CYIL vol. 13 (2022)

JAKUB SPÁČIL CYIL 13 ȍ2022Ȏ Equipped with this legal framework for assessing animus aggressionis, we can finally return to the three hypothetical examples above. In the first example, a nuclear power plant was shut down as a result of cyber espionage. In this case, State A’s intention was not to use force, its operation was to comply with international law (espionage is not prohibited) 59 and the resulting consequence is merely the result of negligence. In this case, therefore, it must be concluded that State B has no right to respond in self-defence under Article 51 of the UN Charter since no armed attack took place. In the second example, there was an unplanned spread of precisely targeted malware to a commercial airport with the subsequent crash of a commercial aircraft. In this case, the intent of the attacker (State A) was to disable one radar in order to allow an unobserved overflight of State B’s territory, i.e., the objective was an operation that could meet the characteristics of a use of force but did not rise to the level of an armed attack. The subsequent crash of the commercial aircraft was an unintended consequence of this operation; from the point of view of mens rea , we would classify the situation under recklessnes. Thus, given the absence of animus aggressionis in relation to the consequence caused (the crash of the plane), the situation cannot be considered an armed attack and State B has no right to react in self-defense. In the third example, a large-scale cyber operation was used to deliberately disable the critical infrastructure of the attacked state. In this hypothetical situation, the attacker’s intent included, at least in general terms, the notion that such a broadly conducted cyber operation could produce consequences that would satisfy the elements of an armed attack. The attacked State is therefore the victim of an armed attack and has the right to respond in self-defense under Article 51 of the UN Charter. It can be summarized that in the first case it was negligence and in the second case it was recklessness, therefore the “intent to harm” feature is not fulfilled and these operations cannot be considered as an armed attack. On the other hand, in the case of the third operation, it can be said that the attacking State was at least aware that the consequences will occur in the ordinary course of events, it is therefore an act committed “knowingly” and therefore the “intent to harm” element is fulfilled and it is an armed attack. Admittedly, ascertaining intent is another heavy burden on a state that is the victim of a cyber operation. 60 Together with the attributability of the cyber operation to a particular attacker, this is a significant obstacle to effective self-defense. Proving animus aggressionis , however, is a prerequisite for properly justified self-defense and the prevention of unnecessary escalation of conflict. Yet, in the same time, proving intent is by no means impossible. Roscini, who in his monograph on cyber operations also concludes that animus aggressionis is a defining feature of an armed attack, states on the detection of animus aggressionis (in reference to the US DoD study): “In the cyber context, this hostile intent can be inferred from ‘such factors as persistence, sophistication of methods used, targeting of especially sensitive systems, and actual damage done’”. 61 The International Criminal Court in turn confirmed in Bemba case that “the existence of intent and knowledge can be inferred from relevant facts

59 SCHMITT, 2017, p. 168, see supra note 3. 60 SINGER, 2013, p. 150, see supra note 33.

61 United States Department of Defense. An Assessment Of International Legal Issues In Information Operations [online]. US DoD, May 1999 [accessed 14 March 2022], p. 21. Available at < https://irp.fas.org/eprint/io-legal. pdf>.

60