Mr. Ikenna Iheuwa on “From Silent Infiltration to Strategic Risk: Why the Tallinn Manual Should Address Latent Cyber Threats”

Today we welcome a new Lawfire® contributor, Mr. Ikenna Iheuwa, who grapples with the issue of how international law should consider situations where a “State-linked actor” penetrates a “sensitive national system” and implants “dormant capabilities that can be activated at a later time.” As he says, though they cause no immediate damage, they could result in “catastrophic harm…once activated.” Consider this from the essay:

[I]f an explosive device were discovered inside a power plant, most would classify it as an imminent armed attack. But a latent cyber exploit in the same plant is treated merely as an intrusion or espionage under the prevailing effects-based approach.

This gap creates a dangerous strategic dilemma. These latent threats are indistinguishable in potential effect from sabotage tools, yet the law treats them as if nothing has yet happened. The only distinction is that these latent capabilities are digital, not physical. 

You’ll want to read his analysis and critiques of existing norms, and consider his innovative solution!

From Silent Infiltration to Strategic Risk: Why the Tallinn Manual Should Address Latent Cyber Threats

By Ikenna Victor Iheuwa

Introduction

Cyberspace has become a preferred arena for projecting power without open confrontation. State-linked actors can now penetrate sensitive national systems without firing a shot, often implanting dormant capabilities that can be activated at a later time.

Under prevailing international law, a cyber operation rises to the level of a prohibited use of force when its effects resemble kinetic attacks, that is, they cause destruction, death, or disable critical functions.

The dilemma is that these cyber intrusions, which often leave behind latent capabilities, appear legally innocuous: they cause no immediate damage, fail the “imminence” test under the Caroline formula, and are typically treated as espionage or sovereignty violations (UN Charter, Art. 2(4)).

Yet their hidden potential to disable grids, shut down water facilities, or compromise nuclear systems means that catastrophic harm can be unleashed instantly once activated.

This raises the central question: Should the mere implantation of latent capabilities in critical systems, though harmless at first glance, be treated as a prohibited use of force under international law? Or should the law continue to wait until activation, at which point the cost of inaction may be devastating?

Examples of High-Profile Attacks

The July 2025 breach of the U.S. National Nuclear Security Administration (NNSA) underscores the growing risk. According to Microsoft, China-based groups exploited zero-day vulnerabilities in SharePoint to penetrate NNSA systems (Microsoft Security Blog).

(A “zero-day” exploit is a cyberattack vector that takes advantage of an unknown or unaddressed security flaw, giving the software or device vendor zero days to fix the flaw. (IBM)).

The Department of Energy reported no classified data loss and only minimal disruption. Yet the very fact that hostile actors gained access to America’s nuclear agency raises profound strategic and legal questions (Reuters).

Similarly, outside the nuclear sphere, supply-chain vulnerabilities also illustrate the danger of latent capabilities. In 2019, U.S. authorities intercepted a Chinese-manufactured power transformer bound for the grid and sent it to Sandia National Laboratories for analysis because of concerns about embedded backdoors or vulnerabilities (Forbes).

More recently, rogue communication devices were discovered in Chinese-made solar inverters and batteries, components that could bypass firewalls and grant remote access to the grid (Reuters, May 14, 2025).

These cases demonstrate a troubling pattern: today’s cyber operations often appear harmless at first yet embed the means for devastating future attacks.

The Limits of Current Law

International law already provides a framework for cyber operations; however, its rules are tethered to concepts developed for physical warfare. Under Article 2(4) of the UN Charter, states are prohibited from using force against another’s territorial integrity or political independence. Yet not all uses of force qualify as an armed attack.

The narrow definition of an “armed attack” is important for determining whether a state has a right to self-defense in response to a use of force against it. Under Article 51, only the “most grave” instances trigger the right of self-defense.

The Tallinn Manual 2.0 extends this framework to cyberspace, treating cyber operations as uses of force only when their consequences resemble those of kinetic attacks, such as missile strikes. To assess this, it applies an effects-based test, weighing factors like severity, immediacy, directness, invasiveness, measurability, and military character (Tallinn Manual 2.0, Rule 69).

The law also recognizes that states may act in anticipatory self-defense if an armed attack is imminent. This principle derives from the 19th-century Caroline incident, where U.S. Secretary of State Daniel Webster famously stated that the necessity must be “instant, overwhelming, leaving no choice of means, and no moment for deliberation” (Yale Avalon).

In practice, this means that most intrusions, including the July 2025 breach of the National Nuclear Security Administration, fall below the threshold of use of force. The NNSA breach did not cause destruction, casualties, or disablement of nuclear functions.

Under current doctrine, it is classified as a sovereignty violation or cyber espionage rather than a prohibited use of force (Reuters, 2025). However, the UK Attorney General’s 2022 speech rejected sovereignty as a standalone rule in cyberspace, favoring instead the non-intervention principle (UK AG 2022 Speech).

The Latency Problem

Here lies the legal blind spot. A cyber infiltration may not cause visible damage at the point of entry, yet it implants the capability for catastrophic harm, waiting only for activation.

Under prevailing interpretations, this is not an armed attack. The dilemma is stark: should a state treat such an intrusion as legally innocuous espionage, or as the equivalent of planting a “ticking time bomb” inside its critical infrastructure?

International law does recognize anticipatory self-defense when an armed attack is imminent, rooted in the Caroline test’s requirement that the necessity be “instant, overwhelming, leaving no choice of means, and no moment for deliberation.” Yet in cyberspace, imminence is notoriously difficult to judge.

A malicious capability hidden inside a nuclear control system may remain dormant for months or years. It is not “about to be used” in the traditional sense, but once activated, it could cause immediate, severe, and irreversible harm.

The result is a double standard: if an explosive device were discovered inside a power plant, most would classify it as an imminent armed attack. But a latent cyber exploit in the same plant is treated merely as an intrusion or espionage under the prevailing effects-based approach.

This gap creates a dangerous strategic dilemma. These latent threats are indistinguishable in potential effect from sabotage tools, yet the law treats them as if nothing has yet happened. The only distinction is that these latent capabilities are digital, not physical. 

Additionally, the Caroline test assumes that a state will have the capacity to identify an imminent threat before it materializes. But this presumption does not hold equally in cyberspace.

Technologically advanced states, such as the United States, may possess the forensic tools to probe their systems and discover latent intrusions before they are activated. For less advanced states, however, the window between what is about to happen and what is already happening can collapse into mere seconds.

By the time an intrusion is detected, the exploit has already transitioned from latency to activation, producing catastrophic harm. In such cases, the doctrine of imminence is functionally meaningless: the law only authorizes anticipatory action in a moment that, for many states, will never be available.

Target-Based Threshold: The Solution

This article advocates a target-based threshold for a narrow, agreed category of per se protected systems: nuclear command-and-control, national grid operations, and water purification facilities. Infiltration of such systems, even without immediate effects, would be treated as a prohibited use of force.

In legal terms, this is akin to trespass in a restricted zone: the act itself is wrongful because of where it occurs, not just because of the consequences that follow. Such a framework would provide states with clearer legal grounds to take proportionate, preventive action, thereby reducing the incentives for adversaries to exploit this grey zone.

By clinging to an effects-based threshold, international law risks overlooking the most perilous aspect of modern cyber operations: the ability to implant dormant capabilities that can be activated at will. Recognizing these intrusions into certain critical systems as prohibited uses of force would bring the law in line with the realities of twenty-first-century cyber conflict.

Any proposal to treat intrusions into per se protected systems as uses of force must consequently address the problem of attribution. Cyber operations are often routed through proxies or false-flag infrastructures, raising the risk of miscalculation.

To mitigate this, states could adopt procedural thresholds, such as requiring independent technical verification or corroboration among allies before classifying a latent intrusion as a prohibited use of force (CCDCOE on attribution).

Strengthening the enforcement of the due diligence obligation could also help by holding states accountable for harmful cyber acts originating from their territory, particularly where they are unwilling to act against the operators. This view is reflected in Tallinn Manual 2.0, Rule 6, though its status as binding customary law remains contested.

Equally important is avoiding overreach. The protected category should be narrow and specific, encompassing nuclear command-and-control systems, transmission-level power grids, and water purification facilities. Extending the rule to every industrial control system or operational technology (ICS/OT) would risk diluting its legitimacy and escalating routine espionage into unlawful force.

Why It Matters

If the Tallinn Manual and broader international norms fail to evolve, adversaries will continue to exploit this gap, embedding latent threats in critical systems with little fear of consequence.

By the time such capabilities are activated, the cost of inaction may be measured not in technical losses but in national survival.

A target-based threshold, treating intrusions into nuclear command-and-control systems, national grids, or water systems as acts of force, offers one way forward. Coupled with stronger enforcement of due diligence, such a shift would send a clear signal: some systems are off-limits to any cyber penetration.

At the same time, the expansion to the target-based threshold must be tempered by escalation management. Not every latent intrusion warrants a forcible response.

International law already permits countermeasures and proportionate, non-forcible tools like sanctions (UK AG 2022 Speech). This framework reserves forceful action for clear, verified cases of malicious intrusion into prohibited systems. This will preserve the stability of these systems while still deterring the most dangerous operations.

Ultimately, the latency problem is not merely a technical issue but also a legal and strategic one. Updating international law to address it would close a loophole that advantages the attacker, restore balance to deterrence, and ensure the rules of the digital battlefield reflect twenty-first-century risks.

About the Author

Mr. Ikenna Victor Iheuwa is an attorney licensed to practice law in Nigeria and a J.D. Candidate at Stetson University College of Law (Class of 2027). He holds an LL.M. in International Law (with Distinction) from Stetson and focuses his legal studies on Corporate, Business, and Energy Law. Before beginning his U.S. legal education, Ikenna served as a State Counsel in the Kwara State Department of Public Prosecution, where he prosecuted criminal cases on behalf of the State. He later co-founded Rhexoville International Ltd., an asset management company managing cross-border transactions in Nigeria, the United Kingdom, and Florida. His research and scholarship explore Law Reform and Advocacy, Cyber and Data Security, and Global Energy Transition.

The views expressed by guest authors do not necessarily reflect my views, those of the Center on Law, Ethics and National Security, or Duke University. See also here. 

Remember what we like to say on Lawfire®: gather the facts, examine the law, evaluate the arguments – and then decide for yourself!
