Ferry Oorsprong, MA, EMSD (1974) is an Air Force Lieutenant-Colonel (GS). He has worked as Lecturer International Security Studies and recently started as Assistant Professor Air Power at the Netherlands Defence Academy. Ferry holds an academic master’s degree in Military Strategic Studies and a professional master’s degree in Security and Defence. He is currently preparing a PhD research proposal in line with the submitted paper.
LinkedIn: Ferry Oorsprong
Brigadier-General dr. Paul Ducheine, MSc, LL.M. (1965) is the Professor for Cyber Operations and Cyber Security at the Netherlands Defence Academy, and a Legal Advisor (Netherlands Army Legal Service). At the University of Amsterdam, he was named professor by special appointment of Law of Military Cyber Operations.
Peter Pijpers, MSc, LL.M (1969) is an Army Colonel (GS). He is Associate Professor of Cyber Operations at the Netherlands Defence Academy and PhD candidate at the University of Amsterdam. Peter is currently finalising his research on “Influence Operations in Cyberspace: On the Applicability of Public International Law during Influencing Operations in a Situation below the Threshold of the Use of Force”.
Armed Attack in Cyberspace: Clarifying and Assessing When Cyber-Attacks Trigger the Netherlands’ Right of Self-Defence
Whilst Article 51 of the UN Charter indicates that an ‘armed attack’ may trigger a State’s inherent right of individual or collective self-defence, the purport of armed attack remains a matter of interpretation and qualification. Moreover, actions carried out in (or through) cyberspace have caused the impetus for another debate: whether and when cyber-attacks can qualify as an armed attack. To improve the notion of self-defence and contribute to the jus ad bellum (international law on the use of transnational force), more clarification as to what constitutes an armed attack in cyberspace is necessary. Therefore, norms – regarding when cyber-attacks reach the threshold of an armed attack – could be conducive to guide State behaviour. On the one hand, these norms could be used in the political decision-making processes for States that consider initiating cyber-attacks. On the other, they will help victim States in their decision-making processes in response to cyber-attacks with a grave impact.
The main aim of the paper is to propose a tangible guideline that outlines when cyber-attacks – perpetrated solely in or through cyberspace and not in conjunction with conventional military attacks – can qualify as an armed attack. By assessing the positions of States (opinio juris) and leading academic opinions regarding the qualification of cyber-attacks as armed attacks, and applying international and interdisciplinary policy documents to transfer the legal debate into tangible options, a policy framework is deduced that can serve as a baseline for international cyber norms. This framework distinguishes three separate categories of armed attack in cyberspace, each with their own distinctive levels to determine if and when a cyber-attack can qualify as an armed attack. For now, these levels are tailored for the Netherlands in absolute numbers, but when transferred to percentages of the gross national/domestic product and the population size, they could perhaps be suitable for other States as well.