Read full article (PDF file, 303 KB)
Cyber hostilities falling below the "armed attack" threshold are increasingly prevalent on the international stage. Because these lesser uses of cyber-force can still have disruptive and threatening effects, states will want to react to them quickly and effectively. Countermeasures—temporarily lawful actions undertaken by an injured state in response to another state’s internationally wrongful conduct—offer one acceptable response under international law. As such, they have the potential to play a central role in governing the responses of states faced with cyber-incursions.Apart from the bare suggestion that countermeasures might have some bearing on the cyber context, little has been written on how exactly that legal framework would apply. This Essay seeks to fill that gap by using the 2007 cyber-attacks on Estonian networks as a vehicle for assessing how states might use countermeasures to respond to cyber-assaults that fall short of an "armed attack." In light of this analysis, I argue that cyber-tactics unsettle the necessity and proportionality inquiries designed to restrain how injured states can respond under the international law of countermeasures. In particular, I contend that "reciprocal countermeasures"—which have been cited by the U.S. Department of Defense and several scholars as being an effective and even preferable mode of self-help in the cyber context —are deeply problematic for an international legal regime that seeks to appropriately constrain state responses to cyber-conflict.
