Cyber-attacks and the right of self-defense: a case study of the Netherlands

Abstract Whilst Article 51 of the UN Charter as a rule indicates that an “armed attack” may trigger a State’s right of self-defense, the actual purport of armed attack remains a matter of interpretation and qualification. To improve the notion of the rule on self-defense and contribute to the jus ad bellum, more clarification as to what constitutes an armed attack in cyberspace is necessary. Therefore, policy norms—regarding when cyber-attacks reach the threshold of an armed attack—could guide State behavior. On the one hand, these policy norms could be used in the political decision-making processes for States that consider initiating cyber-attacks. On the other, they could help victim States in their decision-making processes in response to grave cyber-attacks. The aim of the paper is to propose a tangible guideline that outlines when cyber-attacks—perpetrated solely in or through cyberspace and not in conjunction with conventional military attacks—can qualify as an armed attack. By assessing the positions of States and leading academic opinions regarding the qualification of cyber-attacks as armed attacks, and applying international and interdisciplinary policy documents to transfer the legal debate into tangible options, a policy framework is deduced that can serve as a baseline for international cyber norms. This framework distinguishes three separate categories of armed attack in cyberspace, each with their own distinctive levels to determine when a cyber-attack can qualify as an armed attack. These absolute levels are tailored for the Netherlands but could also be suitable for other States when transferred to percentages of the gross national/domestic product and the population size.


Introduction
"Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken the measures necessary to maintain international peace and security." 1 Whilst Article 51 of the UN Charter indicates that an "armed attack" may trigger a State's inherent right of individual or collective self-defense, the purport of armed attack remains a matter of both interpretation and qualification. 2 Prior to 9/11, the traditional interpretation of an armed attack-as referred to in Article 51-relied on the transnational use of military force by State actors on a "relatively large" scale with "substantial" effect Gill and Ducheine 2013;Randelzhofer 1994). Since 9/11, however, a more modern interpretation arose, accepting the fact that also unorthodox uses of force by non-State actors could qualify as such (Gill and Tibori-Szab o 2019). Fourteen years later, this interpretation was expressed again when France invoked the mutual defense clause of Article 42(7) of the Treaty on European Union-based on Article 51 of the UN Charter-after the Bataclan terrorist attacks in Paris (Boddens Hosang and Ducheine 2020). In the same vein, actions carried out in cyberspace have caused the impetus for further debate regarding whether and when digital attacks (or incursions)-conducted solely in (or through) cyberspace and not in conjunction with conventional uses of force and attacks-can qualify as an armed attack (Boothby et al. 2012). Although scholars (Schmitt 2017), international organizations (UN GGE 2015Report 2015, coalitions (UN General Assembly 2021), and even States (the Netherlands included) (Ministry of Foreign Affairs 2019) have (to some extent) expressed legal opinions in this respect, unfortunately, the debate has yet to reach a conclusion.
To improve the notion of self-defense and contribute to the jus ad bellum (international law on the use of transnational force), more clarification as to what constitutes an armed attack in cyberspace is necessary. It is, however, rather unlikely that additional binding legal norms will be drafted regarding this topic (Schmitt 2020). Therefore, non-binding norms or guidance-regarding when cyber-attacks reach the threshold of an armed attack-could be conducive to guide State behavior. 3 While rules are legally binding to all States (when part of customary international law) or to those States that are part of a specific treaty, their application can face ambiguity. Norms, on the other hand, are indicia providing additional points of reference for interpreting and applying existing legislation. Besides the fact that such norms would serve as the start of a form of (international) law making (Ma c ak 2017), in which, primarily, States incrementally reach an agreement regarding the armed attack-threshold in cyberspace and its impact on self-defense, the results would be 2-fold: one of particular relevance for the author of the attack, and another for the addressee, i.e. the victim of the attack. First, the armed attack-threshold, when applied in cyberspace, could be used in the political decision-making processes for States considering initiating a cyber-attack. It may be expected that States-the authors of cyber-attacks-will (a) try to abide by the jus ad bellum, (b) pay respect to the prohibition of the use of force as referred to in Article 2(4) of the UN Charter, and (c) be aware of the consequences if cyber-attacks of a certain scale and effect qualify as an armed attack in terms of Article 51 of the UN Charter. This relates to the second result: clarity on the parameters regarding the armed attack-threshold in cyberspace would help victim States in their decision-making processes in response to cyber-attacks with a grave impact. If the armed attack-threshold would indeed be reached, it then offers the victim State a legal base in international law for the use of transnational force-i.e. self-defense-in response to that attack .
The main aim of this paper is to propose a tangible guideline that outlines when cyber-attacks-conducted solely in (or through) cyberspace and not in conjunction with conventional military attacks-qualify as an armed attack. The center of attention will be cyber-attacks directed against civilian (i.e. nonmilitary) targets. In order to do so, section 2 will contain a brief appreciation of the traditional interpretation of an armed attack, with a focus on explaining why judging the scale and effect is crucial for its identification. Section 3 is a survey of positions of States (opinio juris) and leading academic opinions regarding the application of international law in cyberspace, specifically aimed at the qualification of cyber-attacks as armed attacks. This survey confirms the applicability of international law in cyberspace and provides some specific examples of potential armed attacks in cyberspace. Section 4 is key to this contribution, as it transfers the legal debate into tangible options by applying policy documents from other States and disciplines. To enable that cross-fertilization, this section first analyses which type(s) of cyber-attacks is/are eligible to qualify as an armed attack, followed by the analysis of international and interdisciplinary polities in search of tangible indicators for the armed attack-threshold that can be used in cyberspace. This process, based on desk research, results in eleven cyber-attack scenarios that could (theoretically) qualify as an armed attack. 4 These scenarios (as summarized in Appendix A) were used to conduct structured interviews to collect verbal statements from leading cyber experts from the Netherlands' ministries of (a) Foreign Affairs, (b) Defense, and (c) Justice and Security regarding when these theoretically identified potential armed attacks in cyberspace would actually reach the armed attack-threshold in practice and, therewith, trigger the Netherlands' right of self-defense. The choice was made to interview two legal experts (focussing on the legal eligibility), two policy experts (focussing on the strategic credibility) and one operational expert (focussing on the technical feasibility). During five interviews in total, the experts were asked (as if they were advising their minister) to judge whether and how each cyber-attack scenario could reach the necessary (scale and effect) threshold for triggering the Netherlands' right of self-defense. Section 5, eventually, presents the results of the field research and suggests a policy framework regarding the scale and effect of armed attacks in cyberspace that can serve as a baseline for international norms or guidance regarding the armed attack-threshold. This policy framework distinguishes three separate cyber-attack categories, each with their own tangible levels to determine if and when they qualify as an armed attack. For now, these levels are tailored for the Netherlands in absolute numbers, but when transferred to percentages of the gross national/domestic product and the population size, they could perhaps be suitable for other States as well. The paper will end with some concluding reflections.
2. Armed attack and the lacking ability to judge scale and effect Self-defense in response to an armed attack, as referred to in i.a. Article 51 of the UN Charter, is one of the legal exceptions to the prohibition of the transboundary use of force, as laid down in Article 2(4) of the UN Charter. 5 Since the prohibition of the use of force has the status of peremptory norm or jus cogens, 6 it might be surprising that the UN Charter lacks a definition of both "use of force" and "armed attack" (Dinnis 2012, 77;Kerschischnig 2012, 111). Therefore, in practice, the armed attack-standard requires an interpretation based on the case at hand, resulting in the fact that expert opinions-regarding the purport of armed attack-have differed to this day (Ruys 2010, 1).
Starting with the term force, the UN Charter uses "force" with and without the adjective "armed." The assumption in this paper is that when the UN Charter uses "force," it encapsulates "armed force." This was epitomized by the rejection of a Brazilian amendment to also prohibit "the threat or use of economic measures" during the travaux pr eparatoires at the San Francisco Conference in 1945 (UNIO 1945, 609;Roscini 2014, 45-46). 7 This rejection implies that the drafters of the UN Charter did not intend to expand the interpretation of force beyond armed force (Roscini 2014, 45). With regard to the scope of use of force, which does not coincide with the scope of armed attack (Randelzhofer 1994, 663), not every use of force equals an armed attack. 8 This understanding is reflected in the Nicaragua Case in which the International Court of Justice (ICJ) mentioned that "armed attacks form a subset of the term force in Article 2(4)" (Dinnis 2012, 77). In the same Nicaragua Case, the ICJ provided another indication of how the term armed attack should be understood by asserting the necessity "to distinguish the most grave forms of the use of force (those constituting an armed attack) from other less grave forms" (Ruys 2010, 140;ICJ 1986, para 191, 101). This necessity corresponds with academic opinions implying that an armed attack only exists in case of a "reasonably significant" use of force on a relatively large scale with substantial effect (Randelzhofer 1994, 669;Gill 2015, 216). Paragraph 195 of the Nicaragua Case, in which the ICJ stated that "the difference between armed attacks and less grave forms of the use of force is primarily one of scale and effects," substantiates this approach (Ruys 2010, 140). However, the crucial and remaining question to be answered is when the scale and effect of the use of force are considered relatively large and substantial, and how this should be clarified and assessed.
According to Yoram Dinstein "a use of force not involving loss of life or significant destruction of property falls short of an armed attack" (Dinstein 2013, 279). This could imply that "loss of life" and "significant destruction of property" are criteria for an armed attack. On the other hand, Tom Ruys argues that customary practice suggests that even small-scale operations can qualify as an armed attack if it concerns "bombings, artillery, naval or aerial attacks" resulting in, or capable of resulting in "destruction of property or loss of lives" (Ruys 2010, 155). Still, for operations without these specific (kinetic) characteristics, appraising the scale and effect as relatively large and substantial would remain necessary in order for the use of force to be "reasonably significant" and qualify as an armed attack.
Overall, this implies that judging the scale and effect is crucial for identifying an armed attack. However, to this day, no tangible criteria have been defined for that purpose in international law (i.e. the jus ad bellum).

The application of international law for qualifying cyber-attacks as armed attacks
Although international law does not provide tangible criteria regarding the application of the armed attack-standard, when analyzing the extent to which cyber-attacks can qualify as an armed attack, other sources can provide additional guidance. Therefore, this section will first elaborate on leading academic opinions, followed by the positions expressed by States. 9

Leading academic opinions
At the invitation of the North Atlantic Treaty Organization (NATO) Cooperative Cyber Defence Center of Excellence (CCD COE), an International Group of Experts (IGE) drafted the Tallinn Manuals. The first edition, that covered the applicability of international law to "cyber warfare," was followed by the 2.0 version that focused on how international law applies more broadly to "cyber operations" (Schmitt 2013b, 1-4). Although the Tallinn Manuals are no official legal documents, the leading academic experts gathered in the IGE unanimously stated that existing international law applies to cyberspace (Schmitt 2017, 3;Schmitt 2013b, 24), and is applicable to cyber operations (Schmitt 2017, 3).
Regarding armed attacks, the IGE also unanimously agreed that some cyber operations can be "sufficiently grave" to qualify as an armed attack, which is in accordance with the ICJ's Nuclear Weapons advisory opinion arguing that "the choice of means of attack is immaterial to the issue of whether an operation qualifies as an armed attack" (ICJ 1996;Schmitt 2017, 340, Rule 71, para. 4). Dinstein supports the IGE's opinion by stating that "the legal principles of the customary jus ad bellum remain intact whether the armed attack is kinetic or cyber" (Dinstein 2013, 280). Dinstein has also stated that "all armed attacks (justifying individual and collective self-defense in response, pursuant to Article 51) must be subject to the same criteria, whatever weapon is resorted to" (Roscini 2014, viii). However, the remaining crucial question-again-is how and when cyber-attacks can be judged as "sufficiently grave." In this respect, the IGE took notice of the ICJ decision in the Nicaragua Case stating that "scale and effects are to be considered when determining whether particular actions amount to an armed attack" (Schmitt 2017, 330, Rule 69, para. 1).
Unfortunately, existing international law provides little tangible criteria to judge scale and effect (ICJ 2003, para 72, 195-196;ICJ 2005, para 143, 222;UN 1974). Nevertheless, the IGE agreed that "a cyber operation that seriously injures or kills a number of persons or that causes significant damage to, or destruction of, property" meets the threshold of an armed attack (Schmitt 2017, 341, Rule 71, para. 8). Moreover, Marco Roscini-one of the IGE legal peer reviewers (Schmitt 2017, xvii)concluded that "the use of any device [ … ] which results in a considerable loss of life and/or extensive destruction of property must be deemed to fulfill the conditions of an armed attack" (Roscini 2014, 71). One specific example was unanimously considered to qualify as an armed attack: a cyber operation conducted to assassinate a foreign head of state while abroad (Schmitt 2015(Schmitt , 1123Schmitt 2017, 346, Rule 71, para. 22). However, broad criteria like seriously, a number of, significant, considerable and extensive contain no clear parameters. Moreover, how should a cyber operation be dealt with that does not kill the head of State, but the CEO of the largest Stateowned corporation instead? For that question, the IGE was unable to define a "bright-line rule" (Schmitt 2017, 346, Rule 71, para. 22).
Other cases are even less clear, especially if cyber operations do not directly result in injury, death, damage or destruction (Schmitt 2012, 288;Schmitt 2017, 342, Rule 71, para. 12). The classic scenario in this non-kinetic context is a cyber operation against "a major international stock exchange that causes the market to crash" (Schmitt 2017, 343, Rule 71, para. 12). The IGE reached no consensus in this case, but-in the absence of a "conclusive definitional threshold"-States should be "highly sensitive to the international community's probable assessment" when judging the scale and effect of cyber operations (Schmitt 2017, 333, Rule 69, para. 8). 10 The positions of States, addressed in the next paragraph, will help estimating this "international community's probable assessment" (Schmitt 2017, 333, Rule 69, para. 8). Additionally, there are some particular positions of individual States. The UK states that (a) "if a hostile state interferes with the operation of one of our nuclear reactors, resulting in widespread loss of life, the fact that the act is carried out by way of a cyber operation does not prevent it from being viewed as an unlawful use of force or an armed attack against us," (b) "if it would be a breach of international law to bomb an air traffic control tower with the effect of downing civilian aircraft, then it will be a breach of international law to use a hostile cyber operation to disable air traffic control systems which results in the same, ultimately lethal, effects" and (c) "acts like the targeting of essential medial services are no less prohibited interventions, or even armed attacks, when they are committed by cyber means" (Attorney General's Office 2018). According to France, a cyber-attack could be categorized as an armed attack if it causes "substantial loss of life or significant physical or economic damage" (Schmitt 2019a). That would be the case if an operation in cyberspace "caused a failure of critical infrastructure with significant consequences or consequences liable to paralyze whole swathes of the country's activity, trigger technological or ecological disasters and claim numerous victims" (Minist ere des Arm ees 2019, 8). Estonia considers a cyber operation "which for example, targets digital infrastructure or services necessary for the functioning of society" eligible for qualification. Moreover, Estonia believes that "growing digitalization of our societies and services can also lower the threshold for harmful effects" (Sits 2019).

Positions of states
The Netherlands' legal opinion explicitly articulates that the qualification of a cyber-attack as an armed attack "depends on the scale and effects of the incident in question" (Minister of Foreign Affairs 2019, 8-9). It also articulates that a cyberattack must have a cross-border character to be able to qualify as an armed attack (Parliamentary Papers II 2019-2020, 33 694, nr 47 2019). Moreover, a cyber-attack "that has comparable consequences to an armed attack (fatalities, damage and destruction) can justify a response with cyber weapons or conventional weapons ( … )" (Ministry of Foreign Affairs 2019). The Government of the Netherlands, therefore, endorses the finding of the CAVV and the AIV Advisory Report on Cyber Warfare. The report stated that "a serious, organized cyber-attack on essential functions of the state could conceivably be qualified as an armed attack within the purpose and intent of Article 51 of the UN Charter if it could or did lead to serious disruption of the functioning of the state or serious and long-lasting consequences for the stability of the state" (AIV/CAVV 2011, 21).
Inspired by examples from the same report, which also explicitly included "an attack on the entire military communication and command network that makes it impossible to deploy the armed forces" (AIV/CAVV 2011, 21), the (then) Netherlands' minister of Defense suggested in her keynote address, marking the first anniversary of the Tallinn Manual 2.0 on the 20th of June 2018, that "if a cyberattack targets the entire Dutch financial system, or if it prevents the government from carrying out essential tasks such as policing or taxation … it would qualify as an armed attack and thus trigger a state's right to defend itself, even by force" (Bijleveld 2018, 45). Although there is no international consensus regarding cyber-attacks with a relatively large scale and substantial effect that do not cause fatalities, physical damage or destruction (Parliamentary Papers II 2019-2020, 33 694, nr 57 2019), this view was echoed by Michael Schmitt when he analyzed these Netherlands' statements (Schmitt 2019b).

In search of a threshold: cross-fertilization to assess eligible cyber-attacks
Although the previous section provided some potential examples, a list of "readymade" armed attacks in cyberspace cannot be composed at this point. Therefore, this section aims to transfer the legal debate into policy options. In order to take this crucial step, the first paragraph will analyze which type(s) of cyber-attack is/are considered eligible for armed attack-qualification. In the second paragraph, international and interdisciplinary policy documents will be introduced to enable us to provide more granularity than academics or (representatives of) States have (openly) done so far, as to when these eligible cyber-attacks could reach the threshold of an armed attack.

Analyzing the eligibility of cyber-attacks
In principle, cyber-attacks between States-without taking enabling attacks in support of conventional attacks into account-can be categorized in three different types: "cyber espionage," 12 "manipulation of the information environment," and "disruption, degradation or destruction of core security assets" (Whyte and Mazanec 2019, 100-101). 13 For each type, an analysis will take place to determine whether it is eligible to qualify as an armed attack.
Due to the large scale at which modern "cyber espionage"-also referred to as information exfiltration-takes place, this first type has become a real concern and a kind of intrusion that is too disturbing and too big to ignore (Maurer 2018, 56). An illustrative example is the blueprint information for the F-35 fighter aircraft thataccording to the Snowden Leaks-was among the more than 50 TB of information that China stole from the United States (US) government in a years-long theft operation (Valeriano and Maness 2015, 95;Whyte and Mazanec 2019, 120). However, even the most relentless "close access cyber espionage operations" (Schmitt 2017, 171, Rule 32, para. 8 þ 9) would not be graded as "cyber warfare" (Ducheine and Pijpers 2021, 276), regardless of their severity or the method employed (Schmitt 2017, 171, Rule 32, para. 8). In fact, cyber espionage is to be considered as (merely) an intelligence or counter-intelligence operation (Ducheine and Pijpers 2021, 287-288). Therefore, cyber espionage operations do not violate Article 2(4) and will not be considered eligible for qualification as an armed attack.
With regard to the second cyber-attack type, an illustrative example of "manipulation of the information environment" is the way Russia and (perhaps even more impressively) Cambridge Analytica (contracted by the Republican Party) displayed their methods during the US elections in 2016. Especially the combined use of social media and big data to massively target and influence individual voters, demonstrated that modern techniques can manipulate the information environment and harm the democratic integrity of Western countries (Hakim and Rosenberg 2018;Amer and Noujaim 2019;Pijpers and Ducheine 2020;Pijpers 2022). Moreover, while manipulation of the information environment is not an obvious expression of force, it could be regarded as a psychological instrument or "weapon". Nevertheless, despite its harmfulness, both the UK and the Netherlands have explicitly designated "manipulating electoral systems" and "altering election outcomes" as (merely) a potential breach of the nonintervention principle (Attorney General's Office 2018; Minister of Foreign Affairs 2019, 6-7). Therefore, for the purpose of this research in which the authors focus on the Netherlands' right of self-defense, it does not amount to a violation of the prohibition of the use of force and is, thus, not considered eligible to qualify as an armed attack, regardless of its scale and effect.
The third type refers to "disruption, degradation or destruction of core security assets." The most straightforward analogy regarding the qualification of cyber-attacks as an armed attack, 14 is when cyber-attacks create effects comparable to traditional kinetic weapons. A cyber-attack directed at critical infrastructure, including a nuclear powerplant to trigger a meltdown, or the system control station of a dam (upstream a populated area) could arguably fall in that category (Gill and Ducheine 2013, 444). The possibility of this qualification would especially, but perhaps not exclusively, arise if "loss of life or significant destruction of property" are involved (Dinstein 2013, 279). Therefore, in this paper, "disruption, degradation or destruction of core security assets" is the type of cyber-attack that is considered eligible for qualification as an armed attack (Schmitt 2018, 66).

Applying international and interdisciplinary policy documents
France and the UK have both developed a cyber-attack categorization system. While France only briefly describes the highest level as "extremely urgent with an extreme impact," it explicitly states that this level (Level 5: Emergency) is eligible for qualifying as an armed attack as referred to in Article 51 of the UN Charter (see Appendix B) (Secr etariat G en eral de la D efense et de la S ecurit e Nationale 2018, 80). The UK also hints toward an armed attack by describing extensively that the highest level (Category 1: National cyber emergency) concerns a "cyber-attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life," but does not explicitly refer to it (see Appendix C) (National Cyber Security Centre 2018).
The Netherlands, in turn, has no cyber-attack categorization system, but the Netherlands' Ministry of Justice and Security did define so-called Category A (the highest level) vital processes (see Appendix D) (Nationaal Co€ ordinator Terrorismebestrijding en Veiligheid 2020). These "core security assets" that can be disrupted, degraded or destructed by cyber-attacks can be grouped as production, storage and processing of nuclear material (leading to a nuclear disaster), production, distribution and transport of electricity, gas and oil (leading to the unavailability of electricity or other forms of energy), water barriers (leading to catastrophic floods), and clean water supply (leading to the unavailability of fresh water). Moreover, the Netherlands also defined several Category B vital processes (see Appendix D) (Nationaal Co€ ordinator Terrorismebestrijding en Veiligheid 2020), some of which are (at least implicitly) included in the positions of States as described in paragraph 3.2.: internet itself (disabling the digital infrastructure or services necessary for the functioning of society), air traffic control (leading to air disasters), large-scale production/processing and/or storage of (petro)chemical substances (leading to an "ecological disaster"), financial systems (including government processes for "taxation"), communications networks (necessary for "policing"), and military capacity (making it impossible to deploy the armed forces).
Building on the eligibility of cyber-attacks "disrupting, degrading or destructing core security assets" and the French (and implicitly also the British) principle that cyber-attacks belonging to the highest (emergency) category could (potentially) qualify as an armed attack, the suggestion arises that the Netherlands could consider cyber-attacks conducted against its most vital (so-called Category A) processes eligible for armed attack-qualification. Moreover, since some cyber-attacks against Category B vital processes are (at least implicitly) included in the positions of States, their eligibility for armed attack-qualification should not be neglected. Therefore, it is suggested in this paper that the Netherlands could take cyber-attacks-authored by another State-against both Category A and (at least some) Category B vital processes into account as potential armed attacks.
What makes this suggestion so useful, is the fact that each category incorporates officially defined specific levels regarding the (minimum) expected effects in case of their "disruption, degradation or destruction." In search of a tangible guideline for the Netherlands' armed attack-threshold, these levels could provide a distinct indication with regard to when the right of self-defense would be triggered. In other words, even though the levels for the Netherlands' Category A and B vital processes were not intended for categorizing cyber-attacks (Nationaal Co€ ordinator Terrorismebestrijding en Veiligheid 2020), they could help to judge if a cyber operation seriously injures or kills enough persons, or causes significant damage to, or destruction of, property. To be more specific, for the Netherlands, the necessary threshold for a cyber-attack to be severe enough in scale and effect and, thus, qualify as an armed attack, could lie somewhere in the bandwidth between the levels defined for Category A and the levels defined for Category B. In concrete terms, this would imply that a "disruption, degradation or destruction of core security assets" should cause either: (a) a physical damage of 1000-10,000 people dead, seriously injured or chronically sick, (b) a societal damage of 100,000-1,000,000 people with serious societal survivability problems, or (c) an economic damage of 5,000,000,000-50,000,000,000 euros (see Appendix D) (Nationaal Co€ ordinator Terrorismebestrijding en Veiligheid 2020).
When referring to an acknowledged armed attack (the 9/11 terrorist attacks in 2001), ample support is provided for the armed attack-thresholds suggested above. For instance, the number of fatalities (2977) is inside the suggested bandwidth (Amadeo 2020). Moreover, the most direct economic damage-taking the World Trade Center buildings into account, including computers, furniture, cars, utilities, the subway system and other buildings, as well as the costs for treating injuries and cleaning up the areawas 31,000,000,000 dollars, also inside the bandwidth (Amadeo 2020).
With regard to "core security assets" in the form of heads of State, none of the positions of States included cyber-attacks resulting in their assassination as a potential armed attack. Also, the head of State is not defined as a Netherlands' vital "process." However, as stated in paragraph 3.1., the IGE unanimously regarded this a specific example to qualify as an armed attack (Schmitt 2017, 346, Rule 71, para. 22). Therefore, it was (theoretically) identified as an additional cyber-attack scenario, eligible for armed attack-qualification.

Policy framework regarding the scale and effect of armed attacks in cyberspace
Based on the legal appreciation of scale and effect-with regard to armed attack-by States and leading academics, and the assessment of French, British and Netherlands' policy documents, an effort was made to establish a categorization of cyber-attacks, along with tangible thresholds for each category. Building upon the ten cyber-attack scenarios (against nonmilitary targets) that could (theoretically) qualify as an armed attack if their scale and effect would reach the suggested bandwidths, interviews were conducted with five leading Dutch cyber experts, including two legal experts; one working for the Ministry of Foreign Affairs and one working for the Ministry of Defense. With a focus on the legal eligibility, particularly these two experts were asked-as if they were advising their minister-to assess when these cyber-attack scenarios would reach the armed attack-threshold in practice, triggering the Netherlands' right of self-defense. 15 Analyzing their expert judgements led to three categories of armed attack in cyberspace: (I) comparable to kinetic attacks, directly leading to physical damage, (II) comparable to kinetic attacks, indirectly leading to physical damage, and (III) not comparable to kinetic attacks, leading to societal disruption. Each category is addressed in a separate paragraph hereafter by explaining what criteria contribute to their qualification.
Moreover, two general guidelines-derived from these three categories and the contributing criteria suggested in the next three paragraphs-can be identified. First, the necessary level of proof increases when the self-evident nature of the cyber-attack decreases. This means that the less direct the harmful effects are, the more precise they have to be documented and demonstrated, 16 and the higher the level of evidence is for qualifying as an armed attack. Secondly, not all contributing criteria are equally important for armed attack qualification. With regard to the suggested thresholds, physical damage is considered most important.

Contributing criteria for cyber-attacks comparable to kinetic attacks, directly leading to physical damage
Identification of this first category is based on the similarities between the scenarios that comprised disruption, degradation or destruction of production, storage and processing of nuclear material (leading to a nuclear disaster), water barriers (leading to catastrophic floods), air traffic control (leading to air disasters), large-scale production/processing and/or storage of (petro)chemical substances (leading to an "ecological disaster"), and heads of State (leading to their assassination). Their similarities explain the label of this category: comparable to kinetic attacks, directly leading to physical damage. Moreover, some of these targets are even designated "objects containing dangerous forces" and thus explicitly protected by international law. 17 Comparing the expert judgements with regard to when this category triggers the Netherlands' right of self-defense, led to the suggestion that cyber-attacks launched against Category I targets would have to create one or more of the following effects (from most important to less important): (a) a physical damage of 1 or more persons dead, (b) a societal damage of at least 100,000 people with serious societal survivability problems, and/or (c) an economic damage of at least 5,000,000,000 euros (with the remark that using only economic damage as a qualifier is difficult, due to the reluctant official position of the Netherlands' government). 18 After conducting the interviews, it also became clear that disruption, degradation or destruction of essential medical services-specifically mentioned by the UK as a potential armed attack-is another example of this first category. Theoretically, it was excluded, because it is not (yet) a Netherlands' vital process, but since attacking essential medical services leads directly to physical damage, 1 or more persons dead would suffice to qualify as an armed attack.

5.2.
Contributing criteria for cyber-attacks comparable to kinetic attacks, indirectly leading to physical damage Identification of this second category is based on the similarities between the scenarios that comprised disruption, degradation or destruction of production, distribution and transport of electricity, gas and oil (leading to the unavailability of electricity or other forms of energy), clean water supply (leading to the unavailability of fresh water), and communications networks (necessary for "policing"). Also, in this case, their similarities explain the label of this category: comparable to kinetic attacks, indirectly leading to physical damage. Compared to the previous category, their nature is less self-evident, implying that the threshold for qualifying as an armed attack is higher, as well as the level of substantiation necessary for demonstrating the (indirect) harmful effects.
Comparing the expert judgements with regard to when this category triggers the Netherlands' right of self-defense, led to the suggestion that cyber-attacks launched against Category II targets would have to create one or more of the follow-on effects (from most important to less important): (a) a physical damage of more than 1000 people dead, seriously injured or chronically sick, (b) a societal damage of 100,000-1,000,000 people with serious societal survivability problems, and/or (c) an economic damage of 5,000,000,000-50,000,000,000 euros (with the remark that using only economic damage as a qualifier is difficult, due to the reluctant official position of the Netherlands' government). 19 5.3. Contributing criteria for cyber-attacks not comparable to kinetic attacks, leading to societal disruption Identification of this third category is mainly based on the scenario that comprised disruption, degradation or destruction of financial systems (including government processes for "taxation"), and possibly complemented by-although considered less likely to reach the suggested threshold-internet itself (disabling the digital infrastructure or services necessary for the functioning of society). Despite the caveat regarding cyber-attacks conducted against internet itself, this category consists of cyber-attacks that are not comparable to kinetic attacks and (probably) "only" cause societal and economic damage, making their nature the least self-evident and their effects the most non-kinetic compared to the previous two categories. This implies that the necessary level of substantiation is the highest of all categories, as well as the threshold for qualifying as an armed attack.
The purest criterion-according to the leading Dutch cyber experts-for this category to trigger the Netherlands' right of self-defense, is achieving "societal disruption." Unfortunately, like "armed attack," "societal disruption"-combined with "serious societal survivability problems" for a number of people-lacks a clear definition. Although the Netherlands Scientific Council for Government Policy (WRR) states that "digital societal disruption" occurs "when normal life is seriously and adversely affected" (The Netherlands Scientific Council for Government Policy 2019, 7), it also recognizes the absence of a tangible threshold and how difficult it is to overcome this lacuna (Wetenschappelijk Raad voor het Regeringsbeleid 2019, 25). The WRR hints toward "key societal systems and institutions being visibly impacted," and "citizens losing confidence in the institutions of government, the market economy and the society in which they live" (The Netherlands Scientific Council for Government Policy 2019, 6-7), but further clarification would need additional research.
Nevertheless, the leading Dutch cyber experts-particularly the two legal expertsgenerally accepted the upper limits of the suggested bandwidths for societal and economic damage as a guideline for the (absolute) minimum threshold. 20 This would imply the suggestion that cyber-attacks launched against Category III targets trigger the Netherlands' right of self-defense if it leads to one or more of the following effects: (a) a societal damage of at least 1,000,000 people with serious societal survivability problems, and/or (b) an economic damage of at least 50,000,000,000 euros (with the remark that using only economic damage as a qualifier is difficult, due to the reluctant official position of the Netherlands' government). 21 To conclude this section, Figure 1 provides a schematic overview of the synthesis resulting in contributing criteria that could trigger the Netherlands' right of selfdefense for three cyber armed attack-categories.

Concluding reflections
By interpreting the legal guidance for armed attacks in cyberspace, and cross-fertilizing it with international and interdisciplinary policy documents, including the opinion of leading Dutch cyber experts, this paper has offered further granularity in the discourse on scale and effect regarding cyber-attacks that might qualify as an armed attack in the meaning of Article 51 of the UN Charter, triggering the right of selfdefense in international relations. This granularity could enable us to take away some of the legal "uncertainty" (Schmitt 2017, 346, Rule 72, para 20) articulated in the Tallinn Manual 2.0.
The result of the conducted synthesis is a policy framework with a categorization that will provide more clarity for (a) the author of a cyber-attack with regard to when the armed attack-threshold is reached in cyberspace and (b) when a victim State can respond in self-defense to cyber-attacks with a grave impact. However, three aspects need to be addressed to ensure the proper interpretation and implementation of the suggested policy framework.
First, as already mentioned, it must be clear that the suggested levels for each category originate from the (minimum) expected effects in case of disruption, degradation or destruction of Netherlands' vital processes. Although the original impact levels are official policy from the Ministry of Justice and Security, 22 they were not defined to categorize cyber-attacks or determine if they qualify as an armed attack. Nevertheless, while existing sources in international law provide no tangible guidance for judging whether the scale and effect of cyber operations can be appraised as relatively large and substantial, the applied form of cross-fertilization offers a potential solution for this problem.
Secondly, and this has also been mentioned already, the suggested categorization is currently quantified for the Netherlands' situation. However, it could perhaps be widened by applying relative criteria: using percentages of the population size or of the gross national/domestic product as contributing criteria could possibly make the thresholds suitable for other States as well.
Thirdly, and most importantly, by recognizing a category of armed attack in cyberspace that is not comparable to kinetic attacks, leading to societal disruption (Category III), the suggested policy framework positions itself in a situation similar to the 1945 Brazilian proposal on the use of force interpretation in the UN Charter, arguing that apart from a prohibition on the threat and use of force, a similar transboundary prohibition should apply to "mesure d'ordre economique." 23 Therefore, ignited by the emergence of cyberspace, a discourse should commence on what the width and depth of the use of force and subsequently an armed attack is in cyberspace, and whether societal disruption-caused by serious societal survivability problems for a (relatively large) number of people and/or (substantial) economic damage-could indeed be a valid criterion for armed attack-qualification, as argued in this paper. And if so, then

Categories of armed attack in cyberspace
Practical examples (of disrupted, degraded or destructed 'core security assets')

Characteristics
Contributing criteria that could trigger the NL right of self-defense (from most important to less important with the remark that using only economic damage as a qualifier is difficult, due to the reluctant official position of the Netherlands' government) I Production, storage and processing of nuclear material (leading to a nuclear disaster) -comparable to kinetic attacks directly leading to physical damage (a) a direct physical damage of 1 or more persons dead (b) a societal damage of at least 100,000 people with serious societal survivability problems (c) an economic damage of at least 5,000,000,000 euros

Water barriers (leading to catastrophic floods)
Large-scale production/processing and/or storage of (petro)chemical substances (leading to an 'ecological disaster') Air traffic control (leading to air disasters) Heads of State (leading to their assassination) Essential medical services (leading to dying patients)

II
Production, distribution and transport of electricity, gas and oil (leading to the unavailability of electricity or other forms of energy) -comparable to kinetic attacks indirectly leading to physical damage (a) an indirect physical damage of more than 1,000 people dead, seriously injured or chronically sick (b) a societal damage of 100,000 -1,000,000 people with serious societal survivability problems (c) an economic damage of 5,000,000,000 -50,000,000,000 euros Clean water supply (leading to the unavailability of fresh water) Communications networks (necessary for 'policing')

III
Financial systems (including government processes for 'taxation') -not comparable to kinetic attacks -leading to 'societal disruption' 'Societal disruption', the purest criterion for this category, could be achieved with: (a) a societal damage of at least 1,000,000 people (as an absolute minimum) with serious societal survivability problems (b) an economic damage of at least 50,000,000,000 euros (as an absolute minimum) Internet itself (disabling the digital infrastructure or services necessary for the functioning of society) Figure 1. Policy framework regarding when cyber-attacks qualify as an armed attack, triggering the Netherlands' right of self-defense.
perhaps the current non-eligibility of "cyber espionage" and "manipulation of the information environment" for armed attack qualification-presumed earlier in this paper-would have to be reconsidered, assuming that both types of cyber-attacks could indeed be grave enough to cause societal disruption.  (1986), para 190, 100. A peremptory norm of international law (jus cogens) is a norm from which no derogation is permitted and which can be modified only by a norm of international law having the same character. 7. The Brazilian proposal to include "mesure d'ordre economique." 8. Although most States recognize the gap between both articles, one does not: the US. Its position is that any "use of force" triggers the right of self-defense, even though the rest of the world focusses on Article 51 of the UN Charter which talks about "armed attack" (University of Virginia School of Law 2017; Schmitt 2013a, 689; Schmitt 2013b, 332-333, Rule 69, para. 7). 9. Regarding the sources of law, according to Article 38(1) of the Statute of the ICJ, customary law takes precedence over the opinions of leading academics. However, the customary international law is far from solidified in this matter: state practice is lacking and the legal opinions of only a few States are available. Since the opinions of leading academics were developed first and potentially influenced the positions of States, these will be dealt with first. 10. Although this guidance was articulated for determining if cyber operations violate the prohibition of the use of force, in this paper, it is also considered important in relation to an armed attack, since armed attack is depicted to have a higher threshold than the use of force-standard (Schmitt 2015(Schmitt , 1115. 11. While numerous states have provided legal opinion on the application of international law to cyberspace, most express their position in generic terms. See Schmitt (2019). The position of the US will not be addressed since it holds the view that the threshold for the use of force and armed attack are identical, see Schmitt (2020), Schmitt (2013a, 689), and Schmitt (2017, 332-333, Rule 69, para. 7). 12. Cyber Espionage is the non-consensual collection of confidential information. Whilst cyber espionage can be executed in peacetime or during armed conflict, it does not reach the threshold of the use of force. See also Buchan and Navarrete (2021, 232-235). 13. Whyte and Mazanec identify 4 types of attacks. Supporting kinetic attacks is the fourth category which is excluded from this analysis. See also National Coordinator for Security and Counterterrorism (2019).

Notes
* 5,000,000,000 -50,000,000,000 euros. Cat B (and Dutch political support: AIV/CAVV Report), but excluded from the field research due to the specific focus on non-military targets Cyber-attack scenarios for which the Netherlands' armed attack-threshold could lie somewhere in the defined bandwidths. 24 Appendix D