Force by Other Means: Developing a Comprehensive Method for Identifying Transnational Cyber Attacks as Article 2(4) Violations
In modern warfare, the most devastating attacks may no longer involve tanks or missiles, but lines of code. A single cyber operation can cripple hospitals, paralyze power grids, dismantle financial institutions, and prevent democratic election procedures from being carried out–bringing governments to a standstill without the firing of a single bullet. Despite the growing capacity for cyberattacks to inflict damage comparable to traditional kinetic warfare, international law remains ambiguous on when such actions qualify as “uses of force” under Article 2(4) of the UN Charter, which states that all UN member states must refrain from the “threat or use of force against the territorial integrity or political independence of any State.” [1]
To address this regulatory gap, a comprehensive filtering system must be developed that the International Court of Justice (ICJ) could adopt to clarify when cyber operations cross that legal boundary. Under this system, transnational cyberattacks qualify as prohibited uses of force when they meet the “scale and effects” threshold established by Nicaragua v. United States (1986) or when they degrade a state’s political independence by disabling essential government functions, and a series of cyberattacks may also cumulatively amount to a single wrongful act under the Accumulation of Events Theory. Together, these criteria form an effects-based test that extends the ICJ’s logic to cyberspace, ensuring that international law continues to protect sovereignty even as the means of coercion evolve.
Scale and Effects > Means
ICJ precedent has established that Article 2(4) of the UN Charter covers non-traditional actions based on their effects rather than their means. To understand this principle, consider what a “means-based” approach would entail: restricting Article 2(4)’s prohibition only to specific methods of force–conventional military attacks, bombing campaigns, invasions by ground troops, etc. Under such an interpretation, states could evade the Article's constraints simply by employing novel methods that achieve identical destructive outcomes. In contrast, an “effects-based” approach examines whether an action produces the consequences Article 2(4) was designed to prevent–severe harm to a state’s sovereignty and territorial integrity–regardless of the means employed.
The seminal case establishing this effects-based approach is Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States), 1986 I.C.J. 14 (June 27), a case in which the plaintiff, Nicaragua, alleged that the United States effectively violated customary international law and its treaty obligations as outlined in the 1956 Treaty of Friendship, Commerce and Navigation. These claims centered on the United States’ support for the “Contras”–armed groups seeking to overthrow Nicaragua’s government. As part of this American support, Nicaragua accused the U.S. of attacking critical infrastructure such as oil pipelines and port facilities, while simultaneously training, arming, and financing the Contras. [2] Although the US withdrew from the ICJ proceedings, arguing that the Court lacked jurisdiction, it explained its position–Nicaragua was supporting armed opposition in neighboring El Salvador, and the American activities were intended as collective self-defense for El Salvador and other Central American states allegedly threatened by Nicaragua. [3]
The ICJ held that the US support for the Contras and certain military actions constituted a “use of force” against Nicaragua in violation of Article 2(4), [4] and rejected the US claim of collective self-defense since Nicaragua posed no armed attack against the states the US sought to defend. As part of its reasoning, the Court prioritized the scale and effects over means in its determination of the U.S. support for Contra forces as a “use of force” since “such an operation, because of its scale and effects, would have been classified as an armed attack rather than as a mere frontier incident had it been carried out by regular armed forces.” [5] The Court further stated that “the assistance to the contras, as well as the direct attacks on Nicaraguan ports, oil installations, etc. … not only amount to an unlawful use of force, but also constitute infringements of the territorial sovereignty of Nicaragua.” [6] This focus on consequences rather than methods establishes that Article 2(4)’s prohibition on member states’ uses of force is not limited to traditional kinetic warfare.
When cyberattacks disable a state’s key infrastructure–power grids, financial systems, government communications networks, healthcare systems–they produce the same destabilizing effects on sovereignty and territorial integrity that the Court condemned in Nicaragua. Governments lose the practical capacity to govern and maintain order within their state, as demonstrated by real-world incidents: Russian cyberattacks on Ukraine’s power grid in 2015 and 2016 left hundreds of thousands without electricity during winter months, [7] while more recent attacks on Ukrainian power plants have aimed to disable critical energy infrastructure during wartime. [8] The 2017 WannaCry ransomware attack paralyzed the British National Health Service (NHS), forcing hospitals to cancel over 19,000 appointments and operations and revert to pen-and-paper operations. [9] This attack disrupted a core function of British state sovereignty by disabling the UK government’s capacity to provide essential healthcare services to its citizens. Similarly, Russian-linked attacks on U.S. water facilities attempted to manipulate chlorine levels to potentially fatal concentrations, threatening public health and the government’s capacity to provide essential services. These attacks prove that cyber operations can achieve the territorial sovereignty violations that Nicaragua prohibited.
A couple of objections could be made to this analytical leap to cyber. First, while one may argue that cyberattacks do not cause physical destruction/casualties the way that traditional kinetic attacks do, Nicaragua itself involved a mix of indirect and direct actions beyond conventional warfare. The case included arming and training rebel forces (the Contras) alongside direct US military operations such as mining Nicaraguan harbors, attacking oil facilities, and conducting aerial strikes on military installations. [10] The Court’s focus was on the destabilization itself, not the means of achieving it. Second, major cyberattacks do produce tangible human consequences even without kinetic damage: the aforementioned WannaCry attack on the NHS resulted in cancelled surgeries, ambulance diversions, and other decisions that directly impacted patient health and potentially cost lives. [11] The distinction between a missile destroying a hospital and ransomware disabling that same hospital’s ability to function is one of means, not effects. Similarly, cyber operations that achieve comparable destabilization should qualify, even without kinetic damage. If the prohibition were limited to specific weapons or kinetic methods, the Court would have said so. Instead, it articulated a broad effects-based standard.
Lastly, there may be the worry that such an analytical leap to cyberattacks from Nicaragua will lead to every transnational cyber operation being considered as a use of force. This would not be the case–only operations meeting the “scale and effects” threshold would qualify. The Court distinguished “most grave” uses of force from “other less grave forms.” Minor cyber intrusions (espionage, website defacement) wouldn’t meet this threshold, just as minor border incidents don’t constitute uses of force. To clarify what a cyberattack that would violate Article 2(4)’s prohibition on uses of force would look like, one could take the example of the 2017 NotPetya attack, which led to over $10 billion in damages and crippled Ukrainian government systems, banks, power companies, and airports. [12] Such effects would pass the scale threshold necessary for a cyberattack to be considered a violation.
Classifying infrastructure-disabling cyberattacks as uses of force does not expand Article 2(4) beyond its intended scope. Rather, it applies the Court’s own effects-based methodology to new technological means of achieving the same prohibited ends–severe destabilizations of state sovereignty and violations of territorial integrity. The Court’s precedent requires this extension: having determined that the scale and effects of an action, not its means, govern Article 2(4) analysis in Nicaragua, the same legal standard must apply when cyber operations produce effects meeting the established threshold. The UN Charter’s drafters could not have anticipated cyber warfare in 1945, but they established a principle–the protection of sovereignty and territorial integrity from severe external interference–that transcends any specific technology, kinetic or otherwise.
Violations of Sovereignty
Further, cyberattacks disabling critical infrastructure should be classified as Article 2(4) violations because they fundamentally degrade a state’s capacity to perform essential government functions (i.e. their sovereignty). The ICJ’s effects-based approach in Nicaragua establishes that Article 2(4) focuses on the consequences rather than on the means, but this raises a question: what specific effects on “political independence and territorial integrity” cross the threshold into prohibited uses of force? Legal scholar Ian Brownlie’s analysis of Article 2(4)’s drafting history may give us the answer. In his examination of the travaux préparatoires, Brownlie concluded that “the phrase under discussion was not intended to be restrictive but, on the contrary, to give more specific guarantees to small states and that it cannot be interpreted as having a qualifying effect… The phrase ‘political independence and territorial integrity’ has been used on many occasions to epitomize the total legal rights which a state has.” [13] This interpretation of Article 2(4)’s travaux préparatoires establishes that “political independence and territorial integrity” was intended to “epitomize the total legal rights which a state has” rather than impose restrictive qualifications on the prohibition. This interpretation aligns with the purpose of the UN Charter–namely, preventing conditions that enabled pre-WWII aggression, when economically and militarily superior powers granted other states independence only nominally while effectively controlling their functional capacity to govern.
When cyberattacks disable a state’s critical infrastructure, they directly impair “political independence” by degrading that state’s functional capacity to carry out essential government functions (maintaining public order, protecting its citizens, engaging in commerce, etc.). Such attacks achieve digitally what imperial practices achieved through economic coercion/military occupation: states are left nominally sovereign but incapable of independent action. This could resolve the tension between effects-based analysis and sovereignty violations by clearly defining when 2(4) thresholds are violated. Again, it must be clarified that not every sovereignty violation amounts to an Article 2(4) violation as well (e.g., cyber espionage). Returning to the example of the NotPetya attack, its crippling of Ukrainian government systems in 2017, which disabled ministries and paralyzed financial institutions, shows what this degradation of political independence looks like: Ukraine retained formal sovereignty but temporarily lost the functional capacity to govern–precisely the impairment Article 2(4) was designed to prohibit, according to Brownlie’s logic. Therefore, the critical threshold isn’t whether a cyberattack violates sovereignty, but whether it disables the necessary infrastructure for a government to perform its essential functions. Only the latter degrades political independence and constitutes a prohibited use of force under Article 2(4). Infrastructure-disabling cyberattacks that meet Nicaragua’s “scale and effects” threshold and impair a state’s capacity to govern would, therefore, satisfy both the effects-based test and violate Brownlie’s interpretation of political independence, marking them as clear Article 2(4) violations.
Accumulated Attacks
When individual cyberattacks fall below the Article 2(4) “scale and effects” threshold established by Nicaragua, the Accumulation of Events Theory–implicitly recognized in the UN’s Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA)–provides a path for aggregating multiple incidents. This theory, also known as Nadelstichtaktik or “needle prick,” allows states to accumulate the consequences of multiple wrongful acts attributable to a single state actor when determining whether an Article 2(4) violation has occurred. ARSIWA Article 15 mandates that “a breach of an international obligation by a State through a series of actions...defined in aggregate as wrongful occurs when the action...taken with the other actions...is sufficient to constitute the wrongful act.” [14] This provision shows that individual acts don’t need to independently violate international law if their cumulative consequences reach the prohibited threshold. As legal scholar Michael McLaughlin argues based on an analysis of Nicaragua and Iran v. United States (more commonly known as the Oil Platforms case), aggregating multiple incidents requires two conditions to be met: (1) the incidents must be causally and temporally related, and (2) the combined consequences must meet a de minimis threshold of severity. [15]
Russia’s Sandworm Team campaign, as documented in a 2020 Pennsylvania grand jury indictment, serves as an example of how states can strategically design campaigns to exploit this gap. The campaign encompassed: deployment of NotPetya (causing over $10 billion in damages), attacks on Ukrainian power grids, interference in Georgian government systems, targeting of French elections, and disruption of the 2018 Winter Olympics. [16] While Russia strategically designed each individual operation to remain just below the armed attack threshold, effectively preventing legal responses to each incident, the cumulative consequences of these events met both ICJ requirements: the attacks were temporally and causally connected as part of a coordinated strategy, and their combined severity far exceeded the de minimis threshold for uses of force.
Importantly, the Accumulation of Events Theory only applies when individual cyberattacks don’t independently meet the scale and effects threshold; it is a secondary framework. This does not lower the overall severity requirement but rather prevents states from evading responsibility by fragmenting what is really a unified campaign into multiple sub-threshold operations. This closes the legal gap that has allowed states to conduct sustained cyber aggression with impunity.
An Urgent Need for Change
The WannaCry ransomware attack of 2017, which crippled the British National Health Service (NHS), proves that cyber operations can paralyze key infrastructure even if no kinetic forces are used. Yet despite such clear parallels to kinetic warfare, international law has failed to keep pace, leaving ambiguity over whether these acts constitute wrongful “uses of force” under Article 2(4). The identification method proposed here, anchored in Nicaragua’s effects-based reasoning, Brownlie’s conception of sovereignty, and the Accumulation of Events Theory, attempts to bring coherence and precision to that question. Without such clarity, states risk two dangerous extremes: overreaction, by interpreting every major cyber incident as an act of war, or underreaction, by leaving victims of large-scale transnational cyber aggression without meaningful recourse in international courts. A principled, effects-based system ensures that international law remains adaptive to new forms of international aggression while safeguarding the UN Charter’s principle of peace.
Edited by Andrew Chung
[1] “United Nations Charter (Full Text),” United Nations, https://www.un.org/en/about-us/un-charter/full-text.
[2] “Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States), 1986 I.C.J. 14, 103-23: Case Brief Summary,” Quimbee, https://www.quimbee.com/cases/military-and-paramilitary-activities-in-and-against-nicaragua-nicaragua-v-united-states.
[3] “Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States), 1986 I.C.J. 14, 103-23: Case Brief Summary,” Quimbee, https://www.quimbee.com/cases/military-and-paramilitary-activities-in-and-against-nicaragua-nicaragua-v-united-states.
[4] Patel, Bimal N. “Case Concerning Military and Paramilitary Activities in and Against Nicaragua: (Nicaragua v. USA),” In The World Court Reference Guide, by Bimal N. Patel and Shabtai Rosenne, https://doi.org/10.1163/9789004481237_119.
[5] Patel, Bimal N. “Case Concerning Military and Paramilitary Activities in and Against Nicaragua: (Nicaragua v. USA),” In The World Court Reference Guide, by Bimal N. Patel and Shabtai Rosenne, https://doi.org/10.1163/9789004481237_119.
[6] “Military and Paramilitary Activities (Nicaragua/United States of America),” Max-Planck-Institut Für Ausländisches Öffentliches Recht Und Völkerrecht, https://www.mpil.de/de/pub/publikationen/archiv/world-court-digest.cfm?fuseaction_wcd=aktdat&aktdat=104020501100.cfm.
[7] “Cyber-Attack Against Ukrainian Critical Infrastructure,” Cybersecurity and Infrastructure Security Agency, July 20, 2021, https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01.
[8] Humphreys, Brian E. “Attacks on Ukraine’s Electric Grid: Insights for U.S. Infrastructure Security and Resilience,” U.S. Congress, May 17, 2024, https://www.congress.gov/crs-product/R48067.
[9] “Investigation: WannaCry Cyber Attack and the NHS - NAO Report,” National Audit Office (NAO), October 27, 2017, https://www.nao.org.uk/reports/investigation-wannacry-cyber-attack-and-the-nhs/.
[10] Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, para. 21 (June 27).
[11] “Investigation: WannaCry Cyber Attack and the NHS - NAO Report,” National Audit Office (NAO), October 27, 2017, https://www.nao.org.uk/reports/investigation-wannacry-cyber-attack-and-the-nhs/.
[12] Greenberg, Andy. “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” WIRED, August 22, 2010, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.
[13] Hassan, Daniyal. “Has Article 2(4) Of The UN Charter Become Redundant In The 21st Century?” Courting The Law, February 19, 2016, https://courtingthelaw.com/2016/02/19/commentary/has-article-24-of-the-un-charter-become-redundant-in-the-21st-century/.
[14] McLaughlin, Michael. “Deterring the Next Invasion: Applying the Accumulation of Events Theory to Cyberspace,” Opinio Juris, March 2, 2023, https://opiniojuris.org/2023/03/02/deterring-the-next-invasion-applying-the-accumulation-of-events-theory-to-cyberspace/.
[15] McLaughlin, Michael. “Deterring the Next Invasion: Applying the Accumulation of Events Theory to Cyberspace,” Opinio Juris, March 2, 2023, https://opiniojuris.org/2023/03/02/deterring-the-next-invasion-applying-the-accumulation-of-events-theory-to-cyberspace/.
[16] “Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace,” United States Department of Justice, October 19, 2020, https://www.justice.gov/archives/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and.