Increasingly, cyberattacks against the United States are attributed to other nations. In particular, Russia, North Korea, Iran, and China have engaged in persistent hostile cyber campaigns against U.S. government and private sector systems. China obtained U.S. workers' security applications from the Office of Personnel Management. North Korea launched an aggressive campaign against Sony Entertainment. Russia hacked the computers of U.S. political campaigns during the 2016 election.1

International legal norms provide the framework for responding to such actions. This chapter provides a high‐level overview of the criteria that nations use to determine whether they have the right to engage in self‐defense. Our international legal system has developed a set of rules that govern both the criteria that justify going to war (known as jus ad bellum) and the rules of conduct that apply once war has begun (jus in bello). Jus ad bellum is governed by a number of international agreements, most notably the United Nations Charter. Other agreements, most notably the Geneva Conventions, govern jus in bello. This chapter focuses on jus ad bellum.

The rules for jus ad bellum are based on decades of agreements, international legal precedent, and informal understandings among countries. Accordingly, the rules apply most easily to purely kinetic attacks, such as the use of ground troops or bombs. These legal norms, however, do not explicitly apply to cyberattacks. ...