the use of force
military force, the identity of the attacker, any record of cyber operations by the attacker, and the nature of the target (such as critical infrastructure). Moreover, the factors operate in concert. As an example, a highly invasive operation that causes only inconvenience such as temporary denial of service is unlikely to be classiﬁed as a use of force. By contrast, some may categorize massive cyber operations that cripple an economy as a use of force, even though economic coercion is presumptively lawful. 11. Finally, it must be understood that ‘use of force’ as used in this Rule and ‘armed attack’ (Rule 13) are standards that serve different normative purposes. The ‘use of force’ standard is employed to determine whether a State has violated Article 2(4) of the United Nations Charter and the related customary international law prohibition. By contrast, the notion of ‘armed attack’ has to do with whether the target State may respond to an act with a use of force without itself violating the prohibition on using force. This distinction is critical in that the mere fact that a use of force has occurred does not alone justify a use of force in response.23 States facing a use of force not amounting to an armed attack will, in the view of the International Group of Experts, have to resort to other measures if they wish to respond lawfully, such as countermeasures (Rule 9) or actions consistent with the plea of necessity (Commentary accompanying Rule 9).
Rule 12 – Deﬁnition of threat of force A cyber operation, or threatened cyber operation, constitutes an unlawful threat of force when the threatened action, if carried out, would be an unlawful use of force. 1. This Rule examines the term ‘threat’ as used in Rule 10. 2. The phrase ‘cyber operation, or threatened cyber operation’ in this Rule applies to two situations. The ﬁrst is a cyber operation that is used to communicate a threat to use force (whether kinetic or cyber). The second is a threat conveyed by any means (e.g., public pronouncements) to carry out cyber operations qualifying as a use of force. 3. It is generally accepted that threats by States and ofﬁcials in a position to make good those threats are lawful if the threatened action 23
But see discussion of countermeasures rising to the level of use of force in the Commentary accompanying Rule 9 (noting a minority view allowing countermeasures at this level).