Collective Countermeasures in Cyberspace: Bridging the Gap Between State Practice and International Legal Frameworks

Cyberattacks are increasingly state-sponsored, as are the responses to them. However, existing frameworks do not adequately address the legalities of collective responses to state-sponsored cyberattacks. Although Article 42 of the International Law Commission’s (ILC) Articles on State Responsibility (ASR) limits the right to take countermeasures to states that have been directly injured by cyber-attacks, the “savings clause” in Article 54 seems to contemplate collective action by non-injured states in response to erga omnes, meaning breaches of obligations owed to the international community as a whole. This article examines the legality and practicality of collective responses to cyberattacks, analyzing the tension between the traditional bilateral approach and the emerging advocacy for coordinated multilateral responses to cyber threats. Applying a doctrinal legal methodology, the article critically examines recent state practices, including the coordinated international response to the 2022 Iranian cyber-attack on Albania, the collective attribution of blame WannaCry (2017) and NotPetya (2017), and the European Union’s Cyber Diplomacy Toolbox. The analysis explores the growing, but inconsistent, body of state practice and opinio juris, with notable divergences among those states that, like Estonia, explicitly endorse collective countermeasures, and those that , like France, reject them outright. The article also examines the substantive and procedural precedents to lawful countermeasures, such as attribution, proportionality, necessity, and the protection of third-party rights, and suggests how these conditions can address the special problems of operating in cyberspace. The article concludes by observing that, although the current legal framework does not explicitly authorize collective countermeasures, evolving state practices and the unique nature of cybersecurity are gradually making collective countermeasures more universally acceptable. The article concludes by proposing that the use of cyber countermeasures by third parties, if grounded in the theory of third-party coercion, could provide a legally sound rationale for collective responses that are effective deterrents, and respect both state sovereignty and the international rule of law...