Recent revelations about large-scale cyber intrusions attributed to state-linked actors have brought the legal ambiguity of cyberspace into sharp focus. In particular, warnings by United States cyber agencies about Chinese state-sponsored groups such as “Volt Typhoon,” which has reportedly infiltrated critical infrastructure networks, and “Salt Typhoon,” linked to breaches in telecommunications systems, have underscored a troubling reality. These incidents are not isolated technical breaches but part of a broader pattern of persistent cyber operations that sit uncomfortably between espionage, coercion, and acts of war. They expose how international law is struggling to respond to a rapidly evolving domain of conflict.
The central problem is that cyber operations do not fit neatly into traditional legal categories. The international legal framework, particularly the United Nations Charter, was designed to regulate overt acts of war such as invasions or missile strikes. Cyber operations, however, can disable infrastructure, extract sensitive data, or disrupt essential services without triggering conventional thresholds of armed conflict. The reported activities of Volt Typhoon, which allegedly maintained long-term access to US critical infrastructure systems including energy and communications networks, illustrate this challenge. Even if such intrusions are deeply concerning from a security perspective, their classification under international law remains uncertain.
This ambiguity is further complicated by the question of harm. International law tends to treat physical damage or loss of life as key indicators of a “use of force.” Yet many cyber operations cause systemic disruption without direct physical destruction. For example, telecommunications breaches associated with Salt Typhoon reportedly allowed access to sensitive communications infrastructure. While this raises serious national security concerns, it does not automatically meet the legal threshold of armed attack under existing interpretations of international law. The result is a widening gap between perceived threat and legal categorization.
Attribution remains another major obstacle. Cyber operations are designed to obscure responsibility through proxy networks, false flags, and layered infrastructure. Even when intelligence agencies publicly attribute attacks, such as US and allied assessments linking Volt Typhoon to Chinese state-sponsored actors, legal attribution requires a higher standard of proof under international law. States are often reluctant to present detailed evidence publicly due to intelligence constraints, which weakens the ability to enforce accountability through legal mechanisms.
This uncertainty extends to the principle of sovereignty. Cyber intrusions challenge the traditional understanding of territorial integrity because they do not require physical entry into a state’s territory. However, they can still penetrate deeply into national systems. France and the United Kingdom have argued that unauthorized cyber operations causing significant effects on systems within a state may constitute a violation of sovereignty. Other states adopt narrower interpretations, requiring tangible damage. This lack of consensus leaves a legal vacuum that cyber operations readily exploit.
The ongoing Russia-Ukraine conflict has further demonstrated how cyber operations operate in this grey zone. Since 2022, Ukraine has faced continuous cyber attacks targeting government databases, energy infrastructure, and communication systems. Russia, in turn, has been accused of deploying cyber operations alongside kinetic warfare. These include attempts to disable Ukrainian power grids and disrupt public services. While some of these actions have caused real-world disruption, they are rarely treated as standalone armed attacks under international law. Instead, they are absorbed into the broader context of an ongoing armed conflict, further blurring legal boundaries.
What makes these developments particularly concerning is the normalization of persistent cyber intrusion as a tool of statecraft. Unlike traditional warfare, cyber operations can be conducted continuously below the threshold of armed conflict. This creates a strategic environment where states engage in constant low-level confrontation without triggering formal legal consequences. Over time, this risks eroding deterrence and making such behavior routine.
The implications for international stability are significant. If states increasingly rely on cyber operations to achieve strategic objectives while avoiding legal thresholds, the distinction between peace and conflict becomes harder to define. Critical infrastructure such as hospitals, financial systems, and energy grids become continuous targets of influence and disruption. This raises the risk that a cyber operation could unintentionally escalate into a physical conflict if it causes cascading failures in essential systems.
International legal efforts to address this issue have so far been limited. United Nations discussions through the Group of Governmental Experts and the Open-Ended Working Group have confirmed that international law applies to cyberspace. However, they have avoided defining precise thresholds for use of force, intervention, or sovereignty violations. This leaves states to interpret the law individually, resulting in fragmentation rather than clarity.
In response, states have increasingly relied on unilateral measures such as sanctions, public attribution, and the development of offensive cyber capabilities. While these tools provide some deterrence, they operate outside a clear legal framework and risk contributing to escalation rather than resolution. Without shared legal standards, responses to cyber operations become politically driven rather than norm-based.
The core challenge is not whether international law applies to cyberspace, but whether it can be made precise enough to regulate it effectively. The cases of Volt Typhoon, Salt Typhoon, and the ongoing cyber dimension of the Russia-Ukraine war demonstrate that cyber operations are no longer hypothetical legal problems. They are active instruments of geopolitical competition operating in a space where law has not yet caught up with practice.
Until international law develops clearer rules on attribution, sovereignty, and thresholds of force in cyberspace, the grey zone will persist. In this space, states gain strategic flexibility, but the international system loses legal certainty. The result is a fragile equilibrium where stability depends less on law and more on restraint.
[Image by M. Richter from Pixabay]
Maria Hassan is an undergraduate student of Peace and Conflict Studies at National Defence University, Islamabad. Opinions expressed in this article are those of the author.
