Cyber-Attacks–Prevention-Reactions: The Role of States and Private Actors

Privacy and Security and Innovation and Economic Growth

Article Snapshot


Karine Bannelier and Theodore Christakis


Les Cahiers de la Revue Défense Nationale, Committee for National Defense Studies, 2017.


Cyber-attacks are a growing threat to peace and security. Private actors play a leading role in ensuring that digital technologies are secure from cyber-attacks.

Policy Relevance

Policymakers must reconsider the role of private actors in international conflict.

Main Points

  • Traditionally, States enjoy unparalleled power over private actors, but top tech companies have greater power to prevent and respond to cyber-attacks; the major role of private actors in cybersecurity will disrupt international law.
  • Policymakers should reflect on the roles of public and private actors in cybersecurity, taking into account the complexity of the problem, and the international character of cyber-attacks.
  • Under international law, each State has a duty of due diligence, the obligation to prevent its territory from being used as a base from which cyber-attacks are launched.
    • A State must protect its critical infrastructure, but should respect privacy rights.
    • A State must take reasonable measures to hinder cyber-attacks, given its technological capabilities.
    • A State must respond to other States’ requests for assistance.
  • A cyber-attack may constitute the “use of force” under international law, but no military response is justified unless the damage to the victim amounts to an “armed attack,” that is, causes damage equivalent to that done by conventional weapons.
  • Active cyber defenses include controversial retaliatory counter-measures known as reverse hacking or “hack-backs,” the retaliation of the victim of a cyber-attack against the attacker.
  • International law does not give private actors a right to conduct hack-backs even in self defense, but international law does not explicitly prohibit private actors’ hack-backs.
  • A State may authorize private actors to respond to cyber-attacks by reverse hacking, but the response should be proportionate and controlled by the State; a State may not legally give carte blanche to private firms’ hack-backs.

Get The Article

Find the full article online

Search for Full Article