Cyber War: The Invisible War in Cyberspace That Decides the Conflicts of the Present

Paolo Galdieri : 27 June 2025 22:14

In the heart of contemporary conflicts, alongside tanks, drones and troops, an invisible, silent and often underestimated war is being fought: cyber war.

It is not just a futuristic scenario or a hypothetical threat. It is reality. From the conflicts between Russia and Ukraine, to the parallel attacks that occurred during the clash between Israel and Hamas, to the recent tensions between Israel and Iran, cyberspace has now become a real battlefield.

Cyberspace as a new domain of warfare

Cyberspace is no longer just the environment where computer fraud, child pornography dissemination or unauthorized access are carried out. It has been officially recognized by NATO as the fifth domain of warfare, alongside land, sea, air and space. This means that offensive and defensive operations conducted through information systems can have the same strategic and geopolitical weight as conventional attacks.

In the context of international relations, cyber warfare is distinct from other digital activities such as cyber crime, info warfare, cyber terrorism or state digital surveillance.

Here we are talking about real attacks carried out by one State against another, with the aim of destabilizing, sabotaging or strategic acquisition of sensitive data.

International law and the challenges of cyber war

One of the great open questions is the legal one: how are cyber conflicts regulated? Do we need a “tailor-made” law for cyberspace?

The prevailing position, also supported by the United States, is that the rules of international law – both in times of peace and war – also apply in cyberspace. However, evident critical issues remain:

• the attribution of the attack: in cyberspace it is difficult to identify the attacker with certainty;
• the concept of cyber weapon: when can a cyber attack be considered “military”? When can one also react with force?
• the proportionality of the response: international law requires that the response to an armed attack be proportionate. But how do you measure a digital attack?

According to many experts, a cyber attack becomes “armed” if it produces physical damage, deaths or destruction of critical infrastructures. In this context, we speak of a cyber weapon when the attack:

1. occurs in the context of a conflict between state or comparable actors;
2. has the aim of physically or electronically damaging sensitive infrastructures;
3. is carried out using advanced technological tools.

Cyber operations: CNA, CNE and CND

For the United States Department of Defense, cyber operations are divided into:

• CNA (Computer Network Attack): attacks aimed at disturbing, degrading or destroying information systems (these are the real “cyber war” operations);
• CNE (Computer Network Exploitation): secret collection of information – these are intelligence operations;
• CND (Computer Network Defence): defensive actions to protect networks and systems.

Only CNAs that pose a threat or use of force would fall under the scope of cyber warfare. The others are more properly placed in the context of espionage or information warfare.

Cyber attack and Article 5: when can NATO collective defense be triggered?

Article 5 of the North Atlantic Treaty, signed in 1949, provides that:

“An armed attack against one or more members of the Alliance shall be considered an attack against them all, and each of them shall take such measures as are necessary to assist the attacked State, including the use of armed force.”

Originally, this provision was intended for conventional military attacks (land, sea or air). However, since 2014 – particularly after the hacker attacks on Western infrastructure and the annexation of Crimea – NATO has officially extended the concept of “armed attack” to cyberspace as well.

When can a cyber attack trigger Article 5?

A cyber attack can theoretically trigger Article 5 if it reaches a threshold comparable to a conventional armed attack in terms of:

• severity  (e.g. paralysis of an entire national electrical system, sabotage of hospital infrastructure, deactivation of air defense);
• effects (human casualties, large-scale material damage);
• clarity of attribution (certain identifiability of the responsible actor, and whether this is a State or directly linked to it).

In 2007, Estonia – a NATO member – suffered a massive cyber attack attributed to Russian groups: Article 111 of the 2007 NATO Cyber Attack Act was not activated. 5, but since then NATO has established the Cyber Defense Center of Excellence in Tallinn.

• In 2021, NATO officially stated that “a significant cyber attack could trigger Article 5″, without specifying quantitative thresholds.
• The Russia-Ukraine crisis has further raised the level of attention: if Russia were to launch a devastating cyber attack against a NATO critical infrastructure, the Alliance could consider it a full-blown armed attack.

In conclusion, Article 5 can be applied to cyber warfare, but only in the presence of strong evidence, serious impacts and proven state responsibility. The Atlantic Alliance is still cautious: cyberspace is a fluid battlefield, where the wrong response risks degenerating the conflict rather than containing it.

Therefore, Article 5 today is more of a political than an operational tool in cyber warfare: it serves to dissuade potential attackers, but its concrete implementation remains exceptional and full of complex legal and diplomatic implications.

From European regulatory documents to national defense

The urgency of protecting ourselves from these threats is demonstrated by a series of regulatory and strategic acts, both international and national. In the European context, the NIS Directive of 2016, the G7 Taormina Document and the Tallinn Manuals stand out, real legal references on the subject.

In Italy, the regulatory effort has materialized in measures such as:

• the White Paper for International Security and Defense;
• the National Plan for Cyber Protection;
• the Prime Ministerial Decree of 17 February 2017“Directive containing guidelines for national cyber protection and IT security” ;
• Law no. 133/2019,  establishing the perimeter of national cyber security;
• Law 109/2021, containing “ Urgent provisions on cybersecurity, definition of the national cybersecurity architecture and establishment of the National Cybersecurity Agency “ , which established the National Cybersecurity Agency (ACN);
• Law no. 90/2024, “Provisions on strengthening national cybersecurity and cybercrime”, which imposes new obligations on notification, reaction and coordination in the event of cyber incidents.

The Tallinn Manuals: the international legal framework of cyber conflict

The two Tallinn Manuals (2013 and 2017), drafted by an international group of experts under the aegis of the NATO Centre of Excellence for Cyber Defence (CCDCOE), represent the most advanced attempt to give a legal interpretation to the role of international law in cyberspace, in the absence of specific binding treaties.

The first Manual focuses exclusively on situations of armed conflict: that is, it applies when cyber warfare joins or accompanies a conventional war. It analyses how the rules of international humanitarian law (or the law of war), such as the Geneva Convention, and those of general international law, including the principles of:

• sovereignty: each State has the exclusive right to control its own cyberspace and digital infrastructure;
• non-interference: cyber operations must not compromise the sovereignty or political independence of another State;
• prohibition of the use of force, except in self-defence;
• State responsibility: a State is responsible for acts committed in its cyberspace or by entities under its control.

 It also defines what can be considered “use of force” in the cyber field, distinguishing between disruptive actions (e.g. DDoS) and destructive attacks on critical infrastructures, which can potentially justify a military response.

The second Manual greatly expands the scope of the first. It focuses on cyber operations that occur below the threshold of armed conflict, i.e. in peacetime, and often in the absence of official declarations of war.

Tallinn 2.0 addresses new crucial issues:

• the responsibility of States for espionage, sabotage and disinformation activities conducted by “non-State” groups but tolerated or supported;
• the definition and protection of critical infrastructures;
• the interaction between cyber law and other branches of law international law, such as:
  • the law of the sea (e.g. submarine cables);
  • the law of space (for satellite communications);
  • diplomatic and consular law (in relation to the violation of the offices and data of foreign representations);
• the application of human rights to cyberspace: freedom of expression, protection of privacy, access to information;
• the legal treatment of cyber espionage operations, so far excluded from explicit rules, but which put national security and trust between States at risk;
• the methods of peaceful resolution of digital disputes and the responsibilities of States with regard to cyber attacks launched by internal actors or hosted on their territory.

If the first Manual represents a sort of “Emergency Manual” for cyber warfare, the second is a real encyclopedia of international law applied to cyberspace, also useful for preventing escalations and promoting responsible use of digital technologies.

The three key laws of Italian cybersecurity: 133/2019, 109/2021  and 90/2024

In the Italian regulatory landscape, three provisions represent the foundations of the national cyber defense strategy. These are Law 133/2019, Legislative Decree 82/2021 (converted into Law 109/2021) and Law 90/2024. Each of these regulatory interventions has progressively strengthened the institutional and operational architecture of cybersecurity in our country, with increasing objectives of prevention, coordination and effective response to digital attacks.

Law 133 was created to defend critical Italian digital infrastructures, both public and private, from potential cyber attacks. By converting Legislative Decree no. 105/2019, establishes the National Cyber Security Perimeter, which has two fundamental objectives:

1. identify the national strategic entities (ministries, companies, public bodies, essential service operators) that manage systems and networks that are fundamental for the security of the State;
2. impose on these entities the adoption of specific security measures, technological standards, notification obligations in the event of incidents and to subject suppliers of critical technologies to preventive verification.

The law assigns the Presidency of the Council, through the DIS (Department of Information for Security), a coordination role, with the collaboration of other bodies, such as the Ministry of Defense and the Interior. Furthermore, it provides for sanctions for those who do not comply with security obligations, and introduces a preventive assessment for ICT supplies in sensitive sectors.

With Legislative Decree 82, converted into Law 109/2021, Italy makes a leap in institutional quality by establishing the ACN – National Cybersecurity Agency. The Agency is responsible for:

• managing, monitoring and strengthening the country’s cyber resilience;
• coordinating the cyber defense activities of public administrations;
• promoting Italian and European strategic autonomy in the digital sector;
• collaborating with universities, research centers and companies to develop secure technologies;
• training a specialized workforce and promoting cybersecurity education campaigns among citizens and companies.

The ACN also deals with the operational implementation of the measures provided for by Law 133/2019 and represents the single interlocutor at European and international level for cooperation in the cyber sector.

The Italian model is transformed from reactive to proactive and integrated, recognizing cyberspace as a structural element of national security.

Law 90 of 2024 has updated and strengthened the existing regulatory system, introducing specific obligations and timely reporting of cyber incidents. In particular, it provides for:

• the obligation for certain subjects (public administrations and relevant operators) to send an initial report to the ACN within 24 hours from the moment they become aware of a cyber incident;
• the transmission of a complete notification within 72 hours, via the platforms made available by the Agency;
• the obligation for reported subjects to resolve vulnerabilities indicated by the ACN within 15 days;
• the identification within the PA of a structure and a cybersecurity contact person, who act as a single point of contact with the Agency.

Furthermore, the law promotes the harmonization between cybersecurity and digital transition: the person responsible for the digital transition (RTD) can coincide with the cybersecurity contact person.

This is a big step forward towards a reactive but also collaborative model, which rewards speed in crisis management and imposes clear timeframes for intervention, reducing the margins of uncertainty or inaction.

Cyberwar and propaganda: the future of conflicts is hybrid, but Italy is still culturally disarmed

Today all wars are hybrid: they are no longer fought only with conventional weapons, but extend into cyberspace, where the line between attack and defense is thin, invisible and constantly evolving. In this new dimension, alongside malware and sabotage operations, disinformation also plays a decisive role, fueled by sophisticated digital propaganda techniques, often enhanced by artificial intelligence. Fake news becomes ammunition, social networks become battlefields, and citizens’ minds become targets to be manipulated.

On the regulatory front, something is moving: international legislators – albeit slowly – are taking note of the extent of the threat, adopting laws increasingly oriented towards protecting critical digital systems, that is, those that store information vital to national security. Even in Italy, as demonstrated by laws 133/2019, 109/2021 and 90/2024, institutional awareness is now clear.

However, there remains a significant cultural delay. Computer science education, especially in the field of cybersecurity, is still marginal.  Universities that train digital security specialists are few, often undersized compared to the real demand of the market and the needs of the State. In many strategic realities, the adequate technical skills to manage cyber threats are lacking, and often those who lead decision-making processes do not have full mastery of digital risks.

 Furthermore, there is no clear regulatory definition of cybersecurity: it is not yet established how far a cybersecurity expert can go without incurring violations of the law. When does defense become intrusion? When does protection become abusive surveillance? These regulatory gaps create uncertainty and, in extreme cases, can even hinder the very security that is intended to be guaranteed.

In a global context in which war is fought with drones, codes and manipulated news, we can no longer afford to be left behind. Building a solid culture of cybersecurity is now a national priority, as much as equipping ourselves with traditional weapons. Because in the war of the future – which is already partly the present – the front line is made of competence, awareness and digital readiness.