Introduction
The increasing development and spread of offensive cyber capabilities (OCC)—tools and methods designed to disrupt, degrade, or destroy digital infrastructure—pose a significant threat to global peace, stability, and trust in the digital ecosystem. These capabilities, which include malware, zero-day exploits, ransomware tools, and command-and-control infrastructure, are used by state and non-state actors for espionage, sabotage, warfare, and coercion. Unlike conventional weapons, offensive cyber tools are often cheap, easily distributed, and hard to trace, making their proliferation a growing concern. While international law does not currently provide a comprehensive legal regime specific to OCC, existing legal principles, treaties, and normative frameworks can be extended and adapted to mitigate their risks.

1. Applying the UN Charter and Use of Force Principles
The UN Charter, particularly Article 2(4), prohibits the use of force by one state against another, except in cases of self-defense or when authorized by the UN Security Council. Offensive cyber operations that cause physical damage, injury, or significant disruption to critical infrastructure may be considered equivalent to armed attacks.

How it helps
International law can classify certain cyberattacks—such as disabling a power grid or targeting a hospital—as breaches of the UN Charter, thereby justifying collective measures or sanctions.

Challenge
The legal threshold for what constitutes a “use of force” in cyberspace remains ambiguous. Not all cyber operations cause visible destruction, yet they can have strategic or economic consequences.

2. Use of International Humanitarian Law (IHL) in Armed Conflict
If a state engages in armed conflict using cyber means, IHL (also known as the laws of war) applies. This includes the principles of distinction, proportionality, necessity, and military objective. Offensive cyber operations during war must not target civilians or civilian objects and must minimize collateral damage.

How it helps
States are legally required to ensure their OCCs comply with IHL during conflicts, potentially reducing indiscriminate or unlawful cyberattacks.

Example
If a cyber operation targets a hospital or civilian water supply during war, it violates IHL and could be treated as a war crime.

3. Export Control and Arms Regulation Frameworks
OCCs can be regulated under existing arms control and export regimes, such as the Wassenaar Arrangement, which includes dual-use technologies and software (like intrusion tools). States can impose licensing requirements for exporting OCC-related software or restrict the transfer of cyber weapons.

How it helps
Such controls help prevent the sale or transfer of offensive tools to authoritarian regimes, terrorist groups, or criminal networks.

Challenge
Implementation is inconsistent. Many countries, including those producing advanced cyber tools, do not participate in or enforce strict export controls.

4. Criminalization Through International Cybercrime Conventions
Treaties like the Budapest Convention on Cybercrime establish frameworks for harmonizing laws against unauthorized access, interference, and data breaches. These provisions can apply to actors who develop or distribute OCCs for criminal or terrorist purposes.

How it helps
Criminalizing offensive cyber tool creation, possession, or distribution can discourage proliferation among non-state actors.

Challenge
Not all countries are parties to such conventions. Some major cyber powers (e.g., Russia and China) have not joined, limiting global enforcement.

5. Norm Development Through UN GGE and OEWG
The UN’s Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG) have promoted voluntary norms to govern responsible state behavior in cyberspace. These norms include:

• States should not knowingly allow their territory to be used for internationally wrongful cyber operations.

• States should avoid targeting critical infrastructure.

• States should not use cyber operations to undermine election infrastructure.

How it helps
While not legally binding, norms create international expectations and pressure, forming the basis for future treaties or customary law.

6. Attribution and State Responsibility Mechanisms
International law holds states responsible for actions carried out by their agents or those acting on their behalf. Attribution of cyberattacks is difficult but not impossible through technical, legal, and political methods. Once attributed, international law allows for countermeasures, sanctions, and reparations.

How it helps
Legal attribution frameworks discourage states from developing or using OCCs through proxies or covert means, knowing they could be held accountable.

Example
The U.S. and allies regularly attribute cyberattacks (e.g., WannaCry, NotPetya) to specific states like North Korea or Russia, using international law to justify sanctions.

7. Promoting Transparency and Confidence-Building Measures (CBMs)
International organizations such as the OSCE, ASEAN, and African Union encourage states to share information on cyber doctrine, establish communication hotlines, and report incidents to reduce miscalculation and escalation.

How it helps
Transparency builds trust and deters the unchecked spread of offensive tools by clarifying intentions and policies.

8. Human Rights Law and Civil Liberties Protection
International human rights law, especially the International Covenant on Civil and Political Rights (ICCPR), limits surveillance and cyber operations that violate privacy, freedom of expression, or due process. Offensive cyber tools, such as spyware and malware, often target dissidents, journalists, and human rights defenders.

How it helps
Legal frameworks like the UN Guiding Principles on Business and Human Rights can be used to hold private companies accountable for selling OCCs that enable rights abuses.

Example
After the NSO Group’s Pegasus spyware was used against activists and journalists, international outcry led to lawsuits, export restrictions, and blacklisting.

9. Role of Domestic Legislation in Supporting International Goals
States can reinforce international norms by enacting domestic laws that regulate offensive cyber tools and restrict their development, use, and sale. This includes requiring transparency, licensing, and lawful authorization for offensive operations.

Example
Countries like Germany, France, and Australia have legal frameworks requiring parliamentary oversight or judicial approval for certain intelligence cyber activities.

How it helps
Strong national laws aligned with international standards contribute to global restraint and accountability.

10. Multilateral Treaties or Future Legal Instruments
There is growing demand for a binding international treaty on cyberspace that would regulate the development and use of offensive capabilities, similar to nuclear non-proliferation or chemical weapons conventions. This could involve:

• A register of offensive cyber capabilities

• Ban or moratorium on certain cyber weapons

• International inspections or peer reviews

• Legal liability for state and non-state use of OCCs

How it helps
A treaty would move voluntary norms into the realm of binding international law, creating legal mechanisms for enforcement, monitoring, and dispute resolution.

Challenge
Major geopolitical disagreements, differing views on internet governance, and reluctance to limit cyber capabilities make consensus difficult.

Conclusion
International law can address offensive cyber capabilities and their proliferation by applying existing principles from humanitarian law, human rights, state responsibility, and arms control, while promoting the development of specific cyber norms and treaties. Though enforcement and attribution remain challenges, legal frameworks—combined with diplomacy, transparency, and cooperation—can help establish boundaries, promote accountability, and reduce the likelihood of cyber conflict. As offensive cyber capabilities continue to evolve, so too must international law, ensuring a balanced approach that safeguards security without undermining fundamental rights or international peace.