’s direction or control, that state is ultimately responsible.[302] This view follows the approaches from Nicaragua and Tadić emphasizing effective and overall control as codified in the ILC Articles on State Responsibility.[303]
Unfortunately, by continuing to follow the interpretations from Nicaragua and Tadić, the Manual also includes those cases’ narrow language suggesting that states would not be responsible for harm from cyberattacks perpetrated by private groups only by providing financing for the operation.[304] While the Manual does acknowledge that it would be the use of force if states provide private groups with malware and training necessary to carry out cyberattacks, reflecting the effective control standard, financing alone would be insufficient to find that state responsible.[305] As addressed above, this does little to address the vast majority of state‑sponsored cyber operations where states pay proxy actors for the exact reason that they have the technical expertise or malware that a state lacks.
While the Manual is considered one of the most important guidance documents addressing cyber operations in the context of the use of force, non‑intervention, state sovereignty, and state responsibility, a common critique of the Manual is that it merely restates the customary international law on the various principles underlying jus ad bellum.[306] Despite the Manual’s discussion of these rising cyber issues, merely taking the traditional principles and declaring them applicable to cyberattacks does little to provide clarification or expand traditional norms to meet the changing technological landscape. The Manual is hesitant to define potentially catastrophic attacks outside the traditional framework, instead likening everything to conventional warfare. Even where the Manual does call for cyber operations to be considered the use of force, nothing need be done. As a guiding document, even the most helpful rules are not binding on actors under international law.
All in all, the way in which the international legal system developed did not prioritize the needs of developing states, and the cyber disparities exacerbate this problem. Costa Rica exemplifies this phenomenon. The current efforts pertaining to cyber operations and the use of force do not adequately address these pitfalls for not only developing states but for everyone’s sake. The unwillingness to truly challenge the assumptions of these doctrines of international law does not just make it difficult to analyze cyberattacks—it makes it difficult to better the position of developing states.
Recognition of Cyber Operations as Incursions on State Sovereignty
The increasing prevalence of cyber operations requires a different approach to the definitions of the use of force, non‑intervention, and state responsibility not yet incorporated under international law. So far, current efforts merely carve out niches for different types of cyber operations without adapting the elements of the use of force and non‑intervention analyses for the realities of the digital world.[307] This tendency not only leaves a gap for disastrous cyberattacks to occur—it also perpetuates Western biases that ignore developing states’ concerns about undue influence into their affairs. As a result, once again, international law leaves these states most vulnerable.[308] Part IV argues for an expansion of the use of force doctrine to include nonphysical harm, damage to critical infrastructure, and economic harms stemming from state‑sponsored cyberattacks.
Expanding Use of Force Definitions
The use of force doctrine should be expanded to account for the significant impacts that state‑sponsored cyberattacks could wage on states, despite these impacts not being the physical destruction akin to traditional warfare. First, there should be an inclusion of cyberattacks targeting or impacting critical infrastructure, and second, an inclusion of economic harms.
Expanding the Use of Force to Other Nonphysical Harm: The Recognition of Cyberattacks on Critical Infrastructure as Prohibited
The first way in which the definition of the use of force could expand to account for cyber operations would be to include attacks that target and cause damage to critical infrastructure. States have already agreed to norms around responsible behavior in cyberspace, specifically norms regarding critical infrastructure.[309] In fact, a UN working group specifically urged states not to conduct or knowingly support cyber activity that intentionally damages or impairs the use and operation of critical infrastructure (coined by the UN working group as “norm (f)” by way of its place in a list of recommendations).[310] While this guidance is generally viewed as nonbinding,[311] it recognizes that cyber operations have the unique ability to damage systems that tangentially result in more harm. Given a society’s dependency on these systems—like power grids, health care and financial systems, and transportation networks—targeting or otherwise impacting critical infrastructure should constitute the prohibited use of force.[312]
This Note argues that the norms on state behavior should condemn cyberattacks on critical infrastructure as the prohibited use of force, recognizing the nonphysical harm perpetrated by such operations. Like the commentary to norm (f) suggests, for an act to be deemed a violation, it must intentionally damage, intend to cause damage, or otherwise impair the use and operation of critical infrastructure to provide services to the public.[313] Application of this concept to expand the definition of the use of force would open the door to include nonphysical acts more generally under the doctrine. To illustrate this concept, one can look to Costa Rica. If analyzed under traditional concepts of the use of force, the analysis would focus on the physicality of the attack and point to the lack of physical destruction, physical injury, and armed weaponry.[314] As the Conti Group did not use this cyber operation to send missiles or execute an otherwise armed attack, this catastrophe would not meet the threshold of force despite throwing Costa Rica into a state of emergency.[315] The emphasis on physicality is clearly underinclusive—it did not result in physical injury or death of human beings itself, but Costa Ricans were heavily impacted.[316] However, if the use of force analysis focused on the Conti Group’s targeting of critical infrastructure and the successful impairment of that infrastructure, Costa Rica’s turmoil would be properly legitimized as the grave, prohibited use of force that it was.
In addition, recognizing the need to protect critical infrastructure or necessary services would help alleviate Western‑leaning biases, as the definition of these services varies from state to state.[317] In other words, considering the impacts of a cyberattack on a country’s necessary services could make it easier to find uses of force from the perspective of the target state. This shift would incorporate the perspectives of developing states and be a first step to leveling the playing field and giving weight to developing states in this arena. Once again looking to Costa Rica, if the attack were to be viewed through this lens, Costa Rica would demonstrate the necessity of its social security fund to the functioning of the country’s health care systems, wage distributions, and social welfare programs to show how the Conti Group targeted essential services with the intention of disabling them.[318] By considering what the victim state deems to be a necessary system or critical infrastructure, developing states can advocate for themselves without having to solely lean on definitions that may have a Western‑leaning bias and are therefore not representative of the definitions of all states.[319]
The threshold for force in this context, rather than automatic exclusion under traditional doctrine, would be a case‑by‑case evaluation. A case‑by‑case analysis alleviates the concern of making the use of force too broad and ripe for abuse. For example, there is the risk that a state could overemphasize the necessity of a system or deem something critical infrastructure to take advantage of this new consideration.[320] However, this risk is minimized when it is possible to consider a state’s intentions and weigh them against the real effects of a cyberattack. As such, factoring in critical infrastructure as a main element under the use of force analysis for cyberattacks would adapt this doctrine to account for the frequent use of this overemphasis of a service’s domestic importance. On the other hand, a case‑by‑case basis means that states would not be able to rely on a consistent threshold definition to plan their actions in compliance with international law. While a valid concern, the current framework, or lack thereof, is more unpredictable. A case‑by‑case approach offers structure in this vacuum.
The Expansion of the Use of Force Doctrine to Include Economic Harm
Another way to expand the use of force doctrine would be to include economic harms. Under the effects‑based approach to analyzing cyberattacks as the prohibited use of force—which looks at the effects of a cyberattack—the inclusion of economic harm is more controversial.[321] Economic damage is common with most cyber operations, even smaller cybercrimes, and there should understandably not be a blanket inclusion of any cyber operation that has economic impact. Turning to the more serious instances targeting a state itself, however, the hesitation to consider economic damage[322] ignores the majority of cyberattacks. For example, the Tallinn Manual itself refuses to address whether an attack on a stock exchange would be the use of force.[323] However, economic harm has significant potential to eventually result in physical injury and damage, as seen in Costa Rica.[324] The inclusion of economic harms would recognize the severity of such events.
Additionally, the inclusion of economic harm would account for the reality that cyber operations of equal magnitude could cause a brief financial dip in a powerful country but trigger a financial crisis and state of emergency in a smaller state. For example, Canada experienced an unsuccessful cyber operation targeting their financial reporting systems that barely made international headlines.[325] There was no resulting widespread economic harm, whereas Costa Rica was incapacitated for months with crippling damage nationwide.[326] Economic damage as a qualifying effect under the use of force analysis would recognize the harm perpetrated by cyberattacks and consider the state‑specific proportionality of that harm. The specific quantitative value given to that damage could then be decided on by the international legal community and take the economic situations of each state into consideration.
Furthermore, the concept of force in Article 2(4) of the UN Charter does not include economic coercion, which occurs when countries utilize economic pressure to exert force on a different state. This exclusion may be part of the reason why the international legal framework is hesitant to include economic harms within the effects‑based approach. Once again, these shortcomings may all trace back to the methods developed states employ to exert influence on developing states. When evaluating this counterpoint, there is an ongoing concern that the evaluation of economic harm effects within the use of force doctrine would open the door to look at economic statecraft—these economic methods like lending, foreign assistance, sanctions, and trade agreements most often used by powerful, developed countries as a means of international influence.[327]
However, to separate the two, situations where countries use economic statecraft that may result in economic harm toward target states (which, although beyond the scope of this Note, is worth discussion) are far different than when economic harm stems from a cyber operation.[328] Nowadays, the type of institutional economic influence that developed countries exert on weaker states is a result of development treaties and other contractual matters.[329] While these types of projects could eventually result in economic harm by indebting states to others, those consequences result from some form of consent between states—whether it be via contract or otherwise—such that they are not typically found to interfere with sovereignty.[330] Of course, that is not to say that economic influence cannot be coercive or take advantage of developing states. Historically, it has and will likely continue to impact these countries. Cyber operations, however, constitute a different kind of economic harm where one act has the potential to disable an economy, which interferes with the internal affairs of a state and violates sovereignty in a more immediate way. If a state were to bomb a stock exchange building and devastate an economy, it would beget the same economic harms as an attack conducted at the cyber level, yet only the former would be deemed a prohibitive use of force.[331] By taking economic harm into consideration, a cyberattack could be recognized as just as violative of a state’s sovereignty.
Expanding Attribution
There should be an expansion of state attribution principles to adapt to the unique nature of state‑sponsored cyber operations. First, there should be a relaxation of the control approach to state responsibility, and second, there should be a greater use of public attribution to deter such attacks.
Relaxing the Control Approach to Account for Non‑State Cyber Actors
Even if a cyberattack qualifies as the use of force using the doctrine’s expanded definitions described in Section IV.A, the next roadblock to qualifying such operations as incursions on state sovereignty is the difficulty of attribution. Currently, the effective control test is the key analysis in determining whether to hold a state accountable for a private actor’s conduct. As it stands, this test considers the issuance of specific instructions, beyond mere financing, to be met. This Note argues that the modern test is not sufficient for cyber operations and should not require that a state gives specific instructions to attribute cyberattacks to the state.
With traditional physical attacks, one can consider where the attack originated, where an actor is based out of, or which state executed the plan in order to determine what state is responsible. Unfortunately, cyberattacks are notoriously difficult to trace to one source or location because of the ease with which a country can route operations through multiple locations and jurisdictions.[332] The reality of these operations gives private cyber actors significant autonomy over the means of an attack with the mere financial backing of a state. As addressed above in Section II.D, the ICTY in Tadić, when deciding whether the individuals accused of crimes against humanity were acting at the behest of a state, expressed concern that requiring specific state instructions to attribute acts to that state may allow countries to circumvent responsibility by purposely issuing vague directives.[333] Applying this rationale to cyber operations, states could take significant advantage of this argument by leaving the technical execution of a cyberattack to the “experts.” To account for this possibility, even when there are no specific instructions given to a private actor, financial assistance should be sufficient for state attribution. Unlike in other boots‑on‑the‑ground contexts—such as the circumstances surrounding the Nicaragua case where there was aid to a paramilitary group—in the cyber realm, financial assistance is often the only action a state need take, which then should be enough to find that state responsible for the actions of another party. Some scholars highlight the “attribution asymmetry” of cyber means in comparison to conventional weapons,[334] where cyber operations can disable financial systems, defense systems, and other critical infrastructure without an actor leaving their computer.[335] Therefore, unlike physically arming individuals or nonmilitary groups, providing a group with the financial means to execute a cyberattack, even without providing specific guidance, is sufficiently serious to internationalize a conflict.[336]
This is especially true with the rising popularity of for‑hire hacking groups.[337] The low barrier of entry in this market for cyber capabilities has created a robust industry that merely requires payment for hackers to carry out attacks, and states are among their star customers.[338] Using the example of Costa Rica, if the Russian government paid the Conti Group, a known for‑hire cyber actor,[339] and instructed it to carry out the attack on Costa Rica, that payment is the equivalent of putting a weapon in its hands and giving the green light to pull the trigger. The Conti Group explicitly stated its intent to overthrow the Costa Rican government[340]—if it was funded by a state to do so, a technicality under the effective control test should not allow that state to avoid responsibility for a virtual act of war.
Encouragement of Public Attribution as a Deterrent
In addition to relaxing the control test, public attribution of cyberattacks is another tool that could encourage the development of norms under international law. A public attribution is the public declaration or announcement to the world attributing a state as a perpetrator of a cyberattack.[341] Internationally coordinated attributions in the past decade include naming North Korea in the WannaCry attack and Russia in the NotPetya attack.[342] While there is no specific evidentiary threshold for public attribution, most states find the need for a sufficient level of confidence or reasonableness before making such a public decision.[343] However, leaving states the discretion to decide how much evidence is required before attributing a cyber operation to a different country likely contributes to international hesitancy to conduct such investigations and find countries responsible at all. Many developing states are hesitant to name global powers as responsible for attacks out of fear of retaliation, which is a common sentiment for countries that often have to depend on these large states.[344] To add to that hesitation, the current international system does not have guardrails prohibiting the type of retaliation that would likely result (i.e., soft influence, geopolitical tension). Under the customary international law rules of state responsibility, “[a] state must make full reparation for any injury caused by an illegal act for which it is internationally responsible.”[345] When developing states like Costa Rica fall victim to state‑sponsored cyber operations and fear retaliation, to pursue remedies under the attribution framework is risky because there is no obligation under international law to require action or remedy by that offending state.[346] Encouraging public attribution could become an avenue of redress to at least shame offending states for their conduct and put other states on notice[347] but is practically difficult to explore, and the costs might outweigh the benefits.
Altogether, there are multiple ways in which international law could adapt in response to the realities of state‑sponsored cyberattacks so that developing states can obtain some level of recognition for these violations of their sovereignty. Solutions could include adopting one or all of the above suggestions. These include incorporating critical infrastructure (both targeting of, impact to, and local necessity of) as an element in the use of force analysis. Another related avenue is the inclusion of economic harms in the use of force doctrine. More broadly, relaxing the control test to state responsibility such that specific instructions are not required for attribution of cyberattacks is worth consideration despite potential hurdles in implementation. Finally, designing a system promoting public attribution of cyberattacks to put pressure on states to be responsible for their actions is another meaningful approach to this issue facing the international community.
Conclusion
Cyberattacks require more broad recognition as incursions on state sovereignty than the international law community is currently willing to recognize in order to properly account for the significant consequences these operations can, and could have, on developing states. The gaps that this Note describes in the principle of non‑intervention and the prohibition on the use of force allow cyber operations to continue, despite having similar intent, motivations, and consequences as war. A prohibited intervention requires coercion, which is undefined and interpreted to solely refer to physical actions. Similarly, the use of force definition extends solely to physical attacks, and in the rare case an attack is not physical, the use of force analysis only looks at physical consequences. While the international community is hesitant to categorize nonphysical impacts of cyber actions under these international law principles, the economic, structural, political, and physical damage a cyber operation can do, and has done, is often akin to conventional armed conflict. At the expense of developing states, the cyber landscape takes advantage of the international legal framework’s avoidance of defining nonmilitary influence as intervention or force. In the twentieth century, the nonphysical interference into the affairs of developing states by global powers was packaged as permissible influence under international law. Now, the same tactics are subject to abuse with the same, unchanged doctrines.
At the time the UN Charter was drafted, armed military attacks were some of the only means of using force against other states. Now, the cybersphere has made it possible to outsource such efforts and destabilize other countries without having to fire a gun or drop a bomb. Without modifying the existing framework for the changing reality, cyber actors will continue to weaken global systems and wage the consequences of war on states and their citizens without having to leave their desks.
* Associate Editor, University of Colorado Law Review, Volume 97; J.D. Candidate, University of Colorado Law School, Class of 2026; B.S. in Foreign Service and International Politics from Georgetown University. I extend my deepest appreciation to my peers on Colorado Law Review for their efforts, and in particular, I especially thank Julia Gessert and McKenzie Porter for their thoughtful insights and leadership of such a hardworking team that shaped this piece. Finally, I express profound gratitude to the professors and colleagues over the years who sparked my passion for international law, and my loved ones for their support.
- See Global Digitalization in 10 Charts, World Bank Grp.: News, https://www.worldbank.org/en/news/immersive-story/2024/03/05/global-digitalization-in-10-charts [https://perma.cc/G2S2-9TB9] (demonstrating the rapid growth of internet usage through charts showing the increase in the percentages of populations using the internet around the globe, along with the increase in information technology (IT) infrastructure). ↑
- Suman Naishadham, What We Know About Monday’s Sweeping Power Outage in Spain and Portugal, Associated Press, https://apnews.com/article/spain-power-outage-france-portugal-europe-grid-electricity-f091ffd3e51dfd3612edb2389eac1e11 [https://perma.cc/4JJM-53QZ] (last updated Apr. 30, 2025, at 5:03 AM). ↑
- See id. ↑
- Id. ↑
- See Spencer Feingold & Filipe Beato, Iberian Blackout: Cyberattack Is Not to Blame – but the Threat to Power Grids Is Real. Here’s Why, World Econ. F. (May 1, 2025), https://www.weforum.org/stories/2025/05/spain-might-not-cyberattack-blackout-power-outage-electric-grids-vulnerable [https://perma.cc/Q28N-S79U]. ↑
- Joyce Hakmeh & Esther Naylor, What Is a Cyberattack?, Chatham House, https://www.chathamhouse.org/2022/02/what-cyber-attack [https://perma.cc/D537-EDWW] (last updated Oct. 12, 2022). ↑
- Cyber operations is a term used interchangeably with cyberattack. See Cyber Operations Tracker, Council on Foreign Rels., https://www.cfr.org/cyber-operations [https://perma.cc/UHQ5-EF8A]. The data from this source focuses on threat actors suspected to be affiliated with a nation‑state. Id. These state‑sponsored attacks have the most accurate and comprehensive reporting as compared to non‑state actors such as hacktivist groups, where there is less reliable data to pull from. Id. ↑
- Id. This source also highlights that most cyber operations en masse are espionage. Id. The most cyber operations in 2023 came out of Russia, China, North Korea, and Pakistan. Id. ↑
- See infra Section II.D. ↑
- See infra Sections II.B–II.C. ↑
- See infra Part III. ↑
- See Hakmeh & Naylor, supra note 6. ↑
- Colin Murphy, Eur. Parl. Rsch. Serv., PE 760.356, Understanding Cybercrime 2 (2024), https://www.europarl.europa.eu/RegData/etudes/BRIE/2024/760356/EPRS_BRI(2024)760356_EN.pdf [https://perma.cc/F634-MJHV]. ↑
- Id. at 2–3; What Is a Threat Actor?, IBM (May 10, 2023), https://www.ibm.com/think/topics/threat-actor [https://perma.cc/Z9TC-6JVX]. ↑
- Esteban Borges, Types of Cyber Crime: A Guide to Prevention & Impact, Recorded Future (June 26, 2024), https://www.recordedfuture.com/threat-intelligence-101/cyber-threats/types-of-cybercrime [https://perma.cc/EB2V-V65N]. ↑
- Module 14: Hacktivism, Terrorism, Espionage, Disinformation Campaigns and Warfare in Cyberspace: Cyberwarfare, U.N. Off. on Drugs & Crime (June 2019) [hereinafter Module 14: Cyberwarfare], https://www.unodc.org/e4j/en/cybercrime/module-14/key-issues/cyberwarfare.html [https://perma.cc/UW6A-LXEM]. ↑
- Fabio Natalucci et al., Rising Cyber Threats Pose Serious Concerns for Financial Stability, IMF: Blog (Apr. 9, 2024), https://www.imf.org/en/Blogs/Articles/2024/04/09/rising-cyber-threats-pose-serious-concerns-for-financial-stability [https://perma.cc/RBP7-UD32]; see also Tim Maurer & Arthur Nelson, The Global Cyber Threat, Fin. & Dev., Mar. 2021, at 24, 24–25. ↑
- See infra Section III.B (discussing cyber disparities); infra Section III.C (describing the consequences of such an attack on Costa Rica). ↑
- See Maurer & Nelson, supra note 17, at 25 (discussing financial systems exacerbating the risk of cyberattacks). ↑
- Id. ↑
- Id. ↑
- Id. ↑
- See About the FSB, Fin. Stability Bd., https://www.fsb.org/about [https://perma.cc/QV27-FUPD] (last updated May 22, 2025). ↑
- Maurer & Nelson, supra note 17, at 25 (quoting Cyber Resilience, Fin. Stability Bd., https://www.fsb.org/work-of-the-fsb/financial-innovation-and-structural-change/cyber-resilience [https://perma.cc/4ENT-TWRG] (last updated Apr. 23, 2025)). ↑
- See id. at 27. ↑
- Id. at 25; Vibhu Mishra, Cyberattacks on Healthcare: A Global Threat That Can’t Be Ignored, U.N. News (Nov. 8, 2024), https://news.un.org/en/story/2024/11/1156751 [https://perma.cc/JJ56-XE79] (discussing the ongoing digital transformation of health care); Ransomware, Austl. Cyber Sec. Ctr., https://www.cyber.gov.au/threats/types-threats/ransomware [https://perma.cc/7D5R-2F4Z] (explaining that ransomware attacks work “by locking up or encrypting your files so you can no longer access them,” so that the perpetrator then demands a ransom to restore access to the files or threatens that the data and intellectual property will be leaked or sold online without payment). ↑
- See Mishra, supra note 26; Jonathan Reed, When Ransomware Kills: Attacks on Healthcare Facilities, IBM, https://www.ibm.com/think/insights/when-ransomware-kills-attacks-on-healthcare-facilities [https://perma.cc/BPM5-VF7A] (explaining that when ransomware attacks happen to health care facilities, they divert their functions to other hospitals that get overwhelmed by so many patients; and when computer systems are down, medications and blood tests cannot be accessed). ↑
- Mishra, supra note 26; see also Reed, supra note 27 (detailing a ransomware attack on an Alabama hospital that took down the hospital’s computer systems during a woman’s delivery that prevented access to monitoring tools and led to severe birth complications, which she argues contributed to the death of her newborn). ↑
- Mishra, supra note 26. ↑
- Celien De Stercke et al., Cybercrime & Cyberwarfare: Entering the Grey Zone, 19 Freedom from Fear Mag., no. 19, 2024, at 31, 36. ↑
- Id. ↑
- Id. at 35. ↑
- Kai Ambos, Cyber‑Attacks as International Crimes Under the Rome Statute of the International Criminal Court?, ICC F.: Invited Experts on Cyberwarfare Question (Mar. 7, 2022), https://iccforum.com/cyberwar#Ambos_fn7 [https://perma.cc/M7AX-CBQT]. ↑
- Id. Some scholars use cyber warfare interchangeably with state‑sponsored cyber operations as an umbrella term. ↑
- George Lekatis, From Espionage to Cyber Espionage, Cyber Risk GmbH, https://www.cyber-espionage.ch [https://perma.cc/U2EU-Z7QU] (describing and comparing cyber warfare in the context of espionage threats); What Is Cyber Espionage? Types & Examples, SentinelOne, https://www.sentinelone.com/cybersecurity-101/threat-intelligence/cyber-espionage [https://perma.cc/F88X-TPKN] (last updated Aug. 11, 2025). ↑
- See Module 14: Cyberwarfare, supra note 16. ↑
- What Is Cyber Espionage? Types & Examples, supra note 35. ↑
- Lekatis, supra note 35. ↑
- See, e.g., Jakub Przetacznik & Simona Tarpova, Eur. Parl. Rsch. Serv., PE 733.549, Russia’s War on Ukraine: Timeline of Cyber‑Attacks 2–3 (2022), https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/733549/EPRS_BRI(2022)733549_EN.pdf [https://perma.cc/6SPX-RFR6]. ↑
- See What Is Cyber Espionage? Types & Examples, supra note 35. ↑
- Zeeshan Faisal Khan, Cyber Warfare and International Security: A New Geopolitical Frontier, 3 Critical Rev. Soc. Scis. Stud. 513, 514 (2025). ↑
- Module 14: Hacktivism, Terrorism, Espionage, Disinformation Campaigns and Warfare in Cyberspace: Cyberespionage, U.N. Off. on Drugs & Crime (June 2019), [hereinafter Module 14: Cyberespionage] https://www.unodc.org/e4j/en/cybercrime/module-14/key-issues/cyberespionage.html [https://perma.cc/7RWZ-8K6S]; Christine Hegenbart, Semantics Matter: NATO, Cyberspace and Future Threats 6 (NATO Def. Coll., Research Paper No. 103, July 2014), https://ciaotest.cc.columbia.edu/wps/nat/0032001/f_0032001_25996.pdf [https://perma.cc/7KPA-ZTJL]. ↑
- Lekatis, supra note 35; accord Module 14: Cyberwarfare, supra note 16; Hegenbart, supra note 42, at 10– 11. ↑
- Hegenbart, supra note 42; Lekatis, supra note 35. ↑
- See Arda Büyükkaya, Operation FlightNight: Indian Government Entities and Energy Sector Targeted by Cyber Espionage Campaign, EclecticIQ (Mar. 27, 2024), https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign [https://perma.cc/YG7V-K4UQ] (highlighting a phishing scheme that was likely cyber espionage aimed at gaining access to Indian energy sectors); Lekatis, supra note 35. ↑
- Hegenbart, supra note 42, at 6; Lekatis, supra note 35. ↑
- Hegenbart, supra note 42, at 6. ↑
- See Lekatis, supra note 35. ↑
- See id. ↑
- Khan, supra note 41, at 517. ↑
- Id. ↑
- Richard Forno, What Is Volt Typhoon? A Cybersecurity Expert Explains the Chinese Hackers Targeting US Critical Infrastructure, Conversation (Mar. 29, 2024, at 8:46 AM), https://theconversation.com/what-is-volt-typhoon-a-cybersecurity-expert-explains-the-chinese-hackers-targeting-us-critical-infrastructure-226600 [https://perma.cc/BY87-JCKX]. ↑
- Id. ↑
- See Press Release, Nat’l Sec. Agency, Cent. Sec. Serv., NSA and Partners Spotlight People’s Republic of China Targeting of U.S. Critical Infrastructure (Feb. 7, 2024), https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3669141/nsa-and-partners-spotlight-peoples-republic-of-china-targeting-of-us-critical-i [https://perma.cc/K5S4-3LFG]. ↑
- Forno, supra note 52 (stating that disrupting power and water to military facilities and critical supply chains poses a threat to the U.S. military). ↑
- Hegenbart, supra note 42, at 7. ↑
- Id. ↑
- What Is Cyber Warfare?, S&P Glob., https://www.spglobal.com/en/research-insights/market-insights/geopolitical-risk/cyber-warfare [https://perma.cc/28ZH-3NMM]. ↑
- See Lekatis, supra note 35. ↑
- Id.; see Hegenbart, supra note 42, at 6. ↑
- See Josh Fruhlinger, Stuxnet Explained: The First Known Cyberweapon, CSO (Aug. 31, 2022), https://www.csoonline.com/article/562691/stuxnet-explained-the-first-known-cyberweapon.html [https://perma.cc/BBS7-LU9W]. ↑
- Id. ↑
- Id. ↑
- Id. ↑
- See infra Section II.C. ↑
- See Use of Force, Int’l Cyber L.: Interactive Toolkit, https://cyberlaw.ccdcoe.org/wiki/Use_of_force [https://perma.cc/X2HQ-RVN9] (last updated Sep. 5, 2025, at 10:54 AM). ↑
- See id. ↑
- Under international human rights law, states are prohibited from launching direct attacks on civilians and civilian infrastructure. Armed Conflict: What Are the Laws of War?, Amnesty Int’l, https://www.amnesty.org/en/what-we-do/armed-conflict [https://perma.cc/EZ9K-TS8U]. ↑
- See infra Section II.C. ↑
- Christopher Mott, Sovereignty: Keystone of the International System, Inst. for Peace & Dipl. (Jan. 19, 2023), https://peacediplomacy.org/2023/01/19/sovereignty [https://perma.cc/ZWS9-2V8J]. ↑
- See id. ↑
- Arshid Iqbal Dar & Jamsheed Ahmed Sayed, The Evolution of State Sovereignty: A Historical Overview, 6 Int’l J. Human. & Soc. Sci. Invention 8, 10 (2017). The Peace of Westphalia ended the Thirty Years’ War in Europe, departed from the power and central authority of the Holy Roman Empire, replaced it with nation‑states with absolute sovereignty over territory, and recognized the equality of states as a principle of modern international law. Id. The traditional underpinnings of sovereignty came to be known as Westphalian sovereignty. See id. ↑
- Claire Vergerio, Beyond the Nation‑State, Bos. Rev. (May 27, 2021), https://www.bostonreview.net/articles/beyond-the-nation-state [https://perma.cc/3DJN-Y87R]; see Dar & Sayed, supra note 72, at 10. ↑
- Dar & Sayed, supra note 72, at 10. ↑
- Id. ↑
- Samantha Besson, Sovereignty, in Max Planck Encyclopedia of Public International Law (2011), https://opil.ouplaw.com/display/10.1093/law:epil/9780199231690/law-9780199231690-e1472 [https://perma.cc/U2PU-YJ7L]. ↑
- See id. ↑
- See id. (“The second part of the 20th century corresponded to the establishment of . . . the new conception of international law qua law of cooperation between sovereign States.”). ↑
- See id. ↑
- See id. ↑
- See Karen Mingst, International Organization, Encyc. Britannica, https://www.britannica.com/topic/international-organization [https://perma.cc/PY7C-DBEL] (last updated Apr. 12, 2025). ↑
- History of the United Nations, U.N., https://www.un.org/en/about-us/history-of-the-un [https://perma.cc/ZM8Q-9NG3]. ↑
- Mingst, supra note 81. ↑
- See Besson, supra note 76 (explaining that the delegation of sovereign powers to international organizations and internationalizing sovereignty generally does tame domestic sovereignty but in a way that now entrenches international standards to safeguard democracy and human rights). ↑
- See id. ↑
- Id. ↑
- Dar & Sayed, supra note 72, at 11; see U.N. Charter pmbl. ↑
- See infra Section II.C (discussing the use of force). ↑
- See, e.g., Besson, supra note 76. ↑
- See Dar & Sayed, supra note 72. ↑
- Sir Michael Wood, Territorial Integrity, Princeton Encyc. of Self‑Determination, https://pesd.princeton.edu/node/686 [https://perma.cc/2NY8-2KEQ] (explaining that territorial integrity is most important in international law in relation to the use of force because territorial borders are a physical manifestation of sovereignty that is subject to physical incursion). ↑
- Harriet Moynihan, The Application of International Law to State Cyberattacks: Sovereignty and Non‑Intervention 12 (Chatham House: Royal Inst. of Int’l Affs., Research Paper, 2019), https://www.chathamhouse.org/sites/default/files/publications/research/2019-11-29-Intl-Law-Cyberattacks.pdf [https://perma.cc/46BV-JF7J]. ↑
- Id. at 14. ↑
- Id. ↑
- For example, by applying jurisdictional laws or geographical conditions to internet activity. Id. at 13–14. ↑
- Id. ↑
- Id. See generally Barcelona Traction, Light and Power Co., Ltd. (Belg. v. Spain), Judgment, 1970 I.C.J. 3 (Feb. 5) (holding that corporations are viewed as being nationals of the state in which they are incorporated and are subject to the domestic laws of that state). ↑
- Moynihan, supra note 92, at 14. ↑
- Michael N. Schmitt, Cyber Operations and the Jud Ad Bellum Revisited, 56 Vill. L. Rev. 569, 603–05 (2011). ↑
- Jianming Shen, The Non‑Intervention Principle and Humanitarian Interventions Under International Law, Int’l Legal Theory, Spring 2001, at 2; Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, 106–07, ¶ 202 (June 27) (observing that, between independent states, respect for territorial sovereignty is an essential foundation of international relations and international law, requiring political integrity to be respected); Anne Peters, Humanity as the A and W of Sovereignty, 20 Eur. J. Int’l L. 513, 518 (2009). ↑
- Sir Michael Wood, Non‑Intervention (Non‑Interference in Domestic Affairs), Encyc. Princetoniensis, https://pesd.princeton.edu/node/551 [https://perma.cc/ETC2-SJWP]. ↑
- Cecilia Yue Wu, Challenging Paternalistic Interference: The Case for Non‑Intervention in a Globalized World, 65 Harv. Int’l L. J. 253, 258 (2023) (quoting Robert Jennings & Arthur Watts, Oppenheim’s International Law 428, § 128 (1996)). ↑
- See id. ↑
- U.N. Charter art. 2, ¶ 7. ↑
- Nicar. v. U.S., 1986 I.C.J. at 106–07, ¶ 202. ↑
- Id. The ICJ noted that, to be found a principle of customary law, a principle must be widely and substantially practiced by states. Id. Additionally, in regard to the principal, there must be opinio juris, which refers to states treating a practice as though they have an obligation to follow it as a rule under international law although no rule actually exists. See id. Taking the example of non‑intervention, if states around the world have been respecting this principle by not interfering with others for centuries and thought they had an obligation to do so despite there not being a rule in existence, that demonstrates evidence of customary international law. See id. ↑
- Marko Milanovic, Revisiting Coercion, Eur. J. of Int’l L. (July 17, 2023), https://www.ejiltalk.org/revisiting-coercion [https://perma.cc/T2QS-RQQQ]. ↑
- See Nicar. v. U.S., 1986 I.C.J. at 148, ¶ 292(9); Rosendo Arguello et al., History: Foreign Intervention, Encyc. Britannica: Nicar., https://www.britannica.com/place/Nicaragua/Foreign-intervention [https://perma.cc/9GMT-Z49L] (last updated Mar. 27, 2025) (providing background on U.S. activities in Nicaragua). In 1978, the American‑backed Somoza government in Nicaragua fell to the Sandinista government, which was interpreted by the United States as a shift toward communism. Arguello et al., supra. In 1981, U.S. President “Ronald Reagan authorized funds for the recruiting, training, and arming of Nicaraguan counterrevolutionaries (Contras) who would conduct military operations against the Sandinista regime.” Id. ↑
- Nicar. v. U.S., 1986 I.C.J. at 124–25, ¶¶ 241–42. ↑
- Id. at 107–08 ¶ 205. ↑
- Id. at 109–10 ¶ 209. ↑
- Milanovic, supra note 107. See generally Nicar. v. U.S., 1986 I.C.J. at 107– 08, 124 ¶¶ 205, 241 (discussing coercion without defining it). ↑
- Milanovic, supra note 107. ↑
- Denitsa Raynova, Eur. Leadership Network, Post‑Workshop Report: Towards a Common Understanding of the Non‑Intervention Principle 2 (2017), https://www.europeanleadershipnetwork.org/wp-content/uploads/2017/10/170929-ELN-Workshop-Report-Non-Intervention.pdf [https://perma.cc/NKU4-G46A]. ↑
- See id.; Sarang Shidore, Quincy Inst. for Responsible Statecraft, Winning the Majority: A New U.S. Bargain with the Global South 19–20 (2022), https://quincyinst-2.s3.amazonaws.com/wp-content/uploads/2022/11/17213739/QUINCY-BRIEF-NO.-33-NOV-2022-SHIDORE.pdf [https://perma.cc/V9FC-5MRS] (asserting that the United States intervened repeatedly to topple governments in newly independent states in the Global South); Nicar. v. U.S., 1986 I.C.J. at 124 ¶ 241 (describing how the United States funded and assisted the Contras, an oppositional guerrilla group in Nicaragua, in an effort to influence their campaign and depose the current Nicaraguan government in favor of a non‑communist regime); infra Section III.A. ↑
- See Arguello et al., supra note 108. ↑
- There is debate surrounding the U.S. decision to bombard Caracas, Venezuela. These actions were blatantly a use of armed force in violation of 2(4) of the UN Charter, but UN experts argue that this is exploitation through “thinly veiled pretexts to legitimise military aggression, foreign occupation, or regime-change strategies.” Press Release, U.N. Off. High Comm’r, UN Experts Condemn US Aggression Against Venezuela (Jan, 7, 2026), https://www.ohchr.org/en/press‑releases/2026/01/un-experts-condemn-us-aggression-against-venezuela [https://perma.cc/M9PH-MPWH]. ↑
- See infra Section III.A. ↑
- Raynova, supra note 114. ↑
- G.A. Res. 36/103, Declaration on the Inadmissibility of Intervention and Interference in the Internal Affairs of States, at 78 (Dec. 9, 1981). ↑
- Id., annex, arts. II(a), (c) (refraining from threatening to use force “to disrupt the political, social, or economic order”); id., annex, art II(e) (refraining from any action or attempt to destabilize the political system); id., annex, art II(f) (refraining “from the promotion, encouragement or support, direct or indirect . . . or any action which seeks to disrupt or undermine . . . the political order of other States”); id., annex, art II(j) (abstaining “from any defamatory campaign or . . . hostile propaganda”); id., annex, art II(l) (refraining “from the exploitation and the distortion of human rights abuses as a means of interference”). ↑
- See Wu, supra note 102, at 261. ↑
- See Marko Milanovic, Revisiting Coercion as an Element of Prohibited Intervention in International Law, 117 Am. J. Int’l L. 601, 602, 612–13 (2023). ↑
- See Use of Force, supra note 66. ↑
- See infra Section II.C (describing the use of force). ↑
- See infra Section II.C. ↑
- See U.N. Charter art. 2, ¶ 4; supra Sections II.A–II.B. ↑
- U.N. Charter art. 2, ¶ 4. ↑
- See Malcolm Shaw, Jurisdiction, Encyc. Britannica: Int’l L., https://www.britannica.com/topic/international-law/Jurisdiction [https://perma.cc/U2QW-4AE7] (last updated Feb. 14, 2026) (explaining that the use of force has been only used in relation to self‑defense, armed conflict, and war). ↑
- Florian Kriener, Intervention, Prohibition of, in Max Planck Encyclopedia of International Law (2023), https://opil.ouplaw.com/display/10.1093/law:epil/9780199231690/law-9780199231690-e1434 [https://perma.cc/8EKR-9DUM] (discussing how, while intervention itself is subject to debate, depending on the circumstances, intervention can be violative of state sovereignty and the use of force always is). ↑
- See id. ↑
- See id. ↑
- See U.N. Charter art. 51; Huseyin Kuru, Prohibition of Use of Force and Cyber Operations as “Force”, 2 J. Learning & Teaching Digit. Age 46, 47 (2017) (noting that the furthest the doctrine has been expanded is to nontraditional weapons, such as nuclear weapons and planes during terrorist attacks). ↑
- Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J. 226, 265–67, ¶ 105 (July 8). ↑
- Legality of the Threat or Use of Nuclear Weapons, 1996 I.C.J. at 244, ¶ 39. ↑
- Kuru, supra note 133. In response to 9/11, the North Atlantic Treaty Organization (NATO) invoked Article 5 of the North Atlantic Treaty for the first and only time since its signing. ↑
- Id. at 47–48, 52; see Legality of the Threat or Use of Nuclear Weapons, 1996 I.C.J. at 226, ¶ 39. ↑
- Jakub Spáčil, Cyber Operations Against Critical Financial Infrastructure: A Non‑Destructive Armed Attack?, 22 Int’l & Compar. L. Rev. 27, 34 (2022); see Erin Pobjie, Elements of ‘Use of Force’: Effects, Gravity and Intention, in Prohibited Force: The Meaning of ‘Use of Force’ in International Law 132, 157 (2024); Laurie R. Blank, Irreconcilable Differences: The Thresholds for Armed Attack and International Armed Conflict, 96 Notre Dame L. Rev. 249, 249 (2020) (explaining that the two legal regimes relating to the use of force are jus ad bellum and the law of armed conflict, both of which involve armed attacks and warfare, which require a physical exertion of force). ↑
- See Vienna Convention on the Law of Treaties art. 31, May, 23 1969, 1155 U.N.T.S. 331 (entered into force Jan. 27, 1980). ↑
- Chosen Udorji, Reconceptualizing the Meaning of Indirect Force and the Scope of its Regulation Under International Law, 30 J. Conflict & Sec. L. 47, 58 (2025). ↑
- See id. ↑
- See id. at 58 n.95. ↑
- Id. at 58. In other words, the relationship between the two concepts is analogous to the principle that all squares are rectangles, but not all rectangles are squares, with the use of force and prohibited intervention pertaining to the square and the rectangle respectively. See Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, 109–10, ¶ 209 (June 27) (finding that acts constituting a breach of the customary principle of non‑intervention will also, if they directly or indirectly involve the use of force, constitute a breach of the principle of non‑use of force in international relations); G.A. Res. 3314 (XXIX), Definition of Aggression (Dec. 14, 1974) (alluding to the fact that economic and political acts constitute non‑intervention while armed coercion constitutes the use of force). ↑
- Nicar. v. U.S., 1986 I.C.J at 61, ¶ 107 (acknowledging that the United States had taken responsibility for its actions in Nicaragua and stating that this type of “aid” was becoming a major element of U.S. foreign policy in the region, as this case involved aid to Honduras and Guatemala in addition to Nicaragua). ↑
- See, e.g., id. at 139–40 ¶ 278; Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005 I.C.J. 168, 222–23 ¶¶ 145–47 (Dec. 19). ↑
- Udorji, supra note 140, at 60–61; Nicar. v. U.S., 1986 I.C.J. at 107–08 ¶¶ 205–06. ↑
- See Udorji, supra note 140, at 69, 75. ↑
- See, e.g., id. at 75. ↑
- Nicar. v. U.S., 1986 I.C.J. at 118–19 ¶ 228 (finding that by organizing or encouraging the organization of irregular forces or armed bands, entering the territory of another state, and participating in acts of civil strife in another state, the United States committed a violation of the principle of the non‑use of force in its assistance to the Contras in Nicaragua). The court also emphasized that the arming and training of the Contras involves the threat or use of force, but the mere supply of funds to the Contras, while an act of intervention, does not in itself amount to the use of force. Id. ↑
- See infra Section II.D (discussing state responsibility). ↑
- See Use of Force, supra note 66. ↑
- See id. ↑
- Kuru, supra note 133, at 48–49; Nicar. v. U.S., 1986 I.C.J. at 14. ↑
- Kuru, supra note 133, at 48. ↑
- Heather Harrison Dinniss, Cyber Warfare and the Laws of War 65 (2012). ↑
- Id. at 65–66. ↑
- Id. at 66. ↑
- Id. at 67. ↑
- Id. ↑
- See id. ↑
- Id. at 67–68. ↑
- Id. at 70. ↑
- See id. at 71; Larry Greenemeier, Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers, Sci. Am. (June 11, 2011), https://www.scientificamerican.com/article/tracking‑cyber-hackers [https://perma.cc/6XV2-QW46] (explaining that cyberattacks are difficult to trace because attackers use viruses, worms, and other malware to create a network of “zombie” computers that they can use to launch attacks, making it look like it came from one server in one location although the attack did not come from that place). ↑
- See Schmitt, supra note 99, at 594; see, e.g., Greenemeier, supra note 163. ↑
- Kuru, supra note 133, at 48 (citing Heidi Moore & Dan Roberts, AP Twitter Hack Causes Panic on Wall Street and Sends Dow Plunging, Guardian (Apr. 23, 2013, at 3:41 PM), https://www.theguardian.com/business/2013/apr/23/ap-tweet-hack-wall-street-freefall [https://perma.cc/5FA7-F2HF]). ↑
- Id. ↑
- See id. ↑
- Id. ↑
- Id. at 48. ↑
- Id. at 50. ↑
- See id. ↑
- Id. at 51. ↑
- Id. ↑
- See id. at 48–50. ↑
- See id. at 49. ↑
- See, e.g., id. at 50–52. ↑
- Malcolm Shaw, The Responsibility of States, Encyc. Britannica: Int’l L. https://www.britannica.com/topic/international-law/The-responsibility-of-states [https://perma.cc/2MQE-VYBR] (last updated Jan. 29, 2025). ↑
- James Crawford, State Responsibility: The General Part 25 (2013). ↑
- See id. ↑
- See, e.g., id. at 27–38, 35. ↑
- Shaw, supra note 177. ↑
- James Crawford, State Responsibility, in Max Planck Encyclopedias of International Law (2006), https://opil.ouplaw.com/display/10.1093/law:epil/9780199231690/law-9780199231690-e1093 [https://perma.cc/HH2M-NDYC]. Commonly referred to as ARSIWA, the concepts underlying state responsibility, namely attribution, breach, excuses, and consequences, were customary international law principles until they were codified in the Draft Articles on Responsibility of States for Internationally Wrongful Acts by the International Law Commission in 2001. Id.; Hui Chen et al., Geneva Ctr. for Sec. Pol’y, The Attribution of Cyber Operations to States in International Law 7 (2025), https://www.gcsp.ch/sites/default/files/2025-12/EWG-IL_Partnered_The%20Attribution%20of%20Cyber%20Operations%20to%20States%20in%20International%20Law_2025-12%3Bdigital_1.pdf [https://perma.cc/79D3-KXTW]. ↑
- Peter Margulies, Sovereignty and Cyber Attacks: Technology’s Challenge to the Law of State Responsibility, 14 Melbourne J. Int’l L., no. 2, 2013, at 1, 10; see Int’l L. Comm’n, Rep. on the Work of Its Fifty‑Third Session, Draft Articles on Responsibility of States for Internationally Wrongful Acts, arts. 8, 47, U.N. Doc. A/56/10 (2001) [hereinafter Articles on Responsibility of States]. ↑
- See Margulies, supra note 183, at 10. ↑
- See Chen et al., supra note 182, at 8–9. ↑
- Shaw, supra note 177; Chen et al., supra note 182, at 8–9. ↑
- Margulies, supra note 183, at 10–11 (quoting Articles on Responsibility of States, supra note 183, art. 8(1)). ↑
- Articles on Responsibility of States, supra note 183, art. 8. ↑
- Margulies, supra note 183, at 11–12; Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, 64–65, ¶¶ 114– 15 (June 27). ↑
- Margulies, supra note 183, at 11–12; Nicar. v. U.S., 1986 I.C.J. at 64–65, ¶¶ 114–15; Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosn. & Herz. v. Serb. & Montenegro), Judgment, 2007 I.C.J. 43, 202–05, 208, 210 ¶¶ 385–92, 400, 406 (Feb. 26). ↑
- Nicar. v. U.S., 1986 I.C.J. at 64–65, ¶ 115 (finding that although the United States participated in the financing, organizing, training, supplying, and equipping of the Contras, the selection of its military or paramilitary targets, and the planning of the whole operation, this was insufficient to find state attribution for the acts violating international law conducted by the Contras because the members of the Contras could still conduct such acts without the control of the United States; whereas, if the United States had effective control over those military operations itself, that would give rise to the legal responsibility). ↑
- Bosn. & Herz. v. Serb. & Montenegro, 2007 I.C.J. at 208, ¶ 400. ↑
- See Nicar. v. U.S., 1986 I.C.J. at 58 ¶ 99. ↑
- See Margulies, supra note 183, at 11–12 (referencing Prosecutor v. Tadić, Case No. IT‑94‑1‑A, Judgment of the Appeals Chamber, ¶¶ 131, 145 (Int’l Crim. Trib. for the Former Yugoslavia July 15, 1999)). ↑
- Prosecutor v. Tadić, Case No. IT‑94‑1‑A ¶¶ 122, 131, 145; Nicar. v. U.S., 1986 I.C.J. at 58 ¶ 99. ↑
- Prosecutor v. Tadić, Case No. IT‑94‑1‑A ¶ 120 (explaining that an organized group differs from an individual because the group normally has a structure, a chain of command, and a set of rules as well as outward symbols of authority, such that a member of the group does not act on his own but conforms to the standards prevailing in the group and is subject to the authority of the head of the group, necessitating overall control of the state over the group). ↑
- See id. ↑
- Id. ¶¶ 122–23 (explaining that to find otherwise, states might easily shelter behind the lack of any specific instructions in order to disclaim international responsibility). ↑
- Id. ¶¶ 131–35 (first citing United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), Judgment, 1980 I.C.J. 3 (May 24) (finding that Iranian students storming the U.S. embassy were not acting on behalf of Iran because Iranian authorities had not specifically instructed them to perform the acts); then citing Nicar. v. U.S., 1986 I.C.J. 14 (finding that persons of nationality of unidentified Latin American countries needed to be acting on the instructions of the United States in addition to being paid by them to hold the United States responsible); then citing Alfred L.W. Short v. Islamic Republic of Iran, Award No. 312‑11135‑3, Iran‑U.S. Claims Tribunal (July 14, 1987) (finding that Iranian revolutionaries who ordered claimant’s departure from Iran were not attributable to Iran because Ayatollah Khomeini’s declarations did not amount to specific incitement to expel foreigners)). ↑
- Id. ¶ 131 (finding that “[i]n order to attribute the acts of a military or paramilitary group to a State, it must be proved that the State wields overall control over the group, not only by equipping and financing the group, but also by coordinating or helping in the general planning of its military activity”). ↑
- See infra Section III.C. ↑
- See infra Section III.B. ↑
- Jacques Fomerand et al., United Nations, Encyc. Britannica, https://www.britannica.com/topic/United-Nations [https://perma.cc/PF3B-2G52]. The United States, the United Kingdom, and the Soviet Union took the lead in designing the new organization of the United Nations and determining its decision‑making structure and functions, and at the 1945 United Nations Conference on International Organization in San Francisco, fifty countries participated, with the majority coming from Europe and the Americas as many countries in Africa were still under colonial rule. Id. ↑
- U.N. Charter art. 2, ¶ 1. ↑
- Udorji, supra note 140, at 59. See generally James Thuo Gathii, The Promise of International Law: A Third World View, 36 Am. U. Int’l L. Rev. 377 (2021) (speaking generally to the need for international law to incorporate the perspectives of the “Third World”); Andrea Bianchi, Choice and (the Awareness of) Its Consequences: The ICJ’s “Structural Bias” Strikes Again in the Marshall Islands Case, 111 Am. J. Int’l L. Unbound 81 (2017) (arguing that the bias of justices in the ICJ and the commitment to the status quo that avoids questioning the Western, state‑centered worldview influenced the judgment in the Marshall Islands Case). ↑
- Alex Young, Western Theory, Global World: Western Bias in International Theory, 36 Harv. Int’l Rev. 29, 29 (2014). ↑
- See Michael P. Auerbach, Neocolonialism, EBSCO: Rsch. Starters (2021), https://www.ebsco.com/research-starters/political-science/neocolonialism [https://perma.cc/ZW4E-AYSN]. ↑
- Dan Allosso & Tom Williford, Decolonization, in Modern World History (2021), https://mlpp.pressbooks.pub/modernworldhistory/chapter/decolonization [https://perma.cc/Y7EX-GWQH]. ↑
- See, e.g., Udorji, supra note 140, at 59. ↑
- Id. ↑
- Id. at 63–64; see Christine Gray, The Prohibition of the Use of Force, International Law and the Use of Force 33–34 (4th ed. 2018); U.N. Conf. on Int’l Org., Summary Report of Eleventh Meeting of Committee I/1, at 331–35, U.N. Doc 784/ I/1/27 (June 5, 1945) (demonstrating the tensions between developing and developed countries during the development of the United Nations). Additionally, the Brazilian delegate argued that Article 2(4) prohibits any interference that threatens the national security and territorial integrity of another member or involves any excessively foreign influence on its destinies, and that the phrase “in any other manner” was included to ensure no loopholes. Udorji, supra note 140, at 63– 64. These arguments were rejected by mainly Western states. Id. ↑
- Wu, supra note 102, at 260 (internal quotation marks omitted); G.A. Res. 2625 (XXV), Declaration on Principles of International Law Concerning Friendly Relations and Co‑Operation Among States in Accordance with the Charter of the United Nations, at 122 (Oct. 24, 1970). ↑
- Wu, supra note 102, at 260 n.50 (quoting Tomislav Mitrovic, Non‑Intervention in the Internal Affairs of States, in Principles of International Law Concerning Friendly Relations and Cooperation 219, 226 (Milan Šahović ed., 1972) (explaining that during deliberations on the Friendly Relations Declaration, a U.S. representative noted, “the basic provision of the [UN] Charter concerning the principle of non‑intervention was contained in Article 2, paragraph 4. Since Western countries held the term ‘force’ in this provision of the Charter to mean only ‘armed force,’ intervention was taken to mean the use or threat of armed force”)). ↑
- See id. at 263 (noting that, in Nicaragua, the ICJ held that coercion is particularly obvious in the threat or use of force). The ICJ sided with the conception of Western states to restrict non‑intervention, which ignored the expansive construction desired by Brazil and the other developing states. Id. ↑
- Udorji, supra note 140, at 64; see Ahmed M. Rifaat, International Aggression: A Study of the Legal Concept: Its Development and Definition in International Law 217–21 (1979) (beginning a discussion of indirect aggression). ↑
- Udorji, supra note 140, at 64. ↑
- Id. at 63–64. ↑
- Id. at 64. ↑
- Id. ↑
- Julius Stone, Conflict Through Consensus: United Nations Approaches to Aggression 74–75 (1977) (construed in Udorji, supra note 140, at 64); see also Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, 85 ¶ 157 (June 27) (showing the principles of the Six State Draft in practice). ↑
- See Udorji, supra note 140, at 64 (stating that some of the developing countries in the Thirteen Powers Draft included Peru, Kenya, Congo, Bolivia, India, Rwanda, Zambia, Libya, Cuba, and Madagascar). ↑
- Wu, supra note 102, at 261; see G.A. Res. 36/103, supra note 120. ↑
- G.A. Res. 36/103, supra note 120, arts. I(b)–(c), II(i)–(l). ↑
- Alexander Norbrook, Exploiting Natural Resources in a Decolonizing World: Evidence, Sovereignty, and Development Discourses in the UN (1951–1962), Princeton Hist. Rev., Summer 2025, at 28, 28, 64–66 (noting that in the post‑colonial era of the 1960s, many states like Nigeria, which recently gained independence and had economies driven by extraction of natural resources, wanted to terminate ongoing agreements allowing further exploitation from the French and British); Carolina Matos, Globalization and the Mass Media, in Encyclopedia of Globalization 2–4 (2012) (discussing cultural imperialism theories which highlight that the expansion of transnational corporations and strategic planning of the U.S. government shaped commercial broadcasting systems in Latin America). During the UNESCO New World Information and Communication Order (NWICO), “Third World critics” attacked the “Western dominance of news broadcasting” as “reproducing the prejudices of colonialism in their treatment of developing countries.” Matos, supra. ↑
- Wu, supra note 102, at 259 n.38 (quoting Maziar Jamnejad & Michael Wood, The Principle of Non‑Intervention, 22 Leiden J. Int’l L. 345, 348 (2009) (“[M]any writings on ‘non‑intervention’, particularly in earlier times, dealt solely with the law on the use of force.”)); see U.N. GAOR, 36th Sess., 91st plen. mtg. at 1631, U.N. Doc. A/36/PV.91 (Dec. 9, 1981) (recording that the resolution was adopted by 120 votes to 22, with the countries voting against the resolution including Australia, Austria, Belgium, Canada, Denmark, France, Germany, Iceland, Ireland, Israel, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Portugal, Spain, Sweden, United Kingdom, United States, and Venezuela). ↑
- Wu, supra note 102, at 261 n.59 (first quoting Philip Kunig, Prohibition of Intervention, in Max Planck Encyclopedias of International Law ¶¶ 9–10 (Rüdiger Wolfrum ed., 2008) (“The broad definition of the non‑intervention principle given by this resolution was passed against the will of many States and does not reflect general international opinion on the topic.”); then quoting Ori Pomson, The Prohibition on Intervention Under International Law and Cyber Operations, 99 Int’l L. Stud. 180 (2022) (“Resolution 36/103 . . . is of little value for discerning the scope of the customary prohibition on intervention.”)). ↑
- See U.N. Doc. A/36/PV.91, supra note 225 (showing the resolution was adopted by a vote of 120 in favor, 22 against, and 6 abstentions). ↑
- Udorji, supra note 140, at 63. ↑
- See id. ↑
- Id. ↑
- Cyber Operations Tracker, supra note 7. ↑
- See infra Section III.C (discussing Costa Rica). ↑
- See, e.g., Yannick Zerbe, Costa Rica Ransomware Attack (2022), Int’l Cyber L.: Interactive Toolkit, https://cyberlaw.ccdcoe.org/wiki/Costa_Rica_ransomware_attack_(2022) [https://perma.cc/7DF3-PJKB] (last updated Mar. 20, 2023, at 10:25 AM). ↑
- See Michael Rohrs & Paolo Dal Cin, 5 Causes of Cyber Inequity and the Systemic Risk It Creates, World Econ. F. (Jan. 11, 2024), https://www.weforum.org/agenda/2024/01/causes-cyber-inequity-systemic-risk [https://perma.cc/NUD7-NBPM]. ↑
- World Econ. F., Global Cybersecurity Outlook 2024: Insight Report 10 (2024), https://www3.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2024.pdf [https://perma.cc/RF3V-AF9X]. ↑
- Id. ↑
- Comput. Sec. Res. Ctr., Cyber Resiliency, Nat. Inst. of Standards & Tech., https://csrc.nist.gov/glossary/term/cyber_resiliency [https://perma.cc/Z9SZ-KZ6H]. ↑
- World Econ. F., supra note 235, at 10 (noting that North America and Europe had the highest number of cyber‑resilient organizations). ↑
- Lilly Pijnenburg Muller, Norwegian Inst. Int’l Affs., Cyber Security Capacity Building in Developing Countries: Challenges and Opportunities 6 (2015), https://cybilportal.org/wp-content/uploads/2020/06/NUPIReport03-15-Muller.pdf [https://perma.cc/6ZDR-JFKD]. ↑
- Id. at 10 (describing the lack of cybersecurity frameworks in developing countries). ↑
- See infra Section III.C; Jason Firch, Conti Costa Rica Ransomware Attack Explained, PurpleSec (Apr. 28, 2024), https://purplesec.us/breach-report/conti-ransomware-attack [https://perma.cc/Q9HY-SNFW]. ↑
- Muller, supra note 239, at 14. ↑
- Isabella Raba, Cybercrime and the Outgrowing Impact on Developing Nations. Costa Rica in the Background, Univ. of Navarra: Glob. Affs. & Strategic Stud. (May 11, 2024), https://en.unav.edu/web/global-affairs/cybercrime-and-the-outgrowing-impact-on-developing-nations.-costa-rica-in-the-background [https://perma.cc/VNF4-T7BC] (noting that Costa Rica allied itself with the United States and Israel to enhance its defense capabilities). ↑
- Developing Countries Most Vulnerable to Cyberattacks—UN, U.N. News (Dec. 9, 2011), https://news.un.org/en/story/2011/12/397922 [https://perma.cc/W5GJ-LMBW]. ↑
- See infra Section III.C (discussing Costa Rica). ↑
- See Wu, supra note 102, at 261, 280–82. ↑
- See id. at 260–61, 280–82; see, e.g., G.A. Res. 36/103, supra note 120 (providing multiple examples of intervention not recognized as customary international law and not supported by Western powers); Udorji, supra note 140, at 62–63 (explaining the efforts of developing nations for a broader definition of intervention). ↑
- See Zerbe, supra 233. ↑
- Id. ↑
- Id.; Firch, supra note 241. ↑
- Zerbe, supra note 233. ↑
- Id. ↑
- Matt Burgess, Conti’s Attack Against Costa Rica Sparks a New Ransomware Era, Wired (June 12, 2022, at 7:00 AM), https://www.wired.com/story/costa-rica-ransomware-conti [https://perma.cc/CD95-RX5M]. ↑
- Zerbe, supra note 233; Alan Suderman & Ben Fox, Costa Rica Chaos a Warning That Ransomware Threat Remains, Associated Press (June 17, 2022, at 5:20 AM), https://apnews.com/article/russia-ukraine-technology-united-states-costa-rica-central-america-194c69b0966dacf785d2be613c7734dd [https://perma.cc/34WL-L2KU]. ↑
- See supra note 254. ↑
- Javier Córdoba, Ransomware Gang Threatens to Overthrow Costa Rica Government, Associated Press (May 16, 2022, at 4:19 PM), https://apnews.com/article/technology-government-and-politics-caribbean-gangs-381efc2320abb5356dee7f356e55e608 [https://perma.cc/8L38-7X8B]. ↑
- Córdoba, supra note 256 (internal quotation marks omitted). ↑
- Id. ↑
- See id. ↑
- See How the Court Works, I.C.J., https://www.icj-cij.org/how-the-court-works [https://perma.cc/9LBA-NVYA]. The court may entertain two types of cases: legal disputes between states submitted to it by them (contentious cases) and requests for advisory opinions on legal questions referred to it by UN organs and specialized agencies (advisory proceedings). Id. For contentious cases, “only States (States Members of the United Nations and other States which have become parties to the Statute of the Court or which have accepted its jurisdiction under certain conditions) may be parties to contentious cases.” Id. ↑
- See, e.g., Zerbe, supra note 233. ↑
- Id. ↑
- Id. ↑
- See Press Release, U.S. Dep’t of Just., Justice Department Disrupts Covert Russian Government‑Sponsored Foreign Malign Influence Operation Targeting Audiences in the United States and Elsewhere (Sep. 4, 2024), https://www.justice.gov/archives/opa/pr/justice-department-disrupts-covert-russian-government-sponsored-foreign-malign-influence [https://perma.cc/BB7P-VXPS] (explaining the U.S. efforts to counter Russian cyber operations). ↑
- See Nathaniel Fick et al., Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet, Council on Foreign Rels., https://www.cfr.org/task-force-reports/confronting-reality-in-cyberspace/findings [https://perma.cc/9238-A6MF] (last updated July 2022). ↑
- Id. ↑
- See Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, 61, ¶ 107 (June 27). ↑
- Sean T. Byrnes, Letting the World Scream, Hist. News Network (Nov. 26, 2024), https://www.historynewsnetwork.org/article/letting-the-world-scream [https://perma.cc/AC5U-7QQT]. ↑
- See infra Sections III.D.1–III.D.2. ↑
- Press Release, U.N. Off. on Drugs & Crime, United Nations: Member States Finalize a New Cybercrime Convention (Aug. 9, 2024), https://www.unodc.org/unodc/en/frontpage/2024/August/united-nations_-member-states-finalize-a-new-cybercrime-convention.html [https://perma.cc/FTJ9-UECM]; see Ad Hoc Comm. to Elaborate a Comprehensive Int’l Convention on Countering the Use of Info. & Commc’ns Techs. for Crim. Purposes, Draft United Nations Convention Against Cybercrime, art. 5, ¶ 1 U.N. Doc. A/AC.291/L.15 (Aug. 7, 2024) [hereinafter Cybercrime Convention]. ↑
- United Nations Convention Against Cybercrime; Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes, U.N. Off. on Drugs & Crime, https://www.unodc.org/unodc/cybercrime/convention/home.html [https://perma.cc/K6WX-3DA5]. Currently, this treaty has been signed and is waiting to be ratified and entered into force. Id. ↑
- See Cybercrime Convention, supra note 270, arts. 7–17, 35, 37. ↑
- Directorate‑Gen. for Migration & Home Affs., Commission Signed UN Convention to Step Up the Fight Against Cybercrime, Eur. Comm’n (Oct. 27, 2025), https://home-affairs.ec.europa.eu/news/commission-signed-un-convention-step-fight-against-cybercrime-2025-10-27_en [https://perma.cc/J2Y7-NLT9]. ↑
- See Cybercrime Convention, supra note 270. ↑
- Id. art. 22, ¶ 2(d). ↑
- Ad Hoc Comm. to Elaborate a Comprehensive Int’l Convention on Countering the Use of Info. & Commc’ns techs. for Crim. Purposes, Draft Text of the Convention with Member State Amendments 26 (2023) [hereinafter Draft Text of the Convention with Member State Amendments], https://www.unodc.org/documents/Cybercrime/AdHocCommittee/6th_Session/DTC/DTC_rolling_text_01.09.2023_PM.pdf [https://perma.cc/K8FC-Z5RF] (noting art. 22, ¶ 4). ↑
- Cybercrime Convention, supra note 270, art. 53, ¶ 1 (calling for preventative measures via policies, best practices, and appropriate legislation). Paragraph 2 of Article 53 urges states to promote the active participation of relevant individuals and entities outside the public sector, such as nongovernmental organizations, civil society organizations, academic institutions, private sector entities, and the general public. Id. art. 53, ¶ 2. Paragraph 3 of Article 53 provides examples of preventative measures, including: (a) strengthening cooperation with law enforcement agencies; (b) promoting public awareness of cyber threats; (c) increasing capacity of domestic criminal justice systems; (d) encouraging service providers to take effective measures; (e) supporting programs to discourage at‑risk individuals from engaging in cybercrime; (f) promoting reintegration of convicted persons into society; (g) developing policies to prevent and eradicate gender‑based violence; (h) specific tailored efforts to keep children safe online; (i) enhancing the transparency to and contribution of the public in decision‑making processes and ensuring their access to adequate information; (j) respecting and protecting the freedom to seek, receive, and impart public information; (k) developing support programs for victims of offenses; and (l) preventing and detecting the transfer of proceeds from related offenses. Id. art. 53, ¶ 3. ↑
- Id. art. 54 ¶ 9, art. 56. ↑
- See, e.g., Auerbach, supra note 207; Allosso & Williford, supra note 208. ↑
- Draft Text of the Convention with Member State Amendments, supra note 276, at 5 (noting that countries agreed ad referendum (universal consensus) to include in Article 4); see Cybercrime Convention, supra note 270, art. 5, ¶ 1 (confirming state parties should carry out their treaty obligations in a manner “consistent with the principles of sovereign equality and territorial integrity of States and that of non‑intervention in the domestic affairs of other States”). ↑
- Cybercrime Convention, supra note 270, art. 54, ¶ 1. ↑
- Draft Text of the Convention with Member State Amendments, supra note 276, at 67. ↑
- See Tarik Kochi, Dreams and Nightmares of Liberal International Law: Capitalist Accumulation, Natural Rights and State Hegemony, 28 Law & Critique 23, 29–30 (2017). ↑
- Katitza Rodriguez, The UN Cybercrime Convention: Analyzing the Risks to Human Rights and Global Privacy, Just Sec. (Aug. 27, 2024), https://www.justsecurity.org/98738/cybercrime-convention-human-rights [https://perma.cc/84GW-AVLB]. ↑
- Ivana Stradner & Emily Hester, The UN Cybercrime Treaty: A Trojan Horse for Suppressing Dissent, Found. for Def. of Democracies (Oct. 23, 2025), https://www.fdd.org/analysis/2025/10/23/the-un-cybercrime-treaty-a-trojan-horse-for-suppressing-dissent [https://perma.cc/99ZS-VNF9]. ↑
- Id. ↑
- Id. ↑
- Rodriguez, supra note 284. ↑
- See id. ↑
- Karine Bannelier & Eugenia Lostri, Is Anyone Happy with the UN Cybercrime Convention?, Lawfare (Dec. 2, 2024, at 10:36 AM), https://www.lawfaremedia.org/article/is-anyone-happy-with-the-un-cybercrime-convention [https://perma.cc/UK5G-TU4X]. ↑
- Id. (summarizing the arguments of Jason Pielemeier, executive director of the Global Network Initiative). ↑
- See generally Cybercrime Convention, supra note 270 (not recognizing cyber operations under the non‑intervention principle nor defining cyberattacks as the use of force or violations of state sovereignty). ↑
- The Tallinn Manual, NATO Coop. Cyber Def. Ctr. of Excellence, https://ccdcoe.org/research/tallinn-manual [https://perma.cc/CF3D-KCPW]. ↑
- The Tallinn Manual & Primary Law Applicable to Cyber Conflicts, Geo. L. Libr.: Int’l & Foreign Cyberspace L. Rsch. Guide, https://guides.ll.georgetown.edu/cyberspace/cyber-conflicts [https://perma.cc/3Y9D-WLNY] (last updated July 9, 2025, at 2:42 PM). ↑
- Id.; see also Eric Talbot Jensen, The Tallinn Manual 2.0: Highlights and Insights, 48 Geo. J. Int’l L. 735, 740–41 (2017). ↑
- Jensen, supra note 295 at 741 (quoting Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 17 (Michael N. Schmitt ed. 2017) [hereinafter Tallinn Manual 2.0]). ↑
- Terence Check, Book Review: Analyzing the Effectiveness of the Tallinn Manual’s Jus Ad Bellum Doctrine on Cyberconflict, a Nato‑Centric Approach, 63 Clev. State L. Rev. 495, 508 (2015) (referencing a section of the first edition of the Manual, which has been adjusted here to reflect current edition: Tallinn Manual 2.0, supra note 296, at 330). ↑
- Tallinn Manual 2.0, supra note 296, at 333–36. ↑
- Check, supra note 297, at 508–09 (noting that, for example with the factor of military character, “a military‑style cyber operation is so characteristic” of the use of force “that the articulation of such a factor is superfluous, and by mere operation of fact, military character is presumed”). ↑
- Id. (referencing Tallinn Manual 2.0, supra note 296, at 334–36). ↑
- Jensen, supra note 295, at 750 (referencing Tallinn Manual 2.0, supra note 296, at 84–85 (explaining that a cyber‑related act is recognizing that a state can make its cyber infrastructure available to non‑state groups or other states, fail to take measures to terminate cyber operations from its territory, or provide hardware or software to conduct cyber operations)). ↑
- Tallinn Manual 2.0, supra note 296, at 94 (describing that Rule 17 states: “Cyber operations conducted by a non‑State actor are attributable to a State when: engaged in pursuant to its instructions or under its direction or control; or the State acknowledges and adopts the operations as its own”). ↑
- See supra Section II.D (discussing these control tests). ↑
- See supra Section II.D (indicating that the Manual’s drafters included language from the ICTY finding in Tadić of state responsibility required official participation in the planning and supervision of military operations). ↑
- Tallinn Manual 2.0, supra note 296, at 96–97; see, e.g., Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, 66–67, ¶118–19 (June 27) (describing how the United States helped train the Contras). ↑
- Jus ad bellum refers to the conditions under which states may resort to war or to the use of armed force in general. Check, supra note 296, at 512; What Are Jus ad Bellum and Jus in Bello?, Int’l Comm. of the Red Cross (Jan. 22, 2015), https://www.icrc.org/en/document/what-are-jus-ad-bellum-and-jus-bello-0 [https://perma.cc/J3KL-KNH8]. ↑
- See supra Sections II.B–II.C (discussing non‑intervention and use of force). ↑
- See supra Section III.B (analyzing cyber disparities). ↑
- Samuli Haataja, Cyber Operations Against Critical Infrastructure Under Norms of Responsible State Behaviour and International Law, 30 Int’l J.L. & Info. Tech. 423, 424 (2022). ↑
- Id. at 430 (emphasizing Rep. of the Grp. of Gov’tl Experts on Devs. in the Field of Info. & Telecomms. in the Context of Int’l Sec., at 8, U.N. Doc. A/70/174 (July 22, 2015) [hereinafter GGE Report]). ↑
- Id. at 430–31 (emphasizing how international law scholars, such as Harriet Moynihan, Dennis Broeders, and others, note the voluntary, nonbinding nature of these norms and how that places importance on critical infrastructure). ↑
- See François Delerue, Cyber Operations and International Law 304 (2020). ↑
- Haataja, supra note 309, at 432; GGE Report, supra note 310. ↑
- See supra Section II.C. ↑
- See supra Section III.C (discussing Costa Rica). ↑
- See supra Section III.C. ↑
- 5 Things You Need to Know About Critical Infrastructures, U.N. Univ.: Inst. for the Env’t & Hum. Sec. (Mar. 28, 2024), https://unu.edu/ehs/series/5-things-you-need-know-about-critical-infrastructures [https://perma.cc/3Q4X-CUR6] (explaining that sectors considered critical infrastructure vary between countries). ↑
- E.g., Costa Rica: Access, Primary Health Care Performance Initiative (2022), https://www.improvingphc.org/costa-rica-access [https://perma.cc/Z3Y7-CBLT] (explaining that the Costa Rican Social Security Fund, or the Caja Costariccense de Seguro Social (CCSS), extended health care and other insurance coverage to more than 82 percent of the population and that this system handles the whole of the public health system in the country). ↑
- See supra Section III.A (discussing the potential Western bias in definitions of non‑intervention and the use of force). ↑
- See supra Section III.D.1 (analyzing how countries like Russia try to take advantage of defining terms locally). ↑
- Delerue, supra note 312, at 289; see Kuru, supra note 133, at 49. ↑
- Id. at 304. ↑
- Check, supra note 297, at 512 n.115. ↑
- See Carla Rosch, A Massive Cyberattack in Costa Rica Leaves Citizens Hurting, Rest of World (June 1, 2022), https://restofworld.org/2022/cyberattack-costa-rica-citizens-hurting [https://perma.cc/VJK7-GDUP] (explaining that as a result of the attack and disabling the systems that administer paychecks, health care, and other social services, Costa Rican citizens were unable to pay mortgages, struggled to pay for basic needs, and could not receive necessary health care services). ↑
- Significant Cyber Incidents, Ctr. for Strategic & Int’l Stud., https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents [https://perma.cc/PM6Z-MUBV] (describing how Canada pulled its financial intelligence system FINTRAC offline after a cyber incident by an unidentified hacker in March 2024); Andrew Russell, 3 Months After Fintrac Hack, Experts Say Canada Missing Out on Financial Intelligence, Glob. News, https://globalnews.ca/news/10546979/3-months-after-fintrac-hack-experts-say-canada-missing-out-on-financial-intelligence [https://perma.cc/F9DC-KTAP] (last updated June 7, 2024, at 7:47 AM). While the cyberattack was reported, it was mainly reported in Canadian news outlets. See, e.g., Russell, supra. ↑
- Russell, supra note 325 (describing how the FINTRAC attack revealed a gap in intelligence, but Canada quickly moved to rectify the issue); Rosch, supra note 324. ↑
- What Is Economic Statecraft?, Council on Foreign Rels., https://education.cfr.org/learn/reading/what-economic-statecraft [https://perma.cc/79JF-BMYS] (last updated Feb. 25, 2025). ↑
- See Spáčil, supra note 138, at 35. ↑
- For example, China’s Belt and Road Initiative funds various infrastructure projects in African and Asian countries and has been a tool of exerting economic influence in these regions. See, e.g., Yu Jie & Jon Wallace, What Is China’s Belt and Road Initiative (BRI)?, Chatham House, https://www.chathamhouse.org/2021/09/what-chinas-belt-and-road-initiative-bri [https://perma.cc/J4AR-8BLW] (last updated Dec. 19, 2022). ↑
- See, e.g., id. (explaining that states agree to these infrastructure projects via contracts). For example, China built a high‑speed railway system in Kenya and provided jobs and training for local workforces, but there are concerns about Kenya’s ability to service the Chinese loans that paid for it. Id.; What Is Economic Statecraft?, supra note 327. ↑
- See supra Section II.C (analyzing the use of force). ↑
- See, e.g., Schmitt, supra note 99, at 570 (describing a cyberattack that was traced to at least 177 other countries). ↑
- See Prosecutor v. Tadić, Case No. IT‑94‑1‑A, Judgment of the Appeals Chamber, ¶ 120 (Int’l Crim. Trib. for the Former Yugoslavia, July 15, 1999); supra note 198 and accompanying text. ↑
- Margulies, supra note 183, at 20. ↑
- Id. ↑
- See generally id. at 3, 12 (explaining how states are not responsible for cyberattacks if they finance them but do not provide specific direction). ↑
- Andrew Doris & Mayesha Alam, Hackers for Hire: Confronting the Growing Market for Cyber Mercenaries, FP Analytics: Digit. Front Lines, https://digitalfrontlines.io/2025/01/30/hackers-cyber-mercenaries [https://perma.cc/H3F9-NAYC] (stating that, as of 2019, the cyber mercenary market had a value of $12 billion). ↑
- Id. “Since 2011, at least 74 national governments have leveraged cyber mercenaries for the use of spyware alone,” with the buyers in the market often being governments seeking to advance their interests. Id. ↑
- Zerbe, supra note 233. ↑
- Córdoba, supra note 256. ↑
- See Kristen Eichensehr, Cyberattack Attribution and International Law, Just Sec. (July 24, 2020), https://www.justsecurity.org/71640/cyberattack-attribution-and-international-law [https://perma.cc/LP74-6C5W]. ↑
- Id. The WannaCry ransomware attack in May 2017 disabled hundreds of thousands of computers in over 150 countries. See Kristen Eichensehr, Three Questions on the WannaCry Attribution to North Korea, Just Sec. (Dec. 20, 2017), https://www.justsecurity.org/49889/questions-wannacry-attribution-north-korea [https://perma.cc/E3PK-6WVM]. The Trump Administration formally accused the North Korean government of being responsible for the attack, and the United Kingdom, Australia, Canada, New Zealand, and Japan joined the United States in denouncing them. Id. The NotPetya attack was a widespread cyberattack in June 2017 aimed at Ukraine that ended up crippling computers globally. See Mark Landler & Scott Shane, U.S. Condemns Russia for Cyberattack, Showing Split in Stance on Putin, N.Y. Times (Feb. 15, 2018), https://www.nytimes.com/2018/02/15/us/politics/russia-cyberattack.html [https://perma.cc/V67A-T6PB]. The United States and Britain formally blamed Russia for the attack. Id. ↑
- Eichensehr, supra note 341. ↑
- See James Andrew Lewis, Creating Accountability for Global Cyber Norms, Ctr. for Strategic & Int’l Stud. (Feb. 23, 2022), https://www.csis.org/analysis/creating-accountability-global-cyber-norms [https://perma.cc/EUQ4-W755]; Rachel Anne Carter & Julian Enoizi, The Geneva Ass’n, Mapping a Path to Cyber Attribution Consensus 17 (2021), https://www.genevaassociation.org/sites/default/files/cyber-attribution_web_final.pdf [https://perma.cc/2PCC-TCCT] (stating that political factors may prevent calling out the behavior of another state, as the condemning state may experience retaliation). ↑
- Shaw, supra note 177. ↑
- See Jensen, supra note 295, at 752. ↑
- Id.; Shaw, supra note 177. ↑