technologies were contemplated and before it could be imagined that the medium of an attack on a nation might well be an altogether new and different medium.)
Second, he argued that in focusing primarily on state-on-state conflict, traditional LOAC ignores many of the most important issues that arise in today’s security environment—the issue of states acting against non-state actors and subnational entities. Hollis points out that the legal regimes governing such conflict are already in a state of flux (e.g., there is no doctrine comparable to the “use of force” or the self-defense provisions of the UN Charter). And when cyberattacks may be launched by non-state actors from the territories of nation-states, the relevant legal regime is even murkier.
For example, in the absence of state sponsorship, a cyberattack—even a very destructive one, conducted by a terrorist or criminal organization—does not qualify as an armed attack. A self-defense response is thus not sanctioned under the UN Charter. Even if the origin of the cyberattack can be traced to a specific state, a military or law enforcement response against an entity within that state cannot be undertaken unilaterally without violating that state’s sovereignty. Only if the state in question is unable or unwilling to stop the cyberattack may the attacked state take countermeasures on its own.
Hollis concluded from his analysis that the translation difficulties and the insufficiency of traditional LOAC with respect to subnational actors call for a new legal framework for governing cyberattack and other information operations.