What constitutes an “armed attack”? Not a difficult to question to answer? You’d be surprised.
One of the cornerstones of the current framework of international law is Article 51 of the UN Charter, which preserves the right of states to act in self-defence. There are, however, conditions:
Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.
Charter of the United Nations, Chapter VII, Article 51
In other words, states are still allowed to act in self-defence – or in defence of another state – provided that an armed attack has occurred (or, in line with the Caroline case/test, there is an imminent threat of one).
Quite what constitutes an armed attack is another matter, and the US government seems keen to expand the concept.
The US had employed the concept of equivalence as part of its nuclear posture – explicitly stating that an attack with chemical or biological weapons would be met by a nuclear response – until the 2010 nuclear posture review. A report in the Wall Street Journal, commenting on a Pentagon strategy document due to be published next month, claims that the same concept may now be applied to “cyber-attacks”, allowing the US to respond to them with military force.
Quite what constitutes a “cyber-attack” isn’t clear, and I’d be surprised if the new strategy includes a requirement for physical damage. The US claimed that one hacker, Gary McKinnon, caused more than $700,000 of damage, but those costs related to repairing the systems he compromised. It would be an extraordinary loophole to set “cyber-attacks” outside military response because they happen not to cause physical damage.
Importantly, such a change in policy would need to be read together with the existing US position on the source of “armed attacks”: the 2001 invasion of Afghanistan was justified on a self-defence basis, despite the fact the 9/11 attacks had been carried out by a non-state actor. That approach is consistent with previous US actions, notably the intervention in Nicaragua, and in the US attack on the Al-Shifa factory.
Take these two strands – equivalence of “cyber attacks” and military action”, and the conflation of action by states and non-state actors – together, and you have a potentially expansive basis for action against states.
It’ll be interesting to see the detail of the US strategy document, but also the response from other states. The UK is reportedly developing “offensive” cyber warfare capabilities, while China have pursued cyber warfare capabilities for years.
Somehow, I doubt this issue will wind up paralleling the long running debates over the militarization of space, which – almost fifty years after McNamara cancelled the Dynasoar - have barely left the drawing board.