Cybersecurity Norms Under International Law: State Responsibility for Cyber Operations, Attribution, and the Tallinn Manual’s Limits

Introduction

The emergence of cyberspace as a domain of strategic competition has generated one of the most intellectually demanding debates in contemporary international law: does existing international law apply to state-sponsored cyber operations, and if so, how? The foundational instruments of international law, the UN Charter, the customary law of state responsibility, the law of armed conflict, were designed for a world in which states wielded physical force through conventional military means. Cyber operations, which can disable critical infrastructure without a single soldier crossing a border, can manipulate financial systems without firing a shot, and can subvert democratic processes without leaving attributable physical traces, challenge the conceptual categories through which international law understands the use of force, armed attack, and state responsibility.

The question is not merely academic. The SolarWinds supply chain compromise attributed to Russia’s SVR intelligence service, the NotPetya malware (also attributed to Russia’s GRU) that caused over ten billion dollars in damage globally and is the most economically destructive cyberattack in history, the Shamoon attacks on Saudi Aramco attributed to Iran, and the proliferating use of ransomware by state-sponsored actors against hospitals, power grids, and government systems all pose the question: at what point does a cyber operation constitute a use of force prohibited by Article 2(4) of the UN Charter, and what legal consequences follow?

This article examines the application of foundational international law principles to cyber operations, the Tallinn Manual’s contributions and limitations, the attribution problem, the UN-sponsored norm development processes, and India’s evolving position in global cyber governance.

Legal Framework

The UN Charter’s key provisions are Article 2(4), which prohibits the threat or use of force against the territorial integrity or political independence of any state, and Article 51, which preserves the inherent right of self-defence in response to an “armed attack.” The ICJ’s Nicaragua Case (Military and Paramilitary Activities in and against Nicaragua, 1986) established the threshold of “armed attack” as the trigger for the right to use force in self-defence, and held that this threshold is higher than the threshold for wrongful use of force: not every use of force constitutes an armed attack warranting counter-force. The Court also developed the “effective control” test for attributing the actions of non-state actors to states.

Applied to cyber operations, the threshold question becomes: what cyber effects constitute a “use of force” and what cross the higher threshold of “armed attack”? The prevailing scholarly consensus, reflected in the Tallinn Manual on the International Law Applicable to Cyber Operations (first edition 2013, revised Tallinn Manual 2.0 in 2017, and Tallinn Manual 3.0 in 2022, all produced by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn), is that cyber operations constitute a use of force when their effects are equivalent to those of a kinetic use of force. An operation that causes destruction of infrastructure, casualties, or large-scale disruption comparable to a physical military attack would meet this threshold. The NotPetya attack, which caused billions in damage and disrupted shipping, banking, and pharmaceutical operations globally, is frequently cited as a possible use-of-force-level operation; yet no state has formally invoked Article 51 in response to it.

The attribution of cyber operations to states is the second major legal challenge. Technical attribution (identifying the infrastructure, malware signatures, and operational patterns associated with a particular threat actor) has become increasingly sophisticated. Intelligence agencies in the US, UK, and their allies regularly attribute major cyber operations to specific state actors with high confidence. However, legal attribution under international law requires something more: the operation must be attributable to the state under the criteria established in the ARSIWA Articles on State Responsibility. Article 8 provides that conduct of a non-state actor is attributable to a state if the state directed or controlled the specific operation. The “effective control” standard from Nicaragua is demanding: general support or direction is insufficient; the state must have exercised effective control over the specific conduct. The “overall control” standard from the ICTY’s Tadic judgment is somewhat lower but was applied in the context of an organised armed group, not individual cyber actors.

The Tallinn Manual: Contributions and Limits

The Tallinn Manual, now in its third edition (2022), is an expert opinion document reflecting the views of the Manual’s international law expert group on how existing international law applies to cyber operations. It is explicitly not a statement of binding law: the participating states (primarily NATO members) do not endorse the Manual, and it represents the views of the approximately twenty international law scholars and practitioners who participated in its drafting. The Manual addresses the application of the jus ad bellum (law on the use of force) and jus in bello (international humanitarian law) to cyber operations, as well as state sovereignty, jurisdiction, and countermeasures in the cyber context.

The Tallinn Manual’s most significant contribution is providing a structured analytical framework that has influenced state practice and national cyber strategies. Its “Rules” (statements of law) and “Commentaries” (explaining the reasoning and noting areas of disagreement) have been incorporated into the legal frameworks of multiple states’ cyber commands. However, the Manual has been criticised on several grounds. First, its primary drafters represent a Western, NATO-aligned perspective, and the legal rules it endorses in contested areas often reflect Western state practice and interests. Second, major cyber powers including Russia and China have consistently rejected the Manual’s framework, particularly its application of IHL to cyberspace and its treatment of sovereignty in the cyber domain. Third, the Manual’s treatment of critical infrastructure protection is aspirational rather than reflective of consistent state practice.

The Tallinn Manual 3.0 (2022) addressed new areas including space-related cyber operations, machine learning and autonomous cyber operations, and the application of human rights law to state cyber activities, marking an important evolution in its analytical scope.

The UN Norm Development Processes

The primary multilateral forum for developing international norms on cyber behaviour has been the UN General Assembly’s First Committee (disarmament and international security), which has spawned two parallel tracks: the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG).

The GGE, operating in five-member groups of approximately twenty-five states since 2004, produced three consensus reports with significant normative implications: the 2013 GGE report affirming that international law applies in cyberspace; the 2015 GGE report developing a non-exhaustive list of voluntary, non-binding norms for responsible state behaviour (including non-interference in another state’s critical infrastructure; not allowing one’s territory to be used for internationally wrongful cyber acts; protecting emergency response teams); and the 2021 GGE report, which was the first to acknowledge the applicability of specific IHL provisions to cyber operations during armed conflict.

The OEWG, proposed by Russia and adopted by the UNGA in 2018, operates as a universal-membership parallel process, explicitly intended to give all UN member states (including those excluded from GGE) a voice in norm development. The OEWG produced its first consensus report in 2021, broadly consistent with GGE outputs, and has continued meeting under a second mandate (2021-2025). India participates actively in the OEWG, using it as a platform to advocate for developing-country perspectives on internet governance and cyber norms.

The key tension between GGE and OEWG reflects a deeper geopolitical division: the US, EU, and their allies prefer to affirm the application of existing international law to cyberspace (arguing that no new treaty is needed, merely interpretation); Russia, China, and many developing countries prefer a new comprehensive treaty (a “code of conduct” or international cybercrime convention that might limit offensive cyber operations more explicitly but also potentially authorise more extensive state control over internet content). As of 2026, no new binding treaty has emerged from the UN processes.

Contemporary Issues and Analysis

The attribution problem remains the most practically significant obstacle to effective international law enforcement in cyberspace. Even when technical attribution is confident, states are reluctant to translate technical attribution into formal legal attribution for multiple reasons: the evidentiary standards of international law are demanding, the intelligence methods used to establish attribution are classified, and public attribution may trigger escalatory responses. The result is that most major cyberattacks go without formal state-to-state legal response, even when political attribution is explicit.

The NotPetya case is illustrative. In February 2018, the US, UK, Canada, Australia, New Zealand, and later the EU and others publicly attributed NotPetya to the Russian military (GRU’s Sandworm team). This represented an unprecedented collective attribution. However, no formal legal proceedings were initiated: the US imposed additional sanctions on Russian entities (invoking CAATSA authority rather than IHL), but did not claim a right of self-defence or invoke ICJ jurisdiction. The UK’s call for Russia to “face consequences” was political, not legal. The gap between political attribution and legal consequence illustrates that the mechanisms for imposing legal accountability for cyber operations remain severely underdeveloped.

The specific norm against attacking critical infrastructure has attracted more sustained attention because the potential humanitarian consequences of disabling power grids, water treatment systems, or hospital networks are catastrophic. The 2015 GGE norm and multiple bilateral commitments (the Obama-Xi agreement of 2015, the Biden-Putin Geneva Summit understanding of 2021) commit states not to conduct such attacks in peacetime. These commitments have demonstrably been violated, including the Triton/TRISIS attack on Saudi petrochemical safety systems attributed to Iran, and Russian cyberattacks on Ukraine’s power grid beginning in 2015. The gap between normative commitment and operational conduct is the defining challenge of cyber governance.

India’s Position

India’s official position on cyber norms has evolved significantly since 2010. India initially resisted the affirmation that existing international law applies in cyberspace (at the 2011 GGE, India argued for a new treaty framework), but subsequently moved toward accepting that existing law applies while advocating for a new universal binding instrument to supplement it. India has supported the OEWG process and uses it to advocate for developing-country participation in internet governance, technology transfer to developing countries, and protection of digital public infrastructure from weaponisation.

India has experienced significant state-sponsored cyber operations against its own infrastructure, including the 2020 SolarWinds-style supply chain attack against Indian networks attributed to Chinese state actors, and persistent intrusions attributed to Pakistani intelligence services targeting Indian government networks. India’s National Cyber Security Policy and the CERT-In (Indian Computer Emergency Response Team) response frameworks have evolved substantially following these incidents.

India’s domestic cybersecurity architecture is increasingly robust, but India has been cautious about making formal legal attributions of cyber operations to states, consistent with its general preference for bilateral diplomatic management of disputes with China and Pakistan rather than formal international legal proceedings.

Practical and Policy Implications

The inability of international law to provide timely and enforceable consequences for major cyber operations has significant practical implications for critical infrastructure protection. Private entities operating critical infrastructure are in effect left to defend themselves against state-sponsored adversaries with significantly greater technical capabilities and resources. The EU’s NIS2 Directive (2022), imposing mandatory cybersecurity standards on operators of essential services, and India’s CERT-In mandatory incident reporting framework (2022), which requires reporting of cybersecurity incidents within six hours and data localisation requirements for IT service providers, represent national regulatory responses to a fundamentally international threat.

Suggestions and Reforms

The most practically urgent reform would be the development of a multilateral mechanism for verifying state compliance with the existing voluntary norms, particularly the norm against attacking critical infrastructure. One model is the IAEA inspection system for nuclear facilities: a UN-mandated body with authority to investigate major cyberattacks, compile evidence, and report findings to the Security Council, analogous to the OPCW’s role in investigating chemical weapons use. While this body would face the same sovereignty objections that hamper other verification regimes, its existence would at least create a forum for structured accountability that currently does not exist.

India should engage more actively in the Tallinn Manual process (future editions) to ensure developing-country perspectives on sovereignty, non-interference, and critical infrastructure protection are reflected, and should consider using OEWG as a platform for a concrete proposal on critical infrastructure protection that could command broad developing-country support.

Conclusion

Cyberspace has become the primary arena of great power competition below the threshold of armed conflict, and international law has struggled to keep pace with its governance challenges. The foundational principles of the UN Charter and state responsibility law apply to cyber operations, but their application to the specific characteristics of cyber capabilities (anonymity, dual use, rapid attribution problems, non-physical effects) generates significant uncertainty and inconsistency. The Tallinn Manual provides the most comprehensive analytical framework available, but it is expert opinion rather than binding law, and it reflects a Western strategic perspective that is not universally shared. The UN norm development processes have produced meaningful voluntary commitments that have been systematically violated. The result is a governance environment in which powerful states can conduct offensive cyber operations against critical infrastructure with minimal legal consequence, and international law enforcement mechanisms are effectively unavailable. Addressing this requires both technical solutions (stronger norms, verification mechanisms, and multilateral incident response) and political will to subordinate short-term strategic advantage to the longer-term rule of law.

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like these