
The cyber attacks on Saudi Aramco, RasGas, and U.S. banks in the context of international law

December 26, 2012 by Dimitar Kostadinov


When it was created, the Internet was launched as a classified military experiment, but nowadays it is a widely used tool that has a multitude of purposes. Recent cyber attacks on Saudi Arabia’s state oil company Saudi Aramco, the Qatari gas firm RasGas, and denial-of-service attacks on some major U.S. banks come as evidence that the battlefield is shifting from a three-dimensional to a linear front, and this tendency may also result in an overall drastic change of warfare standards. In spite of the obvious improvement of life standards which this technological revolution brought, the great dependency on computers may open a new page of warfare conduct. Because international law is hampered by constraints imposed before the advent of cyber attacks, one of the most significant challenges today is withstanding this rapid advance of computer technology.

Jus ad bellum and cyber warfare. Interaction and specifics of “use of force” and “armed attack” terms

The most essential jus ad bellum provisions are Article 2(4), the prohibition on the use of force, and Article 51 of the UN Charter, the use of self-defense. These norms bind all states whether or not they are members of the United Nations. Although the UN Charter was drafted long before the emergence of the Internet and of cyber attacks, its provisions regulate any use of force. This has been affirmed by the International Court of Justice (ICJ): Article 2(4) and Article 51 are applicable to “any use of force, regardless of the weapons employed” (ICJ, 1996). Among most scholars, there is no doubt that cyber attacks could qualify as a use of force pursuant to Article 2(4) and self-defense as in Article 51. Consequently, the UN Charter system, as well as customary international law, regulates the conflicts in which the parties can use computer systems to inflict harm on each other (Robertson, 2002).

In relation to the aforementioned provisions, there are two significant terms—“use of force” (Article 2(4)) and “armed attack” (Article 51)—which seem to have a certain correlation between them. A careful textual analysis ascertains that the two terms have different purposes and scope. While the concept of “use of force” seems to be broader in meaning, the term “armed force” is directly related to severe cases of threats to the peace, breach of the peace, or acts of aggression (Schmitt, 1999).

In the Nicaragua case (1985), the ICJ affirms that there is a difference between a “use of force” and an “armed attack”. The court adopts the view that an armed attack constitutes a higher degree, as it involves the direct infliction of death or injury on human beings or physical damage to property. This distinction made by the court does not tie the hands of a state when it suffers an information operation that does not rise to the standard of “armed attack”. It simply means that the state should restrain its response short of military action (Schmitt, 2003). The distinction between an armed attack and the use of force is premeditated. The current U.N. scheme precludes responses, especially unilateral actions, to acts which do not rise to the level of an armed attack.

The type and level of response to cyber attacks

Similar to terrorist acts, cyber attacks are initiated without warning, and often the result of the attack is noticeable within seconds after it has been launched, thus giving the victim almost no time to react. Usually, the level and type of response to the use of force is determined more or less by the extent of the impact of the initial strike. A cyber attack directed against a minor target that is not meant to cause grave consequences, such as death/injury or destruction/damage, would most probably not be viewed as an armed attack. Moreover, the state’s prerogative to respond to the use of force in self-defense is regulated by the necessity and proportionality tenets:


The principle of necessity justifies a more decisive action when all peaceful means are exhausted and there are no further options to settle the conflict any other way than through the use of forceful methods.


The proportionality tenet regulates the quantity of the countermeasures used. They must be proportional and adequate to those used in the initial attack made by the aggressor.

The situation is not exactly clear when the uses of force do not reach the threshold of an armed attack. Both unilateral attack and collective self-defense are not allowed. Nonetheless, although reprisals infringe on international law, acts like retorsion have become increasingly popular and often occur in cyber warfare. The attacks on Saudi Aramco, RasGas, and the US banks are thought to be retaliation strikes for the Stuxnet worm, which was allegedly devised by the joint efforts of US and Israeli specialists and designed to undermine Iran’s nuclear ambitions (Sale, 2012).

International law prohibits such attacks, but one way to cope with this situation is to address the issue to the UN Security Council, with the hope of getting permission for a forceful response not related to armed attack under Article 39 of the Charter. Unilateral responses are restricted without authorization from the Security Council.

When passive defensive measures prove themselves incapable of preventing an aggressive act, then the injured State has the right to retrieve reparations for the damages suffered. Of course, in accordance with the current international law, such a claim would only be possible if there is an actual agreement on cyber attacks between the states in question (Creekman, 2002).

The current warfare legislation and Schmitt’s scheme

The state practice concerning applying the jus ad bellum legal framework to cyber attacks, more specifically the use of force notion, is vague and ambiguous. Even though the current jus ad bellum and in bello do not regulate cyber attacks well, they can still serve as “a model for devising rules.” One way to adjust the notion of cyber attacks is to shape it with the help of the general principles and pre-existing legal frames for conventional armed attacks. Such an adjustment must stay by all means flexible and should not be performed in a merely prohibitive manner (Brown, 2006).

As an alternative, Michael Schmitt, the Chairman of International Law Department at the United States Naval War College, proposes a scheme of factors that may prove useful when a person evaluates whether a cyber attack constitutes a use of force and/or resembles a conventional armed attack (Schmitt, 2011). These factors are:

(1) Severity

This is the most important factor because it gives information about the negative consequences of a cyber attack. The Shamoon virus destroyed the hard drives of most of Aramco’s computers and erased the data on management servers which were of utmost importance for the company. U.S. Defense Secretary Leon Panetta claims that cyber attacks “could be as destructive as the terrorist attack of 9/11,” whether conducted by a state or non-state actors (Riley & Engleman, 2012).

(2) Immediacy

This criterion is also important because it indicates how soon the consequences emerge after the impact. If the results are evident soon after the attack, as is often the case with cyber attacks, the chance for a peaceful solution or other viable alternative decreases. Conversely, there are many concerns about computer methods like logic and time bombs whose real consequences appear with some delay (Schmitt, 2011). Shamoon’s code has an embedded timer that was set to attack at the exact time that Aramco’s computers were struck (Perlroth, 2012).

(3) Directness

This factor emphasizes the chain of causation of a cyber attack and assesses the line of events that would eventually lead from the act to the results (Schmitt, 1999). The Shamoon virus, as well as the Stuxnet worm, hit their targets causing direct negative consequences—data erasure or system malfunctions.

(4) Invasiveness

This factor relates to the level of penetration into a secured system. Unauthorized armed attacks usually cross another country’s border and significantly impair the sovereignty of the victim state. Hence, the stability of the target state is threatened and the authority of the government and its institutions is undermined (Schmitt, 1999). The infected computers at Saudi Aramco weren’t connected to the Internet, and according to the officials involved in the investigation, the virus was distributed from a USB memory stick by an employee of the company (Sale, 2012).

(5) Measurability

This criterion identifies the consequences in terms of quantity. If the indicator shows that the number is too high, then the state’s interest is more likely to be impaired (Schmitt, 1999). In terms of numbers, the attack on Saudi Aramco wiped the data on 30,000 computers, whereas the Stuxnet worm temporarily took 1,000 centrifuges at the Natanz nuclear plant out of order.

(6) Presumptive Legitimacy

Schmitt concludes that if an act is not prohibited, then it is permitted. The main reason is that international law tries to make the interpretation and implementation process simpler and also because it is prohibitive by nature (Schmitt, 2011). Erasing important information from the computers of a major oil company, sabotaging the functionality of a nuclear plant, and performing denial-of-service attacks on banks and financial institutions are, however, by any means illegitimate.

(7) Responsibility

An indicator which stands to show when a state is responsible for a cyber attack. The level of involvement of a state in a certain operation is the key here. If the state in question is deeply involved in a particular cyber attack, then this occurrence is more likely to be categorized as a use of force (Schmitt, 2011). Nevertheless, a cyber attack must be duly attributed first before a state is held responsible.

The Attribution Requirement

A very important issue is the attribution of the relevant actions to a state. The attribution of an attack to state agents is a condicio sine qua non under international law because of the potential misguidance of a counter strike towards an “innocent” computer system (Graham, 2010). When the attacker is a state actor, then the countermeasures must observe the jus ad bellum and jus in bello prescriptions pursuant to the UN Charter and customary international law (Condron, 2007).

There is a predominant conviction in international jurisprudence that only states can be adversaries and are entitled to the right to use force in the sense of the UN Charter, and that non-state actors are excluded from the scope of Article 2(4) (Barkham, 2001). Non-state actors like individuals, organized groups, and terrorist organizations need to be linked to a state in order to bear responsibility under this article; otherwise their actions may violate the domestic law of the country to which they belong but not the prohibition on the use of force (Schmitt, 2003).

Supposedly, most cyber attacks are conducted by individuals. The members of various terrorist organizations have gradually become more and more computer literate (Graham, 2010); for example, the minor hacker group “Cutting Sword of Justice,” which took the responsibility for the cyber attack on Aramco, consists only of about 100 participants. It is thought that this group is covertly sponsored by the Iranian government. However, the direct and affirmative attribution to another state may be a difficult task to deal with because of the inherent anonymity of these attacks.

The forensic officials involved in the Aramco investigation are not certain that the incident was an Iranian act. On the other hand, the forensic conclusion could not prove with certainty that the cyber attack wasn’t executed by a non-state actor. The virus could have been simplified on purpose (Riley & Engleman, 2012). However, there is a general conviction that Iran is behind all of the recent cyber attacks.


The probability of grave cyber attacks imposes an obligation on policymakers to reconsider the manner in which they conduct the protection of computer networks and devices, especially those which are an underlying segment of a critical national infrastructure. Clearly, cyber attacks present an enormous challenge to the jus ad bellum norms because those norms were elaborated well before the emergence of the Internet. Taking into account the significant damage of the cyber attacks on Saudi Aramco, RasGas, the US banks, as well as the Stuxnet hit at Natanz, the international community must fully realize that grave cyber attacks are not myth, but reality, and that more decisive measures regarding this threat and its existence within the jus ad bellum framework are needed.

Reference List

Barkham, J. (2001). Information warfare and international law on the use of force. N.Y.U.J. INT’L L. & POL 57, 34.

Brown, D. (2006). A Proposal for an International Convention To Regulate the Use of Information Systems in Armed Conflict. Harvard: Harv. Int’l L.J.

Condron, S. (2007). Getting it right: Protecting American critical infrastructure in cyber space. Harvard Law Review, 20, 403-422.

Creekman, D. (2002). A helpless America? An examination of the legal options available to the United States in responding to varying types of cyber attacks. Am. U. Int’L L. Rev, 3, 641-681.

Graham, D. (2010). Cyber threats and the law of war. Journal of National Security Law and Policy, 4, 87-104.

International Court of Justice (1996). The legality of the threat or use of nuclear weapons. Retrieved from

International Court of Justice (1986). Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America). Retrieved from

Perlroth, N. (2012). In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back. Retrieved from

Riley, M. & Engleman, R. (2012). Code in Aramco Cyber Attack Indicates Lone Perpetrator. Retrieved from

Robertson, H. B. (2002). Self-Defense against computer network attack. INT’L L. STUD, 76, 121-123.

Sale, R. (2012). Saudi Insider Likely Key to Aramco Cyber-Attack. Retrieved from

Schmitt, M. (1999). Computer network attack and use of force in international law. Columbia Journal of Transnational Law, 37, 885-937.

Schmitt, M., Harrison D., Heather A., & Winfield, T. (2004). Computers and war: The legal battlespace. Harvard Program on Humanitarian Policy and Conflict Research.

Schmitt, M. (2011). Cyber operations and the jus ad bellum revisited. Villanova Law Review, 56, 569-606.


Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master’s degree in 2009. From 2008-2012, Dimitar held a job in data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security program at Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.
