New Technologies in International Law / Tymofeyeva, Crhák et al.

However, starting with the simpler issues, the definition of a cyber attack should be briefly discussed. The first source of such definitions is through acts of international law. The BC does not directly indicate a definition of cyber attack. It does, however, refer to four categories of violations that it addresses. First, it refers in Titles 1 and 2 to violations consisting of computer-related offences. In particular, the obligation of signatory states to regulate was pointed out in Title 1: illegal access (Article 2 BC), illegal interception (Article 3 BC), data interference (Article 4 BC), system interference (Article 5 BC) and misuse of device (Article 6 BC). Subsequently, Title 2 defines computer related forgery (Article 7 BC) and computer related fraud (Article 8 BC). In conclusion, the provisions indicated illustrate quite well the catalogue of events that can be identified as a cyber attack. Surprisingly, the Draft Convention does not actually expand this catalogue in any meaningful way. The same categories are distinguished: unlawful access (Article 6 DC), unlawful interception (Article 7 DC), interference with computer data, digital information (Article 8 DC), interference with computer system, information and communication technology device (Article 9), misuse of devices (Article 10), computer forgery (Article 11), computer theft or fraud (Article 12). As can be observed, the process of extracting definitions with both conventions more than 20 years apart does not change. However, the two documents cannot be the same, as will be shown by a comparative analysis of further provisions of both conventions. The definitions shown above, derived from acts of international law, cannot be considered sufficient. Reference must therefore be made to international soft law. The best source in this regard would be the already mentioned Tallinn Manual. In accordance with Rule 92: A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects. First, it should be noted that in international relations, especially in the context of conflicts between states in the digital arena, the inclusion of both offensive and defensive measures should be seen as an important added value. This is a very good example of how law should respond to the challenges posed by technology. On the one hand, there is a real distinction between offensive and defensive actions, which can be difficult to distinguish from the perspective of a participant in international relations. Moreover, it should be noted that this will not be the most important thing when analysing the responsibility of a particular entity or state for a cyber attack. On the positive side, the definition also includes a detailed explanation. This is because it is easy to find out important information about the scope of the definition. For the purposes of this research, it should be noted that this definition does not only cover the “release of kinetic force”, 674 nor should damage to persons or property be used as an argument for not including the loss or destruction of computer ‘Guidelines for the Security of Information Systems’ (1992) accessed 20 October 2023; OECD, ‘Guidelines for the Security of Information Systems and Networks’ (2002) accessed 20 October 2023; OECD, ‘Policy Framework on Digital Security’ (2022) accessed 20 October 2023. 674 Schmitt M, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP, 2017), pp. 415-416.

160