Forget tanks and fighter jets. The greatest threat in modern conflicts is not a visible army, but a „virtual Trojan horse“ — invisible code that changes the rules of warfare.
Given that a technical, nor legislative approach is not always feasible to regulate the growing cyber-attacks perpetrated across states, international law continues to provide guidance to govern state behaviour in cyberspace. A key concern is the extent to which cyber-attacks should be classified as an unlawful use of force. Although existing agreements and treaties between states do not specifically refer to cyber-operations, the general principles and provisions of the Charter of the United Nations are often interpreted to extend their applicability to military actions conducted with cyber means.2 3
The Tallinn manual – as the “key legal compass”
A direct cyberattack targets computer or information systems to destroy them, steal data or steal computing power for offensive computer operations. Such attacks against hardware, software or data, rather than merely targeting humans constitute the deployment of cyber weapons and reflect a more strategic and destructive intent. These types of cyberattacks vary in capability and effectiveness, with perpetrators that can be based around the globe from state opponents and terrorist organizations to organized crime and individuals conducting assaults on traffic systems, power grids, financial institutions and governmental websites.4
According to the Tallinn Manual (from now on as “manual”),5 a cyber operation that results in the destruction of property is considered an attack under international law, a classification that depends on the scale and effects of the operation.6 An attack resulting in the destruction of property, e.g. the shutdown of power plants or traffic control systems. It is therefore not just a violation of privacy, but a strategic and destructive act with global implications.
The manual strictly expresses and defines what is considered as sovereignty of cyber infrastructure. Stating: “In particular, States enjoy sovereignty over any cyber infrastructure located on their territory and activities associated with that cyber infrastructure.”7 The Manual 2.0 presents the opinions of experts in their personal capacity. It is therefore not a binding international agreement or an official NATO statement. Anyhow, the project benefited from the unofficial input of individuals from many states (e.g.) and more than 50 reviewers resulting in a well thought out guide.8
The Montevideo Convention – Border control in intangible space
Following the classification of cyberattacks under international law, their interaction with the Montevideo Convention is crucial for a comprehensive understanding of their legal significance. The Montevideo Convention stipulates that four conditions must be met for an entity to qualify as a state: a defined territory, a permanent population, an effective government, and the capacity to enter into relations with other states.9 These criteria remain the prevailing international law standards for statehood, particularly relevant when cyber operations originate from and involve entities seeking state recognition.10
Given the rise of cyberattacks, it is common to analyse such operations as conceivable acts of cyber warfare and accordingly consider the involved perpetrators as prospective cyber belligerents. Meeting the Montevideo conditions solidifies the entity’s status, thereby conferring international legal recognition of its right to conduct cyber warfare alongside traditional kinetic warfare.11
International law is thus in limbo. How should we classify these attacks: Are they illegal use of force? Although existing treaties do not directly refer to cyber operations, the general principles of the UN Charter are often applied to cyber military actions. However, we are still dealing with fundamental questions: How can we protect the sovereignty of a state’s cyber infrastructure if an attack is carried out from beyond its borders? And most importantly: Can an entity that acquires statehood under the Montevideo Convention also acquire the right to wage cyber warfare alongside conventional warfare?
Global legislation is struggling to keep up the pace with reality. While technical and legislative solutions often fail, international law, as interpreted by the Tallinn Manual 2.0, for example, at least offers us guidance on how to manage the behaviour of states in cyberspace. However, it is important to note that this manual is only the opinion of experts and not a binding international agreement.
Let’s get ready. The future of conflict is playing out on our screens. It’s time to rethink what it means to be attacked!
Image by ImgSearch: https://imgsearch.com/image/futuristic-cybernetic-pegasus-in-motion-17515515
The author is a second-year student of Master’s degree programme at Faculty of Law, Comenius University in Bratislava.
1 United Nations Charter. Article 2 (4), Article 51.
2 AL-ARIDI, A. The virtual trojan horse in modern conflicts. In Teisė. 2018. Vol. 107, p. 66–80.
3 WAXMAN, M.C. Cyber-attacks as “Force” under UN charter article 2(4). In Scholarship Archive [online]. [cit. 7.10.2025]. Online: <https://scholarship.law.columbia.edu/faculty_scholarship/847>.
4 EFRONY, D. – SHANY, Y. A rule book on the shelf? Tallinn Manual 2.0 on Cyberoperations and subsequent state practice. In American Journal of International Law. 2018. Vol. 112, no. 4, s. 583–657.
5 SCHMITT, M. N. (Ed.). (2017). Tallinn manual 2.0 on the international law applicable to cyber operations. Cambridge University Press. ISBN: 9781107177222.
6 Ibid. Rule 92.
7 Ibid. Rule 1.
8 „In this regard Tallinn 2.0 does not reflect the views of any State or group of States. The IGE worked assiduously to be objective. This is not to say that State views were not considered. On the contrary, the Dutch Ministry of Foreign Affairs sponsored “The Hague Process,” by which 50 countries (including all of the UN Security Council’s five permanent members) and international organizations convened in the Hague during three meetings to consider draft manual chapters, receive briefings from key members of the IGE, and offer verbal and written input to the team.“ In SCHMITT, M. Tallinn Manual 2.0 on the International Law of Cyber Operations: What it is and isn’t. Just Security [online]. 2017. [cit. 2025-10-09]. Online: <https://www.justsecurity.org/37559/tallinn-manual-2-0-international-law-cyber-operations/>.
9 The Montevideo Convention on the Rights and Duties of States, Article 1.
10 KRASS, C. Implementing integrated deterrence in the cyber domain: The role of lawyers. In Yale Journal of International Law [online]. 2023. [cit. 2025-10-07]. Online: <https://yjil.yale.edu/posts/2023-08-29-implementing-integrated-deterrence-in-the-cyber-domain-the-role-of-lawyers>.
11 NIYOBUHUNGIRO, J. Challenges of state sovereignty and the right of state to self-defence: The case of cyber-attacks. In Proceedings of the 2nd International Conference Postgraduate School. 2018. s. 668–671.