Manya Gupta
Introduction
In June 2025, amid escalating hostilities with Israel, the Iranian government declared a near-total internet blackout, cutting off around 97% of the country’s digital connectivity for thirteen days. Officials claimed the move was necessary to prevent further intrusions after an anti-Iranian group, reportedly with Israeli ties, breached Iran’s state-owned bank Sepah and destroyed sensitive data. Meanwhile, Israeli authorities accused Iran of hijacking internet-connected home security cameras to conduct real-time surveillance, a tactic previously observed in operations by Hamas and Russia. The blackout, while presented as a security measure, had profound consequences for civilians by cutting off access to emergency services, banking systems, healthcare platforms, and simple communication.
Such an action is increasingly being referred to as a ‘cyber blockade’ — a method of warfare that, despite its growing prevalence, remains ambiguously defined and insufficiently regulated under international law as existing framework regarding warfare is largely kinetic. Presently accepted definition was given by scholar Alice L. Russell as “preventing a state, through cyber-attacks, from receiving or transmitting information beyond its borders for political reasons, with the intent of weakening the state, government institutions, economy, or society.”[i] This definition encompasses a broad spectrum of cyber activities from distributed denial of service (DDoS) attacks to malware, ransomware, and infrastructure sabotage.
Iran’s shutdown is not an anomaly. Similar tactics have been employed in other conflict or high-tension zones. In Gaza, communication blackouts during military strikes disrupted humanitarian aid, severed emergency medical coordination, and left civilians unaware of evacuation routes. Ukraine has faced coordinated Russian cyber operations targeting its power grids, communication networks, and financial systems. Together, these instances raise urgent questions: Can cyber blockades be recognized as methods of warfare? Do they breach core principles of international humanitarian law? And lastly, how can responsibility be assigned to nations?
Examining Cyber Blockades as Crimes Against Humanity
The Rome Statute offers a framework through Article 7 which defines crimes against humanity as widespread or systematic attacks directed against civilian populations, committed with knowledge of the attack.
a) Widespread or Systematic Attack
As held in Prosecutor v. Akayesu[ii] and Kunarac,[iii] an attack must be either widespread (large-scale, affecting many victims) or systematic (organized and pursuant to a policy). Both conditions could plausibly apply to state-led cyber blockades. For instance, the destruction of Gaza’s telecommunications by Israel and the nationwide Iranian blackout in 2025 which persisted for days.
b) State or Organizational Policy
A cyber blockade imposed by government decree is inherently carried out in furtherance of a state policy. As per Prosecutor v. Bemba,[iv] the policy need not be formalized or publicly declared; it can be inferred from the systematic nature and execution of the acts. This is critical to distinguishing isolated incidents (e.g., hacker groups acting alone) from state-sponsored cyber repression.
c) Intent and Knowledge
Under Article 7, perpetrators must intend or know their acts are part of a broader attack on civilians. The virtual certainty test, as applied in Bemba,[v] implies that foreseeability of consequences is enough. In other words, if a state knowingly imposes a digital blockade knowing that it will cause medical system failures, economic paralysis, and communication breakdowns, the threshold of intent or knowledge is met.
Cyber blockades, if considered methods of warfare, must adhere to core IHL principles. First, the principle of distinction requires that attacks differentiate between civilian and military targets. Second, proportionality mandates that any incidental civilian harm must not be excessive in relation to the anticipated military advantage. Third, necessity obliges such operations to pursue a legitimate military objective. Blanket internet shutdowns may also qualify under the catch-all provision of Article 7(1)(k) i.e., “other inhumane acts” causing serious suffering or injury which are not tied to a traditional armed conflict or do not involve kinetic violence.
Moreover, Article 33 of the Fourth Geneva Convention explicitly prohibits collective punishment. Blanket digital restrictions that target entire populations, regardless of combatant status, may amount to violations of humanitarian law. The Tallinn Manual 2.0[vi] also emphasizes that cyber actions must not impede humanitarian relief operations or compromise the safety of aid personnel. Cyber blockades also violate Article 19 of the International Covenant on Civil and Political Rights (ICCPR), which safeguards the right to seek, receive, and impart information.
Attribution and State Responsibility
One of the most significant legal challenges in regulating cyber blockades is the problem of attribution, i.e. determining whether a particular cyber operation can be legally linked to a state. This is especially difficult due to the anonymous and borderless nature of cyberspace.[vii] According to Article 2 of the Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA), a state may be held responsible when two key conditions are met: first, the act must be attributable to the state, and second, it must constitute a breach of an international legal obligation. Even though the conditions seem simple in theory, defining them in cyber situations is very challenging. Employing proxy servers, anonymization tools, and spoofed IP addresses tends to conceal the true origin of a cyber operation.
International jurisprudence has established two significant benchmarks for ascertaining state responsibility in such cases. The effective control test, as formulated in Nicaragua v. United States,[viii] requires that a state exert direct control over the specific conduct in question. The overall control test, developed in Prosecutor v. Duško Tadić,[ix] adopts a broader view by attributing responsibility where the state exercises general control over a group’s operations and provides material support. The effective control test is more restrictive, while the overall control test is more adaptable to modern conflict environments, including those involving cyber operations.
A state can also bear responsibility when a non-state actor operates under its instructions, direction, or control, or where the state expressly supports and adopts the actor’s conduct as codified in Article 8 of ARSIWA. This principle is particularly significant in cyber operations, where the distinction between state and private actors is often ambiguous. Rule 17 of the Tallinn Manual 2.0 also reaffirms that attribution can arise from substantial influence or adoption of conduct. One illustrative example is Russia’s cyber operations against Ukraine, where attacks on civilian infrastructure were carried out by actors with demonstrable links to the Russian state. Similarly, Israel’s control over Palestinian cyberspace and its execution of both kinetic and technical shutdowns of Gaza’s communication infrastructure leave little ambiguity regarding attribution.
Although direct evidence tying every operation to official state organs may not always exist, patterns of coordination, consistent political objectives, and operational scale can support inferences of state responsibility under international law.
Conclusion
Cyber blockades represent a new, insidious form of warfare, one that bypasses conventional weaponry and targets the very infrastructure modern societies depend on. As this blog has argued, these tactics may amount to crimes against humanity under international law when they are widespread, systematic and knowingly directed against civilian populations. Through the lens of incidents like Iran, Kashmir and Ukraine, we see how digital blackouts can cripple healthcare, supress dissent and inflict economic paralysis.
Despite the severity of these actions, the current legal architecture is ill-equipped to fully address them. Given the limited jurisdiction of the ICC and the high bar for attribution in cyberspace, the enforcement of UN Charter, ICCPR and Geneva Conventions remain elusive. International law must evolve to explicitly define cyber blockades, lower the threshold for attribution and build more robust and accessible avenues for redress. As the digital domain becomes a critical theatre of power, the failure to regulate cyber blockades risks normalising them and eroding civilian rights as well as state accountability.
Manya Gupta is a third-year student at Dr. Ram Manohar Lohiya National Law University, Lucknow
[i] Russell A.L., Cyber Blockades (Georgetown University Press 2014).
[ii] Prosecutor v Jean-Paul Akayesu (Judgement) ICTR-96-4-T (2 September 1998).
[iii] Prosecutor v Dragoljub Kunarac Radomir Kovac and Zoran Vukovic (Trial Judgment) IT-96-23-T (22 February 2001).
[iv] Prosecutor v Jean-Pierre Bemba Gombo (Judgement) ICC-01/05-01/08-388 (21 March 2016).
[v] Prosecutor v Jean-Pierre Bemba Gombo (Judgement) ICC-01/05-01/08-388 (21 March 2016).
[vi] Schmitt M.N., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017).
[vii] Delbert Tran, “The Law of Attribution: Rules for Attribution the Source of a Cyber-Attack Note” (2018) 20 YJLT https://yjolt.org/law-attribution-rules-attributing-source-cyber-attack accessed 14 July 2025.
[viii] Case Concerning Military and Paramilitary Activities In and Against Nicaragua (Merits) ICJ GL No 70 (27 June 1986).
[ix] Prosecutor v Dusko Tadic (Judgment) IT-94-1-T (7 May 1997).
NUALS Law Journal 