New Technologies in International Law / Tymofeyeva, Crhák et al.

criterion of necessity obligates the use of cyber force to be needed in order to defend the target State in a situation where the non-forceful measure would not suffice. The Tallinn Manual in this context asserts the necessity of primary usage of passive defense instruments (such as firewalls) and/or of non-forceful active cyber measures when the operations meeting the threshold of use of force are not inevitable. In case of a necessary use of force, the cyber means must adhere to the proportionate degree conditional on the situation in question – in terms of scope, scale, intensity, duration etc. On the contrary, there is simply no rule compelling the cyber self-defense to react to cyber attacks only and vice versa . 640 Another crucial aspect in the determination of legal exercise of self-defense is the issue of its imminence and immediacy. The States in their doctrines, as well as the scholarship, take different stances towards the concepts of preemptive (anticipatory) and preventive self-defense. The cyber context certainly does not detract from the controversy over this rather evergreen topic. The collective form of the inherent right of self-defense naturally keeps its place in the cyber era, 641 as the capacities of States in the domain vary on a large scale. Needless to say, all the standard requirements applicable to the individual form, as well as additional established conditions for the collective self-defense, such as of a prior request of help, by the victim State, apply in a regular manner. 3. The question of attribution Article 2(4) of the UN Charter only applies to uses of force that are conducted by States or are otherwise attributable to States. Attribution denotes “ the operation of attaching a given action or omission to a State ” under international law. 642 Under Article 2 of the Draft Articles on State Responsibility, crucially, attribution is one of the elements to finding an internationally wrongful act. Hence, all international claims are based on attribution. It is inferred if the actor is an organ of that State under Art 4 if the actor is exercising government authority under Art 5, or if the actor is acting on the instructions, or under the direction or control, of that State under Art 8. As a cornerstone of all international law, attribution must be applied, albeit with some difficulty, also to cyber attacks and cyber espionage. 643 While State-organs in the broadest sense are thus by definition attributable to the State in question, activities of non-State actors are generally non-attributable, if not 640 Schmitt M, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP, 2013), pp. 61–62; Schmitt M, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP, 2017), pp. 348–349. 641 For more in a collective security organization perspective see, NATO 2020: Assured Security, Dynamic Engagement. Analysis and Recommendations of the Group of Experts on a New Strategic Concept for NATO’ (17 May 2010), pp. 20 and 45 . 642 ILC, ‘Draft Articles on Responsibility of States for Internationally Wrongful Acts’ November 2001) UN doc A/56/10, Art. 3, para 12. 643 Finlay L and Payne C, ‘The Attribution Problem and Cyber Armed Attacks’ (2019) 113 AJIL Unbound 202, p. 203.

152