Facing hostile cyber operations, States are crafting responsive strategies, tactics and rules of engagement. One of the major challenges in doing so is that key aspects of the international law governing cyber responses are vague, unsettled or complex. Not surprisingly, therefore, international law is markedly absent from strategies and operational concepts. Rather, they tend to take on a practical “tit-for-tat” feel as policymakers logically view “in-kind” responses as “fair play.” For them, responding in-kind surely must be lawful notwithstanding any challenges in discerning the precise legal character of the initial hostile cyber operation.
Testing that sense, this article examines the legal context surrounding in-kind responses to cyber operations conducted by, or otherwise attributable, to a State. It concludes that while in-kind responses often do minimize the risk of a response being unlawful, international law does not always permit States to respond in-kind. To tease loose the nuance, the article considers types of hostile cyber operations with respect to “in-kind” responses—armed attacks, uses of force not rising to the level of an armed attack, other internationally wrongful acts and lawful acts. The objective is greater contextual precision in evaluating in-kind cyber responses and, thereby, a lessening of the legal risk States face when engaging in them.